Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win10v2004-20240226-en
General
-
Target
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
-
Size
775KB
-
MD5
117da2dd6fa24616f63eb43d5a15e5d3
-
SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97
-
SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
-
SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
SSDEEP
24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq
Malware Config
Extracted
C:\Users\Admin\Desktop\DuLAL_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\DuLAL_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\MSN Websites\DuLAL_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\DuLAL_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\DuLAL_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2616 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 2616 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 2616 wmic.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 840 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened (read-only) \??\J: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Q: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\I: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\N: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\P: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\H: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\E: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\K: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\L: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\M: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\S: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\T: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\U: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\B: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\W: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\X: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\F: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\V: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\G: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\O: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\R: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Y: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Z: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\A: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 2248 vssadmin.exe 1984 vssadmin.exe 2000 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 936 wmic.exe Token: SeSecurityPrivilege 936 wmic.exe Token: SeTakeOwnershipPrivilege 936 wmic.exe Token: SeLoadDriverPrivilege 936 wmic.exe Token: SeSystemProfilePrivilege 936 wmic.exe Token: SeSystemtimePrivilege 936 wmic.exe Token: SeProfSingleProcessPrivilege 936 wmic.exe Token: SeIncBasePriorityPrivilege 936 wmic.exe Token: SeCreatePagefilePrivilege 936 wmic.exe Token: SeBackupPrivilege 936 wmic.exe Token: SeRestorePrivilege 936 wmic.exe Token: SeShutdownPrivilege 936 wmic.exe Token: SeDebugPrivilege 936 wmic.exe Token: SeSystemEnvironmentPrivilege 936 wmic.exe Token: SeRemoteShutdownPrivilege 936 wmic.exe Token: SeUndockPrivilege 936 wmic.exe Token: SeManageVolumePrivilege 936 wmic.exe Token: 33 936 wmic.exe Token: 34 936 wmic.exe Token: 35 936 wmic.exe Token: SeIncreaseQuotaPrivilege 2428 wmic.exe Token: SeSecurityPrivilege 2428 wmic.exe Token: SeTakeOwnershipPrivilege 2428 wmic.exe Token: SeLoadDriverPrivilege 2428 wmic.exe Token: SeSystemProfilePrivilege 2428 wmic.exe Token: SeSystemtimePrivilege 2428 wmic.exe Token: SeProfSingleProcessPrivilege 2428 wmic.exe Token: SeIncBasePriorityPrivilege 2428 wmic.exe Token: SeCreatePagefilePrivilege 2428 wmic.exe Token: SeBackupPrivilege 2428 wmic.exe Token: SeRestorePrivilege 2428 wmic.exe Token: SeShutdownPrivilege 2428 wmic.exe Token: SeDebugPrivilege 2428 wmic.exe Token: SeSystemEnvironmentPrivilege 2428 wmic.exe Token: SeRemoteShutdownPrivilege 2428 wmic.exe Token: SeUndockPrivilege 2428 wmic.exe Token: SeManageVolumePrivilege 2428 wmic.exe Token: 33 2428 wmic.exe Token: 34 2428 wmic.exe Token: 35 2428 wmic.exe Token: SeIncreaseQuotaPrivilege 2484 wmic.exe Token: SeSecurityPrivilege 2484 wmic.exe Token: SeTakeOwnershipPrivilege 2484 wmic.exe Token: SeLoadDriverPrivilege 2484 wmic.exe Token: SeSystemProfilePrivilege 2484 wmic.exe Token: SeSystemtimePrivilege 2484 wmic.exe Token: SeProfSingleProcessPrivilege 2484 wmic.exe Token: SeIncBasePriorityPrivilege 2484 wmic.exe Token: SeCreatePagefilePrivilege 2484 wmic.exe Token: SeBackupPrivilege 2484 wmic.exe