avaddon | b1c1cbadde188d81df31f6e9c19f412072af709c8581020bdc1b925ea7454316

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Size

881KB
MD5

c83f30c065f7f61428eac2370ddb4f53
SHA1

cfd70af0c89d7b00839c1d32852c53c603d35e32
SHA256

bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
SHA512

26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51
SSDEEP

24576:WvdmYEBLExewPcf5WHHs3Ggo6EoI+/tH0q:WhEBLug5WnsWn9KN

Score

10^/10

avaddon evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.html

Family

avaddon

Ransom Note

<!DOCTYPE html> <html> <head> <title>Avaddon</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #f1f2f3; font-family: sans-serif; line-height: 1.5; color: #333; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #dc3545; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #fff; } .description, .attention { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="83" viewBox="0 0 200 83"> <image width="200" height="83" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQ0AAABwCAYAAAAE2SWjAAAgAElEQVR4nOxdBZhUZff/3Xunc2u2g24URFEwADEQsBAxUBTEFsxPvxBU7PxEFLARG0TsQBRbFCSkc4vtrskb/+e8987uzM7MssCi/D/3PM88U7fve8974nd+R0Cn/B2kFwA9gMbOu90pndIp+5PrAYgAlnZeqU7plE5pS04FsAaAor1IcTg7r1indEqntJYkAC+FKIvQ15zOq9UpndIpoXILgIpQRTG8W7fAcQMHitp3imlYO69Yp3RKp5Arsi5UWfCAOHvqVK8SCPhXr1ghhvz36N/+anVKp/yNJTWKKyJfeN55gT1lZX5FUSRFUZSmigoxXqcLKg6PlknplE7plL+Z3AigNlRh9O7ZU/xkxQqPUlrqVn76yae0iPzgjBn+kGVv7hwsndIpfx/pD+CX1kHOa++6yxfIz29Unn/eV56eLu4GxIb580lxyKQ6GsvKAno1g0LLl3aOl07plL+H3AFAClUWJ4wYEfhh9eom5eefm7zHHhvIBZTCuDhln9Op5PO8KObmBjR7Q54xaVKotTGxc8x0Sqf878qZANaHKovELl2kBa+/7lG2bWtS7rzTVwQo+Xq9Uty1q1KUlcXe8wCl7IwzKLYhktYo2b49EKJ0tnaOl07plP89OQfAJ6HKwuFySU+/+aan+O233cpjj/nqsrMlsi6KMjOVopwcpjCaX5mZSi4gN739drO1cf2ECaHWxrmdY6ZTDlS4zit2RIoFwAsAJjcfnNWKSZdc4nt80iQxe88ewf/QQ8aSwkJOSEyEYLdDkaTI8+B5iIWFMPTrJ6Vu2kS/CPX79onOrCye/gWQB6Dr3/pKd8oBS2fB2pEnlwBYDuDk4JH11uvFl0eNCtx9wgmKc/58Y/7ChQav0cjpkpOh0+lgUhRYOY5FOcXQmUBRwDud8O3axelSU0XDscfyRoeDy/v1V2nj7t107+MAvKZlYTqlU9olnZbGkSMDADwCYFzwiHhAnhUfL93hdMLGcUJZbi4fsNlgTUqCQZZpEcUNyHWKIhfJsmLjOC6H4/T+0FPiOMg1NWSJSBl798p8Sop+77p1ge5DhgiatTEbwP1/26veKQcsnUrjrxedVhPyr9AjOctsDjyemIj+RqMgiiLfIEkw8Tz8gFStKHK5oijlioIKReGqFYWrkmVM0OvRl+d19YoSdlKcTgdfbi5s55wTSPrwQ9qfctaQIfIX69bR53rN4lCOqKvSKUesdLonf60MB7AyNCBp53n50fh4cZ7LJSTrdLqmQAB1gFwNSHmAvEVRlE2KIuQDfA2g43heCHAc7+I4ZRjP8wGAk1ufkixDsNngWbuWNw4aJOr79NH17tJFfvGNN2jSMAHYp8HQO6VT9iudlsZfI4kA7tYKzJjEcZxyld0u3R0fr8SZTHxAFLFXFAPlisKVKArKJYmvVRROVBSeUxTRK8v6gKJIoqKIZGlMt1j4EwRBXyHL0W8qz0MqLQUfFydmFBZy0Ov5oV26iGvy8wlSXgAg53/7kndKR0mn0vhzhcrW7wVwWZDbggeUcQ6H/xKbjR+k13v3SJKw1ucT9oqiXBAIoFKSDB5ZJmXB+WVZ9igKvLIs+RQlWD+inGE2i5+npOhqZJn3KbG9DE4Q4M/Lg33SpEDCu+/q1v30kzzkpJN4bRxMB/Dy/9wV75QOl06l8efJdQAe0KyMZhEAZajFInoVRbfF75f9kqRobmP77g3HYWV6ujTaYBD2iSKLbLa1LAIB+EpKlK6rV4s4/nhdttOpFNbX02p1AK4BUAigWHsF/r9c3E7586RTaRx+yQQwH8DZh2NPF8fFiYsTEviGQID3tmcFDbthHjBAdG3ciP/cdRf/0GOPRdM1JRqOg5RIPoC9mhuzG0Bup0L5+0qn0ji8cotmXRwW4hurIMgfpqeLowTBUCJJ7b6ZHMfBW1CgdF21Sqw95RTEC0Iw/dpeCSqUvZoC2am979BIgDrlf1g6lUbHCz2A4wHMAjDkcO7oioQE/+NOJ2+SJJZmbffN5DhIxcWw9O0rJf7xhzzt0kv5V99+OyyTZtDr4A+IB3pIZOzs0RTKLk2J7NGUSv6BbqxTjkzpVBqHLoRx6A5gMICRAE4BkNWerRp0AjIyM5GV3QUZmRlISk7Bsccei+3bd+LhB+5rc900g0FemJIijuJ5fZMsR6ZZ9yeiCH9JidKlqUkp8HjknKQkPtTauO6GGXj8sUew6Y8N+O77H7Fnz27s3b0Lu3fvRkHhvoO5aEFlsl37vFtTLHmasumU/yfSqTTaFk7LeNg15WDXYhT9tZqNXprCaBfL9+mnn4ZTR42CyR6Hnj17Ijk5GWarHa6UVNjtFtQ1epHmMGHDpu0YfFTftjal3JiUJN5ks/HZsizUHIiVERSeRyA/H65bbxUtTz2Fc0eMwEfff68L/p2SloHbbr8Dd95+S9hqNQ1u7Nm9EwV5edi+fTtTJvl5eaivr0d9XR1qqqtRUVl5IEixci1WUhoSgN2nvddovKYNAJo0uPsBmz+d0rHyd1caFGtIC3llaEohVVMG9FuyBoA6ZLn+hpsw/7l5bDNucv4r6tDQUI+A34fa2jpYrBYcP7Avln24EhPPOz3m7k622eR/JCRIxwM6nlKxB3lgiscDsbpaymlqQkljI9JdLq51bKNv/4HM2hB4HgXltUhJjoMxyrYaAgr8Xg8CPh/qa2uwY/s2rF2zBl+v/Ao//fxzR1w+skaqtXhKgaZUSrRAbZn2uQhAVUfsrFNiy99BaZAS6AKgm2Yd0PdsmkwBpANwtbWy2WRCcrIL3br3QJLLhYysbBw7ZAhkhcOVUy6DLB3YxHfSKaPw8ccfIq+4nM3OPM+hqakJdmc8Tji6H3bs3ofx48/B3p3ro65v4Xn59uRk5SyDAYMAofpgrIygaLiN1EcfFU133sldcPLJyvs//qhrvdiECy7EsveWYG9xOYt16HR6cLwAncBDlCT4/QHwggCr1QqnkY84nt9++w133XUXvv3227DfMzIyMW3aVGzevAnr1q3Hvn37IEWr1m2/uDUrpVJTIEWaBVOgvUq0QG3Doezk7y7/K0ojJcRd6BaiJDK1+ELEg9BaDAY9Bh51NHp074Gcbt2Qk9MVNrsN3Xv1Rk52DuxOJ8SACKfN2LyxIccej3W//3bAB/v4U//FtTfdjF9X/wqvzwOHw4lBgwbBYeBx7gVT8NH7r8dcd5jFIs9ITJSPBfhkjuOb2gBztUcIJarv1y+QumEDv2XDBgwYPDjC2iBZuepbjB45Alv35MNgMIDnefh8Pnh8XgicAKPRALvNBpPZzEaVThBgMeig51uG2AMPPIBZs2Y1f+/arQdWfPU1enTLZt+Lioqwa9cubNu2DTt37sTGjRtZDIWUiXKI5xkiNZqVUqq98rW4SpmmcIKKpdMNiiH7fZiOEDGFWAbdNeWQoX0OuhQRLoTDbkNycgr69euHmro6/PD99zHP5tmFL+LqqVewzw0SUF1VC8pEWm02NDQ0YOeuPUyxVBgNEAQdemam4Jghxx6U0thXuA8+fwA6vR4WgUd2dg5TGCSbN21oa1XlGIsFiRzHpwJcQwc8SEJSEgIbNwry9u1y/0GDhJP69JF+3L49QmnMuWc2Rn/3Hax2ByCJ8Hi97EUPM6dT07iBgB9+vx8cz8NqtUAvCBB4rlkD3X333SC7aPasu9n33L270bN7Dha+8AquvXoqMjIy2GvkyJEtJ6woTGns2bMHhYWFyM3NxY4dO5rfq6urD/SU47VX/xj/B7Q4S2kITqU45L1Ie/cc6I7/V+RIUhouLfMQr8USsjWFEFQWya1nQJrtkpKS0K1rF6SmZ6B3797IzMxE127d4EpORWp6Omx2JxJsqj7p0q078nP3Rt358wsWIM4ZjwkTzsGGdevh8/nRtWtXVFdVoramBnqDATqdAEmSkZ4cx9YxmOwHfJIOhx0XXnopexAMRgPinU44nGoc9cfVm7B3V2wWvmEWi3K0ySQnKAoncByvdISpqNcT/x/fuHSp5Jg1i7v/wQeVURdcELHp77//Hrtzc9G9a1ds31vAFAaJ0WCA0Whk7zLxd/AcTCYTc2HkKAc36+7/4KuvvsIP33/X/Nt110yD02nHxZMiaUtJGWVlZbFXa3G73diyZQs7tmXLluGXX3451KsBrb1DhvaKlTKv0KySMs3t2ae9F2mZoXItcPs/