Analysis
max time kernel: 63s
max time network: 18s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2023 17:04
Static task: static1
Behavioral task: behavioral1
  Sample: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Resource: win10v2004-20231020-en
General
Target: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Size: 441KB
MD5: b1758767d10c75d1589c16763fca6fd3
SHA1: 2722f21a31859ea735e908a1c705d07b139e3b12
SHA256: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
SHA512: 93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
SSDEEP: 12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh
Malware Config
Extracted from C:\Users\Admin\Desktop\eioxO_readme_.txt
  Family: avaddon
  URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Documents\eioxO_readme_.txt
  Family: avaddon
  URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Documents\eioxO_readme_.txt
  Family: avaddon
  URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Music\eioxO_readme_.txt
  Family: avaddon
  URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Public\Pictures\Sample Pictures\eioxO_readme_.txt
  Family: avaddon
  URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 2816 | wmic.exe | 28
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 2816 | wmic.exe | 28
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2816 | wmic.exe | 28
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Drops desktop.ini file(s) 1 IoCs
  description | ioc | Process
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  ioc (one entry per drive root, in the order reported): \??\R:, \??\S:, \??\T:, \??\V:, \??\E:, \??\K:, \??\P:, \??\L:, \??\W:, \??\Y:, \??\F:, \??\G:, \??\H:, \??\J:, \??\N:, \??\O:, \??\U:, \??\Z:, \??\A:, \??\B:, \??\I:, \??\M:, \??\Q:, \??\X:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2152 | vssadmin.exe
  308 | vssadmin.exe
  792 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  The same 20 tokens are listed, in this order, for each of pid 2540 wmic.exe, pid 2488 wmic.exe and pid 2544 wmic.exe (60 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  The remaining four entries are again for pid 2540 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory 24 IoCs
  description | pid | Process | procid_target
  PID 2412 wrote to memory of 1912 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 35
  PID 2412 wrote to memory of 2152 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 42
  PID 2412 wrote to memory of 2424 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 44
  PID 2412 wrote to memory of 308 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 46
  PID 2412 wrote to memory of 1432 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 48
  PID 2412 wrote to memory of 792 (4 entries) | 2412 | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe | 50
System policy modification 1 TTPs 3 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe"
  PID: 2412
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
    PID: 1912
  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    PID: 2152
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
    PID: 2424
  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    PID: 308
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
    PID: 1432
  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    PID: 792
    - Interacts with shadow copies
C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  PID: 2540
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  PID: 2488
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  PID: 2544
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads
Filesize: 3KB
  MD5: 240c739a8fc1e0e6286fdd9793bcbd0b
  SHA1: 852ac1658e94d7d03f35af64d620a44c304395ab
  SHA256: 4d1d72cc104b60a14b30cb06758117949310dcf355795a1e476eb5e66c2e86c8
  SHA512: 0317ed8b3ca6834d9d74217b116ad9512d59ad25581d7191a93c1c519889d5809a2733ffe0ae4d9d977227f288ea1934543c1cae8cef0186201855d947ba1922
Filesize: 3KB
  MD5: 4a9b4ad3984026cff2b0a94a952e251d
  SHA1: 7c3cf5b3dc7ecd037b9c8fa9a6bb2e9c23bb54e6
  SHA256: 558e5c64efd7ae0aca5b2f1d18dd072fc7a29ce128ddb933893f616d1819d8b3
  SHA512: e3ef37cf7ac801d285a1f29b005c23b279b5f358ce981d2a4cf131cd9666f83dd2d1bb802a7fbf1f74a15eff45b14e7462b0c9f174b6ec433f567df05b63ad76
Filesize: 3KB
  MD5: 93278123e968a9162aa4ede999a6dc60
  SHA1: 99ffdc184775ab3d8bb68acaa616e4f3fce82d5c
  SHA256: 70ff21c77f709583243caa092efb11b26b9a2de446a6220b9f65be22121dca9c
  SHA512: 2ca699fe6d662c125f86f81f6b617470fc4c71a8c4997c11feb90cfa675bd697113cb94cc5eba1400f9a51833be9a62260085a41a163496fcf77079533c9c8ad
Filesize: 3KB
  MD5: 95b672ff6ff604ff48b5cf2f71e4755e
  SHA1: 4e1f273b09a8443089124cd62e262e991b6b792a
  SHA256: d1ddbbae08cd7525fd214af1c9002284a5ec1753bc6c81babdb16d5e43649a72
  SHA512: c7b7904806b2960546a831e12fa8aff6871fb0bcf329e07b0f85d0d1e6931f7e51deb83c825c6dafc2913e902f03bb061f3b8a76ef3b08089bd995482be7db09
Filesize: 3KB
  MD5: b65dbcb8f6d7fa6b8a6ddbe1b06fb993
  SHA1: fb80bb177da4d151c5cb0a2840b769a8e0e20b78
  SHA256: c768d6e12eec3990a37832ddea5bfa44a653b715906a70028090a52c52d8dd5f
  SHA512: 1bc1c2f1684c39ecfcd08bd3341f4dcb5f39fd492bc078574b051e43789e2e771aa82091bc42deeaf66d040cc9322c58096572fd592542e8ea673599a7b0c576