Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
Resource
win10v2004-20240226-en
General
-
Target
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
-
Size
719KB
-
MD5
275e4a63fc63c995b3e0d464919f211b
-
SHA1
51d85210c2f621ca14d92a8375ee24d62f9d7f44
-
SHA256
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
-
SHA512
1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac
-
SSDEEP
12288:OR8hjUV679Aa4Auw3gveB17cOT1WHWEQTe0udkuHgCNU7SY/qgjjmJ/:quK679Aa4Auw3gveB1TGWEQSzXY/tjq/
Malware Config
Extracted
C:\Users\Admin\Music\cbVK6_readme_.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\cbVK6_readme_.txt
avaddon
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\cbVK6_readme_.txt
avaddon
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription ioc process File opened (read-only) \??\V: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\H: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\J: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\N: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\S: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\W: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\X: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\Z: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\F: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\B: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\E: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\I: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\L: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\U: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\Y: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\K: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\M: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\O: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\R: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\T: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\A: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\G: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\P: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe File opened (read-only) \??\Q: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 2768 vssadmin.exe 2948 vssadmin.exe 2972 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exepid process 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exevssvc.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2516 wmic.exe Token: SeSecurityPrivilege 2516 wmic.exe Token: SeTakeOwnershipPrivilege 2516 wmic.exe Token: SeLoadDriverPrivilege 2516 wmic.exe Token: SeSystemProfilePrivilege 2516 wmic.exe Token: SeSystemtimePrivilege 2516 wmic.exe Token: SeProfSingleProcessPrivilege 2516 wmic.exe Token: SeIncBasePriorityPrivilege 2516 wmic.exe Token: SeCreatePagefilePrivilege 2516 wmic.exe Token: SeBackupPrivilege 2516 wmic.exe Token: SeRestorePrivilege 2516 wmic.exe Token: SeShutdownPrivilege 2516 wmic.exe Token: SeDebugPrivilege 2516 wmic.exe Token: SeSystemEnvironmentPrivilege 2516 wmic.exe Token: SeRemoteShutdownPrivilege 2516 wmic.exe Token: SeUndockPrivilege 2516 wmic.exe Token: SeManageVolumePrivilege 2516 wmic.exe Token: 33 2516 wmic.exe Token: 34 2516 wmic.exe Token: 35 2516 wmic.exe Token: SeBackupPrivilege 2464 vssvc.exe Token: SeRestorePrivilege 2464 vssvc.exe Token: SeAuditPrivilege 2464 vssvc.exe Token: SeIncreaseQuotaPrivilege 2484 wmic.exe Token: SeSecurityPrivilege 2484 wmic.exe Token: SeTakeOwnershipPrivilege 2484 wmic.exe Token: SeLoadDriverPrivilege 2484 wmic.exe Token: SeSystemProfilePrivilege 2484 wmic.exe Token: SeSystemtimePrivilege 2484 wmic.exe Token: SeProfSingleProcessPrivilege 2484 wmic.exe Token: SeIncBasePriorityPrivilege 2484 wmic.exe Token: SeCreatePagefilePrivilege 2484 wmic.exe Token: SeBackupPrivilege 2484 wmic.exe Token: SeRestorePrivilege 2484 wmic.exe Token: SeShutdownPrivilege 2484 wmic.exe Token: SeDebugPrivilege 2484 wmic.exe Token: SeSystemEnvironmentPrivilege 2484 wmic.exe Token: SeRemoteShutdownPrivilege 2484 wmic.exe Token: SeUndockPrivilege 2484 wmic.exe Token: SeManageVolumePrivilege 2484 wmic.exe Token: 33 2484 wmic.exe Token: 34 2484 wmic.exe Token: 35 2484 wmic.exe Token: SeIncreaseQuotaPrivilege 528 wmic.exe Token: SeSecurityPrivilege 528 wmic.exe Token: SeTakeOwnershipPrivilege 528 wmic.exe Token: SeLoadDriverPrivilege 528 wmic.exe Token: SeSystemProfilePrivilege 528 wmic.exe Token: SeSystemtimePrivilege 528 wmic.exe Token: SeProfSingleProcessPrivilege 528 wmic.exe Token: SeIncBasePriorityPrivilege 528 wmic.exe Token: SeCreatePagefilePrivilege 528 wmic.exe Token: SeBackupPrivilege 528 wmic.exe Token: SeRestorePrivilege 528 wmic.exe Token: SeShutdownPrivilege 528 wmic.exe Token: SeDebugPrivilege 528 wmic.exe Token: SeSystemEnvironmentPrivilege 528 wmic.exe Token: SeRemoteShutdownPrivilege 528 wmic.exe Token: SeUndockPrivilege 528 wmic.exe Token: SeManageVolumePrivilege 528 wmic.exe Token: 33 528 wmic.exe Token: 34 528 wmic.exe Token: 35 528 wmic.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription pid process target process PID 2224 wrote to memory of 2516 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2516 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2516 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2516 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2972 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2972 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2972 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2972 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2484 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2484 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2484 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2484 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2948 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2948 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2948 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2948 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 528 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 528 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 528 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 528 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe wmic.exe PID 2224 wrote to memory of 2768 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2768 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2768 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe PID 2224 wrote to memory of 2768 2224 cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe vssadmin.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe"C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\cbVK6_readme_.txtFilesize
3KB
MD54634bd7ec6218551fc899a8275a77f09
SHA1c348ecbca7a25903ab6a2e4f537201bde1d15a6f
SHA256031c90634ae78942b49156325757ddcbd2753ab1d621e9e3dfafc12598c6de60
SHA51204e3613e9431644b6d2d6050470d880400c6cb11ad813213d0452cbd7d86c72714049f4a4adce75090d99ce708da4698321b58f4d7f4626c3d7f097d48ee5f0d
-
C:\Users\Admin\Desktop\cbVK6_readme_.txtFilesize
3KB
MD5c0d5c9ad5c8ec584e96b2ba8e957229c
SHA1ea7f40cc34f94b899773bb25451f9d4fa858d70f
SHA256baf2dc4468d8b63f93024fe7e159308f826a8e392a0fb186c2ed675e82961505
SHA512971ed48ae399dfc1da1b182f51438c31928bd7e69f4bd6ae414f7f6aa493e7804c02bb8c2ee747dd329b7ff7a58efb6073136df5ceb8802c0228b623da6b7612
-
C:\Users\Admin\Music\cbVK6_readme_.txtFilesize
3KB
MD5155ba49d93898abfed31f410ed73ef7f
SHA1ca9488889f653e3e4bf6d1ef62afe7eacdc2dfd9
SHA256bcce9f31be32c94a3482a4ff045d35df6fe23f7006c1d7a6c092502a5fd2f7dc
SHA5122d67fc23554e4c4c27c53629c66d470fcb130ecf9b5d209bc91f1d264fec3a13cc7f73256b73a71e696304f7aed7e94398829297f16257cf4349cbc6921fe85b