KUeSe3IagK/au3BWVjZ+X7cerqQEKheHIcoyZF/6JMDr8yPRYsCV067Ba6++2OZ2L5syFf+d9yz25OZDkgJsJjMZTbA77BB0OqaUUp1W7MqrwOhRI1GYd2BUm9ffcAOeeu45bPxjK5wOO5yOOCQm2NnxT7r0Wix9+4VYqyp3JycrA41G7hSOUwRF4TsKkskQomedFXB99hnDavRKSpJ3VVVFTCgPPvQQ/v2vf2H1xq3Q6wQY9HqmIEhhKBwHu80Km9moDiqOg46LPsB278lFzx7dIn6vqqpGQkL8QZ/H0qVLMX36dBYr+oulOiRQm6spld2aKxR0jf7fppmPJKVB0zf5DwPbszAN1muvuxGPP/EYRI5HQ6ObDViPzwevLwBJlCArMrNGAgER3TOScf+Dj2H23Xftd9u/rduItOwu2PzHRrYfm8PBrAyr2Yqe2WnYk1eME4aNQGXp7gM6QYvFglU//4qU9Exwiswo+gxmK9LiLNiysxAD+vYC5OhjabzdLo5zOvlUReHOEASutuN8fCiNjRQUFdM2bVL41FT9Z4sXB8ZdcYWu9fjo0iUH23buRmF5NXzuJnZtSHGQy+Fw2BBviZZXiS4TJ12MZUvfDftv7Ljx+PSTjw/pXIqLizFlyhR8/fXXh7SdwyzlrSyTIi04W6UpnFzNHTpg+M2fIQcCHT7cUnsgTXy8Xi/mPv0kZtx0I8zsLDiUVVSirKwC1VVVqK2tgbupEY0NDSxwB/bQmtu17dU//wi73Q6L1coCoLS+xWhiKVGSNb+tOWCFQTL9mmsx9OgBDNRFDxuZ806r6jrdP+ehmArDJQjyOQ4H55ZlLpvjpI4eSZzNBrGykvf+8APTRGOnTOH75+REpDHy8vLx0Ucfo2dGcrOFQeeg0wtMYXz62Ze4+fb/YNnyz1FU2nbm8/45kWRhn336CTZt3nxI55Keno6VK1ei/8CjDnobhJ85auAA9OrZAzaL5ZCOJ9YuAByr8ajcBuBJjRN2GYBVWiyFrBLSfPO0xlgjyLs9HAdzoHIkKQ1oF+ziAwky7dm1i70rsgyPxwNZVq0Lo8nI4hD0wAuCepqJrjazq82ybcsW2AwcLDY7szDMmt+u16nV6Dk5mQd8YjzH4eobZzCXiSwOZkLzOlj0PEoqGvDekjdirnu2w6EIPC/YAbkLzwuHmjGJEI4jMBYf2LSJ0xi8hPPGj49qhX6wfBl71+sNahCU42AyqhZGQJTwzFMPYeKEsejdqxf+PSs2qrVvn5446uhjIn5fuGBBh5zSe+8tO6Dl6f7OuvtubNq4EaUlJdj4xyasXr8J67dsx2dffIFbb7kZaakUXvvTJFPr0XsTxekBfKspkmf+xGOIKkea0iAhm/Wf7V14/HkT2LskiSxISYNYr9cxMJLA8TCZjPB6vMzOy87Obtc2d+/ehYBCBOBmZmHQgKKgpV6vlmf07tMbzvj2KaCgTJ4yBQN6dIVXBBrq69mxJieqE8e8eQshBRqjrpep18snWyxciSiiB88TTTnX4blACmBSbGPHDiVoEl81fboSzTxet0bNFtkcdvACx65vUJmee85YZGR1YZ+bGqrx8AP3YsnS92Lu9sqpUyN+e/vtdzqEd7BPrx4457wL2rUsoXMpzTvn/vsx4Kij4FF4NEpAvNWEHl2ycNaZZ+Kp/z6NvXn5ePSRR2JuhwLxI045hU0KByrx8fHQ6/fbYpdc+Bl0mQ54Bx0oRypOI0Erdkpqa6GcnGzk5uXDLSkoLS1nrgiZzWRZ8BzPHnZSJtU1dcjKzkJNZSWO7t8P7qa2A2XdunXDL+s3QeF4+N1u6PQ6GA2UV+SRoLkTg4ecgA3rfm33CW3ZsQv9evVAZYMXFRXlcMTFISPBAbdPQUZGNmqrotZzKDcS8tNq1ZWLojRRr4ddUYTDEUGTyspgGDhQTFmzhiwPimfIE046SVr+008RI3l3bh66d8lBWW0DTAYTDEYdzII6lG6YcQsWPDu3edkhxx7LkKHRpLS8ElkZGRDFcEzrlytW4IzToyNiKT5Fk0IsCSocOprf1q7H8cdFWjOhkpCQgL1798LpdDINWVpdD7/Px6zLDRs2o3+/XshMc2FHYSm6Z6WydONPP/2Iiy66mOFKQmXkqaOx6uuV7BcCtNF2d+7YgZ27dmHr1q3YtGkTRDG6yn/r7bcxauRIprxoPUopb926BQX5Bdibm4uamprWq3yjkVB31u1oYtUizkpbr0Wvv8E6AO0uLle25+5T8suqlF0FxcqewlKlsLxKKSitVDZs26Ws3riF/dfgDSgDjhrc5jbpFedwKIWlFQq1JiuraVAq65uUqga3UtXgae6ofPa5F+x3O8HXWWPOYuvU+yUlr6RS2VlQovhE1mJVeWbhmzHX62EwSK9nZopz0tKUZRkZgabsbDmsGVIHvvYlJCj7UlICUmGhP3iOf3z7baB1G0h63X///ez/Wk9AcUuy2ppek69X/RBxHtU1NUosGXLs0IjlL7l0cszla2rrlNPHnKdMveom5ZVF7yiN7ubDZU1r6RWQW5bv1ad/m/dmzn33seWoBV1pbYOyI7+YfX/syfns//jEFOXTz79kv1XUNzVvt66uThk5alTE9gYdc5xSVlkd9dgLCwuVrOycqMcxY8bMmOfc2Nio3HzLrdHW276/ifVwyJHonkBDc6a3tUCXnGxccdlkVDV54PP60LVLBrKTE2CzWaE36CBLEmpqa+Hx+qATdGhobILVqEP3bt33u/O6+nr4vW6WsDcY9er9Id/dZIBPm8q6d9//doJy9gTVhWps9ECURLjinTBoM/P8Z5+Oud65DofCcZxAz0IPnufoKA4XZThvtUIsKxP861vg6wNHjOBP7tMnwkV55ZVX2LvDpIMpBLxFcurIk5CWEY6p+OTj2BmRESNGRPy2/P1l8PmjV9TEOR1Y/fMqvPrys5h25cUMuLdt+072H11RUWl5okiuuuqqNs/7fO3e1DR6UVZazoK6JN+tUi2GmqoyjDvrTBQUFCLJbmn21xwOB1Z98w0mTrwwbHsb1q1B1y45qK5RW8mIITeM0vXfffstg9y3lsWLFzX/0ugXEZCV5nMgeP7T/30KKSkRMZXeAD5t8wQPgxypSuOU/blO819UB25pWSW6Z6Vjw+/r8cILLyEl3sECcuSSEAAp6CfW1tbCLcno3qvXfnfO2qoXae4CJ7A6C7PRwEzLimrVtTnqqPZF5zMz0nH55MnwSpSYlBnU2mlTszjf/bwO2zdHN92HWyzSULOZ2xsIoDvPK104jm84lDqTWMKrQ8BfWAjebBY5hyNUSfALX3wxIrZBpvOXX65gxxLteG644aaw74SfiCXXXnddxD+UGWsrIPqvf93d/LkgbzfGjh3T/J0YDekVfFhvuP46BvCLJoMHDcKAAQPgERVUVFRAFAPgOfWBPmbI0WFrTLpoknpBWl2MpUuX4L775oQt625swOkh7lVtk4/df3JMunbtgt9+jUQR19XV4/GnVLfOZtBBVDg0+iX45Ratc+mUa6OdxlA63JgX6zDIkao0prX15/Bhw3DW6aNRVN3A6kOMOh4PPvgk5s6dywZxY2MTAoEA6z5GA8jv96GGpWEbMGBAu2Ag2KK2MWTxEbPRyAqzamrq4POoiZ2cLl3atZ2Zt9wOm8UMt19igCin3dr8oM1/LjaQaxTN/AAvAkpPQSCrhzukUq4oQkTDhNHwFxYq5jFjfOnbtyvGESPCcHL9TjpJOH3QoIhdz5s3L+Z2p2pw/KD8+mvs2E+vHt1w8imnRvz+cRvWyYQLJoR9z8vNxR9//ME+s4Cu3KLMbFYzLpx0UdTtnKJZOSUV1fB5vbBZ1XtDj+no088IP4fVq7Frt5pm5xBuzcyePQvXXBuu/Nb9vhYfffwxA7gRp5okK/AGZGapDhlyTNQAMdEQXD71WuzcnQezABZ4N2i1O4vf/hgfLl8e65JcEeuPwyFHotI4d3+a854HHmbvjY0NyHTFM9TnR8vfg6epFl5JnW70RjUlSIEz4nlocrspL8tmlvbIpi1b2FKUEg0qDLI0KJ1LgyUtIwN6Q9u4D6q/uPraa9nyZgPPalk8fhXHmbuvCsuWvhl1vR4Gg9LDaOSIKDiV4+QcjuMaO9jKoAZKUmUlxKoqKX72bF/y558LQna2IYrxwN93//1cyDPC5NNPP2XWWzTJSEvBKSNHN/9TXl6OH374IeaxRMuiULFaLOndsxsGtkrX0vFAswLI89OFnMWkSZOibik9Q02d+30elvEwmy3wej0orW3EkGMGIzExPFzw2mvUwVK9QJRd88otFs3zCxegf6sJ6Z7Z97D3OKsBkiwzwKGirXvhxAtw+x3/iDimNxa9gH79+mL16l9h4lqsmiceexB7d2+KdUkujPXH4ZAjUWnc09afJ514Is44dQRK6hphtVgZt95zCxYTYJxVXVIcg/xNSiPSQ058FQ2NDSw6bjCakJySDGf8/mNHRDADbYDU1zcwy4UeeirKqmrysZqX4KCLJTfcOANxdisbWLKkMPo8UVJH2cIFL8ZMsxIuw8hxPFH4dRMEYvjhD5YzI5qQwhALCiA1NkrJS5eKzvvuM0SpQwoELfFh48dzg7KzW1kbCt58662Y+2itCBYuXBhz2UkXToDJHE6jWllZic8+/zzmOpS9CJXl76uzMJ2EvpXaO3H4CawEoLUYTWomzGI2M6yJ2+NmLi2l6AldPP7sc8LWeOP1lupjshxkeoVo02effS5s+Q0b1mPz5i1sjJKXQZaDFJBQ7/bBJwNPPP4Yhg49PuK4pIAXl16inl/wvk+9cnLEciGSpjXe+lPkSFMal2q0eTHlsmlqYKuhvhEZSU40eWTcf6/q41ZU1qCqopxVppLCoBRsXW0trBYbUpJTGKMUAbYoL78/2bZ1KxsMEgMtiRocPQB/IMD8X6PJgpz94D5u1WYSGsO19Q1ocnuQYDWgrimAF55/Luo6/YxGaYjJhDJRJPif3I3j4Ouo3DjHqb1PcnMJhy+mfPGFZJ440aiNAzYJitu3+xpfeslXOmKE5H7tNTEI9ppzzz1Ka2vjpRdj1/FcOJEUQQteYcmSpXC7o2P2bFYLzp8Qialoa/uXXBKuNNasXdPsPrQWqokZPvykiN/9PjVbSQBAt8fDFIbVbIHTrhYiXnzJpWHL5+fnY01z+phjFbzQapzowowccTKOG3pC2Dpz56qBbpNBB0VW4PF