avaddon | 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Size

775KB
MD5

4ecc7bbbed724a23a2d6b0037064a64d
SHA1

20b98609454cdbb242ff6102b344006f542f7f10
SHA256

2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
SHA512

48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52
SSDEEP

24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\7DrXW_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .acdCcEbBBD You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTg5OC1GbkxiNGFpY08rL0RUaHFlMldhb25Lak1CSmZnNXRGZ1NZcTEzQTFDeTA2dFNvNlhOK1U0QWRmYytlMHAxdzY2d3BwNmpPNjhGT2hyTHZmQzdjaHNqeWxQOEYyVE94djJlbm1WWUJFSnFyNFZHWlNTYms1QllPVXZPSC9hV0N3WWt1NWRyMTVnRXI1dXgyYVI0Tno4QnFsUFZDd3BmbUx5Myt6SGJIdlRBKyt3c0phdEdRTERuK0tnR1RMMG9JNEZHQmNsT2RmNUkza0xKV1F4cFIySHlvd0lWOUF1U1RDQkZnbXRHMkk4UGVaU0RWYkNxQWpnMjU5UjBmZVpyYXBha0wyNzBLTVl6T1hROWRJWEhqVUJadnVjYytubThmc05ON1VERk9UdCtKZVI0TDA4dnRJNDgvQ0NUU2RuMWsybVA0N3E5N1FSb1JuWjZZOE4weEVIekErYlF6KytyOTVJK05MNHE2aHlIQkg2dmwrVVNHanYvRWZRWEwrVzZIRGVwelFvTXRObTlPaG44QXNlMGQ1dzR1eEpjdGlWTzVCVFBFclQ2V05LRXEyQ01Xc1o5U3hnemFNMWRhTVo1Q3JiYUs1bmJYcExvektmM3hZZGdIb1d0OFpUWCtaOGpzMVUvNGptQjJjQ0tTRCtHaTBUQVdIVjdXZmIzOGRZTmprTmpzZmZBNGlrTDJ4YTFjQkJwWlJ4V1pHd0VwMmZmMGtrcklRMEwwM1AvOTZhdVc0ekFHZGRDTWpLM3EyMjJDMk1hMkJwQXB2cTExTTlJQlhJVUwvNkxrVDE1UjJHclRlZ0pXWXFUSGEreTIxaENwK1hRR0RmQ3pONnJ4TUw0SnZFZGQwc3BaWmtwZXM2SVRlZGdoY2hQNndzcTF5cXIxR0FuUHlNMmpoYzBnTkF5djU0Yjk5THRmb0p5elhQaVBXSFcyMUVwUUNWVEdSZ3RuUHlhRU5zTFBtRGc5N01HaHBGSE1JNytOeHZzOWowU0RRNVhVOHRrdEdYMG8xeUFwSHR4UDUvWklPajdJWEc2VHd0ZFMyaEVYdHI3VXZ3MldjalBjOTBKOVhQYXJvYm1pcUJUdjV1dW5hVnQyNVE5VWFRa3hUYlFJajdvN1duK1llYW5vRzhqV1Z5aDZVSEN3K2tEbTk1aDZpVitnL0lwYXdnbEpwV2d3bmZNeXd1eE00Z3VINXJrdSs4MGd4aVcwVjJsQldOKy9LNkg3c2Y2Sk1TYkYzRjlMSG0xUkxWbStIOVZmQjBMU2Vta2JmMkk4SHpqNlc2QnFHaHJGSVhQVExQS2szUjM3VjYyR1BGK0RQc0FlMmpaZTZiVjkwZlpFeWpHVmwvR0U5enJtalQ3RTh1Q3lRK1dyR28rSGtZM3hqdDRETGZGNW81Q2x5Y1luQmtGb2RLZmhEU0NRQVlFTGk1aHdDUU9nbGxoaGdNbDdGUTNIUmFNUHNNV0lmTlY0b2lPWnQyckhndStDakdQZ0FqTURwaE1sak9Id0F6YUFSY0Q2OVNDYlFGSTdVVi84ZVVCaTJ6azlsOWFITWFQaDhqakxqNWFCUW54NFJHOTZFc0FOeTBFWFQ4Z1Rjd1BwR0phUmRYaTJFMDVXVGhSNW40UXJHcmcrSDdJRkJPYVBJUHgwYUQ3cWJQTXM1elhJU3NBWUNGU0gzV1NuYS8zdXpTdUtmNjVtM1h6amhIVEpDS3JaWEFCcWNJQmhFNWhRUVpLOEY3clg2VW01SjIrVnlqenU3aFJmY1Rrd09sdU9hOHZwVzNVdzZQK1NJVDNyRzVUQk43V20xODVBL2txQ0h3eE9uNmZTcE55MDFHeDJ1ZURuemxkNmlhZ3JINmRhTEJvQmZSV2FpKzFRcHBYY0pwSTRQeG96L2dlUDVIaVJING9nVGpDZEtjL3V2MHYyOHd4c0NJdlI4VmZ2S3B4VU96akUyZ2V5TzFlenJkaUNSRFZwL0hLS2lGTmxlL0daNGpBS0pZMjMrdzJpMC85N3BWRGJ1SnpIc1lZMTMraUdmWEh1U213TnJJdXFoOGVnRnIyWmgzcER4Vm51SFlPejlRYmhwbmtwQTMyMndYbExYdWpydXZnVWMrenFnZ05pTDJnMDNtUGlQaTA2Mm52cWowSm1tTnVhQlZqdWExTXQyWHB1RmhiUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * g6f7WXMs0yf

