Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
Resource
win10v2004-20240226-en
General
-
Target
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
-
Size
775KB
-
MD5
c19084114c85192dacfed89a92da6837
-
SHA1
a1d6461e833813ccfb77a6929de43ab5383dbb98
-
SHA256
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
-
SHA512
cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
-
SSDEEP
24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq
Malware Config
Extracted
C:\Users\Admin\Desktop\QlZZxj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\QlZZxj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\QlZZxj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\QlZZxj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\QlZZxj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 2524 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2524 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2524 wmic.exe -
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exepid process 108 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exedescription ioc process File opened (read-only) \??\Q: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\S: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\V: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\B: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\I: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\N: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\P: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\R: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\Y: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\F: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\G: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\H: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\K: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\T: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\U: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\X: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\A: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\J: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\L: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\W: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\Z: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\E: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\M: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe File opened (read-only) \??\O: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 2728 vssadmin.exe 1800 vssadmin.exe 2240 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exepid process 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2392 wmic.exe Token: SeSecurityPrivilege 2392 wmic.exe Token: SeTakeOwnershipPrivilege 2392 wmic.exe Token: SeLoadDriverPrivilege 2392 wmic.exe Token: SeSystemProfilePrivilege 2392 wmic.exe Token: SeSystemtimePrivilege 2392 wmic.exe Token: SeProfSingleProcessPrivilege 2392 wmic.exe Token: SeIncBasePriorityPrivilege 2392 wmic.exe Token: SeCreatePagefilePrivilege 2392 wmic.exe Token: SeBackupPrivilege 2392 wmic.exe Token: SeRestorePrivilege 2392 wmic.exe Token: SeShutdownPrivilege 2392 wmic.exe Token: SeDebugPrivilege 2392 wmic.exe Token: SeSystemEnvironmentPrivilege 2392 wmic.exe Token: SeRemoteShutdownPrivilege 2392 wmic.exe Token: SeUndockPrivilege 2392 wmic.exe Token: SeManageVolumePrivilege 2392 wmic.exe Token: 33 2392 wmic.exe Token: 34 2392 wmic.exe Token: 35 2392 wmic.exe Token: SeIncreaseQuotaPrivilege 2740 wmic.exe Token: SeSecurityPrivilege 2740 wmic.exe Token: SeTakeOwnershipPrivilege 2740 wmic.exe Token: SeLoadDriverPrivilege 2740 wmic.exe Token: SeSystemProfilePrivilege 2740 wmic.exe Token: SeSystemtimePrivilege 2740 wmic.exe Token: SeProfSingleProcessPrivilege 2740 wmic.exe Token: SeIncBasePriorityPrivilege 2740 wmic.exe Token: SeCreatePagefilePrivilege 2740 wmic.exe Token: SeBackupPrivilege 2740 wmic.exe Token: SeRestorePrivilege 2740 wmic.exe Token: SeShutdownPrivilege 2740 wmic.exe Token: SeDebugPrivilege 2740 wmic.exe Token: SeSystemEnvironmentPrivilege 2740 wmic.exe Token: SeRemoteShutdownPrivilege 2740 wmic.exe Token: SeUndockPrivilege 2740 wmic.exe Token: SeManageVolumePrivilege 2740 wmic.exe Token: 33 2740 wmic.exe Token: 34 2740 wmic.exe Token: 35 2740 wmic.exe Token: SeIncreaseQuotaPrivilege 2628 wmic.exe Token: SeSecurityPrivilege 2628 wmic.exe Token: SeTakeOwnershipPrivilege 2628 wmic.exe Token: SeLoadDriverPrivilege 2628 wmic.exe Token: SeSystemProfilePrivilege 2628 wmic.exe Token: SeSystemtimePrivilege 2628 wmic.exe Token: SeProfSingleProcessPrivilege 2628 wmic.exe Token: SeIncBasePriorityPrivilege 2628 wmic.exe Token: SeCreatePagefilePrivilege 2628 wmic.exe