Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe

  • Size

    4.8MB

  • MD5

    6ff1ca648505fe8bea6b4a26616b9722

  • SHA1

    7020b4d9e700b697d507a61bffea12c9475a23d2

  • SHA256

    7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365

  • SHA512

    e65d67e22807e1a539997bd763fc6063226fce207c57b3b0316ef7640471f460016fa5f58feb006ff96dd7a2cf5bcff7c17f0af763e8518431fe13ce6d8c9db2

  • SSDEEP

    98304:zDAjjvoF+Cp+/bbbbp7FO1gTL9M5gmoZHOoOVsHalI:zuvAObbbbp78+VwzV0alI

Malware Config

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 6 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (185) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe
    "C:\Users\Admin\AppData\Local\Temp\7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.exe"
    1⤵
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1876
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4396
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4648 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:224

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    2
    T1112

    Virtualization/Sandbox Evasion

    1
    T1497

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1876-0-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB

    • memory/1876-1-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB

    • memory/1876-2-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB

    • memory/1876-3-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB

    • memory/1876-142-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB

    • memory/1876-391-0x0000000000D10000-0x00000000011E7000-memory.dmp
      Filesize

      4.8MB