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\7DrXW_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\7DrXW_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012267-632.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2664	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2664	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2664	wmic.exe	28

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1700	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Z:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\F:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\N:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\T:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\V:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\E:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\G:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\J:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\K:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\L:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\W:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\X:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\O:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\P:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\R:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\A:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\B:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\H:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\I:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\M:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\S:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Y:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Q:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1732	vssadmin.exe
1572	vssadmin.exe
2624	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2400	wmic.exe
Token: SeSecurityPrivilege	2400	wmic.exe
Token: SeTakeOwnershipPrivilege	2400	wmic.exe
Token: SeLoadDriverPrivilege	2400	wmic.exe
Token: SeSystemProfilePrivilege	2400	wmic.exe
Token: SeSystemtimePrivilege	2400	wmic.exe
Token: SeProfSingleProcessPrivilege	2400	wmic.exe
Token: SeIncBasePriorityPrivilege	2400	wmic.exe
Token: SeCreatePagefilePrivilege	2400	wmic.exe
Token: SeBackupPrivilege	2400	wmic.exe
Token: SeRestorePrivilege	2400	wmic.exe
Token: SeShutdownPrivilege	2400	wmic.exe
Token: SeDebugPrivilege	2400	wmic.exe
Token: SeSystemEnvironmentPrivilege	2400	wmic.exe
Token: SeRemoteShutdownPrivilege	2400	wmic.exe
Token: SeUndockPrivilege	2400	wmic.exe
Token: SeManageVolumePrivilege	2400	wmic.exe
Token: 33	2400	wmic.exe
Token: 34	2400	wmic.exe
Token: 35	2400	wmic.exe
Token: SeIncreaseQuotaPrivilege	2536	wmic.exe
Token: SeSecurityPrivilege	2536	wmic.exe
Token: SeTakeOwnershipPrivilege	2536	wmic.exe
Token: SeLoadDriverPrivilege	2536	wmic.exe
Token: SeSystemProfilePrivilege	2536	wmic.exe
Token: SeSystemtimePrivilege	2536	wmic.exe
Token: SeProfSingleProcessPrivilege	2536	wmic.exe
Token: SeIncBasePriorityPrivilege	2536	wmic.exe
Token: SeCreatePagefilePrivilege	2536	wmic.exe
Token: SeBackupPrivilege	2536	wmic.exe
Token: SeRestorePrivilege	2536	wmic.exe
Token: SeShutdownPrivilege	2536	wmic.exe
Token: SeDebugPrivilege	2536	wmic.exe
Token: SeSystemEnvironmentPrivilege	2536	wmic.exe
Token: SeRemoteShutdownPrivilege	2536	wmic.exe
Token: SeUndockPrivilege	2536	wmic.exe
Token: SeManageVolumePrivilege	2536	wmic.exe
Token: 33	2536	wmic.exe
Token: 34	2536	wmic.exe
Token: 35	2536	wmic.exe
Token: SeIncreaseQuotaPrivilege	2772	wmic.exe
Token: SeSecurityPrivilege	2772	wmic.exe
Token: SeTakeOwnershipPrivilege	2772	wmic.exe
Token: SeLoadDriverPrivilege	2772	wmic.exe
Token: SeSystemProfilePrivilege	2772	wmic.exe
Token: SeSystemtimePrivilege	2772	wmic.exe
Token: SeProfSingleProcessPrivilege	2772	wmic.exe
Token: SeIncBasePriorityPrivilege	2772	wmic.exe
Token: SeCreatePagefilePrivilege	2772	wmic.exe
Token: SeBackupPrivilege	2772	wmic.exe
Token: SeRestorePrivilege	2772	wmic.exe
Token: SeShutdownPrivilege	2772	wmic.exe
Token: SeDebugPrivilege	2772	wmic.exe
Token: SeSystemEnvironmentPrivilege	2772	wmic.exe
Token: SeRemoteShutdownPrivilege	2772	wmic.exe
Token: SeUndockPrivilege	2772	wmic.exe
Token: SeManageVolumePrivilege	2772	wmic.exe
Token: 33	2772	wmic.exe
Token: 34	2772	wmic.exe
Token: 35	2772	wmic.exe
Token: SeIncreaseQuotaPrivilege	2400	wmic.exe
Token: SeSecurityPrivilege	2400	wmic.exe
Token: SeTakeOwnershipPrivilege	2400	wmic.exe
Token: SeLoadDriverPrivilege	2400	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2420	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	35
PID 2924 wrote to memory of 2420	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	35
PID 2924 wrote to memory of 2420	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	35
PID 2924 wrote to memory of 2420	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	35
PID 2924 wrote to memory of 1732	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	40
PID 2924 wrote to memory of 1732	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	40
PID 2924 wrote to memory of 1732	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	40
PID 2924 wrote to memory of 1732	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	40
PID 2924 wrote to memory of 1684	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	42
PID 2924 wrote to memory of 1684	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	42
PID 2924 wrote to memory of 1684	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	42
PID 2924 wrote to memory of 1684	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	42
PID 2924 wrote to memory of 1572	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	44
PID 2924 wrote to memory of 1572	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	44
PID 2924 wrote to memory of 1572	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	44
PID 2924 wrote to memory of 1572	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	44
PID 2924 wrote to memory of 1540	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	46
PID 2924 wrote to memory of 1540	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	46
PID 2924 wrote to memory of 1540	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	46
PID 2924 wrote to memory of 1540	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	46
PID 2924 wrote to memory of 2624	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	48
PID 2924 wrote to memory of 2624	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	48
PID 2924 wrote to memory of 2624	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	48
PID 2924 wrote to memory of 2624	2924	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	48
PID 2304 wrote to memory of 1700	2304	taskeng.exe	54
PID 2304 wrote to memory of 1700	2304	taskeng.exe	54
PID 2304 wrote to memory of 1700	2304	taskeng.exe	54
PID 2304 wrote to memory of 1700	2304	taskeng.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
"C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2924
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2420
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1732
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1684
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1572
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1540
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2624