Token: SeBackupPrivilege 2628 wmic.exe Token: SeRestorePrivilege 2628 wmic.exe Token: SeShutdownPrivilege 2628 wmic.exe Token: SeDebugPrivilege 2628 wmic.exe Token: SeSystemEnvironmentPrivilege 2628 wmic.exe Token: SeRemoteShutdownPrivilege 2628 wmic.exe Token: SeUndockPrivilege 2628 wmic.exe Token: SeManageVolumePrivilege 2628 wmic.exe Token: 33 2628 wmic.exe Token: 34 2628 wmic.exe Token: 35 2628 wmic.exe Token: SeIncreaseQuotaPrivilege 2392 wmic.exe Token: SeSecurityPrivilege 2392 wmic.exe Token: SeTakeOwnershipPrivilege 2392 wmic.exe Token: SeLoadDriverPrivilege 2392 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exetaskeng.exedescription pid process target process PID 2896 wrote to memory of 2476 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2476 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2476 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2476 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2728 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2728 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2728 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2728 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2332 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2332 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2332 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2332 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 1800 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 1800 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 1800 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 1800 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 1124 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 1124 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 1124 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 1124 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe wmic.exe PID 2896 wrote to memory of 2240 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2240 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2240 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2896 wrote to memory of 2240 2896 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe vssadmin.exe PID 2132 wrote to memory of 108 2132 taskeng.exe 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe PID 2132 wrote to memory of 108 2132 taskeng.exe 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe PID 2132 wrote to memory of 108 2132 taskeng.exe 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe PID 2132 wrote to memory of 108 2132 taskeng.exe 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {F3179155-2F08-4738-BF40-442DB6E4F0C5} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\QlZZxj_readme_.txtFilesize
3KB
MD5ecb21609a308dbc3d96cada66b6bf0da
SHA18d014444ee9f8c64963da7df3919c3cb065ac5a3
SHA2563df5a7e603f388148e3a864a39d07ff44888ec4d85fb293c1905453c8d7acd2c
SHA512cfe8446321541e290c93652e6f6b8a59002654ed4a8eed5dc33346ac36724a5f18e317dbe10e0cf64a3dd922d184159e364391dcddb59b401e8ad3ef6da7b74e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exeFilesize
775KB
MD5c19084114c85192dacfed89a92da6837
SHA1a1d6461e833813ccfb77a6929de43ab5383dbb98
SHA25646a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
SHA512cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
-
C:\Users\Admin\Desktop\QlZZxj_readme_.txtFilesize
3KB
MD57165c8ec7196668008df9c816346d1f8
SHA1953d3d6d0d29ab142d7b628e25b7d4053de7e021
SHA256172e5172771334ec6a532d1e510ccf0c2f7e2d89086cd3ad5bc748bad9381a1e
SHA5129d27b33896aee9f57a5724f356c8d9444ac425de6791edb76f82c13e01e55e9907dd5b783e74e8194b96e6cf637f753e880d3223e57dbd9f45cefcc5444d5340
-
C:\Users\Admin\Desktop\QlZZxj_readme_.txtFilesize
3KB
MD54a8a0f6f001c2969ba7de041ab881316
SHA16943d6b37cc50ce3b53e1e81c65ff219f2791c71
SHA2562fe82817ec2f3475eb70b042d20f965e208c61db11a90150dd65d7dfeaeb79ce
SHA512ffdea0d4f79bef089a4ba4691abf582d61c0f08221c3ff83e9c576df1d477e7512565c5276bd4f556042604bb5cfb247e99f5ca16f2364b13a93a502be057adb
-
C:\Users\Admin\Documents\QlZZxj_readme_.txtFilesize
3KB
MD5c54637b64738c619faaa25de0e5e6324
SHA1dd0e1f11c5fd1085c0e405c4798026464a824b03
SHA2560669024616f98740541bca9c5b760d9c594b3e648ce84d9569e801567ae85781
SHA51245f105da9af2096c576bf1f6bc65ce5788603276f6afdb3e57a86b647b7efa45c10b38ce14187c66c4c44c67f2b3dc1768c70e82e957531ce1fdef1e0d99f1c2
-
C:\Users\Admin\Downloads\QlZZxj_readme_.txtFilesize
3KB
MD593cd79bfa82d29877434d6cf8c3a9ba3
SHA146578f53ccdc726c929e7c42f29602ddee1377cb
SHA2568cc5d9397412836bad352eb855d7ff49f5464cbd2d68cc62d159bb58554eb6d6
SHA51287300ea55e3cd3e19b63cb7a744c01066ca2bc600be3bc35bcb63b9152b252666d600c02571d27844858ffc04ab4843f0053563fd2d5e7e8ce2ce41829f50189