eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
139s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Abantes.exe
Size

2.7MB
MD5

cd2e58136d3049e9be40ae29f9250c93
SHA1

e97beb8b87d130e5c5745981e3614ed6aa3caae3
SHA256

dac4b5511343cf863832e38886af8a3e1d55529648314eb02cc21fa3979f6419
SHA512

3ad23ad35d23acfa9edc187f443f28c4bb11279472632726f450b10cc09a653e10f4832f9cca44d063ad1259de6c7017ca6ca8f64ed07d302c3b2d06628f0ba7
SSDEEP

49152:yi98eUDa7+tCg3e+zNWZjUDa7+tCg3e+zNWyUDa7+tCg3e+zNWR9Bh:yAC+7+p3ej2+7+p3ejh+7+p3ejDBh

Score

10^/10

discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe, C:\\Windows\\Defender\\Abantes.exe"	Abantes.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Abantes.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Abantes.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

920 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Abantes.exe

pid	process
920	netsh.exe

Possible privilege escalation attempt 14 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
1988	takeown.exe
1816	takeown.exe
1560	icacls.exe
1536	takeown.exe
2036	icacls.exe
848	icacls.exe
1276	takeown.exe
1184	icacls.exe
1160	icacls.exe
1820	icacls.exe
1148	takeown.exe
968	takeown.exe
1776	takeown.exe
940	icacls.exe

Sets file execution options in registry 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgradeui.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StikyNot.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsrchvw.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnippingTool.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgrade.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgrade.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsrchvw.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVDMaker.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVDMaker.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgradeui.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnippingTool.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StikyNot.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeCP.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeCP.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe"	Abantes.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
1148	takeown.exe
1776	takeown.exe
2036	icacls.exe
1820	icacls.exe
848	icacls.exe
1536	takeown.exe
1560	icacls.exe
1160	icacls.exe
968	takeown.exe
940	icacls.exe
1184	icacls.exe
1988	takeown.exe
1276	takeown.exe
1816	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

Abantes.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico" Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico"	Abantes.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Abantes.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Abantes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Abantes.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Abantes.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	Abantes.exe

Drops file in System32 directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\en-US\authui.dll.mui cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\en-US\authui.dll.mui	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Abantes.exe

Drops file in Windows directory 17 IoCs

Processes:

Abantes.execmd.exe

description	ioc	process
File created	C:\Windows\Defender\Payloads.dll	Abantes.exe
File created	C:\Windows\Defender\Rules.exe	Abantes.exe
File created	C:\Windows\Defender\explorer.exe.mui	Abantes.exe
File created	C:\Windows\Defender\authui.dll.mui	Abantes.exe
File opened for modification	C:\Windows\Defender\wallpaper.jpg	Abantes.exe
File opened for modification	C:\Windows\Defender\Abantes.exe	Abantes.exe
File created	C:\Windows\Defender\icon.ico	Abantes.exe
File created	C:\Windows\Defender\LogonUIStart.exe	Abantes.exe
File created	C:\Windows\Defender\IFEO.exe	Abantes.exe
File created	C:\Windows\Defender\data.bin	Abantes.exe
File created	C:\Windows\Defender\logonOverwrite.bat	Abantes.exe
File opened for modification	C:\Windows\en-US\explorer.exe.mui	cmd.exe
File created	C:\Windows\Defender\Action.bat	Abantes.exe
File created	C:\Windows\Defender\cursor.cur	Abantes.exe
File created	C:\Windows\Defender\LogonUi.exe	Abantes.exe
File created	C:\Windows\Defender\Abantes.exe	Abantes.exe
File opened for modification	C:\Windows\Defender	Abantes.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1644 timeout.exe
1708 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1280 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

912 taskkill.exe

pid	process
1644	timeout.exe
1708	timeout.exe

pid	process
1280	vssadmin.exe

pid	process
912	taskkill.exe

Modifies Control Panel 16 IoCs

evasion

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\Wait = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\Hand = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\No = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\Help = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "2"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\TileWallpaper = "0"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\Defender\\cursor.cur"	Abantes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Mouse\MouseTrails = "7"	Abantes.exe

Modifies registry class 2 IoCs

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico"	Abantes.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Abantes.exe

