avaddon | 9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3

Analysis

max time kernel
163s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
Size

762KB
MD5

763217378a83acd3712728a51bec6862
SHA1

62b23d984ba0539b263bf929847a6f79ed7e5a89
SHA256

9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3
SHA512

d566ac0460aa76ea63d49308690dc6f8113bc5f811a1862218d09f92bffbeaee1b6e9771766f8b8e23b34a2026f80c1fe9dcb0d39f2aca3f267e75e24b63b486
SSDEEP

12288:wovdmyrrMXMNK+A+JLxkpheaiTOYqLNMhL3q/Pn75K1/LnBuueiFZMmmk3:woQEY+A+JLxcheaiTOYI+xOPn75+D/ZL

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aBdaEDCeec You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTIyMy00SkVCeC9VMitMNS95cVBMUHpCNXlWd1hPK1pSbFJMYVVkZ0lxTVNsaUNnejExaXdxNC9wN1A4aWpwUTNmTjlUOTNLRzRjZm5Qc2RFNVIrRUFkeU56Yk9INlBqSkhlUHE3R2RZdXBFcHp5dzdEQ1o1NTI2NVR6clhYQnl6MDRwcS85VGFraUlJSHRQOHVDdjlsa3Z6cHo5ZkpYNTAza0FpdG1DdGtFc2FUT1d0bmNFMnlKVDJWZGhVVnZsdTBYVXpyZXZqOHpuUVl2Q283d1V4R2lMSHMzanloanR4bVdXQ21qbmZONmVIRFhQcG9iSGNKcVY0bVVtMlp0dHZjT05MZ2xxVjQxSXFDL0RJV3ZrLytuWVdzQThleVhWVjNINU9yRGtmM29QUTZIY0V5dW5LcE5QZkxSNzRLYnVUWWZxbW5ITmlHK1Arc2JKbGFqOXNON2d5Z3I2amtKaTFKelJyczNRdEZGRGVkRDhxYW52SG9HbzBmc2tWTGFQQXZGNzJHcnY4S21KTlRyRjJWSXc3THluR0dUR2Y3aHE3ODhsa29xNTgzbFQyWDc4cTlnaEJmZ01aZ0ZMbVhWYkIwMDhodXNxS3plT0JWN1ZjZko1VmdpUEdIQ3AvN0N0TkgwZyswYlhPUjlPYytYNGFDazBCSUQ0dDZNVE85eFFDN3pSck1NZmpPc2tBeXBmYVA0M2Y2cVA2WG9CaUxwTmVZcWlvM3czKzl4WnRjWmpTeEI2VFpNRHZtNEFmLzFkbDdFSUlhYzJScHlMNzlram8vK0FVM05EWmdzSTVHTHY4d2pCdVhLSW5hcUpHUFh2akQvQmhxK2VrNHFCMDNoVmRiTHoveHM2Sm9FVVZScEVSa3pSMUt4TWpia3JoUDY0TWhWS0tUcDM4ZjVZbkF6WmpVRGJaTHdTclJzRm1pVmgzSEl5Z1NUYW5rYWliRytIQ2RNYTFldWExSk5JcGY0V2FHMlg1M2ROMHhWa3V1eWNsbjJYaU8xclBLM05YK05oaE1MbTRwZjZNNWh3eE43ZlpxOUdPbEFBOG9GRHo5eVh3eHV6TEtIb215RlVDL053MWw5d2RxWlJrb0hPTGlwZWIwa0t3VjhwMWFOZEhMeE5kalgwY1k4ejFsUGdrWjliKzg4NytPSzdNVXZuMUNCc2c4VDJoMVlaREVDc2R5VkhhM1lnazNLZ0k3ZllQcFFhMjFYUFVVN3BYYmZ4VXVFcldTQXZUQTduUExxeFJqc3VQU2lsYldBYWJZeGxwV3hVTXNpUlkvdlZNWHUvMWZqcVJFY0J1VklzU3Jwc0JyV0V5ZVg0R081bVMvUFd6cEptUUU0WGZtNDVrYkJQdUFMQWdYMzdGNUVvYkxGbFliaU1iKzhObm5LSXlUR2kwUnUveXl0WE90L1RvQlpQVHVkSk90MzlyWC9UV2xzdk41WndMZjlSTlJCLzBOSWlDU1IrdFB6NktuVTZPa3prb2ZxWUhsY1J5bXFGcTkrZlJRc3VIOHIyUEdwY1poTW9LcEk3TzBucUJocEROUlJXNlhVREN3U0tJV29Zbm5vSHJNQUpOQjJtRWtXNFFKK01WU3ZCN0NxelU5eEVWL3gyblh5SllLajMxZG9LQmtkd05rMUZFMy91ODh1RE5DbTEwS2Q2bm1ETllPUGozeXA5ZjQrZi9IclFzTlVrRmNad1BmU08zK05BS2ZWUVdHRHI4R2xrOXlKVW9MeDZtSEl4T3cycTVqMldWbnJKOUlRbktja25aQTJIRDR4YnR4NDlwUi8veHVGNS82N3h6V0xqVmFYY1Y2SnpwY0hEZ3EyQWZLQmxKcXo1blNGMnArb24yT2xjdG15RXFuY091N2daU1ROSVl1dVhpZWl0b3hDRDAyQTI5ZS82TzJKd29RZklHcnh1WXN6Um4xandZRXc3clIySFpwK3VlS0JhZU5sbHhnbW9lTzlid1ZPdXZ6bEJqVnVVQmRReEYwVE82bUloR3J1UHlnSTZRM0o2ZTlzT0Jpb3B0ZXNWUzg4ZEdPRHhrVlBUSXRYOTRra3FoejlnZ2Y1ZXkxcFgrSXNkQUtBNUxiaXE1WlZadDhwWTIxaTVXQ3RtQWdpYmdOYzY0dHVKczN5NlQwajRsejJvckxuS3d0Q2VBOGVzUFJWdWFWQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * mz2jE7E

