Analysis

  • max time kernel
    151s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe

  • Size

    787KB

  • MD5

    481be8166b475e08c6fe7f377a8d8a2d

  • SHA1

    267259b38951597f51efbe482a78df324f11d093

  • SHA256

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56

  • SHA512

    0a4616e3a7132020b2ea6bd582f9860fac5b5fdc9dc174e75cf27280419dc335ef356c936612ba64be41f7021d3c14845bfc0cb54406a36a47ed70713ed486af

  • SSDEEP

    12288:JiLCjBTgfnsFhPhNVV60QbFXl7iV+gXj7NUt1upQ1laJsUkqo:J1tTgPsHHVpQbF8V++VUt15MBo

Malware Config

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 8 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (280) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
    "C:\Users\Admin\AppData\Local\Temp\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2700
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:472
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2728
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2360
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2768
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B1570597-0A0C-4D16-ADD2-65F525F3A541} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
      2⤵
      • Executes dropped EXE
      PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar9EF5.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
    Filesize

    787KB

    MD5

    481be8166b475e08c6fe7f377a8d8a2d

    SHA1

    267259b38951597f51efbe482a78df324f11d093

    SHA256

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56

    SHA512

    0a4616e3a7132020b2ea6bd582f9860fac5b5fdc9dc174e75cf27280419dc335ef356c936612ba64be41f7021d3c14845bfc0cb54406a36a47ed70713ed486af

  • memory/1972-637-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/1972-636-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/1972-635-0x0000000001C40000-0x0000000001D40000-memory.dmp
    Filesize

    1024KB

  • memory/2700-59-0x0000000001CF0000-0x0000000001DF0000-memory.dmp
    Filesize

    1024KB

  • memory/2700-221-0x0000000001B30000-0x0000000001C4A000-memory.dmp
    Filesize

    1.1MB

  • memory/2700-348-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/2700-626-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/2700-1-0x0000000001CF0000-0x0000000001DF0000-memory.dmp
    Filesize

    1024KB

  • memory/2700-57-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/2700-3-0x0000000000400000-0x0000000001B2F000-memory.dmp
    Filesize

    23.2MB

  • memory/2700-2-0x0000000001B30000-0x0000000001C4A000-memory.dmp
    Filesize

    1.1MB