Analysis
- max time kernel: 167s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:41
Static task: static1
Behavioral task: behavioral1
- Sample: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
- Resource: win10v2004-20220414-en
General
- Target: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
- Size: 570KB
- MD5: 4cb6d61ad2425bede38804cc18113e01
- SHA1: faa8c450493e4ac9fdd95bed030dc2051da6c6b6
- SHA256: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
- SHA512: 318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24
Malware Config
Extracted configuration (identical in every copy of the dropped note): family avaddon, url http://avaddonbotrxmuyl.onion
Extracted from:
- C:\odt\9j8Pznq_readme.txt
- C:\Users\Admin\Documents\9j8Pznq_readme.txt
- C:\Users\Admin\Downloads\9j8Pznq_readme.txt
- C:\Users\Admin\Favorites\9j8Pznq_readme.txt
- C:\Users\Admin\Pictures\9j8Pznq_readme.txt
- C:\Users\Admin\Searches\9j8Pznq_readme.txt
- C:\Users\Public\Libraries\9j8Pznq_readme.txt
- C:\9j8Pznq_readme.txt
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2156-132-0x0000000001010000-0x000000000112C000-memory.dmp | family_avaddon
behavioral2/memory/2156-133-0x0000000000400000-0x0000000000CBD000-memory.dmp | family_avaddon
-
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe (process column is the same for every row)
description | ioc
File renamed | C:\Users\Admin\Pictures\CompareConvert.tif => C:\Users\Admin\Pictures\CompareConvert.tif.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\ConfirmConvert.crw => C:\Users\Admin\Pictures\ConfirmConvert.crw.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\GroupReceive.raw => C:\Users\Admin\Pictures\GroupReceive.raw.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\MeasureDismount.crw => C:\Users\Admin\Pictures\MeasureDismount.crw.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\PingResolve.tiff => C:\Users\Admin\Pictures\PingResolve.tiff.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\SearchLock.raw => C:\Users\Admin\Pictures\SearchLock.raw.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\SkipConnect.png => C:\Users\Admin\Pictures\SkipConnect.png.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\BackupSend.tif => C:\Users\Admin\Pictures\BackupSend.tif.bCeBDDBaAB
File opened for modification | C:\Users\Admin\Pictures\PingResolve.tiff
File renamed | C:\Users\Admin\Pictures\RestartConvertTo.raw => C:\Users\Admin\Pictures\RestartConvertTo.raw.bCeBDDBaAB
File opened for modification | C:\Users\Admin\Pictures\StepSplit.tiff
File renamed | C:\Users\Admin\Pictures\StepSplit.tiff => C:\Users\Admin\Pictures\StepSplit.tiff.bCeBDDBaAB
File renamed | C:\Users\Admin\Pictures\InitializeCompare.tif => C:\Users\Admin\Pictures\InitializeCompare.tif.bCeBDDBaAB
-
Checks whether UAC is enabled 1 IoCs
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Drops desktop.ini file(s) 1 IoCs
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
description | ioc
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe (same process for every row)
description | ioc
File opened (read-only) | \??\T: \??\X: \??\B: \??\H: \??\M: \??\N: \??\Q: \??\R: \??\F: \??\O: \??\P: \??\S: \??\V: \??\Z: \??\A: \??\G: \??\K: \??\L: \??\U: \??\Y: \??\E: \??\I: \??\J: \??\W: (24 separate entries, one per drive letter, in this order)
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
39 | api.myip.com
40 | api.myip.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 18 IoCs
Processes: WerFault.exe (18 instances)
pid | pid_target | process | target process
5092 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3560 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4712 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4772 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
5052 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4488 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
560 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4520 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1764 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4484 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
216 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1052 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3236 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3240 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4260 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
648 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1976 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3924 | 2156 | WerFault.exe | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
pid | process
2156 | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe (this identical pid/process pair is reported for all 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes: wmic.exe (pids 5080, 5056, 2176)
description | pid | process
Each of the three wmic.exe processes (5080, 5056 and 2176, in that order) adjusted the same 21 tokens, giving 63 entries in total:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
description | pid | process | target process
PID 2156 wrote to memory of 5080 | 2156 | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe | wmic.exe (3 entries)
PID 2156 wrote to memory of 5056 | 2156 | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe | wmic.exe (3 entries)
PID 2156 wrote to memory of 2176 | 2156 | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe | wmic.exe (3 entries)
-
System policy modification 1 TTPs 3 IoCs
Processes: 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe (same process for every row)
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes
-
C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe"
Signatures:
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
Child processes (depth 2), in the order reported:
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 856 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 900 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 900 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 920 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1004 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1100 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1532 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1628 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1808 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1788 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1832 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1772 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1540 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1076 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1924 (Program crash)
- C:\Windows\SysWOW64\Wbem\wmic.exe, command line: wmic.exe SHADOWCOPY /nointeractive (Suspicious use of AdjustPrivilegeToken)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1760 (Program crash)
- C:\Windows\SysWOW64\Wbem\wmic.exe, command line: wmic.exe SHADOWCOPY /nointeractive (Suspicious use of AdjustPrivilegeToken)
- C:\Windows\SysWOW64\Wbem\wmic.exe, command line: wmic.exe SHADOWCOPY /nointeractive (Suspicious use of AdjustPrivilegeToken)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1056 (Program crash)
- C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1836 (Program crash)
-
C:\Windows\SysWOW64\WerFault.exe (depth 1, 18 instances, no signatures), command lines in the order reported:
- C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2156 -ip 2156
Downloads
- memory/2156-131-0x0000000000F23000-0x0000000000F9D000-memory.dmp (488KB)
- memory/2156-132-0x0000000001010000-0x000000000112C000-memory.dmp (1.1MB)
- memory/2156-133-0x0000000000400000-0x0000000000CBD000-memory.dmp (8.7MB)
- memory/2176-136-0x0000000000000000-mapping.dmp
- memory/5056-135-0x0000000000000000-mapping.dmp
- memory/5080-134-0x0000000000000000-mapping.dmp