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2276

C:\Windows\system32\taskeng.exe
taskeng.exe {BC3EB2A2-6982-4438-B394-37D722B94D2D} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Filesize
775KB

MD5
4ecc7bbbed724a23a2d6b0037064a64d

SHA1
20b98609454cdbb242ff6102b344006f542f7f10

SHA256
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

SHA512
48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52

Download Submit
C:\Users\Admin\Desktop\7DrXW_readme_.txt

Filesize
3KB

MD5
76bc09761135d518e68d0ecd5e74509e

SHA1
fb1211c24e474bda8c2ff7edd89c4145dde5e8ec

SHA256
f5ffe695d8d3f68852408bbdde9d170635dde74936e6c4c1022c6454bccd71f2

SHA512
bfb745d03ae4edaec80ad09030349f8f70dbce7343270196c89b46372c3c4a8ce918aff88988a9d3ab2437f64c1a1741f5f23edf42d9b5677fcc1ce44a4771f4

Download Submit
C:\Users\Admin\Documents\7DrXW_readme_.txt

Filesize
3KB

MD5
a0622d159edb00f1b77dbd7c728767cb

SHA1
08104b009b753c7a114337191b8438bcedecf62d

SHA256
efa0646cd8ebc29c31caaca8e15cec554ac6f718d45d91884e35a6ac908aa553

SHA512
be588366b78fa34e35bc70792cb7bbea19656d724d6fa99ea1e14f48d147ca481c0207b02c5b9936b2fac70837c0627c0912d33514bc852d4432e8c8010ea5dd

Download Submit
C:\Users\Admin\Pictures\7DrXW_readme_.txt

Filesize
3KB

MD5
d4712bcb2f698493917cf9b0dc15878d

SHA1
da25ed3f02810ef1876344c8d4fcc411f80c07e3

SHA256
f05dfd58a3a94eabd91de8621811708059319012876cde1cfd8798ef874e610e

SHA512
24e1c30782d0b2ceeb64f3fdb9597afba442a55c47ac9349edb5a5d1c3898b43409bf83826d420eb7382e23bc9248014c11423c8ff9127eb466d0cc0d4689aff

Download Submit