Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 13:40
Behavioral task
behavioral1
Sample
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Resource
win10v2004-20240226-en
General
-
Target
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
-
Size
775KB
-
MD5
21de830008ad31c83a09be67a3ae8b4d
-
SHA1
c95ac053d6f4284e41dfea342bb30aede7b02244
-
SHA256
bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac
-
SHA512
293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1
-
SSDEEP
24576:+Csr9+OXLpMePfI8TgmBTCDqEbOpPtpFadxfq:Y0OXLpMePfzVTCD7gPtLaffq
Malware Config
Extracted
C:\Users\Admin\Desktop\eM9UR_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\Microsoft Websites\eM9UR_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
resource yara_rule behavioral1/files/0x000a000000012252-514.dat family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 2560 wmic.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2560 wmic.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2560 wmic.exe 28 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 2544 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\Z: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\K: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\O: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\P: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\N: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\W: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\X: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\G: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\H: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\M: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\L: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\V: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\Y: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\I: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\J: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\Q: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\R: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\S: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\A: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\B: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\E: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\T: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe File opened (read-only) \??\F: bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1628 vssadmin.exe 1816 vssadmin.exe 1596 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2904 wmic.exe Token: SeSecurityPrivilege 2904 wmic.exe Token: SeTakeOwnershipPrivilege 2904 wmic.exe Token: SeLoadDriverPrivilege 2904 wmic.exe Token: SeSystemProfilePrivilege 2904 wmic.exe Token: SeSystemtimePrivilege 2904 wmic.exe Token: SeProfSingleProcessPrivilege 2904 wmic.exe Token: SeIncBasePriorityPrivilege 2904 wmic.exe Token: SeCreatePagefilePrivilege 2904 wmic.exe Token: SeBackupPrivilege 2904 wmic.exe Token: SeRestorePrivilege 2904 wmic.exe Token: SeShutdownPrivilege 2904 wmic.exe Token: SeDebugPrivilege 2904 wmic.exe Token: SeSystemEnvironmentPrivilege 2904 wmic.exe Token: SeRemoteShutdownPrivilege 2904 wmic.exe Token: SeUndockPrivilege 2904 wmic.exe Token: SeManageVolumePrivilege 2904 wmic.exe Token: 33 2904 wmic.exe Token: 34 2904 wmic.exe Token: 35 2904 wmic.exe Token: SeIncreaseQuotaPrivilege 2472 wmic.exe Token: SeSecurityPrivilege 2472 wmic.exe Token: SeTakeOwnershipPrivilege 2472 wmic.exe Token: SeLoadDriverPrivilege 2472 wmic.exe Token: SeSystemProfilePrivilege 2472 wmic.exe Token: SeSystemtimePrivilege 2472 wmic.exe Token: SeProfSingleProcessPrivilege 2472 wmic.exe Token: SeIncBasePriorityPrivilege 2472 wmic.exe Token: SeCreatePagefilePrivilege 2472 wmic.exe Token: SeBackupPrivilege 2472 wmic.exe Token: SeRestorePrivilege 2472 wmic.exe Token: SeShutdownPrivilege 2472 wmic.exe Token: SeDebugPrivilege 2472 wmic.exe Token: SeSystemEnvironmentPrivilege 2472 wmic.exe Token: SeRemoteShutdownPrivilege 2472 wmic.exe Token: SeUndockPrivilege 2472 wmic.exe Token: SeManageVolumePrivilege 2472 wmic.exe Token: 33 2472 wmic.exe Token: 34 2472 wmic.exe Token: 35 2472 wmic.exe Token: SeIncreaseQuotaPrivilege 2612 wmic.exe Token: SeSecurityPrivilege 2612 wmic.exe Token: SeTakeOwnershipPrivilege 2612 wmic.exe Token: SeLoadDriverPrivilege 2612 wmic.exe Token: SeSystemProfilePrivilege 2612 wmic.exe Token: SeSystemtimePrivilege 2612 wmic.exe Token: SeProfSingleProcessPrivilege 2612 wmic.exe Token: SeIncBasePriorityPrivilege 2612 