avaddon | f6fce8a0d32cba5508cf11d4a9ab53a1bbef43bdeb64ffd6930a40211b5f3bef

General

Target

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
Size

2.0MB
MD5

f8290f2d593a05ea811edbd3bff6eacc
SHA1

497985116f4ebaa05f1774c16adb5aa52b8e9756
SHA256

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
SHA512

97e4563b6112e4f6c7ee46cc1e18de931d4e052d387e6c37f7fdd7d352ef817778bd95041eeaf05e2bdf657afa1b09e52f4933ca22c6ea8f98983d8c13b56c14
SSDEEP

24576:AxT2+3dmY7FF1JLurH0q7kRZLJn0A0ffqN3CzPtakNLIE4GPoyP:f+NmY7FFHurUayLLKCdCzPtFZb

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-134-0x0000000000400000-0x0000000000605000-memory.dmp	family_avaddon
behavioral2/memory/2736-466-0x0000000000400000-0x0000000000605000-memory.dmp	family_avaddon
behavioral2/memory/2736-491-0x0000000000400000-0x0000000000605000-memory.dmp	family_avaddon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SuspendSwitch.tiff	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File renamed	C:\Users\Admin\Pictures\AssertCheckpoint.tiff => C:\Users\Admin\Pictures\AssertCheckpoint.tiff.Pv8D	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File renamed	C:\Users\Admin\Pictures\RequestExpand.raw => C:\Users\Admin\Pictures\RequestExpand.raw.Pv8D	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File renamed	C:\Users\Admin\Pictures\ConvertToHide.tiff => C:\Users\Admin\Pictures\ConvertToHide.tiff.Pv8D	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandSplit.tiff	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File renamed	C:\Users\Admin\Pictures\ExpandSplit.tiff => C:\Users\Admin\Pictures\ExpandSplit.tiff.Pv8D	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File renamed	C:\Users\Admin\Pictures\SuspendSwitch.tiff => C:\Users\Admin\Pictures\SuspendSwitch.tiff.Pv8D	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened for modification	C:\Users\Admin\Pictures\AssertCheckpoint.tiff	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToHide.tiff	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
File opened (read-only)	\??\P:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\E:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\I:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\K:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\Q:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\R:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\S:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\W:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\H:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\N:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\U:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\V:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\Z:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\M:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\B:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\F:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\G:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\J:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\L:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\O:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\T:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\A:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\Y:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
File opened (read-only)	\??\X:	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

54 api.myip.com
55 api.myip.com
83 api.myip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
54	api.myip.com
55	api.myip.com
83	api.myip.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

pid	process
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4580	wmic.exe
Token: SeSecurityPrivilege	4580	wmic.exe
Token: SeTakeOwnershipPrivilege	4580	wmic.exe
Token: SeLoadDriverPrivilege	4580	wmic.exe
Token: SeSystemProfilePrivilege	4580	wmic.exe
Token: SeSystemtimePrivilege	4580	wmic.exe
Token: SeProfSingleProcessPrivilege	4580	wmic.exe
Token: SeIncBasePriorityPrivilege	4580	wmic.exe
Token: SeCreatePagefilePrivilege	4580	wmic.exe
Token: SeBackupPrivilege	4580	wmic.exe
Token: SeRestorePrivilege	4580	wmic.exe
Token: SeShutdownPrivilege	4580	wmic.exe
Token: SeDebugPrivilege	4580	wmic.exe
Token: SeSystemEnvironmentPrivilege	4580	wmic.exe
Token: SeRemoteShutdownPrivilege	4580	wmic.exe
Token: SeUndockPrivilege	4580	wmic.exe
Token: SeManageVolumePrivilege	4580	wmic.exe
Token: 33	4580	wmic.exe
Token: 34	4580	wmic.exe
Token: 35	4580	wmic.exe
Token: 36	4580	wmic.exe
Token: SeIncreaseQuotaPrivilege	1720	wmic.exe
Token: SeSecurityPrivilege	1720	wmic.exe
Token: SeTakeOwnershipPrivilege	1720	wmic.exe
Token: SeLoadDriverPrivilege	1720	wmic.exe
Token: SeSystemProfilePrivilege	1720	wmic.exe
Token: SeSystemtimePrivilege	1720	wmic.exe
Token: SeProfSingleProcessPrivilege	1720	wmic.exe
Token: SeIncBasePriorityPrivilege	1720	wmic.exe
Token: SeCreatePagefilePrivilege	1720	wmic.exe
Token: SeBackupPrivilege	1720	wmic.exe
Token: SeRestorePrivilege	1720	wmic.exe
Token: SeShutdownPrivilege	1720	wmic.exe
Token: SeDebugPrivilege	1720	wmic.exe
Token: SeSystemEnvironmentPrivilege	1720	wmic.exe
Token: SeRemoteShutdownPrivilege	1720	wmic.exe
Token: SeUndockPrivilege	1720	wmic.exe
Token: SeManageVolumePrivilege	1720	wmic.exe
Token: 33	1720	wmic.exe
Token: 34	1720	wmic.exe
Token: 35	1720	wmic.exe
Token: 36	1720	wmic.exe
Token: SeIncreaseQuotaPrivilege	3548	wmic.exe
Token: SeSecurityPrivilege	3548	wmic.exe
Token: SeTakeOwnershipPrivilege	3548	wmic.exe
Token: SeLoadDriverPrivilege	3548	wmic.exe
Token: SeSystemProfilePrivilege	3548	wmic.exe
Token: SeSystemtimePrivilege	3548	wmic.exe
Token: SeProfSingleProcessPrivilege	3548	wmic.exe
Token: SeIncBasePriorityPrivilege	3548	wmic.exe
Token: SeCreatePagefilePrivilege	3548	wmic.exe
Token: SeBackupPrivilege	3548	wmic.exe
Token: SeRestorePrivilege	3548	wmic.exe
Token: SeShutdownPrivilege	3548	wmic.exe
Token: SeDebugPrivilege	3548	wmic.exe
Token: SeSystemEnvironmentPrivilege	3548	wmic.exe
Token: SeRemoteShutdownPrivilege	3548	wmic.exe
Token: SeUndockPrivilege	3548	wmic.exe
Token: SeManageVolumePrivilege	3548	wmic.exe
Token: 33	3548	wmic.exe
Token: 34	3548	wmic.exe
Token: 35	3548	wmic.exe
Token: 36	3548	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	pid	process	target process
PID 2736 wrote to memory of 4580	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 4580	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 4580	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 1720	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 1720	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 1720	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 3548	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 3548	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe
PID 2736 wrote to memory of 3548	2736	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe

C:\Users\Admin\AppData\Local\Temp\01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe
"C:\Users\Admin\AppData\Local\Temp\01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993.exe"
1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-133-0x00000000023C0000-0x00000000024CE000-memory.dmp

Filesize
1.1MB

Download
memory/2736-134-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2736-466-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2736-491-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads