avaddon | cf386d392da4947fefc3940e5f51414ae837cca482b7168491533fe5db93ef72

Analysis

max time kernel
52s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Size

441KB
MD5

b1758767d10c75d1589c16763fca6fd3
SHA1

2722f21a31859ea735e908a1c705d07b139e3b12
SHA256

d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
SHA512

93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
SSDEEP

12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\89nVC_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDACaDbCeC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC14T1RvUmlHd0FSUTdJc3NoSmVEUDZaZFlZYWhRQmlReUhqSWsrV3hnMzNIMWpzTjlSL2x1WDl6VFFiemROTURhKzg2eGo2UXFKb1VhdjNUS1VnU2ZtalBBZlFlYmVDWCtreXp0MzlOd21MbDRUNjY4YWZVQjJyWkFhMlZKdUx6ak51RXd3L3BhQTRRSGpuZWhNV1N2S0prVVBEbExKSVRldllkSVd0TENOMDE1ODdkZURxcTNVQ2k0VG16SUpsZ29uWVFwekxFMEZtK2ZmNHMrdEZ3U3lNTzZCZ2E5NWVZZnQySHloZUdxUlZOZTlIN0lLUDBRY1JoZUZqenFtYnVSNm9lVXRBcjcyZWU3RDJ6a3lHYldPOVNKb0NaY3VSY1hQYVZTQzV0WXN0eVNVV2xCeDB6UWswNk03SFJoZnd1b2JuZFJVUlMzbjRtanRrRS9jSWR0WGhWWFNaeWVFMHUxWEZMQVA0bjdJMU92bkNDbldCc1J0d29qVmVXcVB1M2hxY0g3Uno3SnN3S09QRUw3dlYrSlJrMTA4cmxLMitkZTdXakR6SklZMlFiUUJXVGJxVHZBRWxMSzNZUm5jamVZRlBjcGVKYndadG16R2V0cmJJRS9XRmpVZ2VScUljY0pldkp6M21CYWxMblRPQXJtSmp5UmNKTVRYYmtZN3VETnhKNVlxOVMxREJPc3N0anVPVk9TSWUwRGEybVNsRjFjUENzWUVLdmJqWHVYN1dLdUZpRWRpY0djUUNPZ1Nqei9sSStmWUE4ZHpjOVJML0ZWTXA2MFF5MHFsMXZ2ZXk0b3Y1aUhZa3BNeExObWJoc3VFeW9mQVM5SXpmelZ1RE53QWFqQ2pJNzJGeFRXMEJEOEppeGlWRHZlYWQzM2JuL0lqQm5SN2lYcTdDcjBGYmsxQkdsZkZ6bEg3SStqSERKWkp0WnJXTkhLVlFmS1BRQUJrd2FFcCtONCtjVG0zOTJZS1pPSjhndzg2N0tVQnB5dGVzc3JtbVgyOHROTUFqVEVhaEVFT09MTTBMd1Qzc0MrKzlTVFY1TnAxV0s2UVdmRnF1ZDNQUTRwM3BvQWJxSlZyRWdvcWxGUEtHQkZYSWk4TU8xQUt5cUk3cU5iaDV1RC9DMFJsWElsTGxJd1ZyREhlVDRZZFluR05GV0pGbnBCWkZUKzJmSGhMLzdXdzRubnFreklVR0dreXRpOFFqWVZXa0sxNGRHcllXM1RpTzZBRDZTOTNIa0lwaUdkenlVS21lRUl4L1pUNVZSRGtUcElkK2JVL0lNbThvbzZtUGRPb2ZSQkxaZzdWbXNabFNnM01ma2w5czJ4dTVTbXpiRmpKK20yU1lsVGY4b2dsUEJmS3J3KzF3emlpUXZlRkxUTm0xaENmRkprdWYyc1VRNTNMcHMxUzVSbHFTS2ZLODZFWmQxUm5ZUzZERDNhWUhBTjN1aGhIbEtwK0pvL1l2OUZoYnNWRldKd3hHc1FvQk5uMHBrcmNPQkJxSGJxNEZFajE3MXkrblozS1FtVStDYnpYVXBKQTE5bEFqTlY2R3FibHZ3UlBIK1pyN2ZqTE9QY2RIMGZ0ekVPRSs5MHVSQWFqSHlPYWZ6NjAxR3lwK1h0U2FRbEs1WWZXanlYY0E0YjVVRis0U1k2ekovNFpVVXo4U0hpakwxaE83V3dRUzlqdXRMNTdNTWt2a05YVEZFMlYvanFSYnJOWFZmMWRZQ3VYTzdPTnBRVWNNaVYyUUlXQzFPZHhwMG5xOHJjek9XMDFoeFFTLzBBVGhDOUduNTFBdTN3emVxOHVwT2toNjY3TlFhT25IQkFVYm1XM2F2ZXJPdmltbkJWdVNQcjV5Vm5rMnJvMHQzYThjeDFlSDdxVXZ3cG01UzgxaTNRdDR4bjF3T09QY2NaWXJCc0haeGNOYzc3cDZidUkrV1gvTHEwOG5OMmdsVTNjS3dyWHJxb0hHRnI5R2xDUjUyYTQrakNOU3JTOVFGaUxZMlZ2L1JuOURkTWw1WlQyL3NQN3pLaUZSSWhwUE9nWVZwVXhWQmVjYzJ0TkVsdzZ4Q21uZkltOGVBNUlFb1RuOGl3dkRuMVhvYUpNYTBMczBWSitxdG10bDFWaVVKdU56ajY2VXBEY0dlNmlnMktYYUx3LzY4bWoyMWE4dz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * hk5brET0sBKXMe5s

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\89nVC_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\89nVC_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\89nVC_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3124	wmic.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3124	wmic.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	3124	wmic.exe	90

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3777073499-70821052-905318652-1000\desktop.ini	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\O:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\Q:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\R:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\V:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\W:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\X:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\G:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\H:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\I:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\M:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\U:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\A:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\N:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\T:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\Y:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\L:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\E:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\J:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\P:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\S:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\Z:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\F:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
File opened (read-only)	\??\B:	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3912	wmic.exe
Token: SeSecurityPrivilege	3912	wmic.exe
Token: SeTakeOwnershipPrivilege	3912	wmic.exe
Token: SeLoadDriverPrivilege	3912	wmic.exe
Token: SeSystemProfilePrivilege	3912	wmic.exe
Token: SeSystemtimePrivilege	3912	wmic.exe
Token: SeProfSingleProcessPrivilege	3912	wmic.exe
Token: SeIncBasePriorityPrivilege	3912	wmic.exe
Token: SeCreatePagefilePrivilege	3912	wmic.exe
Token: SeBackupPrivilege	3912	wmic.exe
Token: SeRestorePrivilege	3912	wmic.exe
Token: SeShutdownPrivilege	3912	wmic.exe
Token: SeDebugPrivilege	3912	wmic.exe
Token: SeSystemEnvironmentPrivilege	3912	wmic.exe
Token: SeRemoteShutdownPrivilege	3912	wmic.exe
Token: SeUndockPrivilege	3912	wmic.exe
Token: SeManageVolumePrivilege	3912	wmic.exe
Token: 33	3912	wmic.exe
Token: 34	3912	wmic.exe
Token: 35	3912	wmic.exe
Token: 36	3912	wmic.exe
Token: SeIncreaseQuotaPrivilege	1328	wmic.exe
Token: SeSecurityPrivilege	1328	wmic.exe
Token: SeTakeOwnershipPrivilege	1328	wmic.exe
Token: SeLoadDriverPrivilege	1328	wmic.exe
Token: SeSystemProfilePrivilege	1328	wmic.exe
Token: SeSystemtimePrivilege	1328	wmic.exe
Token: SeProfSingleProcessPrivilege	1328	wmic.exe
Token: SeIncBasePriorityPrivilege	1328	wmic.exe
Token: SeCreatePagefilePrivilege	1328	wmic.exe
Token: SeBackupPrivilege	1328	wmic.exe
Token: SeRestorePrivilege	1328	wmic.exe
Token: SeShutdownPrivilege	1328	wmic.exe
Token: SeDebugPrivilege	1328	wmic.exe
Token: SeSystemEnvironmentPrivilege	1328	wmic.exe
Token: SeRemoteShutdownPrivilege	1328	wmic.exe
Token: SeUndockPrivilege	1328	wmic.exe
Token: SeManageVolumePrivilege	1328	wmic.exe
Token: 33	1328	wmic.exe
Token: 34	1328	wmic.exe
Token: 35	1328	wmic.exe
Token: 36	1328	wmic.exe
Token: SeIncreaseQuotaPrivilege	4036	wmic.exe
Token: SeSecurityPrivilege	4036	wmic.exe
Token: SeTakeOwnershipPrivilege	4036	wmic.exe
Token: SeLoadDriverPrivilege	4036	wmic.exe
Token: SeSystemProfilePrivilege	4036	wmic.exe
Token: SeSystemtimePrivilege	4036	wmic.exe
Token: SeProfSingleProcessPrivilege	4036	wmic.exe
Token: SeIncBasePriorityPrivilege	4036	wmic.exe
Token: SeCreatePagefilePrivilege	4036	wmic.exe
Token: SeBackupPrivilege	4036	wmic.exe
Token: SeRestorePrivilege	4036	wmic.exe
Token: SeShutdownPrivilege	4036	wmic.exe
Token: SeDebugPrivilege	4036	wmic.exe
Token: SeSystemEnvironmentPrivilege	4036	wmic.exe
Token: SeRemoteShutdownPrivilege	4036	wmic.exe
Token: SeUndockPrivilege	4036	wmic.exe
Token: SeManageVolumePrivilege	4036	wmic.exe
Token: 33	4036	wmic.exe
Token: 34	4036	wmic.exe
Token: 35	4036	wmic.exe
Token: 36	4036	wmic.exe
Token: SeIncreaseQuotaPrivilege	3912	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2572	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	98
PID 872 wrote to memory of 2572	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	98
PID 872 wrote to memory of 2572	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	98
PID 872 wrote to memory of 5060	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	104
PID 872 wrote to memory of 5060	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	104
PID 872 wrote to memory of 5060	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	104
PID 872 wrote to memory of 4536	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	106
PID 872 wrote to memory of 4536	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	106
PID 872 wrote to memory of 4536	872	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe	106

