avaddon | 5aad14becf4a00091f7a1ce97c4685adaebc07a4b8edd9708d2cb4bd1e1c7c59

Analysis

max time kernel
179s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Size

775KB
MD5

117da2dd6fa24616f63eb43d5a15e5d3
SHA1

b4d70eecdef52ceef15f04a025d1ab08f193fb97
SHA256

48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
SHA512

de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
SSDEEP

24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\txi8v_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bEBEDdCbeE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS1rZ1RJNmxHd1V6YUhPV3V3MmJDNlh5TlZuVnAwVVNkTFI2SnVrMFVuNDFxcjdud0dtTktKY0lKTkN0ekhic2k4b3BaWnZTNUlMY3krRDdjMUxqclJmdkJRcUNzYmpUSzUvSXlxSklhMlFjM0VDa1BFK3p3ajNUdXcrVXZXNEFkMXJ5NEpVR0hoS1JIdG1vSDg5QXpCT2RMdExvVmVvb0VEMTRJSmtVWFhQUG5NS2RMTWZWZmRTZERiR3oxVldxakgvanA1VXFIb01xWFhIbFQ0YTJ6UTU4dUFkV29Fdko2cWNyRmFIRXgrODBnSUduRGo1M2prU2Y0SkV0WGFEb2V3UUd6NDNmbUc2SE5nQ1ZhbVRrVGYvbDBibG1NcC9FazlkaVpoOU9HRXprRUhUVlFodE9Zb0l0aWduU3FqcTlHY2Zuemo2UUlvaXA2QmpRZC9HQ0c0bG9EM0NENzZBNEpQYmxxSDNFNm9aMUVybXJYd1pRSTMvVEtkN1d3YlFrd0N6VHczN0xLcWNjUW9NM0k2UG5JV1Q5ZzYvcko2YzdmTVRqTTdmSDhNekpFb0o1U0toTnA4RmxCSmw1L3phV05QUGhBRllIR01CNEpOOTduekxJNmM2Mm1nNzk4ZWJ0eDE3Y0taU2t0NG9vcm9MY0t6ZGtuMmJHcHVwOUc2NUN2a0RNRHZJMnh3SXJFSHNWYzJJQWhYRFYzRlBJeHBwR211NzN4TG1nTzhMN2hCUnF5WUVmNllSQkhhSXRRSlJ5RDYvVXMwdG5NOUJ5ZGRzeWlJOXYzR292cGlOME5IOGM0S2x5a3dLRHB1NlhHSUZDVzl5UC84SzhOSDZPSXI2Nlc3c0JIK2dUMmYwc2hHYWFvUjRaclVtMXJWUnRjeGJ3Z3Vqb29GR3M0VW9wQkZmRlVIaGpBcmgyVzU4S1NleXB2QjQ2bGtIai8rajVIYXNGcHFBR2RTa0FSLzVaREM3ME43b3BFMHYxbXJWZnI4MHNsWUI1WWwzbGJnY25HZG5xK0hPTjYydHFKRmMyekQrc0NUZUFFQlBSQTE1clQ5NnVZK2pLd0lNdms3LzVHck1mUURvd3k0OVptSHBGRHExUnRhVitRbkYrNUQ2ODY0enhiWkZQRFIwampSQmhlYUdMMGZrYVhFNkh2UlI2WTVMTjJyaVR4RWl1RkMxM2MwNU1Mc2MwNVA2VWxQaUkwVmRZTUF2VjJBV1o0S2JVTnZWK2U3UXRGT3BiNlBiS2VTQUgxVzJTSm0zSjhyVTRhYjhIODMxeHhVN2JuWTdLb2JXK1NTejN6U3ZtY3VBSVc1NHA5bmRVd3FBM21QSHY3aUtFNUREd1VzRHhTZWJQL0Z1eEhpaC9POHF2V0FrT1RlQ2tLcGxFakpoRTJBODlGSmp2MXFXZmdPN2J0a0E2OTVnZ0NzTFphU3VCUW8yMFVQTncxUE95ZnNmTG9tMWpSdUlTNE5lVHZpR2NEczgraTMwbUY3bG82aENDTHNNMUM4ZmcrZTl2ZnNLSzV5VlJSbFo4Sm1EbnZWa0NWVjZzRDlmbHplSFhBdTJjOTM0V01rZ3NiN25WdkhwQ09uQmF4aWZmeGNWR0pIbjlRdDdYektEUmt4ZVFwSFlZbDUvT1VsR01HZWJTNmdudk1tRkVla1lKK015djFOYlhhNUNyZ2dWUkNqbHQzMDU4aElxTGhscUQyaVhQanBVNVh1eGxKYzRIOGFsMlRzYVlIc0NFVGo1azR5TWYyY2craWJIMlBIRWZ3UnpLbldzQXFaYmdMdjQvTloyYW5RcW9IVUtKMm96NHVjUXVOTk1KQllBWmo1cjhCZVNXT1dXeFRKNnFsMlNjRk41dnhWcitWYm1ZVkR4SjZ1NmU3Z1lVdFordHhrdDE0S0hqKzNaM1h1VUJCS2RLK2ZGc0tQb0drN2VaOXg1QVpoYmdDSVBpd3FqK3R5Q0lGcE5hOEVTTnNKKzhSZVpoZnJjL2JXYVZvSEp1ZjBEVHg3VzNaSS9iYkpQVFp5QWxrZGdFb2V4Z0toRjM3V2szZ2Fwb2VmdW53WVFUNDJ5WHd3WjlQQ3JZOFhBSWpSaWtXTitIV2FRdDFTekxJUERCRzZ3Zk9aY0hrbVJLTGdpSHdsT1VOVFAvME4xT2t3QzM5cEhnRXhpUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * HGL9NKJ6HPhr6vJByqr