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\OvtlQeYE_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023259-383.dat	family_avaddon
behavioral2/files/0x0008000000023259-384.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4908	wmic.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4908	wmic.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4908	wmic.exe	100

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (136) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
5388	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\R:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\Y:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\E:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\K:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\V:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\Z:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\H:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\L:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\M:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\N:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\S:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\X:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\B:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\J:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\I:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\O:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\P:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\T:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\U:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\W:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\A:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\G:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
File opened (read-only)	\??\F:	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4332	wmic.exe
Token: SeSecurityPrivilege	4332	wmic.exe
Token: SeTakeOwnershipPrivilege	4332	wmic.exe
Token: SeLoadDriverPrivilege	4332	wmic.exe
Token: SeSystemProfilePrivilege	4332	wmic.exe
Token: SeSystemtimePrivilege	4332	wmic.exe
Token: SeProfSingleProcessPrivilege	4332	wmic.exe
Token: SeIncBasePriorityPrivilege	4332	wmic.exe
Token: SeCreatePagefilePrivilege	4332	wmic.exe
Token: SeBackupPrivilege	4332	wmic.exe
Token: SeRestorePrivilege	4332	wmic.exe
Token: SeShutdownPrivilege	4332	wmic.exe
Token: SeDebugPrivilege	4332	wmic.exe
Token: SeSystemEnvironmentPrivilege	4332	wmic.exe
Token: SeRemoteShutdownPrivilege	4332	wmic.exe
Token: SeUndockPrivilege	4332	wmic.exe
Token: SeManageVolumePrivilege	4332	wmic.exe
Token: 33	4332	wmic.exe
Token: 34	4332	wmic.exe
Token: 35	4332	wmic.exe
Token: 36	4332	wmic.exe
Token: SeIncreaseQuotaPrivilege	452	wmic.exe
Token: SeSecurityPrivilege	452	wmic.exe
Token: SeTakeOwnershipPrivilege	452	wmic.exe
Token: SeLoadDriverPrivilege	452	wmic.exe
Token: SeSystemProfilePrivilege	452	wmic.exe
Token: SeSystemtimePrivilege	452	wmic.exe
Token: SeProfSingleProcessPrivilege	452	wmic.exe
Token: SeIncBasePriorityPrivilege	452	wmic.exe
Token: SeCreatePagefilePrivilege	452	wmic.exe
Token: SeBackupPrivilege	452	wmic.exe
Token: SeRestorePrivilege	452	wmic.exe
Token: SeShutdownPrivilege	452	wmic.exe
Token: SeDebugPrivilege	452	wmic.exe
Token: SeSystemEnvironmentPrivilege	452	wmic.exe
Token: SeRemoteShutdownPrivilege	452	wmic.exe
Token: SeUndockPrivilege	452	wmic.exe
Token: SeManageVolumePrivilege	452	wmic.exe
Token: 33	452	wmic.exe
Token: 34	452	wmic.exe
Token: 35	452	wmic.exe
Token: 36	452	wmic.exe
Token: SeIncreaseQuotaPrivilege	2764	wmic.exe
Token: SeSecurityPrivilege	2764	wmic.exe
Token: SeTakeOwnershipPrivilege	2764	wmic.exe
Token: SeLoadDriverPrivilege	2764	wmic.exe
Token: SeSystemProfilePrivilege	2764	wmic.exe
Token: SeSystemtimePrivilege	2764	wmic.exe
Token: SeProfSingleProcessPrivilege	2764	wmic.exe
Token: SeIncBasePriorityPrivilege	2764	wmic.exe
Token: SeCreatePagefilePrivilege	2764	wmic.exe
Token: SeBackupPrivilege	2764	wmic.exe
Token: SeRestorePrivilege	2764	wmic.exe
Token: SeShutdownPrivilege	2764	wmic.exe
Token: SeDebugPrivilege	2764	wmic.exe
Token: SeSystemEnvironmentPrivilege	2764	wmic.exe
Token: SeRemoteShutdownPrivilege	2764	wmic.exe
Token: SeUndockPrivilege	2764	wmic.exe
Token: SeManageVolumePrivilege	2764	wmic.exe
Token: 33	2764	wmic.exe
Token: 34	2764	wmic.exe
Token: 35	2764	wmic.exe
Token: 36	2764	wmic.exe
Token: SeIncreaseQuotaPrivilege	3456	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3456	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	109
PID 780 wrote to memory of 3456	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	109
PID 780 wrote to memory of 3456	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	109
PID 780 wrote to memory of 3748	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	115
PID 780 wrote to memory of 3748	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	115
PID 780 wrote to memory of 3748	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	115
PID 780 wrote to memory of 1696	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	117
PID 780 wrote to memory of 1696	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	117
PID 780 wrote to memory of 1696	780	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe	117

