Analysis
- max time kernel: 146s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 10:08
Behavioral task behavioral1
- Sample: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Resource: win10v2004-20240226-en
General
- Target: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Size: 775KB
- MD5: c19084114c85192dacfed89a92da6837
- SHA1: a1d6461e833813ccfb77a6929de43ab5383dbb98
- SHA256: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
- SHA512: cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
- SSDEEP: 24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq
Malware Config
Extracted from C:\Users\Admin\Desktop\BCJwk_readme_.txt
- Family: avaddon
- http://avaddongun7rngel.onion
- http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\BCJwk_readme_.txt
- Family: avaddon
- http://avaddongun7rngel.onion
- http://avaddonbotrxmuyl.onion
Signatures
- Avaddon
Ransomware-as-a-service first seen in June 2020; the operators announced a shutdown and released victim keys in June 2021.
- Avaddon payload (1 IoC)
Resource | YARA rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | family_avaddon
- Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. That generic explanation does not fit here: the recorded parent is the WMI provider host (wmiprvse.exe, PID 4536), so the trigger is process creation through WMI rather than an exploited application.
Description | PID | Parent PID | Process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4896 | 4536 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 4536 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 4536 | wmic.exe
- UAC bypass
EnableLUA = 0 disables UAC entirely (effective after the next logon/reboot); ConsentPromptBehaviorAdmin = 0 makes elevation silent for members of the Administrators group.
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. Here the sample runs "wmic SHADOWCOPY DELETE /nointeractive" three times (see the process tree below).
- Renames multiple (150) files with added filename extension
This suggests ransomware activity: files are encrypted in place and renamed with an appended extension, and a ransom note (BCJwk_readme_.txt) is written alongside them.
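Two of the behaviours above (a burst of renames that append one extension, and the same note filename dropped into several directories) are cheap to detect from file-system telemetry without knowing the family in advance. The block below is an added example, not part of the sandbox report or the Avaddon sample: the rename and file-creation events are constructed for the example (the ".xyzab" extension is a placeholder, since the report does not state the extension this sample appends; the note paths are the two from the report), and the threshold and window are assumptions to tune per estate.

```python
"""Rate-based ransomware detection over constructed file-rename events."""
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # seconds since an arbitrary epoch
    pid: int
    old: str    # path before rename
    new: str    # path after rename


def appended_extension(old, new):
    """Return the suffix if `new` is `old` with exactly one extra extension
    appended in the same directory (report.docx -> report.docx.xyzab gives
    'xyzab'); return None for any other kind of rename."""
    old_dir, old_name = ntpath.split(old)
    new_dir, new_name = ntpath.split(new)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name) + 1:]
    return ext if ext and "." not in ext else None


def detect_rename_bursts(events, threshold=10, window=60.0):
    """Sliding-window count of append-extension renames per (pid, extension).
    Emits one alert per key the first time `threshold` renames land inside
    `window` seconds. Threshold/window are assumed values, not from the report."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ext = appended_extension(ev.old, ev.new)
        if ext is None:
            continue
        key = (ev.pid, ext.lower())
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": ev.pid, "extension": ext, "count": len(q),
                           "first_seen": q[0], "last_seen": ev.ts})
    return alerts


def repeated_note_drops(created_paths, min_dirs=2):
    """Filenames created in at least `min_dirs` distinct directories, the
    pattern of a ransom note written next to every encrypted folder."""
    dirs_by_name = defaultdict(set)
    for path in created_paths:
        directory, name = ntpath.split(path)
        dirs_by_name[name.lower()].add(directory.lower())
    return {name: sorted(dirs) for name, dirs in dirs_by_name.items()
            if len(dirs) >= min_dirs}


def constructed_events():
    """Constructed sample: PID 1520 renames 150 files in 30 s, appending
    '.xyzab'; PID 7000 is a user renaming two files by hand."""
    events = []
    dirs = [r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures",
            r"C:\Users\Admin\Desktop"]
    for i in range(150):
        old = ntpath.join(dirs[i % 3], f"file{i:03d}.docx")
        events.append(RenameEvent(100.0 + i * 0.2, 1520, old, old + ".xyzab"))
    events.append(RenameEvent(50.0, 7000, r"C:\Users\Admin\Documents\draft.docx",
                              r"C:\Users\Admin\Documents\draft_final.docx"))
    events.append(RenameEvent(400.0, 7000, r"C:\Users\Admin\Documents\a.txt",
                              r"C:\Users\Admin\Documents\a.txt.bak"))
    return events


# Constructed file-creation list: the two note paths from the report plus one
# ordinary user file.
CREATED_FILES = [
    r"C:\Users\Admin\Desktop\BCJwk_readme_.txt",
    r"C:\Users\Admin\Downloads\BCJwk_readme_.txt",
    r"C:\Users\Admin\Documents\notes.txt",
]

if __name__ == "__main__":
    for a in detect_rename_bursts(constructed_events()):
        print(f"rename burst: pid={a['pid']} ext=.{a['extension']} "
              f"count={a['count']} within {a['last_seen'] - a['first_seen']:.1f}s")
    for name, dirs in repeated_note_drops(CREATED_FILES).items():
        print(f"note dropped in {len(dirs)} dirs: {name}")
```

The rename rule fires on the tenth matching rename, well before the 150 the sandbox counted, so a response hook placed here (suspend the PID, isolate the host) can still save most of the user's files; the single ".bak" rename by PID 7000 never reaches the threshold and stays silent.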
- Executes dropped EXE (1 IoC)
PID | Process
4524 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe (the copy in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\)
- Checks whether UAC is enabled
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Drops desktop.ini file(s) (1 IoC)
Description | IoC | Process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe, in the order recorded:
\??\U:, \??\Z:, \??\F:, \??\J:, \??\O:, \??\R:, \??\S:, \??\Y:, \??\I:, \??\Q:, \??\L:, \??\M:, \??\N:, \??\P:, \??\E:, \??\G:, \??\H:, \??\K:, \??\T:, \??\V:, \??\W:, \??\X:, \??\A:, \??\B:
(every letter except C: and D:, i.e. the sample probes all possible mapped or removable volumes rather than querying which exist)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process
1520 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe (64 identical entries; the list is capped at 64)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Each of the three 64-bit wmic.exe instances (PIDs 4896, 1548 and 776) enabled the same 21 token privileges, in this order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
(3 x 21 = 63 entries; the 64th and last recorded entry is a second SeIncreaseQuotaPrivilege for PID 4896, after which the list is capped)
- Suspicious use of WriteProcessMemory (9 IoCs)
PID 1520 (46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe) wrote to the memory of each of its three wmic.exe children, three writes per child:
Source PID | Target PID | Target process
1520 | 1132 | wmic.exe (3 writes)
1520 | 2776 | wmic.exe (3 writes)
1520 | 3192 | wmic.exe (3 writes)
- System policy modification (1 TTP, 3 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated token as well, which matters for a process that walks A: to Z: looking for files to encrypt.
- Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots; vssvc.exe starting during the run (see the process tree) is the service being activated by the shadow copy deletions.
Processes
- C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic SHADOWCOPY DELETE /nointeractive
- C:\Windows\system32\wbem\wmic.exe
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  - Executes dropped EXE
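The process tree and the registry signatures above give three host-based detections that do not depend on the Avaddon YARA rule: wmic.exe deleting shadow copies, wmiprvse.exe spawning wmic.exe, and the UAC policy values being set. The block below is an added example, not part of the sandbox report or the sample: it runs those three rules over constructed Sysmon-shaped events (Event ID 1 process creation, Event ID 13 registry value set). PIDs, images, command lines and registry values are taken from the report; the explorer.exe parent and its PID 3344 for the initial process, the benign "wmic os get caption" control event, the Sysmon field layout, and the "delete shadows" (vssadmin) spelling that generalises the rule beyond what this sample used are assumptions.

```python
"""Rule-based detection over constructed Sysmon-style events."""
import re
from dataclasses import dataclass

SAMPLE_EXE = "46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_EXE
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed events. EventID 1 = process create, 13 = registry value set.
# Values come from the report; the explorer.exe parent (PID 3344) and the
# final benign wmic invocation are made up for the example.
EVENTS = [
    {"EventID": 1, "ProcessId": 1520, "ParentProcessId": 3344,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": SAMPLE_PATH,
     "CommandLine": '"' + SAMPLE_PATH + '"'},
    {"EventID": 1, "ProcessId": 1132, "ParentProcessId": 1520,
     "ParentImage": SAMPLE_PATH, "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"EventID": 1, "ProcessId": 4896, "ParentProcessId": 4536,
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\wbem\wmic.exe",
     "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"EventID": 13, "ProcessId": 1520, "Image": SAMPLE_PATH,
     "TargetObject": POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 1520, "Image": SAMPLE_PATH,
     "TargetObject": POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 1520, "Image": SAMPLE_PATH,
     "TargetObject": POLICY_KEY + r"\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    # Benign control: an admin querying WMI from a console; must not alert.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4000,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# "shadowcopy delete" is what this sample ran; "delete shadows" is the
# vssadmin form added as a generalisation.
SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.IGNORECASE)
SHADOW_TOOLS = {"wmic.exe", "vssadmin.exe"}

# UAC policy values, with the value that indicates tampering.
UAC_POLICY = {
    "EnableLUA": 0,                   # UAC disabled
    "ConsentPromptBehaviorAdmin": 0,  # silent elevation for administrators
    "EnableLinkedConnections": 1,     # mapped drives visible to elevated token
}
POLICY_TAIL = re.compile(r"\\Policies\\System\\(" + "|".join(UAC_POLICY) + r")$",
                         re.IGNORECASE)
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")

# Children that the WMI provider host should not be launching; extend per estate.
UNEXPECTED_WMIPRVSE_CHILDREN = {"wmic.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    alerts = []
    image = basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if image in SHADOW_TOOLS and SHADOW_DELETE.search(cmd):
        alerts.append(Alert("shadow_copy_deletion", ev["ProcessId"], cmd))
    if (basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and image in UNEXPECTED_WMIPRVSE_CHILDREN):
        alerts.append(Alert("unexpected_wmiprvse_child", ev["ProcessId"],
                            "parent pid %d spawned %s" % (ev["ParentProcessId"], image)))
    return alerts


def check_registry(ev):
    m = POLICY_TAIL.search(ev["TargetObject"])
    if not m:
        return []
    name = next(k for k in UAC_POLICY if k.lower() == m.group(1).lower())
    d = DWORD.search(ev.get("Details", ""))
    if d and int(d.group(1), 16) == UAC_POLICY[name]:
        return [Alert("uac_policy_tamper", ev["ProcessId"], "%s=%d" % (name, UAC_POLICY[name]))]
    return []


def detect(events):
    """Run every rule over the event stream; returns alerts in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(check_process(ev))
        elif ev["EventID"] == 13:
            alerts.extend(check_registry(ev))
    return alerts


def by_rule(alerts):
    """Group alerting PIDs by rule name, e.g. {'shadow_copy_deletion': [1132, 4896]}."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.rule, []).append(a.pid)
    return grouped


if __name__ == "__main__":
    for a in detect(EVENTS):
        print("[%s] pid=%d %s" % (a.rule, a.pid, a.detail))
```

The 64-bit wmic.exe (PID 4896) trips two rules at once, which is the combination worth paging on: a shadow-copy deletion is occasionally legitimate backup hygiene, but one launched by the WMI provider host while the same host is flipping EnableLUA to 0 is not.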
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1) [T1548.002]
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1) [T1548.002]
- Impair Defenses (1): Disable or Modify Tools (1) [T1562.001]
- Modify Registry (2) [T1112]
- Indicator Removal (1): File Deletion (1) [T1070.004]
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Filesize: 775KB
  MD5: c19084114c85192dacfed89a92da6837
  SHA1: a1d6461e833813ccfb77a6929de43ab5383dbb98
  SHA256: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
  SHA512: cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
  (byte-identical to the submitted sample: the dropped copy is a plain self-copy, not a second-stage payload)
- C:\Users\Admin\Desktop\BCJwk_readme_.txt
  Filesize: 3KB
  MD5: 2a7e91ea0b6a11f933d764582691ad5b
  SHA1: 991036746189ef3926225b6cebce0584ba026b15
  SHA256: 96e8e6cd27b62fb247159ead4c22b1b9a7ddec43d4145975f1fcabca7b402aff
  SHA512: 341e84e45e4ae4ea8797642fa5f31e3fdd144234d750699388c625a7a42885ebaf62a5afc2ea1351f110d51473694430f9a8328fd7d9f115cad8672aff1107e5
- C:\Users\Admin\Downloads\BCJwk_readme_.txt
  Filesize: 3KB
  MD5: 229d31f6cec29ae41bd13f1e618d9408
  SHA1: 51618e8067d8a66073252fc07cab6d956bb68c8e
  SHA256: b6e6b3d190833ad9ef992ced89dc8e8c4d997f8e00ce19deb698f9bf51ed4d3e
  SHA512: 57dac91d63c0bddb6b4ef1205a655f0a911e7aa0493ce80b3f15750d6150cb3945b10ad45ac67efd6de2257063f331698160e456c89d74685e87936ecd6b1365
  (the two notes have different hashes, so the note content varies per location; hash-based note detection should key on the filename, not the content)
- memory/4524-434-0x0000000075640000-0x000000007564B000-memory.dmp
  Filesize: 44KB
- memory/4524-433-0x0000000075650000-0x000000007566D000-memory.dmp
  Filesize: 116KB
- memory/4524-432-0x00000000758F0000-0x0000000075909000-memory.dmp
  Filesize: 100KB