avaddon | 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

Analysis

max time kernel
142s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Size

775KB
MD5

66ef4802ece3a0d62cab8be7d6065c8d
SHA1

bf9bf0b3242ffb55726d8886480b23fc60b756c2
SHA256

33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e
SHA512

84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c
SSDEEP

24576:+Csl9+OXLpMePfI8TgmBTCDqEbOpPtpFa8xfq:Y+OXLpMePfzVTCD7gPtLaUfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\uxO27_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CBeCbdDDbb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTcyOC10TUo0VzFoNkpCQk1tOW1TdnJWUVlCNThYaTlpVytRcnhPVmFJYzE0b3pKeVp6bno5Q0FGRVk4UDF3aVFXVmp6RDRwSktCSEJhNlRmNU5tU200TXVDVjFnT2YwdWZGOEdnN041TFE3aWJ3eHlSS1FzdXRoMTlqelkyRmNMWTJKN0o0RGMxZ3ZINHFHcTNXNk1ZVk5qVWtQNzFWSDE1K3JRMjJvR000OHpnelUvaGlFOFFLZWFEalFIaVY5RldtLzFPcWFPcFMvRWZHODExUTF6aHc1MTNWZTV0UHJBeC84dVdzS09DdHRWQjFJT2ZpRGlueDgwem1TaTRnczVOQzNFMXdIVmVSenFmOGdVNDYwcGRqcklETlZFaVp5ak5Dbk1PcE02MXl4N3dIZFNRZDFFRWxCSWl6NW1WNlMwUHI1UXgzMEdodkdkczdTQnByVmo5SUhtcFcrWGxNOW5WQk1aTUdNY2FiRGJ6SjM2VUR2Nm9hNytGWWNnQW1aUmJiTm9yb1cxbDR2eWZ4RC9oZHJLNVBIUXlJUlpzb3FVUWZtempiRHE3dnVTSG8wZEp0ZjFPVnR5bFloVVd3WVBodkdIbEZwbWEzdDBhbzFzaTRZVVB6Q085cDMycnZXRFAyNEd2c1hFSHFDREV4Z1FneTFTQktjeCs4TkRvWDdrTy9iZkZKcXZpUUpIWFFXV2FsMlM4RmVTOEJDWkU4cVB0Nk1mYVRyaGZVTUJ2MVJrdWdabnJBV0JrZDJuRlBiOFVzUzhBRWNONCtvOEwvRUNxSGJsbUQwOXUySUNYSXR1d0JmMy9sUnl0SFZxclN2SHlTRTNLVkdrZXYyZTRybUdlM2o1RFBCSnF6eE45dG5XbVVoQXdVRTdBMWlXYnlXQllDYitSZmVPUXdIQ051TXRJb3FJZzRRRW9lblA4OU41MHRhWGEyT0VRZzhCZmVtZmtKdzg0M0F1Sk5TdEtjN1NUSi95ODJLcTdnOHRUNzdNVjRMT01kM0doSi9XY2FBenlxRlhuZmE4Ymc0YjBrcUk1cVVSYTEydURKRWRmV05YYWVqQm5PVHppd2R4UXRQZ3d3Y2xIWVdNV2lQZGQyVG05R0RjZ2JUdktZRjlsTVZudnpMaENJTGF4d1Z4UVB1d01Vei9zc2ZONThXUExjK3FEaytKeVptcXlOZUxBdW9QWWp3cFRCdmRLaFd0YVl1UTVLU1N6eXVJcDc5cHh4b0FBSUtwUS9TS0dSbTlFZktzU2JjRW1jTHAxYUdjWHFtVE1JcUZDZE84M1lCampkU1JtaUVxc3V6Qk9YTVFoamRUUGdOSi9wVkk1T3M5aGwxcGNrVE55enZHVW8yZXpyWm1IbHpLcHB4QXBoTzFUbkxPOVM2V2VJOGlLRHM3TlF1SE01MFRUdmlxdTBsY3lPaFgxZXltbS9xY2lac1E0dll5Ym1ZWitOb2R4blFtT0c1eWkzS3drQ0htYWtOczZ5NVVKWGRSazRyYW85Ri9TMm81WlBmd1BLQmhwYW9wWGJwcCs4a1cwOXNYNXNNbHlHeVc5OVVnbkQ3KzU0cmxKWHZYYlVUemhqUklsTkdyVG45bTBTZmpnN25EQmVaKzhyMmlENlZHSlJGbmhJY21pNnkyWjBmU1pnLzJrNFV5Mm9jZHl6ZVBkZkFoSDA5OG1MRFV3UlMvWG9OdWZFQ1d5ZmZMNGRQSWIvQzdaQzV0aXJoc3N5RWNSMGRyWkF0cnpQUGxOOXVLUXpwalY3WXZVSGZQN1dyelNSMXNsMXhmSm1OZXNvQitTNFVPNFExblIrdHZCeHEyQkRucmlqamd4MENBQkl5U2tpMEFXbFNFWjFLZzlhR3VrZ05qV3pFcnlzdXlseEpMZWQ1U1BLdU4wZFQzdjJ1TGpsZkZtbnRnMm5uU0Qxd0UrNjhScEx5QlFOWWR1UW4vVTR6MytFOTcxS2dUNGc1RHVlb1JjVitMQkloM04rR01tQXRQWHgvcTRHZ1lWTlA4YTRhMVNudy9KOENoWkw1dWJteDl2cXRsdHJiQVZjUll3ZThBR3V2SG5VQk5xNm9zTnVPNWd3TlVKeXNkYmxNb281RXRyblpSVU1WUWhjRnlTRGMyUVVvRVZFWGVWTW1VNWRYVDNOK3hmRWRLb0RQWTNDdW5uZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NgNYmsP7wsPUclfkGleyJNk