Token: SeRestorePrivilege 2484 wmic.exe Token: SeShutdownPrivilege 2484 wmic.exe Token: SeDebugPrivilege 2484 wmic.exe Token: SeSystemEnvironmentPrivilege 2484 wmic.exe Token: SeRemoteShutdownPrivilege 2484 wmic.exe Token: SeUndockPrivilege 2484 wmic.exe Token: SeManageVolumePrivilege 2484 wmic.exe Token: 33 2484 wmic.exe Token: 34 2484 wmic.exe Token: 35 2484 wmic.exe Token: SeIncreaseQuotaPrivilege 936 wmic.exe Token: SeSecurityPrivilege 936 wmic.exe Token: SeTakeOwnershipPrivilege 936 wmic.exe Token: SeLoadDriverPrivilege 936 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exetaskeng.exedescription pid process target process PID 2656 wrote to memory of 2840 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 2840 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 2840 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 2840 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 2248 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2248 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2248 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2248 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 1944 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1944 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1944 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1944 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1984 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 1984 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 1984 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 1984 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 1936 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1936 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1936 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 1936 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2656 wrote to memory of 2000 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2000 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2000 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2656 wrote to memory of 2000 2656 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2588 wrote to memory of 840 2588 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 2588 wrote to memory of 840 2588 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 2588 wrote to memory of 840 2588 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 2588 wrote to memory of 840 2588 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {E5487F54-5F19-4E84-A55C-0DB05EF81785} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\DuLAL_readme_.txtFilesize
3KB
MD584989f395d9092fa15e0cf3d21501c6d
SHA19b01453b0f97bb71c1ef9fce338e82bec7ce9ec0
SHA256de555dc601225676d09ae840d6a3ea759257ec731f1fd909c09aa06fd796bf1a
SHA512ea3c6e2ac4341b84474e538fbdb3115872b70532b4d9053ba9ddaa0e975f72f4d360948a90450db22f411992dc4e8e240632c152bbc7faff5177ae82b3e68b90
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeFilesize
775KB
MD5117da2dd6fa24616f63eb43d5a15e5d3
SHA1b4d70eecdef52ceef15f04a025d1ab08f193fb97
SHA25648d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
SHA512de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
C:\Users\Admin\Desktop\DuLAL_readme_.txtFilesize
3KB
MD5a6ddb178d2cfcc2f91282fcc617535f4
SHA113b2bffe3eda0eb76e40cc696ece164a3fe49fb6
SHA2568809253c6f49448d01077f398618997ae9ea48b787cdc1c0c74073dab5739012
SHA512a3577a0b3293275dd5e50f73f2a5ab9dfed652d0dbe06530ef28968fc1d41f04242f125d0d43b8d253a4faea64f176d5c3b61284327da0db498d4e0dfc74d4b8
-
C:\Users\Admin\Desktop\DuLAL_readme_.txtFilesize
3KB
MD555e669c9697f82882f9e5e2553a42877
SHA1a9b94c465d18af2e817dd4b106c5b7ade75003e4
SHA256b47d5a54ea81cf1dc4502fd6d61d35f69fabd5c2b674b3764d3b2c17f12c4790
SHA5125f1a847c612e993294166effc2d21191459d5b80ab958a8d56dbdc8ce703ec23ff7de753e577fd5c67931f0808002c8120ab36729f68af27250e41cd3abc7bea
-
C:\Users\Admin\Favorites\MSN Websites\DuLAL_readme_.txtFilesize
3KB
MD5280b802a1c84a420afce39afaa5dadc2
SHA154f2d618bacd3029dcaedfc145e19cdd7e8957d0
SHA2569f488ae750b3d845e909e2c1e92a4a230bf8f632add10b6fb7a3569c56233d51
SHA5123480f19482dd3d9d50fa7d934dbb42bd02e2c77b20f473dce5e4fec0228a6c33bc7baece452aa02dfeb7705f929bc177f8ed87220a1cd676a6a03eac637eb2e6
-
C:\Users\Admin\Music\DuLAL_readme_.txtFilesize
3KB
MD50704dd9e5f27f4d153ae53220306f216
SHA1be93c9dc4098fd60ea01281fcf4d3384f12a9fbb
SHA256ac6572b530adfb487cfba60230d17a3830d90076e90d7e1219d6c74942fad2e4
SHA5121cbd7973a136e6bf70bcf8bf63aa54e25c9271c710550b2205508ac468b185588056ad502d70a910bed2f03f2e2b04c21a67cee7af83d26869eab0e7ebe53167