Analysis
- max time kernel: 160s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 10:08
Behavioral task behavioral1
- Sample: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Resource: win10v2004-20240226-en
General
- Target: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Size: 775KB
- MD5: 117da2dd6fa24616f63eb43d5a15e5d3
- SHA1: b4d70eecdef52ceef15f04a025d1ab08f193fb97
- SHA256: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
- SHA512: de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
- SSDEEP: 24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq
Malware Config
Extracted (the same configuration was recovered from every ransom-note copy listed below):
- Family: avaddon
- URLs:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
- Source files:
  C:\Users\Admin\Documents\tZHda_readme_.txt (two copies)
  C:\Users\Admin\Downloads\tZHda_readme_.txt (two copies)
  C:\Users\Admin\Music\tZHda_readme_.txt (two copies)
  C:\Users\Admin\Pictures\tZHda_readme_.txt
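The "Extracted" entries above all reduce to one configuration (family, note tag, two .onion contact URLs) pulled from differently hashed copies of the same ransom note. The following is an added example of that extraction and consolidation step over a set of dropped files; it is not the sandbox's own extractor. The note text is constructed (only the file paths and the two .onion addresses come from this report), the `<tag>_readme_.txt` filename pattern is assumed from the name tZHda_readme_.txt, and the family is identified by a hypothetical substring marker rather than a YARA rule. The onion check accepts both 16-character v2 and 56-character v3 addresses, which goes beyond the v2 addresses seen here.

```python
"""Recover an Avaddon-style config (note tag, family marker, .onion URLs) from
dropped ransom notes and collapse identical results into one entry per config.
Added example; NOTES is constructed, only paths and the two .onion hosts are from
the report."""
import re

# Constructed note contents keyed by drop path. The per-file "Personal ID" line
# makes each copy hash differently, as the seven copies in the report do.
NOTES = {
    r"C:\Users\Admin\Documents\tZHda_readme_.txt": (
        "Your network has been infected by Avaddon\n"
        "To decrypt your files visit http://avaddongun7rngel.onion\n"
        "Backup site: http://avaddonbotrxmuyl.onion\n"
        "Personal ID: constructed-id-0001\n"),
    r"C:\Users\Admin\Music\tZHda_readme_.txt": (
        "Your network has been infected by Avaddon\n"
        "To decrypt your files visit http://avaddongun7rngel.onion\n"
        "Backup site: http://avaddonbotrxmuyl.onion\n"
        "Personal ID: constructed-id-0002\n"),
    # Decoy: same directory tree, not a ransom note, must be ignored.
    r"C:\Users\Admin\Pictures\notes.txt": "grocery list\nhttp://example.com\n",
}

# Filename pattern assumed from tZHda_readme_.txt: <tag>_readme_.txt
NOTE_NAME = re.compile(r"^(?P<tag>[A-Za-z0-9]+)_readme_\.txt$")
# Tor hidden-service hosts: 16 base32 chars (v2) or 56 (v3), then .onion
ONION_URL = re.compile(r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b",
                       re.IGNORECASE)
# Hypothetical family markers; a real pipeline would use the YARA match instead.
FAMILY_MARKERS = {"avaddon": re.compile(r"avaddon", re.IGNORECASE)}


def extract(path, text):
    """Config found in one file, or None if the filename is not a ransom note.
    family is 'unknown' when no marker matches; urls is de-duplicated, in order."""
    name = path.rsplit("\\", 1)[-1]
    m = NOTE_NAME.match(name)
    if m is None:
        return None
    urls = []
    for found in ONION_URL.finditer(text):
        url = found.group(0).lower()
        if url not in urls:
            urls.append(url)
    family = next((f for f, rx in FAMILY_MARKERS.items() if rx.search(text)),
                  "unknown")
    return {"path": path, "tag": m.group("tag"), "family": family, "urls": urls}


def extract_all(notes):
    """Run extract() over a {path: text} mapping, dropping non-notes."""
    return [c for c in (extract(p, t) for p, t in notes.items()) if c]


def consolidate(configs):
    """Group per-file results by (family, tag, urls) -> list of drop paths, which
    is the shape the report's repeated 'Extracted' entries reduce to."""
    groups = {}
    for c in configs:
        key = (c["family"], c["tag"], tuple(c["urls"]))
        groups.setdefault(key, []).append(c["path"])
    return groups


if __name__ == "__main__":
    for (family, tag, urls), paths in consolidate(extract_all(NOTES)).items():
        print(f"{family} (note tag {tag})")
        for url in urls:
            print("  ", url)
        print("   from:", ", ".join(paths))
```

Because every note copy hashes differently, the consolidation key is the extracted content, not the file hash; the decoy file shows that the filename gate runs before any URL scanning.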
Signatures
-
Avaddon
Ransomware-as-a-service first seen in June 2020. The operation announced its shutdown in June 2021 and released its decryption keys, so samples like this one are now mainly of retrospective and detection-engineering interest.
-
Avaddon payload 1 IoCs
Processes:
- YARA rule family_avaddon matched C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Process spawned unexpected child process 3 IoCs
The generic description of this signature is that the parent was compromised via an exploit or macro. That is not what the data here shows: the parent is WmiPrvSE.exe (the WMI provider host, PID 4644), and a child of WmiPrvSE.exe means the process was started through WMI (Win32_Process.Create) rather than by a direct CreateProcess from the requesting program. Process lineage therefore does not identify the real caller; the only other actor issuing this exact command line in the run is the sample.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4644) is not expected to spawn wmic.exe (PID 2424)
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4644) is not expected to spawn wmic.exe (PID 2532)
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4644) is not expected to spawn wmic.exe (PID 4756)
UAC bypass 2 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Writing under HKLM\...\Policies\System already requires an elevated token, so these writes disable UAC for subsequent runs rather than bypass the current elevation; EnableLUA = 0 only takes effect after a reboot.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (172) files with added filename extension
Bulk renaming of user files with a new extension is the on-disk footprint of ransomware encryption.
-
Executes dropped EXE 1 IoCs
Processes:
- PID 4152: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
The dropped file has the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so the sample copies itself to %APPDATA%\Microsoft\Windows and runs the copy.
Checks whether UAC is enabled 1 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops desktop.ini file(s) 1 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- File opened (read-only) on 24 drive roots, every letter except C: and D:: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
The desktop.ini write on Z: above shows that at least one of these non-C: volumes was present in the sandbox and was walked by the encryptor.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- 64 process-enumeration events, all from PID 708 (the sample); the report caps the list at 64 entries.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wmic.exe (PIDs 2424, 4432, 4756, 2532)
- Each wmic.exe instance enables the same 21 privileges in its token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privilege LUIDs 33, 34, 35 and 36.
- The full sequence is logged for PIDs 2424, 4432 and 4756 (63 entries); the list reaches the 64-entry cap after SeIncreaseQuotaPrivilege for PID 2532.
wmic.exe enables every privilege present in its token at startup, so this signature fires on benign wmic use as well; the indicator that matters is the SHADOWCOPY DELETE command line, not the privilege adjustment.
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- PID 708 wrote to memory of 4432 (wmic.exe), three times
- PID 708 wrote to memory of 2624 (wmic.exe), three times
- PID 708 wrote to memory of 3296 (wmic.exe), three times
Three writes into each freshly created child is consistent with ordinary process creation (the parent writing startup parameters into the new process) rather than injection; no remote thread creation in the children is reported.
System policy modification 1 TTPs 3 IoCs
Processes: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
EnableLinkedConnections = 1 makes drive mappings created under the user's standard token visible to the elevated token as well; for ransomware this means an elevated encryptor can reach mapped network shares that the drive enumeration above would otherwise not see.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
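The shadow-copy deletion, the WmiPrvSE-hosted wmic launches and the UAC policy writes above are the three behaviours a detection engineer would want to correlate for this sample. The following is an added example, not code from the sandbox or the sample, of rules over Sysmon-style process-creation and registry-set events. The events are constructed from the PIDs, images and command lines in this report, plus a hypothetical benign admin session (PIDs 4100 and 5000) as a control; the command-line pattern also covers the vssadmin and wbadmin equivalents that do not appear in this run.

```python
"""Detection rules for the behaviours tied together in this report: shadow-copy
deletion via wmic, WmiPrvSE.exe spawning a process (WMI Win32_Process.Create),
and UAC / linked-connection policy tampering in the registry. Added example; the
events below are constructed records modelled on the report, not captured logs."""
import re
from collections import defaultdict

# Constructed events. PID 708 is the sample and 4644 is WmiPrvSE.exe (from the
# report); PIDs 4100/5000 are a hypothetical benign admin session used as a control.
EVENTS = [
    {"type": "process", "pid": 4432, "ppid": 708,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"type": "process", "pid": 2424, "ppid": 4644,
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"type": "registry", "pid": 708, "value": 0,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "registry", "pid": 708, "value": 0,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"type": "registry", "pid": 708, "value": 1,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
    {"type": "process", "pid": 5000, "ppid": 4100,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic os get caption"},
    {"type": "registry", "pid": 4100, "value": 5,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
]

# The wmic form seen in this report plus vssadmin/wbadmin equivalents (generalisation).
SHADOW_DELETE = re.compile(
    r"shadowcopy\s+delete|delete\s+shadows|resize\s+shadowstorage|delete\s+catalog",
    re.IGNORECASE)
POLICY_PATH = "\\policies\\system\\"
# Dangerous value for each UAC-related policy name written by the sample.
UAC_TAMPER = {
    "enablelua": 0,                   # UAC off after the next reboot
    "consentpromptbehavioradmin": 0,  # elevate admins silently, no prompt
    "enablelinkedconnections": 1,     # elevated token sees the user's mapped drives
}


def rule_shadow_copy_delete(ev):
    return ev["type"] == "process" and bool(SHADOW_DELETE.search(ev["cmdline"]))


def rule_wmiprvse_spawn(ev):
    # WmiPrvSE.exe launches nothing on its own; a child means a client called
    # Win32_Process.Create, and lineage alone cannot say which client.
    return ev["type"] == "process" and ev["parent_image"].lower().endswith("\\wmiprvse.exe")


def rule_uac_policy_tamper(ev):
    if ev["type"] != "registry":
        return False
    key = ev["key"].lower()
    if POLICY_PATH not in key:
        return False
    name = key.rsplit("\\", 1)[-1]
    return name in UAC_TAMPER and ev["value"] == UAC_TAMPER[name]


RULES = [
    ("shadow_copy_delete", rule_shadow_copy_delete),
    ("wmiprvse_spawn", rule_wmiprvse_spawn),
    ("uac_policy_tamper", rule_uac_policy_tamper),
]


def evaluate(events):
    """Per-event view: [(pid, [rule names]), ...] for events tripping any rule."""
    alerts = []
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            alerts.append((ev["pid"], hits))
    return alerts


def actor_behaviours(events):
    """Per-actor view: rule hits grouped by the process responsible, i.e. the parent
    for process creation and the writer for registry events. A PID with two or more
    distinct behaviours matches the pattern of this sample (PID 708)."""
    actors = defaultdict(set)
    for ev in events:
        actor = ev["ppid"] if ev["type"] == "process" else ev["pid"]
        for name, rule in RULES:
            if rule(ev):
                actors[actor].add(name)
    return dict(actors)


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS):
        print(pid, hits)
    for pid, names in sorted(actor_behaviours(EVENTS).items()):
        print(pid, sorted(names))
```

The per-actor view is what surfaces the sample: PID 708 never runs wmic under its own name, but it is the parent of the shadow-copy deletion and the writer of the UAC policy values. WmiPrvSE.exe (PID 4644) also accumulates two behaviours, which is exactly the attribution gap the "unexpected child process" signature above records; resolving it needs WMI-Activity tracing, not process lineage.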
Processes
- C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  "C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
- C:\Windows\system32\wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
- Indicator Removal (1): File Deletion (1)
The matrix omits the Impact tactic even though the shadow-copy deletion and bulk file renaming above map to Inhibit System Recovery and Data Encrypted for Impact.
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  Filesize: 775KB
  MD5: 117da2dd6fa24616f63eb43d5a15e5d3
  SHA1: b4d70eecdef52ceef15f04a025d1ab08f193fb97
  SHA256: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
  SHA512: de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
- C:\Users\Admin\Documents\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 1e2273b0b8f6e573073eb6d75ce37e9d
  SHA1: 489a03cbcade5b7f630a925bbde127915257c548
  SHA256: 4b7db329f68d2f706a47b7825d2761466bead2cde4adeb1b55d0cc88ecb2c240
  SHA512: 44b569eb81f9ef522cb978e3de4eb36fa712985130214d8b5d27cfbe5c09b32700a4cfd5ae2ff408d37f80143fe4f17f8eec1ec71ae2caaa3eec1601eae4f501
- C:\Users\Admin\Documents\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 6541e2d8d9a02ac283d3f9c2f0a7ba8c
  SHA1: 442eae09fe85c0eb2de379f2dcffcf741becd0a5
  SHA256: 7bc3d5fd9082dcc1040cf9ee24ee2082e2172f0d78518af34e4e97195551c232
  SHA512: b32f44bbc4839aaf74dfd31ab91989b3aa6bef598d4bc36a06515be26d13d2fc5750fe235e1ddb71b6c7bedbe7e2849b1561b872481ff800112c7eeebf6cc039
- C:\Users\Admin\Downloads\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 279ca6a9aead0d20776c492440086d7c
  SHA1: 5e52a038fc41baa8c4bd1d159d3d8fbcd32205a0
  SHA256: 5c5341326ecb5a81995b0447a89d361b963dd6307ac551c4ededffa72f6b8f93
  SHA512: 6efaeb596f64246482b15bf3249afcb2edd91d43b75a33fdfd4cc10b864bdda7054a57b193776d231930857c82a23eee47bf6073da2b6ad6762a66c855845a3d
- C:\Users\Admin\Downloads\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 03f1d33695afa8046a22b481b8669f6b
  SHA1: 1c6b5b0915584b22ca77b1dc287594de44c79860
  SHA256: 50b84f54d473d5fc7be84bd2965433bc0610ef23de7d61de7330acc200a053fe
  SHA512: f1d16f31e5b4d43d092e4917b3ff68e1e15c64f148c093abc55ad74a23967bc40b726961a4e0ffc7b83d6d7ba0f177bcbf36bd1e8e7b6bf067a06ef2f305857b
- C:\Users\Admin\Music\tZHda_readme_.txt
  Filesize: 3KB
  MD5: b84db797ddba733ed67db3dcd64bdece
  SHA1: 416af6186f1affc888e32d6fa92b329e9bc78e3e
  SHA256: 87343073520c6bc506223641906f4b2308362e4bfd5f797140caf85972af635b
  SHA512: e349615bcb664c90934edc6a7b2a71871682d86fce6766df0291ef0639901dc41b8f7fa00e47a604822b5be800dd3158032e6b5e000bf82af01bbb00d9219ab5
- C:\Users\Admin\Music\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 92fef6b97acaa23e8c7c20e9ec7e6c92
  SHA1: 281bdf7698c0260d846641dc2904ec66d32163c0
  SHA256: 4a869527415b1f70b057166087c69411fcb6f86b6bf3d567164888a89b3ee0c4
  SHA512: e0ff5385185e6418e0b0ee3e4e0557f95c9f5bce935f0b69d07f12ba48a72bbb191b4deb74847d03d34575a5b8c13988efb9a10e628663ce23f3f2c45a345ecf
- C:\Users\Admin\Pictures\tZHda_readme_.txt
  Filesize: 3KB
  MD5: 4cf936e1303d89e719532efb5d3d4c6c
  SHA1: 65606cfbb9c4e6b85b4c218a1008733b67654847
  SHA256: 986e73ea02ff72de8aa98c5848e1006030577ee36a6698d8ce278bb1536f3f7b
  SHA512: 155f53ef175a59cb4cd2394f79414a748f32e94cd8aeaad5907a245d6437f15aa32329ebc9b4a398ac1f68949bc89705b1646b51fcc8fb323f886fe40c67b6a7
The dropped executable is byte-identical to the submitted sample (same four hashes), while each of the seven ransom-note copies has a different hash; note detection should therefore key on the filename pattern and content rather than on file hashes.