Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-04-2024 10:08
Behavioral task: behavioral1
Sample: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource: win10v2004-20240226-en
General
Target: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Size: 775KB
MD5: 7fc5a1aafb84705745dba65e2a178217
SHA1: 0825e3b2115c9053563a307402e32d28056223a7
SHA256: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512: b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
SSDEEP: 24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq
Malware Config
Extracted from C:\Users\Admin\Desktop\P9o5m_readme_.txt
Family: avaddon
URLs:
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Favorites\MSN Websites\P9o5m_readme_.txt
Family: avaddon
URLs:
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Avaddon payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe | family_avaddon
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: wmic.exe, wmic.exe, wmic.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2708 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2708 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2708 | wmic.exe |
UAC bypass
Processes: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 1 IoCs
Processes: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
pid | process
1772 | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Checks whether UAC is enabled
Processes: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Drops desktop.ini file(s) 1 IoCs
Processes: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
description | ioc | process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
2348 | vssadmin.exe
1304 | vssadmin.exe
1772 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 28 IoCs
System policy modification 1 TTPs 3 IoCs
Processes: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"
  Signatures: UAC bypass; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9B448E15-34E5-475D-BBDD-ED4E6759692C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    Signatures: Executes dropped EXE
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Indicator Removal (2)
  - File Deletion (2)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Filesize: 775KB
MD5: 7fc5a1aafb84705745dba65e2a178217
SHA1: 0825e3b2115c9053563a307402e32d28056223a7
SHA256: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512: b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
C:\Users\Admin\Desktop\P9o5m_readme_.txt
Filesize: 3KB
MD5: b173b134f57bc0f86df4a6a16fc09206
SHA1: 1b0dbd384436538a56b58d0d6aed107128a95ddc
SHA256: 9db99c60d7ad614183f70bb744eed68f73acc7b6d37d482df1fcc374449aa62e
SHA512: 5570e3bd0419c41d2ea4c72f42e4631f199ec89e9c8baa5387386b2f8c35f7a5020aa5f31255fcf0aa2b3450403c7dbe40cdf63438ff0e170474172d4534eb19
C:\Users\Admin\Favorites\MSN Websites\P9o5m_readme_.txt
Filesize: 3KB
MD5: 439f2b3e15e4c3be23c96aacfc95e692
SHA1: d61c60e918b7dc9ceb64ec4a3b048dcb3a44db97
SHA256: 69dfe8212476e820811d81c7a348a657a8211c549a7c36380612bf530f8cbac1
SHA512: 80f368770c9675ea12e71a4a3022dda1aea093965e00e34cef434f315c9077e7da66c951e10856333e91af0531661b6e801bb05930809a088339d036b23683ea