pid process

1084 Abantes.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Abantes.exe

pid process

1084 Abantes.exe

pid	process
1084	Abantes.exe

pid	process
1084	Abantes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Abantes.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1084	Abantes.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeTakeOwnershipPrivilege	1776	takeown.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	524	WMIC.exe
Token: SeSecurityPrivilege	524	WMIC.exe
Token: SeTakeOwnershipPrivilege	524	WMIC.exe
Token: SeLoadDriverPrivilege	524	WMIC.exe
Token: SeSystemProfilePrivilege	524	WMIC.exe
Token: SeSystemtimePrivilege	524	WMIC.exe
Token: SeProfSingleProcessPrivilege	524	WMIC.exe
Token: SeIncBasePriorityPrivilege	524	WMIC.exe
Token: SeCreatePagefilePrivilege	524	WMIC.exe
Token: SeBackupPrivilege	524	WMIC.exe
Token: SeRestorePrivilege	524	WMIC.exe
Token: SeShutdownPrivilege	524	WMIC.exe
Token: SeDebugPrivilege	524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	524	WMIC.exe
Token: SeRemoteShutdownPrivilege	524	WMIC.exe
Token: SeUndockPrivilege	524	WMIC.exe
Token: SeManageVolumePrivilege	524	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Abantes.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 2000	1084	Abantes.exe	cmd.exe
PID 1084 wrote to memory of 2000	1084	Abantes.exe	cmd.exe
PID 1084 wrote to memory of 2000	1084	Abantes.exe	cmd.exe
PID 1084 wrote to memory of 2000	1084	Abantes.exe	cmd.exe
PID 2000 wrote to memory of 1988	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1988	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1988	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1988	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 848	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1276	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1276	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1276	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1276	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1184	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1184	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1184	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1184	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1816	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1816	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1816	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1816	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1148	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1148	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1148	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1148	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 968	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 968	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 968	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 968	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 940	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 940	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 940	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 940	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2036	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2036	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2036	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 2036	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1820	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1820	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1820	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1820	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1160	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1160	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1160	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1160	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1972	2000	cmd.exe	WMIC.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

Abantes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Welcome To Hell"	Abantes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "This Computer has been Infected by the Abantes Trojan. Hope You Enjoy."	Abantes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Abantes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	Abantes.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Abantes.exe
"C:\Users\Admin\AppData\Local\Temp\Abantes.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Sets file execution options in registry
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Defender\Action.bat""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f logonui.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\SysWOW64\icacls.exe
    icacls logonui.exe /granted Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\en-US" /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\en-US" /granted Admin:F /T /C
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f explorer.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f regedit.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f HelpPane.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Temp" /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\en-US" /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Temp" /granted Admin:F /T /C
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\en-US" /granted Admin:F /T /C
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1560
- - C:\Windows\SysWOW64\icacls.exe
    icacls regedit.exe /granted Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2036
- - C:\Windows\SysWOW64\icacls.exe
    icacls explorer.exe /granted Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1820
- - C:\Windows\SysWOW64\icacls.exe
    icacls HelpPane.exe /granted Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='Abantes Was Here'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'Abantes Was Here'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\SysWOW64\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:920
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:912
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT 1
    3⤵
    - Delays execution with timeout.exe
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT 2
    3⤵
    - Delays execution with timeout.exe
    PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Defender\Action.bat

Filesize
1KB

MD5
8b3585b4f84496c306b6c082ea6e52ef

SHA1
04bf1cf0f68a571e746fb7c863f71fa70e0e79d3

SHA256
d06d5f8501501af5677b133ff7aa531ccf1bf9b2673a1f26117f0420532b599e

SHA512
733bb98473fc8b3c8f0f96ff5ccec9212c36f7162742ee124d6a0edd0186e171ec61de97a3268663812802c90d29cd1e5077af72e02f550d94d67ebe106c0591

Download Submit
C:\Windows\Defender\Action.bat

Filesize
1KB

MD5
8b3585b4f84496c306b6c082ea6e52ef

SHA1
04bf1cf0f68a571e746fb7c863f71fa70e0e79d3

SHA256
d06d5f8501501af5677b133ff7aa531ccf1bf9b2673a1f26117f0420532b599e

SHA512
733bb98473fc8b3c8f0f96ff5ccec9212c36f7162742ee124d6a0edd0186e171ec61de97a3268663812802c90d29cd1e5077af72e02f550d94d67ebe106c0591

Download Submit
C:\Windows\Defender\authui.dll.mui

Filesize
21KB

MD5
a3a8fb6325f2f4fd31039775be19a9a4

SHA1
dba1acba938c8720b23b992ef77f130b6dbe7428

SHA256
6baf83c2c45f0e3a1a1dedc799cce6adb766dabe25baa847f9dd308aae0218eb

SHA512
9a03528d3b1a6a0bc3fbce6149d1cf6e21fe629c53d1b93954e6147cdfbf95eb272e75dbf906e38a1981706e71f679fda680cdf8601491ba792576c9b54d043e

Download Submit
C:\Windows\Defender\explorer.exe.mui

Filesize
15KB

MD5
39f1a6a8b713fcf30afc03ea3c936f85

SHA1
9209b25730c7896e047e5a4fc1da73c294e55c0e

SHA256
b69b61675531060d350a795a53568ccf19a146060cebb659ebc658a0e8b27fc9

SHA512
82b402b1c94fb8444e9d32f10becad994715667fc36d427faf6ae4f433c8e7025c3ca387e6cae7fb4e14f2e9f36446354c1c2585445fd79e7673b78419232780

Download Submit
memory/1084-54-0x0000000000340000-0x00000000005F8000-memory.dmp

Filesize
2.7MB

Download
memory/1084-55-0x00000000022B0000-0x0000000002304000-memory.dmp

Filesize
336KB

Download
memory/1084-56-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/1084-86-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download