Analysis Overview
SHA256
e09ed955d7210fb7141f24db4d7df1466c15cbc7aafd71d1f8b7857cbf7258e6
Threat Level: Known bad
The file e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.zip was found to be: Known bad.
Malicious Activity Summary
Avaddon payload
Avaddon
UAC bypass
Deletes shadow copies
Renames multiple (191) files with added filename extension
Renames multiple (159) files with added filename extension
Enumerates connected drives
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-02 10:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 10:08
Reported
2024-04-02 10:14
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Avaddon
Avaddon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Deletes shadow copies
Renames multiple (191) files with added filename extension
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob not reproduced) | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
"C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| FR | 68.232.34.200:443 | download.visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | sls.update.microsoft.com | udp |
| US | 20.12.23.50:443 | sls.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.windowsupdate.com | udp |
| GB | 104.86.110.202:80 | download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
Files
memory/2172-0-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/2172-1-0x0000000002D30000-0x0000000002E56000-memory.dmp
memory/2172-2-0x0000000000400000-0x00000000009C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab69BD.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar6B3A.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\Desktop\xJqjQ_readme.txt
| MD5 | 68f3108a1903dc440599f8c1b0fa3493 |
| SHA1 | 9722726dd25495c9f535a20435c028607695b1fa |
| SHA256 | 7baf10f6b18a5f182a0eeb19fa5c7878b1a531294a7e7e6527ac1f94d9d677aa |
| SHA512 | d620fae7050737113bcd5d6be8d7d14e6149b5a0ca616822ca1900f487a9a8c5949a6c14d49eadce52ce3bb428478d44102d1484efaa67d64126f8a809caea8d |
C:\Users\Admin\Desktop\xJqjQ_readme.txt
| MD5 | 4c8db53792efc147035b417cd696a4c6 |
| SHA1 | b93cb218fa1be9c6a7b918c1ed64a1211b96ba7b |
| SHA256 | dbcf3438b9f7430bcdbc77654aa15607a8b976476ec46e6a51c3cc789c1de99d |
| SHA512 | 57cea79973b11933ed6b71c306bfb268552cb21874761135b521f2c128fd013d764c7abad327d1025ef79bc1f33c99291fbf2d39609a01c19cc625953c588667 |
C:\Users\Admin\Downloads\xJqjQ_readme.txt
| MD5 | 628ca676b18455e877b59d8a1672e4d2 |
| SHA1 | e3dd28a07930bdc27720cb366a22d77d72527ec0 |
| SHA256 | 7e01a3d421b95903eb6808b4dd827635d636485f1c2cf069a4adb4d37c930946 |
| SHA512 | c5ccaca37df4c85b7aaf72521f48b143b9ef052e500efa2f79df12e7e40e1c3d863ae7d120b50b07ca76c703e17c73af3099557c2a1239476c2071faafb77caa |
C:\Users\Admin\Favorites\MSN Websites\xJqjQ_readme.txt
| MD5 | 41abef554c1e7b9dae99e4718dd5158d |
| SHA1 | eb34b97080d6213a6afe9b9f4f6f29736691d614 |
| SHA256 | d0dec39643b3fc7d6e15838da95540c8c6878c11c7bb97aebc298ce89bff0db0 |
| SHA512 | 07c38a1ff50779a6481608d8b02fb9434d3065d7b77baf968ee350eb82e29b615da607425e6040db02635a573cc917727f20ca4f816e7cd6f77e41b25beed5c4 |
C:\Users\Admin\Pictures\xJqjQ_readme.txt
| MD5 | 8c4e29b5e072b4d79580706fc43279a1 |
| SHA1 | 7e8022748491db7feea7a5380c19dd81086ac0c9 |
| SHA256 | c5e964f38a7c7ac78c91a6a1cf9393f33024857637fc43f2402a151296a73379 |
| SHA512 | f9dd0d0dcac4d21ade47ea0ede5405bce47cda69fc4aeb6ebe5a0092c4b41e7e5b4c0f9886b9b93ca6a0ca4eb12d60cadd7195493660f0f91201538a2822a964 |
memory/2172-514-0x0000000000400000-0x00000000009C4000-memory.dmp
C:\Users\Public\Pictures\Sample Pictures\xJqjQ_readme.txt
| MD5 | a3e7fb312d07d44a81cfc79600c1f251 |