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\uxO27_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\uxO27_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\uxO27_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023250-486.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2064	wmic.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2064	wmic.exe	101
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2064	wmic.exe	101

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (164) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
860	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\J:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\K:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\M:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\U:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\X:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Z:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\B:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\R:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\T:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Y:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\O:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\E:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\P:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Q:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\S:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\V:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\W:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\A:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\H:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\L:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\N:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\G:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5012	wmic.exe
Token: SeSecurityPrivilege	5012	wmic.exe
Token: SeTakeOwnershipPrivilege	5012	wmic.exe
Token: SeLoadDriverPrivilege	5012	wmic.exe
Token: SeSystemProfilePrivilege	5012	wmic.exe
Token: SeSystemtimePrivilege	5012	wmic.exe
Token: SeProfSingleProcessPrivilege	5012	wmic.exe
Token: SeIncBasePriorityPrivilege	5012	wmic.exe
Token: SeCreatePagefilePrivilege	5012	wmic.exe
Token: SeBackupPrivilege	5012	wmic.exe
Token: SeRestorePrivilege	5012	wmic.exe
Token: SeShutdownPrivilege	5012	wmic.exe
Token: SeDebugPrivilege	5012	wmic.exe
Token: SeSystemEnvironmentPrivilege	5012	wmic.exe
Token: SeRemoteShutdownPrivilege	5012	wmic.exe
Token: SeUndockPrivilege	5012	wmic.exe
Token: SeManageVolumePrivilege	5012	wmic.exe
Token: 33	5012	wmic.exe
Token: 34	5012	wmic.exe
Token: 35	5012	wmic.exe
Token: 36	5012	wmic.exe
Token: SeIncreaseQuotaPrivilege	4404	wmic.exe
Token: SeSecurityPrivilege	4404	wmic.exe
Token: SeTakeOwnershipPrivilege	4404	wmic.exe
Token: SeLoadDriverPrivilege	4404	wmic.exe
Token: SeSystemProfilePrivilege	4404	wmic.exe
Token: SeSystemtimePrivilege	4404	wmic.exe
Token: SeProfSingleProcessPrivilege	4404	wmic.exe
Token: SeIncBasePriorityPrivilege	4404	wmic.exe
Token: SeCreatePagefilePrivilege	4404	wmic.exe
Token: SeBackupPrivilege	4404	wmic.exe
Token: SeRestorePrivilege	4404	wmic.exe
Token: SeShutdownPrivilege	4404	wmic.exe
Token: SeDebugPrivilege	4404	wmic.exe
Token: SeSystemEnvironmentPrivilege	4404	wmic.exe
Token: SeRemoteShutdownPrivilege	4404	wmic.exe
Token: SeUndockPrivilege	4404	wmic.exe
Token: SeManageVolumePrivilege	4404	wmic.exe
Token: 33	4404	wmic.exe
Token: 34	4404	wmic.exe
Token: 35	4404	wmic.exe
Token: 36	4404	wmic.exe
Token: SeIncreaseQuotaPrivilege	1004	wmic.exe
Token: SeSecurityPrivilege	1004	wmic.exe
Token: SeTakeOwnershipPrivilege	1004	wmic.exe
Token: SeLoadDriverPrivilege	1004	wmic.exe
Token: SeSystemProfilePrivilege	1004	wmic.exe
Token: SeSystemtimePrivilege	1004	wmic.exe
Token: SeProfSingleProcessPrivilege	1004	wmic.exe
Token: SeIncBasePriorityPrivilege	1004	wmic.exe
Token: SeCreatePagefilePrivilege	1004	wmic.exe
Token: SeBackupPrivilege	1004	wmic.exe
Token: SeRestorePrivilege	1004	wmic.exe
Token: SeShutdownPrivilege	1004	wmic.exe
Token: SeDebugPrivilege	1004	wmic.exe
Token: SeSystemEnvironmentPrivilege	1004	wmic.exe
Token: SeRemoteShutdownPrivilege	1004	wmic.exe
Token: SeUndockPrivilege	1004	wmic.exe
Token: SeManageVolumePrivilege	1004	wmic.exe
Token: 33	1004	wmic.exe
Token: 34	1004	wmic.exe
Token: 35	1004	wmic.exe
Token: 36	1004	wmic.exe
Token: SeIncreaseQuotaPrivilege	4404	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1120	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	108
PID 1648 wrote to memory of 1120	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	108
PID 1648 wrote to memory of 1120	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	108
PID 1648 wrote to memory of 1588	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	113
PID 1648 wrote to memory of 1588	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	113
PID 1648 wrote to memory of 1588	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	113
PID 1648 wrote to memory of 2104	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	115
PID 1648 wrote to memory of 2104	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	115
PID 1648 wrote to memory of 2104	1648	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	115

