Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
ab.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ab.exe
Resource
win10v2004-20240226-en
General
-
Target
ab.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Malware Config
Extracted
C:\Users\Admin\Documents\Bypu6_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\Bypu6_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3512 5040 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 5040 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 5040 wmic.exe -
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ab.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
ab.exepid process 3708 ab.exe -
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ab.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini ab.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ab.exedescription ioc process File opened (read-only) \??\H: ab.exe File opened (read-only) \??\J: ab.exe File opened (read-only) \??\T: ab.exe File opened (read-only) \??\Q: ab.exe File opened (read-only) \??\R: ab.exe File opened (read-only) \??\S: ab.exe File opened (read-only) \??\V: ab.exe File opened (read-only) \??\A: ab.exe File opened (read-only) \??\I: ab.exe File opened (read-only) \??\O: ab.exe File opened (read-only) \??\W: ab.exe File opened (read-only) \??\Y: ab.exe File opened (read-only) \??\F: ab.exe File opened (read-only) \??\E: ab.exe File opened (read-only) \??\K: ab.exe File opened (read-only) \??\U: ab.exe File opened (read-only) \??\M: ab.exe File opened (read-only) \??\N: ab.exe File opened (read-only) \??\P: ab.exe File opened (read-only) \??\X: ab.exe File opened (read-only) \??\Z: ab.exe File opened (read-only) \??\B: ab.exe File opened (read-only) \??\G: ab.exe File opened (read-only) \??\L: ab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ab.exepid process 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe 2868 ab.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 3512 wmic.exe Token: SeSecurityPrivilege 3512 wmic.exe Token: SeTakeOwnershipPrivilege 3512 wmic.exe Token: SeLoadDriverPrivilege 3512 wmic.exe Token: SeSystemProfilePrivilege 3512 wmic.exe Token: SeSystemtimePrivilege 3512 wmic.exe Token: SeProfSingleProcessPrivilege 3512 wmic.exe Token: SeIncBasePriorityPrivilege 3512 wmic.exe Token: SeCreatePagefilePrivilege 3512 wmic.exe Token: SeBackupPrivilege 3512 wmic.exe Token: SeRestorePrivilege 3512 wmic.exe Token: SeShutdownPrivilege 3512 wmic.exe Token: SeDebugPrivilege 3512 wmic.exe Token: SeSystemEnvironmentPrivilege 3512 wmic.exe Token: SeRemoteShutdownPrivilege 3512 wmic.exe Token: SeUndockPrivilege 3512 wmic.exe Token: SeManageVolumePrivilege 3512 wmic.exe Token: 33 3512 wmic.exe Token: 34 3512 wmic.exe Token: 35 3512 wmic.exe Token: 36 3512 wmic.exe Token: SeIncreaseQuotaPrivilege 3164 wmic.exe Token: SeSecurityPrivilege 3164 wmic.exe Token: SeTakeOwnershipPrivilege 3164 wmic.exe Token: SeLoadDriverPrivilege 3164 wmic.exe Token: SeSystemProfilePrivilege 3164 wmic.exe Token: SeSystemtimePrivilege 3164 wmic.exe Token: SeProfSingleProcessPrivilege 3164 wmic.exe Token: SeIncBasePriorityPrivilege 3164 wmic.exe Token: SeCreatePagefilePrivilege 3164 wmic.exe Token: SeBackupPrivilege 3164 wmic.exe Token: SeRestorePrivilege 3164 wmic.exe Token: SeShutdownPrivilege 3164 wmic.exe Token: SeDebugPrivilege 3164 wmic.exe Token: SeSystemEnvironmentPrivilege 3164 wmic.exe Token: SeRemoteShutdownPrivilege 3164 wmic.exe Token: SeUndockPrivilege 3164 wmic.exe Token: SeManageVolumePrivilege 3164 wmic.exe Token: 33 3164 wmic.exe Token: 34 3164 wmic.exe Token: 35 3164 wmic.exe Token: 36 3164 wmic.exe Token: SeIncreaseQuotaPrivilege 4492 wmic.exe Token: SeSecurityPrivilege 4492 wmic.exe Token: SeTakeOwnershipPrivilege 4492 wmic.exe Token: SeLoadDriverPrivilege 4492 wmic.exe Token: SeSystemProfilePrivilege 4492 wmic.exe Token: SeSystemtimePrivilege 4492 wmic.exe Token: SeProfSingleProcessPrivilege 4492 wmic.exe Token: SeIncBasePriorityPrivilege 4492 wmic.exe Token: SeCreatePagefilePrivilege 4492 wmic.exe Token: SeBackupPrivilege 4492 wmic.exe Token: SeRestorePrivilege 4492 wmic.exe Token: SeShutdownPrivilege 4492 wmic.exe Token: SeDebugPrivilege 4492 wmic.exe Token: SeSystemEnvironmentPrivilege 4492 wmic.exe Token: SeRemoteShutdownPrivilege 4492 wmic.exe Token: SeUndockPrivilege 4492 wmic.exe Token: SeManageVolumePrivilege 4492 wmic.exe Token: 33 4492 wmic.exe Token: 34 4492 wmic.exe Token: 35 4492 wmic.exe Token: 36 4492 wmic.exe Token: SeIncreaseQuotaPrivilege 3512 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
ab.exedescription pid process target process PID 2868 wrote to memory of 1692 2868 ab.exe wmic.exe PID 2868 wrote to memory of 1692 2868 ab.exe wmic.exe PID 2868 wrote to memory of 1692 2868 ab.exe wmic.exe PID 2868 wrote to memory of 4620 2868 ab.exe wmic.exe PID 2868 wrote to memory of 4620 2868 ab.exe wmic.exe PID 2868 wrote to memory of 4620 2868 ab.exe wmic.exe PID 2868 wrote to memory of 2564 2868 ab.exe wmic.exe PID 2868 wrote to memory of 2564 2868 ab.exe wmic.exe PID 2868 wrote to memory of 2564 2868 ab.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
ab.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ab.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" ab.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab.exe"C:\Users\Admin\AppData\Local\Temp\ab.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
1File Deletion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exeFilesize
775KB
MD50b486fe0503524cfe4726a4022fa6a68
SHA1297dea71d489768ce45d23b0f8a45424b469ab00
SHA2561228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
C:\Users\Admin\Documents\Bypu6_readme_.txtFilesize
3KB
MD517616647cae98bac1184664f34721e08
SHA1416e4d45123c54bd84c51791113f8fcaee8bf0ee
SHA256e7c01fce73e5d92c1ddab847507cba6c26fc315e3c2d33a5f183def3e9fb1bc7
SHA512a07d0dbcd4499c599399073b54b90c4aa0f37743ab6e98df505a0aa2092d1b24ccd18ba70bd6aba7f3e01a32287b5806041ac38faf1d15e159e4b1a86e407b90
-
C:\Users\Admin\Downloads\Bypu6_readme_.txtFilesize
3KB
MD59b78bb86ef9801447aaa11ec97a55ddd
SHA151989b9dc94c9ac0168cc7ffc4cff58a11253eb4
SHA256fa647dfdf8ddd14e26339bb6718fb6b6bb4aa47b28160ba71ec947019b743286
SHA51273263bb4051671721752a9fdfdb2c54f2f631a9ea7a0f14b3902ba9fbc3564b6cdae5dedff6cc1d232cf80563550dfd6cced99b8a850fb520277d21871f55869