Analysis Overview
SHA256
7878cf70c5dd089c1ba2cebb2d76b16b4e2a21e3fe8241f06d1e360f037c3cff
Threat Level: Known bad
The file 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip was found to be: Known bad.
Malicious Activity Summary
Avaddon payload
Process spawned unexpected child process
UAC bypass
Avaddon
Avaddon family
Renames multiple (128) files with added filename extension
Deletes shadow copies
Renames multiple (183) files with added filename extension
Executes dropped EXE
Enumerates connected drives
Drops desktop.ini file(s)
Checks whether UAC is enabled
Unsigned PE
Enumerates physical storage devices
System policy modification
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-02 10:37
Signatures
Avaddon family
Avaddon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 10:37
Reported
2024-04-02 10:41
Platform
win7-20240221-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Avaddon
Avaddon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Deletes shadow copies
Renames multiple (183) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ab.exe
"C:\Users\Admin\AppData\Local\Temp\ab.exe"
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\system32\taskeng.exe
taskeng.exe {E749BE6E-21BC-47F7-B135-D50D9BBD07FC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
Network
Files
C:\Users\Admin\Desktop\jBfcT_readme_.txt
| MD5 | 7e12e0be842647442088e9e2ef860b72 |
| SHA1 | d111ff0ac7ca5d446ce5283a919bc569de906746 |
| SHA256 | cd206f963edae2f936fe854c65832ad5f432a6a67cb37a79ac91e2ffe58cc0a3 |
| SHA512 | df88cc88eac883423e746ffc9516673d8c7f962ccf3d0a732353846581fc9fe3654aad51910ec16cfca2fe4c0fa6ec8369affcf0129e7369e3a7a423c0542d1b |
C:\Users\Admin\Documents\jBfcT_readme_.txt
| MD5 | a3a0053caab46f82e6d3cfa7096ddadb |
| SHA1 | c33cd0a0bb5df96c69b21cea1559b9430f542e60 |
| SHA256 | fff9f2ce1df7ef7d47daa6ab12167271798cc02db00ce094a23a1dedc81f8e03 |
| SHA512 | 6e3beaa534146c5726741be040b1cfda9b3847806efbd75083ed8a81ae187f1b0e25299fbff149b6d0c267de7ded85f1ddd1e0c95426ae371c7b79f9689ea879 |
C:\Users\Admin\Music\jBfcT_readme_.txt
| MD5 | 4b97d220514ce849e0be544f76f6ac48 |
| SHA1 | 8b81e1907fd44dbee6b8ea1c683bb7dd9128d72a |
| SHA256 | 769d3a1cb3d79029993e6df995bd05d781dd721a886aa370bbe77ff61cd8b023 |
| SHA512 | df9e881236d6dfe9bada00ad65d390bda1e34b43596ccfc8c5c69030f28ff4eec8e3c9d3d06a014a98782ed9d154b20572a15cd8defb05997219d674788f97c0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
| MD5 | 0b486fe0503524cfe4726a4022fa6a68 |
| SHA1 | 297dea71d489768ce45d23b0f8a45424b469ab00 |
| SHA256 | 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2 |
| SHA512 | f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 10:37
Reported
2024-04-02 10:41
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Avaddon
Avaddon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Deletes shadow copies
Renames multiple (128) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ab.exe
"C:\Users\Admin\AppData\Local\Temp\ab.exe"
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.1:139 | tcp | |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.2:139 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.3:139 | tcp | |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.4:139 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.5:139 | tcp | |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.6:139 | tcp | |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\4sU1n_readme_.txt
| MD5 | d70fca0e168c54291649c8c56d458997 |
| SHA1 | f1e6ed918148508c7b25e171009e7e1cc8f98ab7 |
| SHA256 | d9b62c4a3968eceb660e938c385934ab2b9128cddaec219e6302cb0b01431073 |
| SHA512 | 7e8054ae7ea71e0e2afef9daa7195171e43dacd7e9b39c54e8a837accb251e7aa3844b201b2f6b0bb6a442b9053bdb4d2788e1f43529a11d7a849d88caf628ef |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
| MD5 | 0b486fe0503524cfe4726a4022fa6a68 |
| SHA1 | 297dea71d489768ce45d23b0f8a45424b469ab00 |
| SHA256 | 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2 |
| SHA512 | f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619 |