Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2024 13:35
Behavioral task behavioral1
- Sample: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Resource: win10v2004-20240226-en
General
- Target: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Size: 775KB
- MD5: c19084114c85192dacfed89a92da6837
- SHA1: a1d6461e833813ccfb77a6929de43ab5383dbb98
- SHA256: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
- SHA512: cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
- SSDEEP: 24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq
Malware Config
Extracted from: C:\Users\Admin\Desktop\nONLa_readme_.txt
- Family: avaddon
- URLs:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Signatures
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon payload 1 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | family_avaddon
- Process spawned unexpected child process 3 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: wmic.exe, wmic.exe, wmic.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 3032 | wmic.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4572 | 3032 | wmic.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 660 | 3032 | wmic.exe |
- UAC bypass
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (155) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE 1 IoCs
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  pid | process
  4376 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Checks whether UAC is enabled
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Drops desktop.ini file(s) 1 IoCs
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | ioc | process
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | ioc | process
  File opened (read-only) | \??\W: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\A: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\P: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\U: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\H: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\J: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\M: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\Q: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\V: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\B: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\E: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\G: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\X: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\R: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\T: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\F: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\I: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\L: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\N: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\Y: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\Z: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\K: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\O: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  File opened (read-only) | \??\S: | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  pid | process
  5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe (this same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes: wmic.exe, wmic.exe, wmic.exe, wmic.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (one entry per token, 21 entries) | 2972 | wmic.exe
  Token: the same 21 tokens as for pid 2972, in the same order | 3320 | wmic.exe
  Token: the same 21 tokens as for pid 2972, in the same order | 4572 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 660 | wmic.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | pid | process | target process
  PID 5068 wrote to memory of 3320 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 3320 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 3320 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 220 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 220 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 220 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 2900 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 2900 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
  PID 5068 wrote to memory of 2900 | 5068 | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe | wmic.exe
- System policy modification 1 TTPs 3 IoCs
  Processes: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth; each entry gives the image path, the command line, and the signatures attributed to that process)
- C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
  Signatures: UAC bypass; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic SHADOWCOPY DELETE /nointeractive
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic SHADOWCOPY DELETE /nointeractive
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic SHADOWCOPY DELETE /nointeractive
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures: Process spawned unexpected child process; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
- Indicator Removal (1): File Deletion (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
  Filesize: 775KB
  MD5: c19084114c85192dacfed89a92da6837
  SHA1: a1d6461e833813ccfb77a6929de43ab5383dbb98
  SHA256: 46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675
  SHA512: cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e
- C:\Users\Admin\Desktop\nONLa_readme_.txt
  Filesize: 3KB
  MD5: f341396bb774e7cd26fd7ad619b359df
  SHA1: 5d69a996e47cf1ea2ee226480251ade3b5f7832c
  SHA256: 6c33f3d19e74bc5a3785a5fdb9054eae635643897f5a1bd57bc21f54b6644f33
  SHA512: 182e00d5376f0b382109139119b0ca950887e31bae9385dd33a7eabb748a1e9223063bc469c0d6ab4ed0d02180fc98f8fe2c3e39315a22694803891fccd55834