avaddon | 0e24e53172ce33a41b18241c180ec91f13e475d3301aeba2587f7efb30d434eb

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Size

775KB
MD5

7fc5a1aafb84705745dba65e2a178217
SHA1

0825e3b2115c9053563a307402e32d28056223a7
SHA256

2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512

b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
SSDEEP

24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\AI0gkKN_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CAdBcCbdd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjU5NC1xK0d6MGkwaE84WmgyRzZCN29NYzFXdU04VjVtM0ZHc2k2R2VyZjhVQnppeWFqQkRzOVhyTytnR2hBbGhvWi85ay9wWlJydk1rU2lSNUJuY2FRdTlxeDNRTmpoVGlUQmJoM0ZwQ211MWltZFFCcnJmS0FZbnJiN3UwUzYwQ3hrNG5xYzd3RjRPdFNZZTVIZ1RLZzZFNnVBc1JPdWlsU0liVHdHSmNYZ3hPWmllOXJXMG5PL3RnelNPMWxuYlFYcUorcFIvQVp2SjNWTkJyT21JTzc3R1V4d1Y2L2YvQVEvK1NNKzRza0FLNURHMEFSK2lmb2wxaEZGOHNaNWs2WkNkTVlZYm5USVljOVZHazdOK0R4UUp3Y21YWnV1WlIySzlZUUJyaW5ZNTN0bEdtcGJnNDkxd3lGdDFaU1lhUjUrYlkvWkEwWEh3WXcyY3BTdTVrcjBjU3VERDg3U1QvTmJqOUV2WEt2azFwZXdzOHNhU2NrVkZMQlZHZzA2WllpcUJBSW5UcS96RW92bkc0c3pyd3htQS9kaEo3OEZaN0tGT0lpZnovdFNMSzBzbjUvZ1hPTjhnL0dxZllVNE51SVpkT3k5RmswNnlkUVB4K2hUZmtnZ0lFK1dsYStWVW9vdWdJK2U4SHlWTFZHMVp3ZzJ5QkMraE4reVVJWk5LMzREb3NnYTMyellHNXFOVXRONnJwZy9tYTVCOW96bjlySXNyK2NYR2NtUXpBbjRQb0h1NWlCZUhnS0R0Y3pkaFdwL25qSW83cHFsaTNXV2RGd1FBdlAyMmtXSG5CMjl1OEtYZjQzbjVRcHBJQ0FFZnJYWC93V1FRZTJrVXhXU0xCTTNwY3J1bGx3OE4yVVJLa1hzaDFIWE5DZVZGK1BkWTF2ai83MHJrcERPOTNQdm1RUHZrdkdQQ3Z5RzJxeVN2Tm52WnJVdWVHTnpaNG1GUE5kalcwL0t2S3h6MHZ3aFM3WGlEbDkyMHMzNDNDM2VPNGpacUFVcE4vTmlDWlhDcTFZQkMxeGxyZE9YK1JlVnUvSnovbkJZYWU0VDVlbDFqNm1HK3ZlQ0Z0MVFBUW0xMDdCL0I3bXNGM0hSL2ZsckpBbDFlZjlxZUhaNk00VlFJVWNkOTJMcmh2OW53L2VSQnc4VUl2YTBmSHB0S2F2UjhwSk9GVGhrOUhoYUsrYUJjSktXZFdzQWt2N0FGWkVzWFpyTG90ZXlxYUROV2R6enk0VVNmM204Z0RBWmd3am4rMjNzclorSjl0ZTMvSTdxSTZ3Y2t1WDVuc1drNm1TN0FsT2pxUm0ycm1JSzhPV01zK3lUUUg0MW5SSzdWaTlZQW11aVJMa1lXaVU0Z1dIZHlCdm9XNHNPZmVXMUJleDFqZ3BNT3dkeTRWVVhTT2k5a1FaR1VTRlhmSDMxR1AyU3pqQVo3Mm5KVVljL2tmcnBka05QazNWTENaRW5uajNCUG9RRFdUTTBYd205OHNXb1hwaHkwbEVMM2RnSkVDeEN3dXMyVWY0T1U1YWh6cmpGNE0rNG9kMGhpc1VscTBkd0VTSmhvMWxjZE5CZnhQZGdtcXNaajg4eFpTcHZTc0F5K2ZoU25pWHVYYlI1NnYvQ0xMOS9TZitYaFk3S2Q3YWozLzhQQ3RKbEx3THdtZkZRQWk3N1h6MTBVemczdkMzZzd3RDVBTlg5QUJHVEhoa01NeTh5QmFVVFNDV3NXQXBBRTJ1WUM2cmF2OUNjUGZRZHBJZkszV2FDS0tQdVJadmduNk51MXlYdXB5bnJNbXgwUFhiRng1Y1F6Wlo5MGlqOVBGallWY2xmbTFHdWl3SS9VbURLZm9GNE1CMFozV1JRVXhxenNtUjhZajQrSnBKRDd0bFVFVis3bW84TmtkdXFFZ05qOUQvb3NPNC9Xb3Y1ZjlLSFFZT0h4UjhPVzlKY2RMeG9Kc3ptYmhUNjRLZkVydUcreXVoU3BONHpXTlp2c0c1T29sZWI2bW5rOVpVbGFweTh5YjlmVGY3eDZ4UTQ2Uk9GM3dxQzh1ZVU4eEp5Qy96SUlUZlFrM0hKaDB3Vk50UjF1OEtiOEYzaVBpSFJoaThEZ2xSdU5WcHoyc1kxWjdWL3pyai9sMjdHbldXV1Z1K0VFRGsrSlgzelh6Q2ZJRGhDSXpBTWQxdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * XQc

