Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2 (the run this report covers)
  Sample: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
  Resource: win10v2004-20240226-en
General
Target: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Size: 881KB
MD5: c83f30c065f7f61428eac2370ddb4f53
SHA1: cfd70af0c89d7b00839c1d32852c53c603d35e32
SHA256: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
SHA512: 26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51
SSDEEP: 24576:WvdmYEBLExewPcf5WHHs3Ggo6EoI+/tH0q:WhEBLug5WnsWn9KN
Malware Config
Extracted from: C:\Users\Admin\Desktop\readme.html (the ransom note dropped to the desktop)
Family: avaddon
Signatures
-
Avaddon
Ransomware-as-a-service first advertised in June 2020 and run on an affiliate model with double extortion (data theft before encryption). The operation announced its shutdown in June 2021 and released its decryption keys, so the description is historical; the sandbox still classifies samples of the family, and this one behaves exactly like the original payload.
-
Avaddon payload 7 IoCs
YARA rule family_avaddon matched the following memory regions (resource: address range):
- behavioral2/memory/1916-2: 0x0000000001EA0000-0x0000000001FB9000
- behavioral2/memory/1916-3: 0x0000000000400000-0x0000000001B46000
- behavioral2/memory/1916-429: 0x0000000000400000-0x0000000001B46000
- behavioral2/memory/1916-565: 0x0000000000400000-0x0000000001B46000
- behavioral2/memory/1916-567: 0x0000000001EA0000-0x0000000001FB9000
- behavioral2/memory/1424-576: 0x0000000000400000-0x0000000001B46000
- behavioral2/memory/1424-577: 0x0000000000400000-0x0000000001B46000
Two distinct regions recur: the 23.3MB image at the default 0x400000 base (in both the original process 1916 and the dropped copy 1424) and a separate 1.1MB region at 0x1EA0000 in 1916; the rule fires on the unpacked payload in memory, which is why the same match repeats across dump indices.
-
UAC bypass 2 IoCs
Registry values set by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 (int)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 (int)
These values sit under an HKLM policy key that only an elevated token can write, so the sample was already running elevated when it made the changes. What it gains is prompt-free elevation for later executions, including the persistence copy started from the Run key; EnableLUA = 0 takes effect only after a reboot.
-
Renames multiple (184) files with added filename extension
This is the file-rename pattern of ransomware encrypting files across the system: each victim file is written back under its original name with an extra extension appended. The report records the count but not the extension string; the desktop.ini entry below shows the pass reached the Z: volume as well as C:.
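The heuristic behind this signature, written out as a detector over file-rename telemetry. This is an added example, not code from the sandbox or from the sample: it groups rename events by process and appended extension and alerts when one process appends the same extension to at least a threshold of distinct files inside a sliding time window. The events are constructed to resemble this run (the ".locked" extension is a placeholder, since the report does not name the real one) with some benign renames mixed in to show what does not fire.

```python
"""Detector for the 'renames multiple files with added filename extension'
heuristic: one process appending the same extension to many files in a
short window. Added example; the events are constructed, not taken from
the sandbox's own telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    pid: int
    image: str
    old_path: str
    new_path: str


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix appended to old_path to produce new_path, or None.

    Only a pure append in place counts ("x.docx" -> "x.docx.locked"): a move to
    another directory or a rename that changes the base name is not this signal.
    """
    if len(new_path) <= len(old_path) or not new_path.startswith(old_path):
        return None
    suffix = new_path[len(old_path):]
    if not suffix.startswith(".") or "\\" in suffix or "/" in suffix:
        return None
    return suffix.lower()


def detect_mass_rename(events: List[RenameEvent], threshold: int = 20,
                       window_seconds: int = 60) -> list:
    """Alert once per (pid, extension) when that process appended the extension
    to at least `threshold` distinct files inside any span of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    groups = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            groups[(ev.pid, ev.image, ext)].append(ev)

    alerts = []
    for (pid, image, ext), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # slide the window so evs[start:end+1] spans at most `window`
            while ev.ts - evs[start].ts > window:
                start += 1
            in_window = {e.old_path for e in evs[start:end + 1]}
            if len(in_window) >= threshold:
                alerts.append({
                    "pid": pid, "image": image, "extension": ext,
                    "files": len({e.old_path for e in evs}),
                    "window_start": evs[start].ts, "window_end": ev.ts,
                })
                break
    return alerts


# Constructed sample: pid 1916 mirrors the report's behaviour; the rest is benign noise.
T0 = datetime(2024, 4, 2, 10, 9, 0)
SAMPLE_IMAGE = "bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"
SAMPLE_EVENTS: List[RenameEvent] = [
    RenameEvent(T0 + timedelta(seconds=i), 1916, SAMPLE_IMAGE,
                f"C:\\Users\\Admin\\Documents\\file{i}.docx",
                f"C:\\Users\\Admin\\Documents\\file{i}.docx.locked")  # ".locked" is a placeholder
    for i in range(30)
] + [
    RenameEvent(T0 + timedelta(seconds=i), 777, "backup.exe",
                f"C:\\Backups\\db{i}.bak", f"C:\\Backups\\db{i}.bak.old")
    for i in range(5)
] + [
    # a one-off rename by the user and a move across directories: neither is a pure append
    RenameEvent(T0, 4321, "explorer.exe", "C:\\Users\\Admin\\Desktop\\draft.txt",
                "C:\\Users\\Admin\\Desktop\\draft.txt.bak"),
    RenameEvent(T0, 1916, SAMPLE_IMAGE, "C:\\Users\\Admin\\Music\\song.mp3",
                "C:\\Users\\Admin\\Videos\\song.mp3.locked"),
]

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs: a backup tool appending ".old" to a handful of files stays under the threshold, while the sample's 30 appends in 30 seconds trip it, and shrinking the window to 10 seconds shows how a slow encryptor could stay under a naive rate rule.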
-
Executes dropped EXE 1 IoCs
Processes:
pid 1424: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (the copy the sample placed under C:\Users\Admin\AppData\Roaming\Microsoft\ and registered in the Run key; see the process tree and Downloads below)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Registry values set by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe:
- \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe" (str)
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe" (str)
The value name is "update" in both the user hive and the machine hive (the WOW6432Node path because the process is 32-bit), so persistence survives whichever hive an administrator cleans first.
-
Checks whether UAC is enabled 1 IoCs
Registry value set by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 (int)
-
Drops desktop.ini file(s) 1 IoCs
Processes:
File opened for modification by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe:
- \??\Z:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only) by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe on each of these drive roots: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 IoCs). The sample walks every letter regardless of whether a volume is mounted, which is how it picks up mapped network drives as well as local disks.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 16: api.myip.com
- flow 17: api.myip.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 16 IoCs
Processes:
WerFault.exe instances (pid, target pid, target process):
- 3620, 656, 4460, 4504, 3864, 4580, 2456, 1072, 2696, 3520, 1556, 3400, 3108, 2156, 4676 → 1916 bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (15 reports)
- 4048 → 1424 bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (1 report)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 1916 bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (64 identical entries, all from the original process)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
Three wmic.exe instances (PIDs 2908, 1188 and 5060, the SHADOWCOPY children of PID 1916 in the process tree) each enabled the same privileges on their token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus the privilege LUIDs 33, 34, 35 and 36 (21 per process, 63 IoCs in total).
Enabling every privilege the token already holds is wmic.exe's normal start-up behaviour, not something the sample injected; the detection value is in who launched wmic and with which command line (SHADOWCOPY), not in the token adjustment itself.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 1916 (bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe) wrote into the memory of each wmic.exe child: PIDs 2908, 1188 and 5060, three writes per child (9 IoCs). The targets are its own freshly created children rather than an unrelated process, so this is consistent with ordinary process creation, not injection; its value here is tying the SHADOWCOPY invocations back to the sample.
-
System policy modification 1 TTPs 3 IoCs
Processes:
Registry values set by bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = 0 (int): administrators elevate without any prompt
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1 (int): drive letters mapped under the user's filtered token are also visible to the elevated token, so network shares the user mapped become reachable for encryption (compare the A: to Z: enumeration above)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 (int): UAC disabled entirely after the next reboot
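Detection logic for the three registry behaviours listed in this section and for the wmic SHADOWCOPY invocations visible in the process tree, as an added example (not the sandbox's own signatures and not the sample's code). It runs over constructed Sysmon-style events: registry value set (event 13) and process create (event 1). The events mirror the paths, value names and command line in this report but are not its raw telemetry; the registry-path and DWORD normalisation lets one rule accept both the kernel spelling used here (\REGISTRY\MACHINE\...) and the HKLM/HKU spelling Sysmon logs. The vssadmin pattern in SHADOW_RE is an assumption added for coverage; this report shows only the wmic form.

```python
"""Detection logic for the UAC-policy writes, the Run-key persistence and the
shadow-copy deletion seen above. Added example over constructed Sysmon-style
events (registry value set = event 13, process create = event 1); the events
mirror the report but are not its raw telemetry."""
import re
from collections import defaultdict

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value names the sample touched and the setting that weakens UAC or exposes shares.
UAC_POLICY_WATCH = {
    "EnableLUA": "0",                   # UAC disabled after the next reboot
    "ConsentPromptBehaviorAdmin": "0",  # administrators elevate with no prompt
    "EnableLinkedConnections": "1",     # elevated token sees the user's mapped drives
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
# "wmic SHADOWCOPY ..." as in this report; the vssadmin form is an assumption
# added for coverage, not something the report shows.
SHADOW_RE = re.compile(
    r"\bwmic(\.exe)?\b.*\bshadowcopy\b|\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def normalize_reg_path(path: str) -> str:
    """Fold the kernel spelling used in the report (\\REGISTRY\\MACHINE\\...) and the
    Sysmon/HKEY spellings onto HKLM / HKU so one rule matches every source."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^HKEY_USERS", "HKU", path, flags=re.I)
    return path


def normalize_details(details: str) -> str:
    """Sysmon records DWORDs as 'DWORD (0x00000000)'; the report shows a bare "0"."""
    m = re.match(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return str(int(m.group(1), 16)) if m else details.strip('"')


def check_uac_policy(events) -> list:
    """One alert per process that set any watched value to its weak setting."""
    hits = defaultdict(dict)
    for ev in events:
        if ev["event_id"] != 13:
            continue
        key, _, name = normalize_reg_path(ev["target"]).rpartition("\\")
        if key.lower() == POLICY_KEY.lower() and name in UAC_POLICY_WATCH \
                and normalize_details(ev["details"]) == UAC_POLICY_WATCH[name]:
            hits[ev["pid"]][name] = UAC_POLICY_WATCH[name]
    return [{"rule": "uac_policy_tamper", "pid": pid, "values": vals,
             "severity": "high" if len(vals) >= 2 else "medium"}
            for pid, vals in hits.items()]


def check_run_keys(events) -> list:
    """Run-key entries are common; alert only when the target lives in a user-writable path."""
    hits = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 13:
            continue
        target, value = normalize_reg_path(ev["target"]), normalize_details(ev["details"])
        if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(value):
            hits[ev["pid"]].append((target, value))
    return [{"rule": "run_key_user_writable", "pid": pid, "entries": entries}
            for pid, entries in hits.items()]


def check_shadow_copies(events) -> list:
    """Any shadow-copy manipulation launched by a non-backup parent is worth an alert."""
    return [{"rule": "shadow_copy_tamper", "pid": ev["pid"],
             "parent": ev.get("parent_image"), "command_line": ev["command_line"]}
            for ev in events
            if ev["event_id"] == 1 and SHADOW_RE.search(ev["command_line"])]


def run_detections(events) -> list:
    return check_uac_policy(events) + check_run_keys(events) + check_shadow_copies(events)


SAMPLE = "bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"
DROP_PATH = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\" + SAMPLE
POLICY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"

# Constructed events: indices 0-4 and 6 mirror the report, 5 and 7 are benign controls.
SAMPLE_EVENTS = [
    {"event_id": 13, "pid": 1916, "image": SAMPLE, "target": POLICY + "EnableLUA", "details": "0"},
    {"event_id": 13, "pid": 1916, "image": SAMPLE, "target": POLICY + "ConsentPromptBehaviorAdmin",
     "details": "DWORD (0x00000000)"},
    {"event_id": 13, "pid": 1916, "image": SAMPLE, "target": POLICY + "EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "pid": 1916, "image": SAMPLE, "details": DROP_PATH, "target":
     "\\REGISTRY\\USER\\S-1-5-21-275798769-4264537674-1142822080-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"event_id": 13, "pid": 1916, "image": SAMPLE, "details": DROP_PATH, "target":
     "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"event_id": 13, "pid": 5555, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "details": "C:\\Program Files\\Vendor\\tray.exe"},
    {"event_id": 1, "pid": 2908, "image": "C:\\Windows\\SysWOW64\\Wbem\\wmic.exe",
     "parent_image": SAMPLE, "command_line": "wmic.exe SHADOWCOPY /nointeractive"},
    {"event_id": 1, "pid": 6100, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "wmic os get caption"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The UAC rule escalates to high only when two or more of the watched values change from one process, which is what separates this sample from a single administrator policy change; the Run-key rule ignores the vendor installer writing into Program Files and fires on both the HKU and the WOW6432Node entries pointing into AppData\Roaming.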
Processes
-
- C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (PID 1916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children, in launch order:
  - C:\Windows\SysWOW64\WerFault.exe, 12 instances: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s {876, 884, 920, 968, 1032, 1040, 1536, 1600, 1816, 1804, 1580, 1828}
    - Program crash
  - C:\Windows\SysWOW64\Wbem\wmic.exe, 3 instances (PIDs 2908, 1188, 5060): wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe, 3 instances: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s {1652, 1784, 1128}
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe, 14 top-level instances: C:\Windows\SysWOW64\WerFault.exe -pss -s {404, 528, 540, 520, 416, 496, 360, 420, 556, 484, 520, 524, 568, 544} -p 1916 -ip 1916
- C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe (PID 1424)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
  - Executes dropped EXE
  Children:
  - C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 600
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1424 -ip 1424
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1916 -ip 1916
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
-
- C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
  Filesize: 881KB
  MD5: c83f30c065f7f61428eac2370ddb4f53
  SHA1: cfd70af0c89d7b00839c1d32852c53c603d35e32
  SHA256: bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
  SHA512: 26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51
  Every hash matches the submitted sample: the persistence copy is a byte-for-byte self-copy, so a single file hash covers both paths.
- C:\Users\Admin\Desktop\readme.html (the ransom note; the Avaddon config above was extracted from it)
  Filesize: 50KB
  MD5: bd6a4a28f9a4bb6998642b5b635504a9
  SHA1: c4dbeceb2dcff338c479a31e6a4c89548102f798
  SHA256: 9ee3fe5f4034eaa6db6961bec1e757167aedfefef3c5ee3bdd951fcd3bd199d5
  SHA512: 6576302c1485c51a501314bf05a4e4c6811a0c300fe3043ad23fdcafc2e06e997cceb247d9b4f6a4508eb5a25cadfc6fe114c9cf7e0d910a8a5a82b9621a2389
- Memory dumps (resource: size)
  - memory/1424-575-0x0000000001CE0000-0x0000000001D69000-memory.dmp: 548KB
  - memory/1424-576-0x0000000000400000-0x0000000001B46000-memory.dmp: 23.3MB
  - memory/1424-577-0x0000000000400000-0x0000000001B46000-memory.dmp: 23.3MB
  - memory/1916-1-0x0000000001DE0000-0x0000000001E66000-memory.dmp: 536KB
  - memory/1916-2-0x0000000001EA0000-0x0000000001FB9000-memory.dmp: 1.1MB
  - memory/1916-3-0x0000000000400000-0x0000000001B46000-memory.dmp: 23.3MB
  - memory/1916-429-0x0000000000400000-0x0000000001B46000-memory.dmp: 23.3MB
  - memory/1916-565-0x0000000000400000-0x0000000001B46000-memory.dmp: 23.3MB
  - memory/1916-566-0x0000000001DE0000-0x0000000001E66000-memory.dmp: 536KB
  - memory/1916-567-0x0000000001EA0000-0x0000000001FB9000-memory.dmp: 1.1MB