avaddon | 2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Size

775KB
MD5

4ecc7bbbed724a23a2d6b0037064a64d
SHA1

20b98609454cdbb242ff6102b344006f542f7f10
SHA256

2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
SHA512

48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52
SSDEEP

24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Ky4kB_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcaEeBcAAd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTg5OC1PZVdlQlE5dEFDZGNCK1dVV3A3YVBDUGlUd1hNeFhWZVRkaStZall3K0cxL3pCZ1M5OU1ZTkVtRWJOMHBuL2hCb3JpUVVJdzdFTTNYbEVvN09MTFBBVTFvaFI0NnYzdTc1Z1FCRERwYWZpMmlqemd1VXJaMUZJOVY0ME02TGZhQnNtZDBUOFA2M1cvSkVYQTFnaytRcExnYzBFL09xN0RCczQ3UnJjSFQ4N1FndlRMR2ZiMzFmTm9zQkVKcWhtcUsxOU5hNVRjRUFMemEyREtQWldTZFBaN0ErbmdjUkFLbm5uQmZkNFlla1NUVGI0M1U0ZnA2bHpGbGV2dG1oRmQ4WGJMZlBpK3hKaExWWEhmUmczV1p0YmNKT3JsTnJQS1NDOThLcU9PTmdVOHFuWDhUbkd6cjFFSktaTUM1MVZzMnhvWHFBd3pmZ0UvbHVLL2IxUnZydWl2bDArS0t5UjlyRGltSzFoNlkwS2hMUlptalhNRy9aeWpvbFpHbVlzL1pzeDRpbEw3R3ZQRGlMcXdSZEV4ZmFFejZjUlVjN0RyWHJyNGpxQU5NdVQxYXQ0aCtNRkZwWHY4dWNjR1FaZUd5bWNNRjNQOUh1NW1QdWh6eFIrMkh0eGx1cm5Wdm8vdFhnNTN2OHlBLzc4RmYxSnhUZkZoOUUvRU9BSGxZTTlNUkJpRU9sNG55Y2x1NitXZHZtNXJvRExxYkJpTk1tSzVxd3ZqcWlUYmxLNFZ6UFI2UE9NZVpUb21zMXRVNGtwdFZmSUR5MG54NTBSVG5XNUtGNEhxdjhqOE44L0g1akFJank0alRkU0VhM21PNGVubjV6U28rTm1iVFhIMEhqOG51ZTJBRVA4OGdIay9qdWZUYkp5QUZjZCtLeEJvSUUzUVlBckdTTGRHNXlTUHZJK3ZtRkJaaFppNjAycGJWam9WOEpja21MZWRkQXNwYjNObmpOaFg1UHdwc3ZGUXFQYmhiT1ZoUS9OV0R0NVJBODY0WkxTMmYyRUJzdjl4Y3ZlYU9vUmZYQ0hiZERCVTNLUFNLYWpEUlNUWGxjL205ZmJYUzlHV2FNWmJqQmU5b0V3UzAvdGZqS0szQW1rSStXamp5WDloVFBmcHNYQ1ZCUlVlbXRHTndRRFMxTy8vT1FkamxhMjdUTEQ3anB0RlpnQ3dsdllIMzk1SWNWbDZyN1IxTVd3VlFZakhBUkpvY3hzRHlvSFRJbkdGcGZaWG11VTV6eHdWU3djWlZGUnB3d0VsVXJxNnE4SXlIejdaNThoMkRaY3Jpa3V3NFRlanIraGpUOGltcktvSkZxNWFRVFhuNVZDR0FMbjBOZXRORk43aEdxU2lhQTFuTWRYRzR6dTNxNWRTSFN5NUNDRDBHYkpNK0NVWDFVcVljWDlMTUwwN1NzUkxxdXdGZlpvWHhjN2Iwdjh4cmYxTjdFMjNqT2pkbjgvdDFYeHlYYXZUVlFCbUVVN1lkc3FHQzFud0tja25aNllCZ2lHdCtNTm5CKzB0WHJ4N3o3ZmFqeVZjK2lsNHZOWmt2MUNTNmhWMURobVU1MVNtb3M0VzVWNEVtcytFN2V0bVExeS9pTXhkM0V4ZVhEMFcvVXZtaUo5ME9pUzEzbkpPZlBHbEpiRWtKOERNN2Fsbis2WlNTMHdUV1k4UUo5ZjNtVStKK0UxQUllSWptcy9OSmVpdHR2emVhT29nNVJYZHZPUkY3Ykhqa0JkYS9ucEI4SG5JUE5NOWNHN3pVMm1ZUHJ2SWxYR0pJMzE4U29wUW1TV2p4VEhZcjF3SnF3WXNocVlYM3hHLyt0U0gvcThwWnQrNHNlOXNJKy9YOTRRNHRGRWFGM09GWG5DQ2x2Vy8yWjJKRHpPQ29RTHViMjN3VW1MemxZQ1gzZkJ3ZXFiU3dDQ0V5RHlCdC80QnNIeTQzVEpuQUdxQTJNU1ZQZm1ZSXJlUGxrTDFIQ291b1JNekI5VDdobENVQlpkVHhEMXBPRTUxWExUa2h4WjFHaUJyQkNZRE9odFlBY3dhdUMza0xGOWdWaFRDNjRUaDdjWE9xNlloaklVWkF1dm5QMHpvaXRKRkc3a2VpbEwxcHhib0JjRDArZkpnSVpvcWFEcDhaK3Z2cE5OVHpwa0YxZTYwUUowdTFrYnV6eFpQV1NnYVFWZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * FSzhW8in2pn92WGTB85rh

