Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource
win10v2004-20240226-en
General
-
Target
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Size
4.8MB
-
MD5
affa6575a3ff529c583fab38ff9f59e5
-
SHA1
a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
-
SHA256
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
-
SHA512
c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
-
SSDEEP
98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn
Malware Config
Extracted
C:\Users\Admin\Desktop\3kR3K_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\3kR3K_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\3kR3K_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 11 IoCs
Processes:
resource yara_rule behavioral1/memory/2172-0-0x00000000013C0000-0x0000000001898000-memory.dmp family_avaddon behavioral1/memory/2172-1-0x00000000013C0000-0x0000000001898000-memory.dmp family_avaddon behavioral1/memory/2172-3-0x00000000013C0000-0x0000000001898000-memory.dmp family_avaddon behavioral1/memory/2172-2-0x00000000013C0000-0x0000000001898000-memory.dmp family_avaddon behavioral1/memory/2172-570-0x00000000013C0000-0x0000000001898000-memory.dmp family_avaddon C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe family_avaddon behavioral1/memory/2436-578-0x0000000000DA0000-0x0000000001278000-memory.dmp family_avaddon behavioral1/memory/2436-579-0x0000000000DA0000-0x0000000001278000-memory.dmp family_avaddon behavioral1/memory/2436-580-0x0000000000DA0000-0x0000000001278000-memory.dmp family_avaddon behavioral1/memory/2436-581-0x0000000000DA0000-0x0000000001278000-memory.dmp family_avaddon behavioral1/memory/2436-582-0x0000000000DA0000-0x0000000001278000-memory.dmp family_avaddon -
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exec7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exec7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Executes dropped EXE 1 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exepid process 2436 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Processes:
resource yara_rule behavioral1/memory/2172-0-0x00000000013C0000-0x0000000001898000-memory.dmp themida behavioral1/memory/2172-1-0x00000000013C0000-0x0000000001898000-memory.dmp themida behavioral1/memory/2172-3-0x00000000013C0000-0x0000000001898000-memory.dmp themida behavioral1/memory/2172-2-0x00000000013C0000-0x0000000001898000-memory.dmp themida behavioral1/memory/2172-570-0x00000000013C0000-0x0000000001898000-memory.dmp themida C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe themida behavioral1/memory/2436-578-0x0000000000DA0000-0x0000000001278000-memory.dmp themida behavioral1/memory/2436-579-0x0000000000DA0000-0x0000000001278000-memory.dmp themida behavioral1/memory/2436-580-0x0000000000DA0000-0x0000000001278000-memory.dmp themida behavioral1/memory/2436-581-0x0000000000DA0000-0x0000000001278000-memory.dmp themida behavioral1/memory/2436-582-0x0000000000DA0000-0x0000000001278000-memory.dmp themida -
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exec7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process File opened (read-only) \??\M: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\P: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\R: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\S: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\U: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\E: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\L: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\O: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\Q: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\T: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\W: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\B: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\G: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\K: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\V: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\X: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\Z: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\A: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\I: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\N: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\Y: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\F: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\H: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe File opened (read-only) \??\J: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 api.myip.com 17 api.myip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 2836 vssadmin.exe 1916 vssadmin.exe 1432 vssadmin.exe -
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exepid process 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exevssvc.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2380 wmic.exe Token: SeSecurityPrivilege 2380 wmic.exe Token: SeTakeOwnershipPrivilege 2380 wmic.exe Token: SeLoadDriverPrivilege 2380 wmic.exe Token: SeSystemProfilePrivilege 2380 wmic.exe Token: SeSystemtimePrivilege 2380 wmic.exe Token: SeProfSingleProcessPrivilege 2380 wmic.exe Token: SeIncBasePriorityPrivilege 2380 wmic.exe Token: SeCreatePagefilePrivilege 2380 wmic.exe Token: SeBackupPrivilege 2380 wmic.exe Token: SeRestorePrivilege 2380 wmic.exe Token: SeShutdownPrivilege 2380 wmic.exe Token: SeDebugPrivilege 2380 wmic.exe Token: SeSystemEnvironmentPrivilege 2380 wmic.exe Token: SeRemoteShutdownPrivilege 2380 wmic.exe Token: SeUndockPrivilege 2380 wmic.exe Token: SeManageVolumePrivilege 2380 wmic.exe Token: 33 2380 wmic.exe Token: 34 2380 wmic.exe Token: 35 2380 wmic.exe Token: SeBackupPrivilege 2472 vssvc.exe Token: SeRestorePrivilege 2472 vssvc.exe Token: SeAuditPrivilege 2472 vssvc.exe Token: SeIncreaseQuotaPrivilege 2220 wmic.exe Token: SeSecurityPrivilege 2220 wmic.exe Token: SeTakeOwnershipPrivilege 2220 wmic.exe Token: SeLoadDriverPrivilege 2220 wmic.exe Token: SeSystemProfilePrivilege 2220 wmic.exe Token: SeSystemtimePrivilege 2220 wmic.exe Token: SeProfSingleProcessPrivilege 2220 wmic.exe Token: SeIncBasePriorityPrivilege 2220 wmic.exe Token: SeCreatePagefilePrivilege 2220 wmic.exe Token: SeBackupPrivilege 2220 wmic.exe Token: SeRestorePrivilege 2220 wmic.exe Token: SeShutdownPrivilege 2220 wmic.exe Token: SeDebugPrivilege 2220 wmic.exe Token: SeSystemEnvironmentPrivilege 2220 wmic.exe Token: SeRemoteShutdownPrivilege 2220 wmic.exe Token: SeUndockPrivilege 2220 wmic.exe Token: SeManageVolumePrivilege 2220 wmic.exe Token: 33 2220 wmic.exe Token: 34 2220 wmic.exe Token: 35 2220 wmic.exe Token: SeIncreaseQuotaPrivilege 1868 wmic.exe Token: SeSecurityPrivilege 1868 wmic.exe Token: SeTakeOwnershipPrivilege 1868 wmic.exe Token: SeLoadDriverPrivilege 1868 wmic.exe Token: SeSystemProfilePrivilege 1868 wmic.exe Token: SeSystemtimePrivilege 1868 wmic.exe Token: SeProfSingleProcessPrivilege 1868 wmic.exe Token: SeIncBasePriorityPrivilege 1868 wmic.exe Token: SeCreatePagefilePrivilege 1868 wmic.exe Token: SeBackupPrivilege 1868 wmic.exe Token: SeRestorePrivilege 1868 wmic.exe Token: SeShutdownPrivilege 1868 wmic.exe Token: SeDebugPrivilege 1868 wmic.exe Token: SeSystemEnvironmentPrivilege 1868 wmic.exe Token: SeRemoteShutdownPrivilege 1868 wmic.exe Token: SeUndockPrivilege 1868 wmic.exe Token: SeManageVolumePrivilege 1868 wmic.exe Token: 33 1868 wmic.exe Token: 34 1868 wmic.exe Token: 35 1868 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exetaskeng.exedescription pid process target process PID 2172 wrote to memory of 2380 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2380 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2380 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2380 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2836 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 2836 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 2836 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 2836 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 2220 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2220 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2220 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 2220 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 1916 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1916 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1916 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1916 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1868 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 1868 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 1868 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 1868 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe wmic.exe PID 2172 wrote to memory of 1432 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1432 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1432 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2172 wrote to memory of 1432 2172 c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe vssadmin.exe PID 2544 wrote to memory of 2436 2544 taskeng.exe c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe PID 2544 wrote to memory of 2436 2544 taskeng.exe c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe PID 2544 wrote to memory of 2436 2544 taskeng.exe c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe PID 2544 wrote to memory of 2436 2544 taskeng.exe c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe"C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {26E15877-AA87-4F7F-9ACF-345B975F7F9E} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Indicator Removal
2File Deletion
2Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Cab197C.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar1ABB.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exeFilesize
4.8MB
MD5affa6575a3ff529c583fab38ff9f59e5
SHA1a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
SHA256c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
SHA512c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
-
C:\Users\Admin\Desktop\3kR3K_readme.txtFilesize
3KB
MD572afd1424c2e8d41287d890ec57edf04
SHA11db5c80207692ed78f0de1a01e16d55ce0e9d8e5
SHA2567c9319357807f9e426b750ac40312169c098569160742819292f813d5c29de7d
SHA5123665735ba50e85df6de72338dc10eb257f531bf4b7793e07106a493149df5e7f1d2f12108657bfd4aaa9d087d9d37403894b04f089482a803b3623b70b3f302e
-
C:\Users\Admin\Downloads\3kR3K_readme.txtFilesize
3KB
MD55de218f20d327b7d94330196e8861e10
SHA15dd45e90557ace33704951cbdc73d2e03ff3befc
SHA256ef65cbcc0044e02645e3086f7d7fff200b128c07ef42d82267923e1e6983a0d5
SHA512b86b69759f6331bc50b40a3aa8385454b88a1943d05a5868a2bfe3fb96a9536b237c5544055ce12beabb82d6001d3dabffb4238c927bd85b63c544334e012d10
-
C:\Users\Admin\Pictures\3kR3K_readme.txtFilesize
3KB
MD5f41401c67b56561ac3994755af5781a9
SHA13af43857b1e43614ea7a5bd20951bb828ad8dfe6
SHA2563031d8362e4c440bc2604f3807fec44dccef7a00b7dc2acb5108a769ad990d9e
SHA512bb34dedb638dbc74bab70c149087415eaf049785b5eccab90ea00d876b3bf455012516a739fd5cec48b7f4b82a9702b854be6d18c664be2ea9ee35d2e6efaa0a
-
memory/2172-2-0x00000000013C0000-0x0000000001898000-memory.dmpFilesize
4.8MB
-
memory/2172-3-0x00000000013C0000-0x0000000001898000-memory.dmpFilesize
4.8MB
-
memory/2172-0-0x00000000013C0000-0x0000000001898000-memory.dmpFilesize
4.8MB
-
memory/2172-570-0x00000000013C0000-0x0000000001898000-memory.dmpFilesize
4.8MB
-
memory/2172-1-0x00000000013C0000-0x0000000001898000-memory.dmpFilesize
4.8MB
-
memory/2436-578-0x0000000000DA0000-0x0000000001278000-memory.dmpFilesize
4.8MB
-
memory/2436-579-0x0000000000DA0000-0x0000000001278000-memory.dmpFilesize
4.8MB
-
memory/2436-580-0x0000000000DA0000-0x0000000001278000-memory.dmpFilesize
4.8MB
-
memory/2436-581-0x0000000000DA0000-0x0000000001278000-memory.dmpFilesize
4.8MB
-
memory/2436-582-0x0000000000DA0000-0x0000000001278000-memory.dmpFilesize
4.8MB