Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 10:08
Behavioral task behavioral1
Sample: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource: win7-20240319-en
Behavioral task behavioral2
Sample: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource: win10v2004-20240226-en
General
Target: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Size: 775KB
MD5: 2d2a5a22bc983829cfb4627a271fbd4e
SHA1: c0fc01350ae774f3817d71710d9a6e9adaba441f
SHA256: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
SHA512: 8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
SSDEEP: 24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq
Malware Config
Extracted from C:\Users\Admin\Documents\DuLAL_readme_.txt
- avaddon
- http://avaddongun7rngel.onion
- http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\DuLAL_readme_.txt
- avaddon
- http://avaddongun7rngel.onion
- http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Pictures\DuLAL_readme_.txt
- avaddon
- http://avaddongun7rngel.onion
- http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Avaddon payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
yara_rule: family_avaddon
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: wmic.exe, wmic.exe, wmic.exe
description | pid | pid_target | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2772 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2772 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2772 | wmic.exe
UAC bypass
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE 1 IoCs
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
pid | process
1728 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Checks whether UAC is enabled
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Drops desktop.ini file(s) 1 IoCs
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
description | ioc | process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\desktop.ini | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
All 24 IoCs are "File opened (read-only)" by 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe, in this order:
\??\Y:, \??\Z:, \??\I:, \??\J:, \??\K:, \??\L:, \??\T:, \??\X:, \??\A:, \??\G:, \??\Q:, \??\U:, \??\V:, \??\E:, \??\N:, \??\F:, \??\R:, \??\S:, \??\W:, \??\B:, \??\H:, \??\M:, \??\O:, \??\P:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
1096 | vssadmin.exe
676 | vssadmin.exe
564 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
pid | process
2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe (this same entry is listed 64 times, the report's IoC cap)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wmic.exe (pid 2704), wmic.exe (pid 2592), wmic.exe (pid 2652)
Each of the three wmic.exe processes adjusted the same 20 tokens, in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The entries are listed for pid 2704, then pid 2592, then pid 2652 (60 IoCs). The last four IoCs, up to the report's cap of 64, are pid 2704 again: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege.
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe, taskeng.exe
description | pid | process | target process
PID 2084 wrote to memory of 2716 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | wmic.exe
PID 2084 wrote to memory of 1096 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | vssadmin.exe
PID 2084 wrote to memory of 1604 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | wmic.exe
PID 2084 wrote to memory of 676 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | vssadmin.exe
PID 2084 wrote to memory of 1312 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | wmic.exe
PID 2084 wrote to memory of 564 (4 entries) | 2084 | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe | vssadmin.exe
PID 2468 wrote to memory of 1728 (4 entries) | 2468 | taskeng.exe | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
System policy modification 1 TTPs 3 IoCs
Processes: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"
  Signatures: UAC bypass; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {66E98408-2658-4764-8BE6-5FF835A6E596} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
- Indicator Removal (2)
  - File Deletion (2)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  Filesize: 775KB
  MD5: 2d2a5a22bc983829cfb4627a271fbd4e
  SHA1: c0fc01350ae774f3817d71710d9a6e9adaba441f
  SHA256: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
  SHA512: 8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
- C:\Users\Admin\Documents\DuLAL_readme_.txt
  Filesize: 3KB
  MD5: f9f8f3a6a30fd29a278a1f855febff67
  SHA1: db5ccdf0a295d89018cb72b3916f4264f0abf02d
  SHA256: 76b4dce6c729396aad78f2fbb31ae5e132d88e4471f949ef3e99e20524ec5aa7
  SHA512: 735e41835f0a2acffaeb38f067470140a2c46bc03e4262d75671651abee1dbc3fdc15ac390bbd01b62d4f2e7efbc214f24f741afa28c53482d64cb0ac3f16e6e
- C:\Users\Admin\Downloads\DuLAL_readme_.txt
  Filesize: 3KB
  MD5: 138b6f556dc942f3fe13c343b89d06b1
  SHA1: c14b0dd92c2a835b2016a521ab0b419ee895b049
  SHA256: 25a70e02f3ecbbc55cd0f6ab2f5bb052286674981f7e6c7014ab7d33d8327f82
  SHA512: 075761d34936b7bd9018031d737634665bf752591aaff364bc9694d317ca305554fcfe825c43a6d119328e20999b0d2c563d7903447a2d9c9dcf16fa48269bc1
- C:\Users\Admin\Pictures\DuLAL_readme_.txt
  Filesize: 3KB
  MD5: 62903e3d694bf16677a4985becaf9de3
  SHA1: 4c85eedb72216623be2fae746e1689df93d94f8b
  SHA256: 40b70ecc81cde8aca3d45847d4851e3a2819d627a1ce94588bd93a5fa66a6b32
  SHA512: 29bab13e91c9bd856720ff42d99182350e14e74717e2408bd13fed00cb6e4dddaa9be76184f1937a28ef63a08587274c33919ea52fa80e624962e1edaf071766