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\txi8v_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\txi8v_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225c-511.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1652	wmic.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1652	wmic.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1652	wmic.exe	30

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
880	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\R:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\S:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\G:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\L:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\U:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\X:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Y:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\F:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\H:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\E:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\I:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\K:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Q:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\T:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\V:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\B:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\J:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\M:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\N:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\O:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\W:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Z:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\A:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2108	vssadmin.exe
2352	vssadmin.exe
3040	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe
Token: SeSystemProfilePrivilege	1468	wmic.exe
Token: SeSystemtimePrivilege	1468	wmic.exe
Token: SeProfSingleProcessPrivilege	1468	wmic.exe
Token: SeIncBasePriorityPrivilege	1468	wmic.exe
Token: SeCreatePagefilePrivilege	1468	wmic.exe
Token: SeBackupPrivilege	1468	wmic.exe
Token: SeRestorePrivilege	1468	wmic.exe
Token: SeShutdownPrivilege	1468	wmic.exe
Token: SeDebugPrivilege	1468	wmic.exe
Token: SeSystemEnvironmentPrivilege	1468	wmic.exe
Token: SeRemoteShutdownPrivilege	1468	wmic.exe
Token: SeUndockPrivilege	1468	wmic.exe
Token: SeManageVolumePrivilege	1468	wmic.exe
Token: 33	1468	wmic.exe
Token: 34	1468	wmic.exe
Token: 35	1468	wmic.exe
Token: SeIncreaseQuotaPrivilege	1984	wmic.exe
Token: SeSecurityPrivilege	1984	wmic.exe
Token: SeTakeOwnershipPrivilege	1984	wmic.exe
Token: SeLoadDriverPrivilege	1984	wmic.exe
Token: SeSystemProfilePrivilege	1984	wmic.exe
Token: SeSystemtimePrivilege	1984	wmic.exe
Token: SeProfSingleProcessPrivilege	1984	wmic.exe
Token: SeIncBasePriorityPrivilege	1984	wmic.exe
Token: SeCreatePagefilePrivilege	1984	wmic.exe
Token: SeBackupPrivilege	1984	wmic.exe
Token: SeRestorePrivilege	1984	wmic.exe
Token: SeShutdownPrivilege	1984	wmic.exe
Token: SeDebugPrivilege	1984	wmic.exe
Token: SeSystemEnvironmentPrivilege	1984	wmic.exe
Token: SeRemoteShutdownPrivilege	1984	wmic.exe
Token: SeUndockPrivilege	1984	wmic.exe
Token: SeManageVolumePrivilege	1984	wmic.exe
Token: 33	1984	wmic.exe
Token: 34	1984	wmic.exe
Token: 35	1984	wmic.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe
Token: 33	2768	wmic.exe
Token: 34	2768	wmic.exe
Token: 35	2768	wmic.exe
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2684	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	37
PID 2620 wrote to memory of 2684	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	37
PID 2620 wrote to memory of 2684	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	37
PID 2620 wrote to memory of 2684	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	37
PID 2620 wrote to memory of 2108	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	42
PID 2620 wrote to memory of 2108	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	42
PID 2620 wrote to memory of 2108	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	42
PID 2620 wrote to memory of 2108	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	42
PID 2620 wrote to memory of 2304	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	44
PID 2620 wrote to memory of 2304	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	44
PID 2620 wrote to memory of 2304	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	44
PID 2620 wrote to memory of 2304	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	44
PID 2620 wrote to memory of 2352	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	46
PID 2620 wrote to memory of 2352	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	46
PID 2620 wrote to memory of 2352	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	46
PID 2620 wrote to memory of 2352	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	46
PID 2620 wrote to memory of 2148	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	48
PID 2620 wrote to memory of 2148	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	48
PID 2620 wrote to memory of 2148	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	48
PID 2620 wrote to memory of 2148	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	48
PID 2620 wrote to memory of 3040	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	50
PID 2620 wrote to memory of 3040	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	50
PID 2620 wrote to memory of 3040	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	50
PID 2620 wrote to memory of 3040	2620	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	50
PID 1512 wrote to memory of 880	1512	taskeng.exe	54
PID 1512 wrote to memory of 880	1512	taskeng.exe	54
PID 1512 wrote to memory of 880	1512	taskeng.exe	54
PID 1512 wrote to memory of 880	1512	taskeng.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
"C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2620
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2684
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2108
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2304
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2352
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2148
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3040

