Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Resource
win10v2004-20240226-en
General
-
Target
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
-
Size
775KB
-
MD5
117da2dd6fa24616f63eb43d5a15e5d3
-
SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97
-
SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
-
SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
SSDEEP
24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq
Malware Config
Extracted
C:\Users\Admin\Desktop\93YwZa4_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\Microsoft Websites\93YwZa4_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2472 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2472 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 2472 wmic.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 2068 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process File opened (read-only) \??\S: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\B: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\E: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\G: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\J: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\K: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\P: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Q: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Z: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\L: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\N: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\O: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\T: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\A: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\I: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\R: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\U: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\V: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\W: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\X: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\H: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\M: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\Y: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe File opened (read-only) \??\F: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1748 vssadmin.exe 1568 vssadmin.exe 2248 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exepid process 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2644 wmic.exe Token: SeSecurityPrivilege 2644 wmic.exe Token: SeTakeOwnershipPrivilege 2644 wmic.exe Token: SeLoadDriverPrivilege 2644 wmic.exe Token: SeSystemProfilePrivilege 2644 wmic.exe Token: SeSystemtimePrivilege 2644 wmic.exe Token: SeProfSingleProcessPrivilege 2644 wmic.exe Token: SeIncBasePriorityPrivilege 2644 wmic.exe Token: SeCreatePagefilePrivilege 2644 wmic.exe Token: SeBackupPrivilege 2644 wmic.exe Token: SeRestorePrivilege 2644 wmic.exe Token: SeShutdownPrivilege 2644 wmic.exe Token: SeDebugPrivilege 2644 wmic.exe Token: SeSystemEnvironmentPrivilege 2644 wmic.exe Token: SeRemoteShutdownPrivilege 2644 wmic.exe Token: SeUndockPrivilege 2644 wmic.exe Token: SeManageVolumePrivilege 2644 wmic.exe Token: 33 2644 wmic.exe Token: 34 2644 wmic.exe Token: 35 2644 wmic.exe Token: SeIncreaseQuotaPrivilege 2492 wmic.exe Token: SeSecurityPrivilege 2492 wmic.exe Token: SeTakeOwnershipPrivilege 2492 wmic.exe Token: SeLoadDriverPrivilege 2492 wmic.exe Token: SeSystemProfilePrivilege 2492 wmic.exe Token: SeSystemtimePrivilege 2492 wmic.exe Token: SeProfSingleProcessPrivilege 2492 wmic.exe Token: SeIncBasePriorityPrivilege 2492 wmic.exe Token: SeCreatePagefilePrivilege 2492 wmic.exe Token: SeBackupPrivilege 2492 wmic.exe Token: SeRestorePrivilege 2492 wmic.exe Token: SeShutdownPrivilege 2492 wmic.exe Token: SeDebugPrivilege 2492 wmic.exe Token: SeSystemEnvironmentPrivilege 2492 wmic.exe Token: SeRemoteShutdownPrivilege 2492 wmic.exe Token: SeUndockPrivilege 2492 wmic.exe Token: SeManageVolumePrivilege 2492 wmic.exe Token: 33 2492 wmic.exe Token: 34 2492 wmic.exe Token: 35 2492 wmic.exe Token: SeIncreaseQuotaPrivilege 2488 wmic.exe Token: SeSecurityPrivilege 2488 wmic.exe Token: SeTakeOwnershipPrivilege 2488 wmic.exe Token: SeLoadDriverPrivilege 2488 wmic.exe Token: SeSystemProfilePrivilege 2488 wmic.exe Token: SeSystemtimePrivilege 2488 wmic.exe Token: SeProfSingleProcessPrivilege 2488 wmic.exe Token: SeIncBasePriorityPrivilege 2488 wmic.exe Token: SeCreatePagefilePrivilege 2488 wmic.exe Token: SeBackupPrivilege 2488 wmic.exe Token: SeRestorePrivilege 2488 wmic.exe Token: SeShutdownPrivilege 2488 wmic.exe Token: SeDebugPrivilege 2488 wmic.exe Token: SeSystemEnvironmentPrivilege 2488 wmic.exe Token: SeRemoteShutdownPrivilege 2488 wmic.exe Token: SeUndockPrivilege 2488 wmic.exe Token: SeManageVolumePrivilege 2488 wmic.exe Token: 33 2488 wmic.exe Token: 34 2488 wmic.exe Token: 35 2488 wmic.exe Token: SeIncreaseQuotaPrivilege 2520 wmic.exe Token: SeSecurityPrivilege 2520 wmic.exe Token: SeTakeOwnershipPrivilege 2520 wmic.exe Token: SeLoadDriverPrivilege 2520 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exetaskeng.exedescription pid process target process PID 2228 wrote to memory of 2520 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2520 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2520 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2520 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 1748 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1748 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1748 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1748 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1768 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 1768 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 1768 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 1768 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 1568 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1568 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1568 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 1568 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 2704 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2704 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2704 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2704 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe wmic.exe PID 2228 wrote to memory of 2248 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 2248 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 2248 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 2228 wrote to memory of 2248 2228 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe vssadmin.exe PID 1204 wrote to memory of 2068 1204 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 1204 wrote to memory of 2068 1204 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 1204 wrote to memory of 2068 1204 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe PID 1204 wrote to memory of 2068 1204 taskeng.exe 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {2931EFE9-2912-43D9-BEE4-E3073D8318D3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exeFilesize
775KB
MD5117da2dd6fa24616f63eb43d5a15e5d3
SHA1b4d70eecdef52ceef15f04a025d1ab08f193fb97
SHA25648d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
SHA512de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
-
C:\Users\Admin\Desktop\93YwZa4_readme_.txtFilesize
3KB
MD5f185351620ebbecb1ba64d46c3cfa970
SHA1c175c7e6c85fe819d4bd02b8ea415ed33f185b2d
SHA2561ea6a3e11b115f3b3a74954ef4f3f2b9d46b6c03098c23b208e7a0aa32f2e41d
SHA5125ca0a1b4c3cf763114fdf83290a1e385910023320577a1d86b7db0c6f2e14fa4dd3d6ca3889681e2c858e7d0cb01eee8476390872e474b2e2abc62c631441894
-
C:\Users\Admin\Favorites\Microsoft Websites\93YwZa4_readme_.txtFilesize
3KB
MD5cad1e533c84b32fb309a391bde398ddf
SHA1b631f448786fbf4a781763ff33ba173d8aabc794
SHA256747620912e24fbfb2ea5da44e22dd8adb3fa4a4f4cf6fbf5e2d7c1a258f11bb1
SHA512ddb0508001859628a4b26b3a7b9b5f97e00e3877e155df3ffbe40734f41b2036911d82745a866be768fc8e36c22fe3a89512397da8470707f1f809fb74eeb9d4