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
"C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1120
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1588
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2104

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:652

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1⤵
- Executes dropped EXE
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Filesize
775KB

MD5
66ef4802ece3a0d62cab8be7d6065c8d

SHA1
bf9bf0b3242ffb55726d8886480b23fc60b756c2

SHA256
33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

SHA512
84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c

Download Submit
C:\Users\Admin\Desktop\uxO27_readme_.txt

Filesize
3KB

MD5
09d2b2a1d67631e434d176445742ddcf

SHA1
fd3b47b2e9d88f274b388f9fad3e5594165d9e7c

SHA256
3c4b6c5671340916bc769563f175821f462eb735edb4cdbd2f2809a5bc7ffd40

SHA512
d8b6a75aa395e6d309255a0c00b4f0870f3a9a3fc8174ea38ae758f6013e30b5cbd2050966d8ed69153e3bd2306ef5f732f5ca25bd0f8bd072a95399d0485bff

Download Submit
C:\Users\Admin\Documents\uxO27_readme_.txt

Filesize
3KB

MD5
4bc35a0f93902ea2dfc129fe8d813975

SHA1
0b3d227dfb54c84ee69ea9d59bea1c392ff007aa

SHA256
0a0374a370f542fb45bc5d7886da1ecc1b8006fc0b3246b7991b141e318d564f

SHA512
8cc1886866e4db1ac80da1a85427f3924f30af26f9b2686fe937c3d260806e4a532343a36f3e2e3ac89ae025a4934eadeb14182d9d31c287eef3ffd8dd34642b

Download Submit
C:\Users\Admin\Music\uxO27_readme_.txt

Filesize
3KB

MD5
419381675e3356a110db3ba4813d76d1

SHA1
d08086d9d86526d81239fa1ce12b3f107041b5b2

SHA256
b9c669f0de7df79d987b76aa62aee0c9804d9afdd1601db802b32802faf3cd9a

SHA512
24281ab49586070d1ca546234039572a514467eed455d883e21847052fbbaa2693f44ea7317bec6d80f409df7a0aa75ab7ce303fb87230325103074831bd55c2

Download Submit