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
"C:\Users\Admin\AppData\Local\Temp\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:780
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:3748
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1980

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2120

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe
1⤵
- Executes dropped EXE
PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Filesize
603KB

MD5
e0d030515788c3a1b736300c1a4a21a9

SHA1
4d2405468dcb9b3b53cf132523ab177fa709076c

SHA256
c90010d606a6fbe7bbc854533b98dd3abf3bed231398d7d932544179d00f6a67

SHA512
6f6a210b2319fb6327a72583053e6994a9b6f9f42c8976ee3bba87cf68fb1b50ff95ec8421c4195b7d3bf7f5b777e5b7c5a70990161f204ac0caa8c09d802c24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9f8f217060e6f2d821f1f0bb17bbd97a26d4ea4b9e70316e6a4b836273eaccd3.exe

Filesize
256KB

MD5
128b92b2d3118ad2d1d038291171c536

SHA1
2fa6f92c0d9f9903405296122fc1e18435090ce8

SHA256
8bb8e3d7627cd3d7dd8ad7e00d1f01f6b60314cb4f0b2bffc652420d42eb89b4

SHA512
c4ce522fa1ca08a51d20617892147dd17eeb30aa4263e4498f67eb65baf6d42fae727d53144ebf9a4d6fe9c310039b723d379cecd6183416692901239bbebcac

Download Submit
C:\Users\Admin\Documents\OvtlQeYE_readme_.txt

Filesize
3KB

MD5
81d175b5839845551e1b411328225971

SHA1
688ad44dcad08c6e3d3f9e58a907ba76e5242a5a

SHA256
c28c848e61cb04377ccd7e5bf4c9d9c54b92e38758326e92c043c1c60df1ae3b

SHA512
65badcf027cbf848d718e04f396b2c19190f7e6e4e8748d84d3d713248c4b20cbd7df5fbb1491848521d1737fb81fd9478328e69d24802624618c62af3f8387b

Download Submit
C:\Users\Admin\Music\OvtlQeYE_readme_.txt

Filesize
3KB

MD5
6ee17c04daf626d9d523b6850c5f5f55

SHA1
186bd74d86cb5770aa3d4ea395ec812d23f6e4cd

SHA256
b9496526a4e4b3ce16bb025acc443692ed54e77eefb62d64ce58d459744fa05d

SHA512
bb99c4694da24f8820e60c58e4e2f7ca3ec73ea825970672a6c6d792a90a636359d41edf89afd2c1223a01955350dd073d36227124b2da9be05b9160726a02c3

Download Submit
C:\Users\Admin\Pictures\OvtlQeYE_readme_.txt

Filesize
3KB

MD5
97face70852745de28d777d9e4305415

SHA1
4698f7dfdf07cec46ec6a2b2d143b665de6a1ee7

SHA256
6badf7c306581a3565ff9409637dbbe244157bc65709d35b9813dc789c08f9ec

SHA512
33e9cb9d4c9a713a4ae187a096fa1cd4da6ae2b077a80f5991bc69178dd3c375855afcccc6c191acc9ab0092a3a6c654a76143d6040ea838bc81546b69e5187a

Download Submit