Analysis
-
max time kernel
152s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource
win10v2004-20240226-en
General
-
Target
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
-
Size
775KB
-
MD5
7fc5a1aafb84705745dba65e2a178217
-
SHA1
0825e3b2115c9053563a307402e32d28056223a7
-
SHA256
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
-
SHA512
b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
-
SSDEEP
24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq
Malware Config
Extracted
C:\Users\Admin\Desktop\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\HvQEW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2392 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1280 2392 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2392 wmic.exe -
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (161) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exepid process 3112 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription ioc process File opened (read-only) \??\Z: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\A: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\N: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\O: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\V: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\X: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\Y: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\U: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\W: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\E: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\H: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\I: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\M: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\R: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\S: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\T: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\F: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\G: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\J: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\K: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\L: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\P: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\Q: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe File opened (read-only) \??\B: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exepid process 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 1652 wmic.exe Token: SeSecurityPrivilege 1652 wmic.exe Token: SeTakeOwnershipPrivilege 1652 wmic.exe Token: SeLoadDriverPrivilege 1652 wmic.exe Token: SeSystemProfilePrivilege 1652 wmic.exe Token: SeSystemtimePrivilege 1652 wmic.exe Token: SeProfSingleProcessPrivilege 1652 wmic.exe Token: SeIncBasePriorityPrivilege 1652 wmic.exe Token: SeCreatePagefilePrivilege 1652 wmic.exe Token: SeBackupPrivilege 1652 wmic.exe Token: SeRestorePrivilege 1652 wmic.exe Token: SeShutdownPrivilege 1652 wmic.exe Token: SeDebugPrivilege 1652 wmic.exe Token: SeSystemEnvironmentPrivilege 1652 wmic.exe Token: SeRemoteShutdownPrivilege 1652 wmic.exe Token: SeUndockPrivilege 1652 wmic.exe Token: SeManageVolumePrivilege 1652 wmic.exe Token: 33 1652 wmic.exe Token: 34 1652 wmic.exe Token: 35 1652 wmic.exe Token: 36 1652 wmic.exe Token: SeIncreaseQuotaPrivilege 1280 wmic.exe Token: SeSecurityPrivilege 1280 wmic.exe Token: SeTakeOwnershipPrivilege 1280 wmic.exe Token: SeLoadDriverPrivilege 1280 wmic.exe Token: SeSystemProfilePrivilege 1280 wmic.exe Token: SeSystemtimePrivilege 1280 wmic.exe Token: SeProfSingleProcessPrivilege 1280 wmic.exe Token: SeIncBasePriorityPrivilege 1280 wmic.exe Token: SeCreatePagefilePrivilege 1280 wmic.exe Token: SeBackupPrivilege 1280 wmic.exe Token: SeRestorePrivilege 1280 wmic.exe Token: SeShutdownPrivilege 1280 wmic.exe Token: SeDebugPrivilege 1280 wmic.exe Token: SeSystemEnvironmentPrivilege 1280 wmic.exe Token: SeRemoteShutdownPrivilege 1280 wmic.exe Token: SeUndockPrivilege 1280 wmic.exe Token: SeManageVolumePrivilege 1280 wmic.exe Token: 33 1280 wmic.exe Token: 34 1280 wmic.exe Token: 35 1280 wmic.exe Token: 36 1280 wmic.exe Token: SeIncreaseQuotaPrivilege 1652 wmic.exe Token: SeSecurityPrivilege 1652 wmic.exe Token: SeTakeOwnershipPrivilege 1652 wmic.exe Token: SeLoadDriverPrivilege 1652 wmic.exe Token: SeSystemProfilePrivilege 1652 wmic.exe Token: SeSystemtimePrivilege 1652 wmic.exe Token: SeProfSingleProcessPrivilege 1652 wmic.exe Token: SeIncBasePriorityPrivilege 1652 wmic.exe Token: SeCreatePagefilePrivilege 1652 wmic.exe Token: SeBackupPrivilege 1652 wmic.exe Token: SeRestorePrivilege 1652 wmic.exe Token: SeShutdownPrivilege 1652 wmic.exe Token: SeDebugPrivilege 1652 wmic.exe Token: SeSystemEnvironmentPrivilege 1652 wmic.exe Token: SeRemoteShutdownPrivilege 1652 wmic.exe Token: SeUndockPrivilege 1652 wmic.exe Token: SeManageVolumePrivilege 1652 wmic.exe Token: 33 1652 wmic.exe Token: 34 1652 wmic.exe Token: 35 1652 wmic.exe Token: 36 1652 wmic.exe Token: SeIncreaseQuotaPrivilege 2672 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription pid process target process PID 1800 wrote to memory of 4440 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 4440 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 4440 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 4036 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 4036 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 4036 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 2984 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 2984 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe PID 1800 wrote to memory of 2984 1800 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
1File Deletion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\HvQEW_readme_.txtFilesize
3KB
MD534b14b49181ad24018960171f12af755
SHA1768d79715d51a8dd7e873d8250a35e276f9fd857
SHA2560894aa873b979a61c9ca8ba2f03a5bd812d1b5a8bff4afd802e58cda17f919d9
SHA5120c4efbe1c9d05ae3bd0bbd3db73e9a5d22b648e0d41eef9d5e317252bd554975d838800314f20e97dd560c5e5b673f292f64f8c74e2f48969a17cb3be92a4061
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exeFilesize
775KB
MD57fc5a1aafb84705745dba65e2a178217
SHA10825e3b2115c9053563a307402e32d28056223a7
SHA2562462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
-
C:\Users\Admin\Desktop\HvQEW_readme_.txtFilesize
3KB
MD5babe3f8b201410fdf88449b5fb730df3
SHA172214a8d729c62974aefde55857ac997f69c3657
SHA256db6c2f3dd836ac9f328a37624a24c4161746b4d7618497ce135620d65d7f1474
SHA512a7ab2565ffa5ed2d9126511149a2fac881967152f81848c8a2f8c849e53118d2d7f1d7acd704c2e4ea197634f30de604eff2b2f196355073a696bf2b75b32ba1
-
C:\Users\Admin\Documents\HvQEW_readme_.txtFilesize
3KB
MD5df891e75fa75c7929ac20e4c2d007acf
SHA11697f9bf909d1718c1648a5e190dd809fe31f385
SHA256b4f110795d45f61ef36d55274080eee1de2d876cfc99d394e57adf9a8e0131d2
SHA5129b39d41ebb3ce85a624c779065ab6b11aa624bf2bbee1b16d93ca21521ef7172865dab0bd93efbffd66dbf9c02550497e7e4a4788a2de13a3aad088cbcecdae6
-
C:\Users\Admin\Documents\HvQEW_readme_.txtFilesize
3KB
MD5b19661ca55a40cf0a18f6ec124c59553
SHA16954e9c666e904601f916c5375d79aa2c7dc6891
SHA256f78a0f1e572a75a6c354fa831f058e7d14e5f4a9742d32a3a9ec0c8787bfe30f
SHA512113e05f423290e67431b2dc2435b496eef2496e77744baf8604d5f46a6f21694eb1886bf7e92fef9366c35ed7af306598030f6fbda0b8a05292707914721de75
-
C:\Users\Admin\Downloads\HvQEW_readme_.txtFilesize
3KB
MD53d5c8a685abc1a8ccdeeeb02d95b74b5
SHA1463cb0048fb96a6ac85f1d0b595631739885ef27
SHA2560468301bfc918239137457b261ed86ab62a13aef9d6408314d4473d05548d652
SHA51249e555f6fe6e542b52fef261ccff6fa3ec0e80d5663ea44dd4806c82b43ccff705011b6395afa16bb11ff54e40b56f7ce441e479c88e43730556e36708ab518e
-
C:\Users\Admin\Music\HvQEW_readme_.txtFilesize
3KB
MD552a2c7c007219b7dcd315d10d390a57b
SHA1b29da740a53c88de05c97e4d8ce60cdf6a1c2c1f
SHA256cad50eba719ccbc8fbd2fd6abfd96d94eab0b7491513cd1dd26ba3650e8ffb2e
SHA5125eca9350c57c692d05d07b66ef5c17752b847dffb382e634c34fc20489f68df12f075c59002ab10b27843e1c2cb8f0211a9e777fac94baddb0f867733fb0e33a
-
C:\Users\Admin\Pictures\HvQEW_readme_.txtFilesize
3KB
MD57fc2bdee0b5116623e21150a840fb924
SHA1af88afc55fc336ac5730c30ab0e9f777d86ae793
SHA2569e4ab18e7f0a308a2f54d18d3c4787f77f91fbe792ba4ea058644d36b57c0c16
SHA5122d126289c6fdd5a690bba41e9daf6aff9867bec43d2c2c51dd8ccfce591d2def6c97374df0142102cf815458980f07ef53539c609c8f7b3395c54fbf1155b8eb