Analysis

  • max time kernel: 150s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 02-04-2024 10:08

General

  • Target: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
  • Size: 4.8MB
  • MD5: affa6575a3ff529c583fab38ff9f59e5
  • SHA1: a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
  • SHA256: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
  • SHA512: c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
  • SSDEEP: 98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn

Malware Config

Extracted

  • Path: C:\Users\Admin\Desktop\3kR3K_readme.txt
  • Family: avaddon
  • Ransom Note:

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdcBcBaDEc

    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------

    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    pNyp09l1Hote7R1y9T

  • URLs: http://avaddonbotrxmuyl.onion

Extracted

  • Path: C:\Users\Admin\Downloads\3kR3K_readme.txt
  • Family: avaddon
  • Ransom Note:

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdcBcBaDEc

    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------

    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    Bz5CLLYL7QbDTr90o0x9d

  • URLs: http://avaddonbotrxmuyl.onion

Extracted

  • Path: C:\Users\Admin\Pictures\3kR3K_readme.txt
  • Family: avaddon
  • Ransom Note:

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdcBcBaDEc

    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------

    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    YbgZfYK8T2JIMHn2TXOGKntS

  • URLs: http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload (11 IoCs)
  • UAC bypass (3 TTPs, 2 IoCs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  • Renames multiple (166) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (1 IoC)
  • Themida packer (11 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled (1 TTP, 3 IoCs)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies (2 TTPs, 3 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (63 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • System policy modification (1 TTP, 3 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    "C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe"
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID: 2172
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      • Suspicious use of AdjustPrivilegeToken
      PID: 2380
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID: 2836
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      • Suspicious use of AdjustPrivilegeToken
      PID: 2220
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID: 1916
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      • Suspicious use of AdjustPrivilegeToken
      PID: 1868
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID: 1432
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID: 2472
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {26E15877-AA87-4F7F-9ACF-345B975F7F9E} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    PID: 2544
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID: 2436

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Privilege Escalation
    • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
  • Defense Evasion
    • Abuse Elevation Control Mechanism (T1548): 1
    • Bypass User Account Control (T1548.002): 1
    • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1
    • Modify Registry (T1112): 3
    • Indicator Removal (T1070): 2
    • File Deletion (T1070.004): 2
    • Virtualization/Sandbox Evasion (T1497): 1
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
  • Discovery
    • Query Registry (T1012): 3
    • Virtualization/Sandbox Evasion (T1497): 1
    • System Information Discovery (T1082): 4
    • Peripheral Device Discovery (T1120): 1
  • Impact
    • Inhibit System Recovery (T1490): 2

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Cab197C.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar1ABB.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
    Filesize: 4.8MB
    MD5: affa6575a3ff529c583fab38ff9f59e5
    SHA1: a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
    SHA256: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
    SHA512: c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767

  • C:\Users\Admin\Desktop\3kR3K_readme.txt
    Filesize: 3KB
    MD5: 72afd1424c2e8d41287d890ec57edf04
    SHA1: 1db5c80207692ed78f0de1a01e16d55ce0e9d8e5
    SHA256: 7c9319357807f9e426b750ac40312169c098569160742819292f813d5c29de7d
    SHA512: 3665735ba50e85df6de72338dc10eb257f531bf4b7793e07106a493149df5e7f1d2f12108657bfd4aaa9d087d9d37403894b04f089482a803b3623b70b3f302e

  • C:\Users\Admin\Downloads\3kR3K_readme.txt
    Filesize: 3KB
    MD5: 5de218f20d327b7d94330196e8861e10
    SHA1: 5dd45e90557ace33704951cbdc73d2e03ff3befc
    SHA256: ef65cbcc0044e02645e3086f7d7fff200b128c07ef42d82267923e1e6983a0d5
    SHA512: b86b69759f6331bc50b40a3aa8385454b88a1943d05a5868a2bfe3fb96a9536b237c5544055ce12beabb82d6001d3dabffb4238c927bd85b63c544334e012d10

  • C:\Users\Admin\Pictures\3kR3K_readme.txt
    Filesize: 3KB
    MD5: f41401c67b56561ac3994755af5781a9
    SHA1: 3af43857b1e43614ea7a5bd20951bb828ad8dfe6
    SHA256: 3031d8362e4c440bc2604f3807fec44dccef7a00b7dc2acb5108a769ad990d9e
    SHA512: bb34dedb638dbc74bab70c149087415eaf049785b5eccab90ea00d876b3bf455012516a739fd5cec48b7f4b82a9702b854be6d18c664be2ea9ee35d2e6efaa0a

  • memory/2172-2-0x00000000013C0000-0x0000000001898000-memory.dmp
    Filesize: 4.8MB

  • memory/2172-3-0x00000000013C0000-0x0000000001898000-memory.dmp
    Filesize: 4.8MB

  • memory/2172-0-0x00000000013C0000-0x0000000001898000-memory.dmp
    Filesize: 4.8MB

  • memory/2172-570-0x00000000013C0000-0x0000000001898000-memory.dmp
    Filesize: 4.8MB

  • memory/2172-1-0x00000000013C0000-0x0000000001898000-memory.dmp
    Filesize: 4.8MB

  • memory/2436-578-0x0000000000DA0000-0x0000000001278000-memory.dmp
    Filesize: 4.8MB

  • memory/2436-579-0x0000000000DA0000-0x0000000001278000-memory.dmp
    Filesize: 4.8MB

  • memory/2436-580-0x0000000000DA0000-0x0000000001278000-memory.dmp
    Filesize: 4.8MB

  • memory/2436-581-0x0000000000DA0000-0x0000000001278000-memory.dmp
    Filesize: 4.8MB

  • memory/2436-582-0x0000000000DA0000-0x0000000001278000-memory.dmp
    Filesize: 4.8MB