Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Resource: win10v2004-20240226-en
General
- Target: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Size: 2.1MB
- MD5: ccede1200a6e8eff54a358fa1e6d119a
- SHA1: e62fbe82dc5c1efbdecfd94791e023002d3c178b
- SHA256: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
- SHA512: d4c7e45c2f509e43b521bfbcd67474ef271fa12088f7a57794ba866cdd41ddd3e9ee8fc776b31dd0a0811e62542b813e97c0f3404f4e416066c1338193f7f6c7
- SSDEEP: 49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aun:QDB8XQqDXf+D9FG1dp9m5fb37zsf+yn
Malware Config
Extracted: C:\Users\Admin\Desktop\solfF_readme.txt
- Family: avaddon
- URL: http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Documents\solfF_readme.txt
- Family: avaddon
- URL: http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Music\solfF_readme.txt
- Family: avaddon
- URL: http://avaddonbotrxmuyl.onion
Extracted: C:\solfF_readme.txt
- Family: avaddon
- URL: http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Avaddon payload 16 IoCs
YARA rule family_avaddon matched on memory dumps of process 1764 (region 0x0000000000400000-0x00000000009C4000) in behavioral2.
Processes:
UAC bypass
Processes: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Renames multiple (159) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Checks whether UAC is enabled
Processes: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops desktop.ini file(s) 1 IoCs
Processes: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 25: api.myip.com
- flow 24: api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- PID 1764: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
System policy modification 1 TTPs 3 IoCs
Processes: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (1)
    - Disable or Modify Tools (1)
  - Modify Registry (2)
Downloads
- C:\Users\Admin\Desktop\solfF_readme.txt
  - Filesize: 3KB
  - MD5: 2856a86eb4b7ac80b267e882439b2e32
  - SHA1: be6a7479d961cd04f8456a512a474b889ff7923f
  - SHA256: 8307400e90d6d047cceb1023d26a4af07677f92d88e027ac239ad95484ceec90
  - SHA512: 671ba8a38cea45c035ddb7914662c08defab27135251cdd6caed86ec8cfdd73ca9d0f4ea930878a8a86cab88d6c103b342adb7f0e4c1a55beae8dbaa1f05e919
- C:\Users\Admin\Documents\solfF_readme.txt
  - Filesize: 3KB
  - MD5: e86a1ee8f401a61a5c9ea92713dc208c
  - SHA1: c841adbfd46c645bb4bc1d66e18e0a6a8d1a9786
  - SHA256: 1fa8d0809b94be4da487c9ae2d2832d578e177ce0d56e8dac5ec2349d890d453
  - SHA512: 3dfa11ad5e96e30c8d1c0223fb15986da91d2fd82c219c63923ca87584abdad4776fa2424ceb16a3927567483064817927128c32d44fe63729468207b15cdfbc
- C:\Users\Admin\Music\solfF_readme.txt
  - Filesize: 3KB
  - MD5: 073ffcea51e2136e20f244a982bafe7d
  - SHA1: fa8daa1f7c8df534348404897c9667216cb86576
  - SHA256: 8c9b0228c9f544cb272ee30cb7ee5be6e32ac9c3f88b614c37a5542b829c8b07
  - SHA512: 73c38b78cd838855ac2371549e77bd19f1661b149d37c018426dfb080a379ccf211ae5519a3b11d9c3e660d8306645cdb4c8613ce827324a8361855cac1c61ca
- C:\solfF_readme.txt
  - Filesize: 3KB
  - MD5: 27a4a1216ce4e9934360f623ee16e00d
  - SHA1: 0697332c015123a1316c6fd070da97d78f0a4de4
  - SHA256: 56431d861beeeda03c9493a727a46ee5609094fb8d57e0be827d90ed71a87573
  - SHA512: 97f545c3eed26231e7287e95ef719155abf052144417c36464e2feb9b0aeadf85e2fe2676b2ebe5537c1aa60bc0b746f5acd3f81a8e0e7e988e2ccae98a6b480