4IQb8THGA4VKiQy5y8/JQWFTcTHh05ZVXQqdvE6Z/aVt/dqQcSUqD1xogxxTiaDh7/Nlo8ktw2m3sQXrk8XmorSpkq9DDXVFexrIcVM5O5rPBaERSkgs+v5fVJcQ5zBFmZDTZV1SE3PwCNnMRUCwgBuALBOD1+lBWWkb8NejRRlB18mWXI82ltjhp9HhRT3B2o5Gd5OLX342JyzhHy5gQuU4WzyupHMe7OwIBSvELjwe+vDyYzzgjkNXYqJjOPJPKdgO+b77x1d9zj7/81FPlsmHD+KqrrzZ4v//eVDl9uiDl5zN/6uxp07hMmy3M2tiwYQMrWY8mFMc597yW2AMFGd95952Yhzd1WmQY68MPP0RjU/Ri0W5dsnD88JPDflv5Vex6x4kXRsY1aqpVqHtDU1OzwqCCOatVfTjPPGM0El3hGYtg5oiSLBrQmLpeMqwQyQutFN0bb7zJLBITD5bJE2UJHK8W8zUFFHTr1hXPvxA9tvXN1yvZGK92+xHvtOPcc8+LeX50im392ZFyJCmNR/ZHyPvv2fcgPTkJpdV1SImzobisFo8+fG/YMjQbkEYnhUGEMCkpqSzNSd+JB4NyKf37x6JSCJcdO7azm0bWBfFfULl8fX0dM2MNeh69evWOue6cOWpEnVJnZRVVrFQ8NcEOvww8/d8noq4z1GyWjzKZ+ApRJGXFAqBCtN6sByGK2w3ebhcd06d74p95Rgr8/jvq7rxTLD3mGKVs9GihZs4co3fVKiMdqD4rizN27QpFFIWK887jIcukLHQP33dfhLXx7HPRLSaSG2+4Iez73Kfnxlz29FNHILtLeOUrlQQsenVR2G+hqZxrr7km7L9VrZjBSPza0V500STo9OG10Ll7c9Vl/AGW1SKFYbeZYeDU/dC9nzIlPMb49jvvsMkp6OzIzFWRIflFFuwedNQAnHd+i7KkGMmi19Rz8EsSG4M6nvXgZuOKsirXXH01ZsycGXHs/33qKfYetDJvmjkj5vXTKCROa2uBjpIjRWlQGDsyKhQi6WmpuG/2LNR5RaTGq+bjFVOvR8AbHoyjWhSyBswWC9LS0hlegx50QoraNbPzqKPal0HZuE7tiez1+1kakIrgRMrKCAIa3T707tsn6npUnk0cH2S27iurhCSKMFvV+Muri5Zg787IIJ+J45SL4uLgUxS+TlGQw/NyD47jOizNqihEuKMoHo9QMX68sfTYY4Xaxx83BnbsMOjS03X67GzosrLAmdXgriKKMHTpAu+GDbqqK65grvtlt90m9HG5wqyNBQsWsIcumpx80jAMOua45n/++GMjfvzxx5iHeOutt0X89kgr2DaLD2mfp1w+GQmJLXD+pUuWoLS0tPm7l9wBrx+VDR6kuBJw+eVTwrb1888/ockvIjM9FS6XC3a7qjAkzS0lmdnqYSZ3d+MGlSiJ4hSSKEMUJaZIvKK61vwF4fGb++fMYcccb7cyikSqQyJVQNaXx6deu2fmzsUVU8OtLQoGf/f9D4i3GFDn9WPkySdi0OA2uxQW5QIAACAASURBVGJc3dafHSVHgtKgY3h+fwvdc/9D7L22wQ2rUY+V3/2OlZ9Hmrv5+XmwmvSMsYtuCj3oFOQihRGsdu3Zszd0hv1zBW/ZolZc+v0iGhsbmcIgYA5VdvoCfvTt1z+qn3nPvar1U1nnRlNjIyvucsXZ2G8E0okmZ9jtUrZez9dIEhtg3XieM6kp1w4RzmpFIDdX73n/fYNSU8MJ6ek8KQohOZm5LojiAlERoCEtDQ1vvCF4v/iCDoW/4847w5ahVOXS92LjMKZfNT3s+7xnn4257ORLL2WYmFApKtqHn35SiYmDmQoumCXhOVzWShG8qlkmZGHQfaMYQmWVyu41ecqVYctSK4Yd27bBadLDalKtUDG4bW2ZLtkZOOHEU8LWW7FiBXtnSkOSWIaOChtNRj18soK0FBcumNjiDuXl5SEvPx9mndo2l2Bbkiwx5WHQ8c048EWvvIyBrapzg+OlpkGNB1173fUxrx+Ao9v6s6PkSFAat2jItpiSmpKCq6+aCo8ow+VUo+z/+Ed0w6SkuAgWvcDSrXV1tazS1Wq3M8wGA2ixmpV0dOkSSQLTWvbs2g2fRLOVh/GD0jYowGo2m2ExW5CTmc56loTKhAkTkJmRgTpvAJ6mJijE6aHXw8hz+PLrX7F9cyRmwc7zymlWK2olibkiZHUkcRzn78g0K3VgM5nAJyWBo4KqGIoiTOh/o5EyD3z1jTfSoUgTrrlGaA32erGtgOWlF4e5Bcvee48RKUcTV1I8xo6L7F75gubzU9yR0qmEwwhinlojPp9/Xp1/aDmKIVCAUxID2FdZi1EjTkTPXuHW4dZNqtWnC1EY+hDFRHLZ5PDMxSsvq3ENIw9mZZD1QFSQZNV6/Kq1ccst4a0fvvlKVTQU+iB3hs6FeFWJGlH0SahqUvMk3333XXNWh+SDDz5AVXUt0hLszPqZeOGFMJpipvp7apmUwyp/tdKgs//X/ha694EH2U0kEI7FIGDZx99iw5pVUZctKS5GRW0DfH4fDAayMBwMFWoyGBgDV0BWZ5H2ZFB27tqJvIJCZqlQkRSZoBTMJCVGnNsmPY+cLjlh6/zzbpU4t6HJA6/HzRClaUkqG9UTTz4ZdT9j7HYpVa8XGqi8X1Hg4jg5ieOUI4KEkvzwjAz49+7VeRcskOMdDvmMQYPClAZBo0vLyqKunhDnwAUXtOAkaGZ+883o+BSSaVECokuWvMvS6bz20PEhOIyjBvQNK7EnS/OXX1eze9zQ0MjcSsLZUGCc1m9tmRDvKEIURFBhMNY37ceLJl0IQddSt7dn7x6sX7+ebY8sT6qApqplisEQVwoYNOAERpwclHnzVAvLZtarFoZe5ZqVtUmJFBu53vHxcfjqq5Vhx7j4tUUwCjz2ldUgKd6B4cNjZlfpkKIj2TpQ/mqlceH+Cm5Sk5Nx7fSrmO9JlaZNAeDuf8fWM0TaW1y0D3ZHHOPe1Bl0MOn1zDpg1ZHaDEVlzPuTquoaxilKmAyKevO8wHxfQg42NrnZ2qHB0JNOOhHHDR6EOp8E0e9jEXlHnJNZPhu35mLl55FmfIIgyIT+rJEk5un6AaUbz1NXpg5zTQ5ZiGjHbkflv//NQF73v/RSBNhr8eLFMfdy/oRzw77PbwMiPn7cWDjjEsJ+owf//fffZ5/pIrXGYbTOvCzQ8BIUi6I0OU0YDNWrABe0Anr9sno1e+dDFAZLs0tKMwN6UmI8zjxrXNh6ixapbpDZpGeYDVKGZInSOpTtAEuTtmBVCLFKBEMmgWeWF68TmGVCwXWyPFj6VpGZhXrySSfiiSdb3Nj5z6kKJ3jBR506Gm3IJW392RHyVyuN/Z7g/Q+rgbAtu/YiIzEOn326Ets3r465fB3DZtQhOysDep0ORh3xWJpZPIOUBt0gEip0ao/sKyxQiX8VICUlGXEOB2PcDmIOeoVYLLffpSozin/QzGa2WJHhUq2MuU9H9+XPtNmUJJ1OaJJlBuRxcpzcleOYxXHE8BZQEDUxEWJtrc43fz43dMgQDExPDwuIBlOR0eTkk8IxEhRI3L07eqrWoBdYn5XWEkxLRiuKv/SS8GH07pIlqGloQmpyksq6ZrawTEVucRn69+qOk0e0wNa//OKLsOI4Oimq9yB9IVDPW+33yy+7LGwfb2nANiOnZnnUcn0OHreXKTmwtHv4Os9p8RyjQWAmk9dHKViRWcKEA6KAMgVuKR5z+223oncftcve7j17sHrNWnRJiUeN24czorhwITJUa/Z12OSvVBqUZB/T1gI9unXD9GlTUVhRgzi7Gkh8/NEH97vh8tJiOPUqo5TVYoHRZFCrVekGK6rS6NO3zbaHzbJ962bG4pWSmorEhHgW0yCloTeo5ioxloPNOEacetoZLO7i9XjYIEhJdrFBXlBcjbfeeDli21aeV060WrmglUGMXD15HtTP5Ejjx6egqKDXo1pNsXLPvPoqQq2NHdu3N9d/tBbKfJ12evitfuzxx2Lu68abboz4jVwgCiZGk2RXAiaEBB7p/rz60gusKpWC0L6AavVBw1LcGRIPo2WXvLuEfW5WGLIaZOVCYNznnjM+LFNDiNVPPvmEfRbIJVGgArdICeh0zA3u3jUbI0e1ZEEXL36dlTOQonGT2ySKDGVM7gp9Vi0OBRU1DezCrvjyC7goUA3g0YfUcU/ZuOMHDcCYs8a3dbvaLu09RPkrlcZD+1tg3kI1wLZrbx56Zadj+affYc3qyFx8a9m7R0UGWixWmMwq+S3YPEDRanWu6t6jJ8zW/VMu/rFxI3vwCVEqSzIC/gCbvRw2Fe3YtZuqNKZcORUOkx4VNfXM7ExMTEScBhKiwJnPUxex7TNsNjlZp+PIyhDVAI/ch+dp8B62EviDFrI2UlLg37qVk374QR55xhn8sO7dwzyob775JubW77wrnND5xRdeiBkQHTJoIIafFFky/8wzkUx3Xi0ievMtt4b9/tQTKhbGarcxJK7daoVLA9uNHzcmLID9rGYBsIdB4VgbBir+VTTgFtWK0KRwZauU6BPaPkwCx4KuBAAkuDqBARu9air1xptaKn49HjcWaLiWALNO1PgGWRgUE6H9+n0ByGIAxdUNjGnup59+YstTQDS3cB+yUlVv/tY77oh1qUnaTLEcqvxVSuNECgG0tQAVDI05/VRs2F2Avj3VG3znHbe3a+NF+1S0pcliVun1GV+2annQzfFLCovU9+y5/zJ5Yl6StW0xC0OvZ02YqNGRKCvMZaE02dnnTYBblKFj/KQmFkMJXtwPPvgwYrsOnpdPtVqVWs3KoIK0bEFQ0jiO7+jitA4TlQeCr37kEZWM56mnwmIbBBWPJaePHon0Vjwbb4VAqJVWwK1JF0a6KG+8Ec6jSgrD5xNZhuvkE49H9x4t97OouJh1hUuNs7GAeHx8AqzmlmDm5MtaAqK//fYrQwuz1nKCyhZA7gm9KIjq9qm68bJW7gZlOqqqqljQNSCJLChKFJNEOaloFi3FaCi+FpQgGC7BYQXH8SweQoqGp0B7QFSJmgUBnCxhT1E5evbogbfeUaEFTz/xOOLMRuwpqcToUSPQpWtMTpe2erYcsvxVSuOW/S1w9z0qW3VjQz3SEuLx8uLl2L3993ZtnEqlwSLVBgbZhUZ+SzeoprYOtW4v9Hz7MihkEufmFcCqA1MUVpuFWS8Umad+rC5XEh5+