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1336

C:\Windows\system32\taskeng.exe
taskeng.exe {AC0194F3-2F10-421E-BBB9-602C84C80A1F} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  2⤵
  - Executes dropped EXE
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Filesize
775KB

MD5
117da2dd6fa24616f63eb43d5a15e5d3

SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97

SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

Download Submit
C:\Users\Admin\Desktop\txi8v_readme_.txt

Filesize
3KB

MD5
64dfc460bae2367283a76161bab64e72

SHA1
96bf44292760efbac6b1ddd9bfdbab69649fa3a8

SHA256
cc7f165fb08812111fefcde9c13444d706ac3d7ba86b169d0026e0e5af4200ba

SHA512
cfa846099f17ad12c471727bd36e7c7d07c024073c7b7609a2cc4e0c73c133e478f5b0e9640ebad063f99a0ced3f3dd53906bd8f18c381ce34da49c515fa887c

Download Submit
C:\Users\Admin\Documents\txi8v_readme_.txt

Filesize
3KB

MD5
4dfc5a42083c964e934447c07aad8c66

SHA1
3d0027c6f504b5da6a8fc5b8d20e70f67bf259cc

SHA256
a2563c1e8d642365024649a7a52b20b3ff94e78e8062e1849d7299de4e43c94b

SHA512
b702a96f8c08cbd1ba26db53b3ba2215f5f8e77a5c1eb661e81410f4bcab8379ec6f146425f9168e9316dfee72b2f1ad760f3c998876c6a161a2780681a16a69

Download Submit
C:\Users\Admin\Music\txi8v_readme_.txt

Filesize
3KB

MD5
3c7f4779828d096c041f94868fb0dfe1

SHA1
c1e7441b54cda9f60504d5a4380600abfb1f29d3

SHA256
ebfbe8d7e6a8c9df97de5eade6b233ed6c845fdf256184cc7fb0599b5c9eaf90

SHA512
0a67352bc5100e9db0f52cc480e292524f964b1d2543f5cd2cdcbeb7d3ad0b49dd597d61eaaf452e5c8b2dfe73aac4fab2f8d483c0c73a169da3dea2a7e0c8e7

Download Submit