Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource
win10v2004-20240226-en
General
-
Target
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Size
4.8MB
-
MD5
affa6575a3ff529c583fab38ff9f59e5
-
SHA1
a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
-
SHA256
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
-
SHA512
c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
-
SSDEEP
98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn
Malware Config
Extracted
C:\Users\Admin\Desktop\JxhOTKIU_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\JxhOTKIU_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\JxhOTKIU_readme.txt
avaddon
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its user base among criminal actors.
-
Avaddon payload 10 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4692-0-0x0000000000480000-0x0000000000958000-memory.dmp | family_avaddon
behavioral2/memory/4692-1-0x0000000000480000-0x0000000000958000-memory.dmp | family_avaddon
behavioral2/memory/4692-2-0x0000000000480000-0x0000000000958000-memory.dmp | family_avaddon
behavioral2/memory/4692-3-0x0000000000480000-0x0000000000958000-memory.dmp | family_avaddon
behavioral2/memory/4692-519-0x0000000000480000-0x0000000000958000-memory.dmp | family_avaddon
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | family_avaddon
behavioral2/memory/1904-527-0x00000000009E0000-0x0000000000EB8000-memory.dmp | family_avaddon
behavioral2/memory/1904-528-0x00000000009E0000-0x0000000000EB8000-memory.dmp | family_avaddon
behavioral2/memory/1904-529-0x00000000009E0000-0x0000000000EB8000-memory.dmp | family_avaddon
behavioral2/memory/1904-530-0x00000000009E0000-0x0000000000EB8000-memory.dmp | family_avaddon
-
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Renames multiple (166) files with added filename extension
This suggests ransomware activity, i.e. the encryption of all the files on the system.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1904 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4692-0-0x0000000000480000-0x0000000000958000-memory.dmp | themida
behavioral2/memory/4692-1-0x0000000000480000-0x0000000000958000-memory.dmp | themida
behavioral2/memory/4692-2-0x0000000000480000-0x0000000000958000-memory.dmp | themida
behavioral2/memory/4692-3-0x0000000000480000-0x0000000000958000-memory.dmp | themida
behavioral2/memory/4692-519-0x0000000000480000-0x0000000000958000-memory.dmp | themida
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | themida
behavioral2/memory/1904-527-0x00000000009E0000-0x0000000000EB8000-memory.dmp | themida
behavioral2/memory/1904-528-0x00000000009E0000-0x0000000000EB8000-memory.dmp | themida
behavioral2/memory/1904-529-0x00000000009E0000-0x0000000000EB8000-memory.dmp | themida
behavioral2/memory/1904-530-0x00000000009E0000-0x0000000000EB8000-memory.dmp | themida
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\T: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\L: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\M: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\E: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\G: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\H: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\K: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\Q: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\U: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\A: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\B: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\Y: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\Z: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\V: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\X: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\J: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\W: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\O: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\P: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\R: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\S: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\F: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\I: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
File opened (read-only) | \??\N: | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
25 | api.myip.com
26 | api.myip.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
