Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
ab.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ab.exe
Resource
win10v2004-20240226-en
General
-
Target
ab.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Malware Config
Extracted
C:\Users\Admin\Desktop\jA7qS_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\jA7qS_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\jA7qS_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2700 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2700 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 2700 wmic.exe -
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ab.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
ab.exepid process 840 ab.exe -
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ab.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini ab.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ab.exedescription ioc process File opened (read-only) \??\P: ab.exe File opened (read-only) \??\S: ab.exe File opened (read-only) \??\V: ab.exe File opened (read-only) \??\A: ab.exe File opened (read-only) \??\B: ab.exe File opened (read-only) \??\H: ab.exe File opened (read-only) \??\K: ab.exe File opened (read-only) \??\N: ab.exe File opened (read-only) \??\X: ab.exe File opened (read-only) \??\I: ab.exe File opened (read-only) \??\J: ab.exe File opened (read-only) \??\R: ab.exe File opened (read-only) \??\F: ab.exe File opened (read-only) \??\G: ab.exe File opened (read-only) \??\Q: ab.exe File opened (read-only) \??\U: ab.exe File opened (read-only) \??\W: ab.exe File opened (read-only) \??\Y: ab.exe File opened (read-only) \??\E: ab.exe File opened (read-only) \??\L: ab.exe File opened (read-only) \??\M: ab.exe File opened (read-only) \??\O: ab.exe File opened (read-only) \??\T: ab.exe File opened (read-only) \??\Z: ab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 828 vssadmin.exe 948 vssadmin.exe 2020 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ab.exepid process 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe 1056 ab.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2516 wmic.exe Token: SeSecurityPrivilege 2516 wmic.exe Token: SeTakeOwnershipPrivilege 2516 wmic.exe Token: SeLoadDriverPrivilege 2516 wmic.exe Token: SeSystemProfilePrivilege 2516 wmic.exe Token: SeSystemtimePrivilege 2516 wmic.exe Token: SeProfSingleProcessPrivilege 2516 wmic.exe Token: SeIncBasePriorityPrivilege 2516 wmic.exe Token: SeCreatePagefilePrivilege 2516 wmic.exe Token: SeBackupPrivilege 2516 wmic.exe Token: SeRestorePrivilege 2516 wmic.exe Token: SeShutdownPrivilege 2516 wmic.exe Token: SeDebugPrivilege 2516 wmic.exe Token: SeSystemEnvironmentPrivilege 2516 wmic.exe Token: SeRemoteShutdownPrivilege 2516 wmic.exe Token: SeUndockPrivilege 2516 wmic.exe Token: SeManageVolumePrivilege 2516 wmic.exe Token: 33 2516 wmic.exe Token: 34 2516 wmic.exe Token: 35 2516 wmic.exe Token: SeIncreaseQuotaPrivilege 2464 wmic.exe Token: SeSecurityPrivilege 2464 wmic.exe Token: SeTakeOwnershipPrivilege 2464 wmic.exe Token: SeLoadDriverPrivilege 2464 wmic.exe Token: SeSystemProfilePrivilege 2464 wmic.exe Token: SeSystemtimePrivilege 2464 wmic.exe Token: SeProfSingleProcessPrivilege 2464 wmic.exe Token: SeIncBasePriorityPrivilege 2464 wmic.exe Token: SeCreatePagefilePrivilege 2464 wmic.exe Token: SeBackupPrivilege 2464 wmic.exe Token: SeRestorePrivilege 2464 wmic.exe Token: SeShutdownPrivilege 2464 wmic.exe Token: SeDebugPrivilege 2464 wmic.exe Token: SeSystemEnvironmentPrivilege 2464 wmic.exe Token: SeRemoteShutdownPrivilege 2464 wmic.exe Token: SeUndockPrivilege 2464 wmic.exe Token: SeManageVolumePrivilege 2464 wmic.exe Token: 33 2464 wmic.exe Token: 34 2464 wmic.exe Token: 35 2464 wmic.exe Token: SeIncreaseQuotaPrivilege 1540 wmic.exe Token: SeSecurityPrivilege 1540 wmic.exe Token: SeTakeOwnershipPrivilege 1540 wmic.exe Token: SeLoadDriverPrivilege 1540 wmic.exe Token: SeSystemProfilePrivilege 1540 wmic.exe Token: SeSystemtimePrivilege 1540 wmic.exe Token: SeProfSingleProcessPrivilege 1540 wmic.exe Token: SeIncBasePriorityPrivilege 1540 wmic.exe Token: SeCreatePagefilePrivilege 1540 wmic.exe Token: SeBackupPrivilege 1540 wmic.exe Token: SeRestorePrivilege 1540 wmic.exe Token: SeShutdownPrivilege 1540 wmic.exe Token: SeDebugPrivilege 1540 wmic.exe Token: SeSystemEnvironmentPrivilege 1540 wmic.exe Token: SeRemoteShutdownPrivilege 1540 wmic.exe Token: SeUndockPrivilege 1540 wmic.exe Token: SeManageVolumePrivilege 1540 wmic.exe Token: 33 1540 wmic.exe Token: 34 1540 wmic.exe Token: 35 1540 wmic.exe Token: SeIncreaseQuotaPrivilege 2556 wmic.exe Token: SeSecurityPrivilege 2556 wmic.exe Token: SeTakeOwnershipPrivilege 2556 wmic.exe Token: SeLoadDriverPrivilege 2556 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
ab.exetaskeng.exedescription pid process target process PID 1056 wrote to memory of 2556 1056 ab.exe wmic.exe PID 1056 wrote to memory of 2556 1056 ab.exe wmic.exe PID 1056 wrote to memory of 2556 1056 ab.exe wmic.exe PID 1056 wrote to memory of 2556 1056 ab.exe wmic.exe PID 1056 wrote to memory of 828 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 828 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 828 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 828 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 1476 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1476 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1476 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1476 1056 ab.exe wmic.exe PID 1056 wrote to memory of 948 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 948 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 948 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 948 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 1360 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1360 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1360 1056 ab.exe wmic.exe PID 1056 wrote to memory of 1360 1056 ab.exe wmic.exe PID 1056 wrote to memory of 2020 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 2020 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 2020 1056 ab.exe vssadmin.exe PID 1056 wrote to memory of 2020 1056 ab.exe vssadmin.exe PID 1624 wrote to memory of 840 1624 taskeng.exe ab.exe PID 1624 wrote to memory of 840 1624 taskeng.exe ab.exe PID 1624 wrote to memory of 840 1624 taskeng.exe ab.exe PID 1624 wrote to memory of 840 1624 taskeng.exe ab.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" ab.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab.exe"C:\Users\Admin\AppData\Local\Temp\ab.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {01EA538C-CF3C-4FE0-8AC5-A33344EAF6D4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exeFilesize
775KB
MD50b486fe0503524cfe4726a4022fa6a68
SHA1297dea71d489768ce45d23b0f8a45424b469ab00
SHA2561228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
C:\Users\Admin\Desktop\jA7qS_readme_.txtFilesize
3KB
MD57e8ba9bef068919afb9945cec8d8facd
SHA1d513718829342a50c6aaaeed67bcb9cfc3fb5842
SHA256801cb9c8ce3ef09b3b0d3509073b55a794499e89b1e9942dac48bef35929a0cc
SHA512915ce203cb551838949215df4227cf5a9c0ccb1ad34c27317a269b27cdabb0b72643751db6d8e352f1fc37789d575d60c5072237ab159d856b13f5820469edf8
-
C:\Users\Admin\Downloads\jA7qS_readme_.txtFilesize
3KB
MD57b8ea4c2f454b42aba253eee2124a796
SHA14cca29ff0a9e0d8e2f87166c25a68bc518490f02
SHA2564f56806b83b59f9c705777337b15cdbcb6bf4fa442d570254397762eaa73351f
SHA51275a3562001c168fe3184682be44e4df552ed070988dd8227ad3650b0f7674c288108815232b6ba1db88fecf0adbfa02834526731d33910213e34922dd63dcdfb
-
C:\Users\Admin\Pictures\jA7qS_readme_.txtFilesize
3KB
MD550a246802161203af6b9db28b98064b2
SHA16920e10d10d334cda7b76b55e1e2e357452e1d5b
SHA25615e71dac6200a52a02ca2d21a7308b07bc38875142eb0e49a685369da68e4f12
SHA512f0102dd0a17f4b7746f6b13eecbc81f2b687157052db23b0e3a4449a22755e6c850e38eb4881aaac81ea23c127b859b7ce546e82989e91d8310605841b19e8f2