Analysis

max time kernel: 150s
max time network: 129s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-04-2024 10:08
Static task: static1

Behavioral task: behavioral1
  Sample: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Resource: win10v2004-20240226-en
General

Target: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Size: 645KB
MD5: 79cdf459683c39e9704a37a6be9bc877
SHA1: 450d4f351c3dd168e313b309da4bd8a817453d1d
SHA256: 48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c
SHA512: 2cc3f164e92650c4d4aed7012da7d303d24cdc63565ed744a28cb6d59465189233a128a01f4b807aa972057e0d0d98742c5ca9b41a67bf59f0f115de30eb6bd4
SSDEEP: 12288:Ya8gND5n7gG2WERaCyDVbdlSQLeYBgdAULx9mutZo5B:YgNDBg3JRaCyDVplSUBgrHtZor
Malware Config
Signatures
Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Avaddon payload (5 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2484-2-0x0000000003310000-0x0000000003427000-memory.dmp    family_avaddon
    behavioral1/memory/2484-3-0x0000000000400000-0x000000000330D000-memory.dmp    family_avaddon
    behavioral1/memory/2484-159-0x0000000000400000-0x000000000330D000-memory.dmp  family_avaddon
    behavioral1/memory/2484-404-0x0000000003310000-0x0000000003427000-memory.dmp  family_avaddon
    behavioral1/memory/2484-405-0x0000000000400000-0x000000000330D000-memory.dmp  family_avaddon
  Processes:
    description      ioc                                                                                                         process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (197) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

  Processes:
    description      ioc                                                                                         process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Drops desktop.ini file(s) (1 IoCs)
  Processes:
    description                   ioc                                                                              process
    File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\M:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\O:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\P:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\T:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\U:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\V:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\Y:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\B:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\E:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\J:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\K:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\N:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\Q:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\S:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\A:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\G:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\H:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\L:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\W:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\X:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\Z:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\F:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\I:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    File opened (read-only)  \??\R:  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    2840  vssadmin.exe
    2776  vssadmin.exe
    2572  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  (this one entry is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Processes (description = token privilege adjusted, grouped by pid / process):
    2496 wmic.exe (20 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    2200 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    2584 wmic.exe (20 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    2416 wmic.exe (20 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each entry below appears 4 times in the report):
    description                   pid   process                                                                target process
    PID 2484 wrote to memory of 2496  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe
    PID 2484 wrote to memory of 2776  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  vssadmin.exe
    PID 2484 wrote to memory of 2584  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe
    PID 2484 wrote to memory of 2572  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  vssadmin.exe
    PID 2484 wrote to memory of 2416  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  wmic.exe
    PID 2484 wrote to memory of 2840  2484  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe  vssadmin.exe
System policy modification (1 TTPs, 3 IoCs)
  Processes:
    description      ioc                                                                                                         process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"    48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
  Indicator Removal (2)
    File Deletion (2)
Downloads

file                                                           filesize
memory/2484-1-0x00000000034B0000-0x00000000035B0000-memory.dmp    1024KB
memory/2484-2-0x0000000003310000-0x0000000003427000-memory.dmp    1.1MB
memory/2484-3-0x0000000000400000-0x000000000330D000-memory.dmp    47.1MB
memory/2484-159-0x0000000000400000-0x000000000330D000-memory.dmp  47.1MB
memory/2484-342-0x00000000034B0000-0x00000000035B0000-memory.dmp  1024KB
memory/2484-404-0x0000000003310000-0x0000000003427000-memory.dmp  1.1MB
memory/2484-405-0x0000000000400000-0x000000000330D000-memory.dmp  47.1MB