(this row is repeated 64 times in the report, once per IoC, all for pid 4692)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 3920 | wmic.exe
Token: SeSecurityPrivilege | 3920 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3920 | wmic.exe
Token: SeLoadDriverPrivilege | 3920 | wmic.exe
Token: SeSystemProfilePrivilege | 3920 | wmic.exe
Token: SeSystemtimePrivilege | 3920 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3920 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3920 | wmic.exe
Token: SeCreatePagefilePrivilege | 3920 | wmic.exe
Token: SeBackupPrivilege | 3920 | wmic.exe
Token: SeRestorePrivilege | 3920 | wmic.exe
Token: SeShutdownPrivilege | 3920 | wmic.exe
Token: SeDebugPrivilege | 3920 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3920 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3920 | wmic.exe
Token: SeUndockPrivilege | 3920 | wmic.exe
Token: SeManageVolumePrivilege | 3920 | wmic.exe
Token: 33 | 3920 | wmic.exe
Token: 34 | 3920 | wmic.exe
Token: 35 | 3920 | wmic.exe
Token: 36 | 3920 | wmic.exe
(the same 21 token entries, in the same order, are repeated for wmic.exe pid 2532 and for wmic.exe pid 464, giving 63 IoCs in total)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4692 wrote to memory of 3920 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 3920 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 3920 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 2532 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 2532 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 2532 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 464 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 464 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
PID 4692 wrote to memory of 464 | 4692 | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe | wmic.exe
-
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe"
Depth: 1
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exe
Command line: wmic.exe SHADOWCOPY /nointeractive
Depth: 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe
Command line: wmic.exe SHADOWCOPY /nointeractive
Depth: 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe
Command line: wmic.exe SHADOWCOPY /nointeractive
Depth: 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Filesize
4.8MB
MD5
affa6575a3ff529c583fab38ff9f59e5
SHA1
a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
SHA256
c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
SHA512
c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
-
C:\Users\Admin\Desktop\JxhOTKIU_readme.txt
Filesize
3KB
MD5
b404d572fad72706e2f051abb2519c73
SHA1
99cf095c05f8ec91790b88da82459238a96ee17d
SHA256
1d87f7b1ef89abb34f4fdc291f8c2fc9d39e2aad187375238bf95609fe787e4a
SHA512
2350e0fa35996aeb82965093f8602d7f32319c56ab4da48ec8e57dfc187abf60b04b1ad8b5a176b71da2d76730f14a7905f941d276f3ac4cdf5b4c16b46ead2c
-
C:\Users\Admin\Documents\JxhOTKIU_readme.txt
Filesize
3KB
MD5
18ddc90e23060dcb9dfcc967929086c1
SHA1
9ccd4dd1894fd5b5561760951e7c0a92cfe7a8f9
SHA256
6dd6c340b55f0e609b4f00d7df65f982046ef98a3b383929090bcd04c8597944
SHA512
31be62ff69932009d1a70709522f74dc2600e31b47f0bb1ea88651717281b5832b106240af7ee3144feed1fb3ae70c298cb3db2f51f04ce85a3bb587d2903cfe
-
C:\Users\Admin\Favorites\JxhOTKIU_readme.txt
Filesize
3KB
MD5
81057a0ab4c405bca6a3b44ba19bfe6f
SHA1
dc0d358301512c3a69e197b02175e4281c44f366
SHA256
09a2488d00e34d07c32df49e7a6b5fd99efa54314bf05981d1827a721c5b6f94
SHA512
1ecfd37b51512b6218f037a068b61b243f2684b6416fa670895f63a8495bbbaad147a05268c57ae417eda205d5fd5542578f7e5c2e1aa16857a76b43f1d7d881
-
memory/1904-527-0x00000000009E0000-0x0000000000EB8000-memory.dmp
Filesize
4.8MB
-
memory/1904-528-0x00000000009E0000-0x0000000000EB8000-memory.dmp
Filesize
4.8MB
-
memory/1904-529-0x00000000009E0000-0x0000000000EB8000-memory.dmp
Filesize
4.8MB
-
memory/1904-530-0x00000000009E0000-0x0000000000EB8000-memory.dmp
Filesize
4.8MB
-
memory/4692-3-0x0000000000480000-0x0000000000958000-memory.dmp
Filesize
4.8MB
-
memory/4692-2-0x0000000000480000-0x0000000000958000-memory.dmp
Filesize
4.8MB
-
memory/4692-519-0x0000000000480000-0x0000000000958000-memory.dmp
Filesize
4.8MB
-
memory/4692-1-0x0000000000480000-0x0000000000958000-memory.dmp
Filesize
4.8MB
-
memory/4692-0-0x0000000000480000-0x0000000000958000-memory.dmp
Filesize
4.8MB