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
"C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:872
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2572
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:5060
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:4536

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\89nVC_readme_.txt

Filesize
3KB

MD5
870ef98a552bde1daa9777b7b2abb49f

SHA1
07a0af3cd9347d5bef96047607e762f49a707fa4

SHA256
7ad691d6430bdb09dfc9231ef9397c19d313fc2c1da50968c90690ec280b816a

SHA512
e8b32494698897bb57a43007ff6a9ee0f9324a999d4dc3fb9f61c38663343764780e2cf610d1312d32c8ada474f246cf7c1cc49d3db9cfb4100d0353dc93557e

Download Submit
C:\Users\Admin\Desktop\89nVC_readme_.txt

Filesize
3KB

MD5
cd16225d64837a2247af73d8ea226b13

SHA1
c140a38bab51d2c60dfc23b56ea1fe8a26e0fd6b

SHA256
b3de589f15fc50a49ab811e0d9c2e9edd365592634f8448c79b2ad5af87dc803

SHA512
f8695281a059018e448ba55330b8c6e5a4b57641d4c406b7936d7bf03fa2983358330ba1947664767d7f911e91e0d34f4f77b9cf16ab820f01b3ff60736dce50

Download Submit
C:\Users\Admin\Documents\89nVC_readme_.txt

Filesize
3KB

MD5
03e358f8dcbab0680cbbc41f7d49b4da

SHA1
00ebfc67d1d541c23bdfa3bfd1b2144bc6433064

SHA256
c236182006524e5e8b7578cc015d8bb08b17f3655c756f3dfa58247e185e4872

SHA512
13b86f8c931925149e2822b3e6431b3ca4c4ffcb9f0cda50280c88b5ea7edfe62cda3fd281f909cd717416cc27a96c627c36bd7bc45c17cb082da4a5ffc0f715

Download Submit
C:\Users\Admin\Music\89nVC_readme_.txt

Filesize
3KB

MD5
cfc9bfc8a9364a3b94a08751d6bec95e

SHA1
1b9daae49158c863348559a67397090dd1133aae

SHA256
25f5626bbace0aee368fe6bb393a18efa5df2ccf930aba84eb806c94489e764d

SHA512
594a5b75f3e59621087b82818f3db7c114aa5d72613a26d07b53fc2de20368934b193aeb0ccfd83a88f1cd18b2b8927ebb501b3501837a1d698adf6effc5a51b

Download Submit
memory/872-0-0x0000000000400000-0x00000000005E3204-memory.dmp

Filesize
1.9MB

Download