wmic.exe Token: SeCreatePagefilePrivilege 2612 wmic.exe Token: SeBackupPrivilege 2612 wmic.exe Token: SeRestorePrivilege 2612 wmic.exe Token: SeShutdownPrivilege 2612 wmic.exe Token: SeDebugPrivilege 2612 wmic.exe Token: SeSystemEnvironmentPrivilege 2612 wmic.exe Token: SeRemoteShutdownPrivilege 2612 wmic.exe Token: SeUndockPrivilege 2612 wmic.exe Token: SeManageVolumePrivilege 2612 wmic.exe Token: 33 2612 wmic.exe Token: 34 2612 wmic.exe Token: 35 2612 wmic.exe Token: SeIncreaseQuotaPrivilege 2904 wmic.exe Token: SeSecurityPrivilege 2904 wmic.exe Token: SeTakeOwnershipPrivilege 2904 wmic.exe Token: SeLoadDriverPrivilege 2904 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2360 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 35 PID 2308 wrote to memory of 2360 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 35 PID 2308 wrote to memory of 2360 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 35 PID 2308 wrote to memory of 2360 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 35 PID 2308 wrote to memory of 1628 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 40 PID 2308 wrote to memory of 1628 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 40 PID 2308 wrote to memory of 1628 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 40 PID 2308 wrote to memory of 1628 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 40 PID 2308 wrote to memory of 1760 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 42 PID 2308 wrote to memory of 1760 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 42 PID 2308 wrote to memory of 1760 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 42 PID 2308 wrote to memory of 1760 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 42 PID 2308 wrote to memory of 1816 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 44 PID 2308 wrote to memory of 1816 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 44 PID 2308 wrote to memory of 1816 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 44 PID 2308 wrote to memory of 1816 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 44 PID 2308 wrote to memory of 2364 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 46 PID 2308 wrote to memory of 2364 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 46 PID 2308 wrote to memory of 2364 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 46 PID 2308 wrote to memory of 2364 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 46 PID 2308 wrote to memory of 1596 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 48 PID 2308 wrote to memory of 1596 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 48 PID 2308 wrote to memory of 1596 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 48 PID 2308 wrote to memory of 1596 2308 bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe 48 PID 3008 wrote to memory of 2544 3008 taskeng.exe 54 PID 3008 wrote to memory of 2544 3008 taskeng.exe 54 PID 3008 wrote to memory of 2544 3008 taskeng.exe 54 PID 3008 wrote to memory of 2544 3008 taskeng.exe 54 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵PID:2360
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1628
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵PID:1760
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1816
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵PID:2364
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1596
-
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1664
-
C:\Windows\system32\taskeng.exetaskeng.exe {407A6F1E-7166-4E86-AFC8-E73D94C17F14} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe2⤵
- Executes dropped EXE
PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
Filesize775KB
MD521de830008ad31c83a09be67a3ae8b4d
SHA1c95ac053d6f4284e41dfea342bb30aede7b02244
SHA256bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac
SHA512293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1
-
Filesize
3KB
MD57b22d8d9d994e328b61064ee93888782
SHA10410dec396738cc17718f4fb24f862ea54fbc846
SHA25651caf465250d13bb55b24242f77972890810f0e0fd0012436b8824d479a3d951
SHA512b5823ca1f864efbf7042784e34ecb10b427e58d8516e3f2d786823ffd033089f55223bf9f72f56ef9500ac98599d2d6bcf242120ff64066f0285746c76f49698
-
Filesize
3KB
MD512c59a4fb36018ad6163f598d7b343b5
SHA191e37e2dc52bc2f6ef8631da1375a59810cbd38d
SHA256d1a7b98f090cf1e04f224bd89fe7391488691a0433cf98c25acb29c1d91bb2ac
SHA5128a47b8cdfa26e9dbd20002caf66fcfa907cee647af9356f7ecb9023a4962842d5d4aa9bd6932c660e63ea611e839040e7439fe1d8fafead360a8655a4d4bad01