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\Ky4kB_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023313-422.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3788	wmic.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3788	wmic.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3788	wmic.exe	96

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
5140	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\U:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\V:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\X:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\F:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\B:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\G:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\O:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\P:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\R:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\I:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\L:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Q:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\T:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\W:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Y:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\Z:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\A:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\M:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\J:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\N:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\S:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\E:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
File opened (read-only)	\??\H:	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1312	wmic.exe
Token: SeSecurityPrivilege	1312	wmic.exe
Token: SeTakeOwnershipPrivilege	1312	wmic.exe
Token: SeLoadDriverPrivilege	1312	wmic.exe
Token: SeSystemProfilePrivilege	1312	wmic.exe
Token: SeSystemtimePrivilege	1312	wmic.exe
Token: SeProfSingleProcessPrivilege	1312	wmic.exe
Token: SeIncBasePriorityPrivilege	1312	wmic.exe
Token: SeCreatePagefilePrivilege	1312	wmic.exe
Token: SeBackupPrivilege	1312	wmic.exe
Token: SeRestorePrivilege	1312	wmic.exe
Token: SeShutdownPrivilege	1312	wmic.exe
Token: SeDebugPrivilege	1312	wmic.exe
Token: SeSystemEnvironmentPrivilege	1312	wmic.exe
Token: SeRemoteShutdownPrivilege	1312	wmic.exe
Token: SeUndockPrivilege	1312	wmic.exe
Token: SeManageVolumePrivilege	1312	wmic.exe
Token: 33	1312	wmic.exe
Token: 34	1312	wmic.exe
Token: 35	1312	wmic.exe
Token: 36	1312	wmic.exe
Token: SeIncreaseQuotaPrivilege	1140	wmic.exe
Token: SeSecurityPrivilege	1140	wmic.exe
Token: SeTakeOwnershipPrivilege	1140	wmic.exe
Token: SeLoadDriverPrivilege	1140	wmic.exe
Token: SeSystemProfilePrivilege	1140	wmic.exe
Token: SeSystemtimePrivilege	1140	wmic.exe
Token: SeProfSingleProcessPrivilege	1140	wmic.exe
Token: SeIncBasePriorityPrivilege	1140	wmic.exe
Token: SeCreatePagefilePrivilege	1140	wmic.exe
Token: SeBackupPrivilege	1140	wmic.exe
Token: SeRestorePrivilege	1140	wmic.exe
Token: SeShutdownPrivilege	1140	wmic.exe
Token: SeDebugPrivilege	1140	wmic.exe
Token: SeSystemEnvironmentPrivilege	1140	wmic.exe
Token: SeRemoteShutdownPrivilege	1140	wmic.exe
Token: SeUndockPrivilege	1140	wmic.exe