| SHA1 | 30c606884e695582f39a62fbc1bb738c0b638777 |
| SHA256 | f5e06113816673c5d2b27b82ca099b9e0b76215f526a8df4df80f5537bed23c1 |
| SHA512 | 7ea67b7b90120410a9ac9c7a5cb34b051af2c289e9e1310d6bedcb9befdc40465eaf26d67f2bda8ed0ffb4c51a05a681e064e3da206ff54e45c22d0806c7ba21 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 10:08
Reported
2024-04-02 10:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Avaddon
Avaddon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Renames multiple (159) files with added filename extension
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-399997616-3400990511-967324271-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
"C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| FR | 68.232.34.200:443 | download.visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | sls.update.microsoft.com | udp |
| US | 8.8.8.8:53 | 200.34.232.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.windowsupdate.com | udp |
| GB | 104.86.111.161:80 | download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.111.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| N/A | 10.127.1.1:445 | N/A | tcp |
| N/A | 10.127.1.1:139 | N/A | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 10.127.1.2:445 | N/A | tcp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| N/A | 10.127.1.2:139 | N/A | tcp |
| US | 8.8.8.8:53 | 2.1.127.10.in-addr.arpa | udp |
| N/A | 10.127.1.3:445 | N/A | tcp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| N/A | 10.127.1.3:139 | N/A | tcp |
| US | 8.8.8.8:53 | 3.1.127.10.in-addr.arpa | udp |
| N/A | 10.127.1.4:445 | N/A | tcp |
| N/A | 10.127.1.4:139 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.1.127.10.in-addr.arpa | udp |
| N/A | 10.127.1.5:445 | N/A | tcp |
| N/A | 10.127.1.5:139 | N/A | tcp |
| US | 8.8.8.8:53 | 5.1.127.10.in-addr.arpa | udp |
| N/A | 10.127.1.6:445 | N/A | tcp |
| N/A | 10.127.1.6:139 | N/A | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/1764-0-0x0000000000400000-0x00000000009C4000-memory.dmp
memory/1764-1-0x00000000030F0000-0x0000000003216000-memory.dmp
memory/1764-2-0x0000000000400000-0x00000000009C4000-memory.dmp
C:\Users\Admin\Desktop\solfF_readme.txt
| MD5 | 2856a86eb4b7ac80b267e882439b2e32 |
| SHA1 | be6a7479d961cd04f8456a512a474b889ff7923f |
| SHA256 | 8307400e90d6d047cceb1023d26a4af07677f92d88e027ac239ad95484ceec90 |
| SHA512 | 671ba8a38cea45c035ddb7914662c08defab27135251cdd6caed86ec8cfdd73ca9d0f4ea930878a8a86cab88d6c103b342adb7f0e4c1a55beae8dbaa1f05e919 |
C:\Users\Admin\Documents\solfF_readme.txt
| MD5 | e86a1ee8f401a61a5c9ea92713dc208c |
| SHA1 | c841adbfd46c645bb4bc1d66e18e0a6a8d1a9786 |
| SHA256 | 1fa8d0809b94be4da487c9ae2d2832d578e177ce0d56e8dac5ec2349d890d453 |
| SHA512 | 3dfa11ad5e96e30c8d1c0223fb15986da91d2fd82c219c63923ca87584abdad4776fa2424ceb16a3927567483064817927128c32d44fe63729468207b15cdfbc |
C:\Users\Admin\Music\solfF_readme.txt
| MD5 | 073ffcea51e2136e20f244a982bafe7d |
| SHA1 | fa8daa1f7c8df534348404897c9667216cb86576 |
| SHA256 | 8c9b0228c9f544cb272ee30cb7ee5be6e32ac9c3f88b614c37a5542b829c8b07 |
| SHA512 | 73c38b78cd838855ac2371549e77bd19f1661b149d37c018426dfb080a379ccf211ae5519a3b11d9c3e660d8306645cdb4c8613ce827324a8361855cac1c61ca |
C:\solfF_readme.txt
| MD5 | 27a4a1216ce4e9934360f623ee16e00d |
| SHA1 | 0697332c015123a1316c6fd070da97d78f0a4de4 |
| SHA256 | 56431d861beeeda03c9493a727a46ee5609094fb8d57e0be827d90ed71a87573 |
| SHA512 | 97f545c3eed26231e7287e95ef719155abf052144417c36464e2feb9b0aeadf85e2fe2676b2ebe5537c1aa60bc0b746f5acd3f81a8e0e7e988e2ccae98a6b480 |