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 9 IoCs

resource	yara_rule
behavioral2/memory/2760-2-0x0000000001EF0000-0x0000000002009000-memory.dmp	family_avaddon
behavioral2/memory/2760-3-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2760-4-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2760-5-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2760-7-0x0000000001EF0000-0x0000000002009000-memory.dmp	family_avaddon
behavioral2/memory/2760-15-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2760-58-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2760-554-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2364-559-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Renames multiple (177) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2364	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\L:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Y:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\T:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\W:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\X:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Z:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\K:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\M:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\N:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\A:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\E:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\G:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\H:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\I:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Q:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\R:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\V:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\J:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\O:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\P:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\S:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\U:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.myip.com
49	api.myip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3308	2760	WerFault.exe	93
5256	2760	WerFault.exe	93
1092	2760	WerFault.exe	93
5844	2760	WerFault.exe	93
3924	2760	WerFault.exe	93
3968	2760	WerFault.exe	93
4124	2760	WerFault.exe	93
2692	2760	WerFault.exe	93
5180	2760	WerFault.exe	93
5144	2760	WerFault.exe	93
5212	2760	WerFault.exe	93
4584	2760	WerFault.exe	93
5548	2760	WerFault.exe	93
1516	2364	WerFault.exe	145
3236	2760	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2244	wmic.exe
Token: SeSecurityPrivilege	2244	wmic.exe
Token: SeTakeOwnershipPrivilege	2244	wmic.exe
Token: SeLoadDriverPrivilege	2244	wmic.exe
Token: SeSystemProfilePrivilege	2244	wmic.exe
Token: SeSystemtimePrivilege	2244	wmic.exe
Token: SeProfSingleProcessPrivilege	2244	wmic.exe
Token: SeIncBasePriorityPrivilege	2244	wmic.exe
Token: SeCreatePagefilePrivilege	2244	wmic.exe
Token: SeBackupPrivilege	2244	wmic.exe
Token: SeRestorePrivilege	2244	wmic.exe
Token: SeShutdownPrivilege	2244	wmic.exe
Token: SeDebugPrivilege	2244	wmic.exe
Token: SeSystemEnvironmentPrivilege	2244	wmic.exe
Token: SeRemoteShutdownPrivilege	2244	wmic.exe
Token: SeUndockPrivilege	2244	wmic.exe
Token: SeManageVolumePrivilege	2244	wmic.exe
Token: 33	2244	wmic.exe
Token: 34	2244	wmic.exe
Token: 35	2244	wmic.exe
Token: 36	2244	wmic.exe
Token: SeIncreaseQuotaPrivilege	5928	wmic.exe
Token: SeSecurityPrivilege	5928	wmic.exe
Token: SeTakeOwnershipPrivilege	5928	wmic.exe
Token: SeLoadDriverPrivilege	5928	wmic.exe
Token: SeSystemProfilePrivilege	5928	wmic.exe
Token: SeSystemtimePrivilege	5928	wmic.exe
Token: SeProfSingleProcessPrivilege	5928	wmic.exe
Token: SeIncBasePriorityPrivilege	5928	wmic.exe
Token: SeCreatePagefilePrivilege	5928	wmic.exe
Token: SeBackupPrivilege	5928	wmic.exe
Token: SeRestorePrivilege	5928	wmic.exe
Token: SeShutdownPrivilege	5928	wmic.exe
Token: SeDebugPrivilege	5928	wmic.exe
Token: SeSystemEnvironmentPrivilege	5928	wmic.exe
Token: SeRemoteShutdownPrivilege	5928	wmic.exe
Token: SeUndockPrivilege	5928	wmic.exe
Token: SeManageVolumePrivilege	5928	wmic.exe
Token: 33	5928	wmic.exe
Token: 34	5928	wmic.exe
Token: 35	5928	wmic.exe
Token: 36	5928	wmic.exe
Token: SeIncreaseQuotaPrivilege	5512	wmic.exe
Token: SeSecurityPrivilege	5512	wmic.exe
Token: SeTakeOwnershipPrivilege	5512	wmic.exe
Token: SeLoadDriverPrivilege	5512	wmic.exe
Token: SeSystemProfilePrivilege	5512	wmic.exe
Token: SeSystemtimePrivilege	5512	wmic.exe
Token: SeProfSingleProcessPrivilege	5512	wmic.exe
Token: SeIncBasePriorityPrivilege	5512	wmic.exe
Token: SeCreatePagefilePrivilege	5512	wmic.exe
Token: SeBackupPrivilege	5512	wmic.exe
Token: SeRestorePrivilege	5512	wmic.exe
Token: SeShutdownPrivilege	5512	wmic.exe
Token: SeDebugPrivilege	5512	wmic.exe
Token: SeSystemEnvironmentPrivilege	5512	wmic.exe
Token: SeRemoteShutdownPrivilege	5512	wmic.exe
Token: SeUndockPrivilege	5512	wmic.exe
Token: SeManageVolumePrivilege	5512	wmic.exe
Token: 33	5512	wmic.exe
Token: 34	5512	wmic.exe
Token: 35	5512	wmic.exe
Token: 36	5512	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2244	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	132
PID 2760 wrote to memory of 2244	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	132
PID 2760 wrote to memory of 2244	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	132
PID 2760 wrote to memory of 5928	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	134
PID 2760 wrote to memory of 5928	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	134
PID 2760 wrote to memory of 5928	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	134
PID 2760 wrote to memory of 5512	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	136
PID 2760 wrote to memory of 5512	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	136
PID 2760 wrote to memory of 5512	2760	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	136