Token: SeManageVolumePrivilege	1140	wmic.exe
Token: 33	1140	wmic.exe
Token: 34	1140	wmic.exe
Token: 35	1140	wmic.exe
Token: 36	1140	wmic.exe
Token: SeIncreaseQuotaPrivilege	3888	wmic.exe
Token: SeSecurityPrivilege	3888	wmic.exe
Token: SeTakeOwnershipPrivilege	3888	wmic.exe
Token: SeLoadDriverPrivilege	3888	wmic.exe
Token: SeSystemProfilePrivilege	3888	wmic.exe
Token: SeSystemtimePrivilege	3888	wmic.exe
Token: SeProfSingleProcessPrivilege	3888	wmic.exe
Token: SeIncBasePriorityPrivilege	3888	wmic.exe
Token: SeCreatePagefilePrivilege	3888	wmic.exe
Token: SeBackupPrivilege	3888	wmic.exe
Token: SeRestorePrivilege	3888	wmic.exe
Token: SeShutdownPrivilege	3888	wmic.exe
Token: SeDebugPrivilege	3888	wmic.exe
Token: SeSystemEnvironmentPrivilege	3888	wmic.exe
Token: SeRemoteShutdownPrivilege	3888	wmic.exe
Token: SeUndockPrivilege	3888	wmic.exe
Token: SeManageVolumePrivilege	3888	wmic.exe
Token: 33	3888	wmic.exe
Token: 34	3888	wmic.exe
Token: 35	3888	wmic.exe
Token: 36	3888	wmic.exe
Token: SeIncreaseQuotaPrivilege	4632	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4632	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	103
PID 2424 wrote to memory of 4632	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	103
PID 2424 wrote to memory of 4632	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	103
PID 2424 wrote to memory of 552	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	109
PID 2424 wrote to memory of 552	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	109
PID 2424 wrote to memory of 552	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	109
PID 2424 wrote to memory of 2880	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	111
PID 2424 wrote to memory of 2880	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	111
PID 2424 wrote to memory of 2880	2424	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe	111

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
"C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:552
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2880

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
1⤵
PID:6136

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
1⤵
- Executes dropped EXE
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

Filesize
775KB

MD5
4ecc7bbbed724a23a2d6b0037064a64d

SHA1
20b98609454cdbb242ff6102b344006f542f7f10

SHA256
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

SHA512
48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52

Download Submit
C:\Users\Admin\Documents\Ky4kB_readme_.txt

Filesize
3KB

MD5
6a0fecfd8a8bea3817efb368e38f768e

SHA1
8a4cb7b271c3b2fe17ba4341aa9f1e44761d5665

SHA256
a2f5bcae413c50b442ff4608ceefbc426f728722e49ad7797a90f5c807e640ce

SHA512
065b01127ad6b0145e0c4b1a21b33bbff7bc036262c96b40d2239c45b044bf5987164dd9c0968266eb2c013a1fbedff32c534979dfa5e3a9647357c4113b5f94

Download Submit
C:\Users\Admin\Downloads\Ky4kB_readme_.txt

Filesize
3KB

MD5
aaab96729edcaae738dc536554e264fe

SHA1
006a86178457dd9b7a7ce0fb8e8207699f5c728b

SHA256
0f3585284decb3af4bdd6115331b6a5150e098439323b405a3bf16a83c2f3cc3

SHA512
b7e790ae9895d51529fd3849e52b586ea8f92208b3f6bfb844eb2447ea7bb5c6f86e82bd65e4d0d0ec0b58a0a9fa21be31d0129bcabe19ad0a3baad20f62c01f

Download Submit