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
"C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 876
  2⤵
  - Program crash
  PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 916
  2⤵
  - Program crash
  PID:5256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 876
  2⤵
  - Program crash
  PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 968
  2⤵
  - Program crash
  PID:5844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1032
  2⤵
  - Program crash
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1264
  2⤵
  - Program crash
  PID:3968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1532
  2⤵
  - Program crash
  PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1616
  2⤵
  - Program crash
  PID:2692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1812
  2⤵
  - Program crash
  PID:5180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1676
  2⤵
  - Program crash
  PID:5144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1664
  2⤵
  - Program crash
  PID:5212
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1664
  2⤵
  - Program crash
  PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1644
  2⤵
  - Program crash
  PID:5548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 924
  2⤵
  - Program crash
  PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2760 -ip 2760
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2760 -ip 2760
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2760 -ip 2760
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2760 -ip 2760
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2760 -ip 2760
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2760 -ip 2760
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2760 -ip 2760
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2760 -ip 2760
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2760 -ip 2760
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2760 -ip 2760
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2760 -ip 2760
1⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2760 -ip 2760
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2760 -ip 2760
1⤵
PID:1716

C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
1⤵
- Executes dropped EXE
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 592
  2⤵
  - Program crash
  PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2364 -ip 2364
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2760 -ip 2760
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Filesize
881KB

MD5
c83f30c065f7f61428eac2370ddb4f53

SHA1
cfd70af0c89d7b00839c1d32852c53c603d35e32

SHA256
bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc

SHA512
26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51

Download Submit
C:\Users\Admin\Desktop\readme.html

Filesize
50KB

MD5
9c40d4d8a799feee68b9ebba648fd6ae

SHA1
3dd8a96771ad88f76b546b3045e0b50ef0f793dd

SHA256
092cbc0219216bf83bc0de3555cc7710ebb92b0c14cae3c99fa9959b8805848c

SHA512
ca739e2b8a95411e558b773846b1a05735a043696ed75b8f8bf3dee44dcbf4ec8832f6a2f6142fbde5448dffa566c244e7069bde647ebd19831495015521e7bb

Download Submit
memory/2364-559-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2364-558-0x0000000001C20000-0x0000000001CAE000-memory.dmp

Filesize
568KB

Download
memory/2760-7-0x0000000001EF0000-0x0000000002009000-memory.dmp

Filesize
1.1MB

Download
memory/2760-6-0x0000000001DC0000-0x0000000001E4D000-memory.dmp

Filesize
564KB

Download
memory/2760-1-0x0000000001DC0000-0x0000000001E4D000-memory.dmp

Filesize
564KB

Download
memory/2760-15-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-5-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-58-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-554-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-4-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-3-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2760-2-0x0000000001EF0000-0x0000000002009000-memory.dmp

Filesize
1.1MB

Download