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\AI0gkKN_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\AI0gkKN_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-564.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2544	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2544	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2544	wmic.exe	28

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1532	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\H:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\M:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\N:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\T:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\W:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\I:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\K:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\O:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\U:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\Y:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\G:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\R:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\S:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\V:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\X:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\A:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\E:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\J:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\L:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\P:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\Q:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\Z:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
File opened (read-only)	\??\F:	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1048	vssadmin.exe
2128	vssadmin.exe
2916	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe
Token: SeRemoteShutdownPrivilege	2684	wmic.exe
Token: SeUndockPrivilege	2684	wmic.exe
Token: SeManageVolumePrivilege	2684	wmic.exe
Token: 33	2684	wmic.exe
Token: 34	2684	wmic.exe
Token: 35	2684	wmic.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe
Token: SeIncreaseQuotaPrivilege	2520	wmic.exe
Token: SeSecurityPrivilege	2520	wmic.exe
Token: SeTakeOwnershipPrivilege	2520	wmic.exe
Token: SeLoadDriverPrivilege	2520	wmic.exe
Token: SeSystemProfilePrivilege	2520	wmic.exe
Token: SeSystemtimePrivilege	2520	wmic.exe
Token: SeProfSingleProcessPrivilege	2520	wmic.exe
Token: SeIncBasePriorityPrivilege	2520	wmic.exe
Token: SeCreatePagefilePrivilege	2520	wmic.exe
Token: SeBackupPrivilege	2520	wmic.exe
Token: SeRestorePrivilege	2520	wmic.exe
Token: SeShutdownPrivilege	2520	wmic.exe
Token: SeDebugPrivilege	2520	wmic.exe
Token: SeSystemEnvironmentPrivilege	2520	wmic.exe
Token: SeRemoteShutdownPrivilege	2520	wmic.exe
Token: SeUndockPrivilege	2520	wmic.exe
Token: SeManageVolumePrivilege	2520	wmic.exe
Token: 33	2520	wmic.exe
Token: 34	2520	wmic.exe
Token: 35	2520	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2396	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	35
PID 2192 wrote to memory of 2396	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	35
PID 2192 wrote to memory of 2396	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	35
PID 2192 wrote to memory of 2396	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	35
PID 2192 wrote to memory of 2128	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	40
PID 2192 wrote to memory of 2128	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	40
PID 2192 wrote to memory of 2128	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	40
PID 2192 wrote to memory of 2128	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	40
PID 2192 wrote to memory of 332	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	42
PID 2192 wrote to memory of 332	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	42
PID 2192 wrote to memory of 332	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	42
PID 2192 wrote to memory of 332	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	42
PID 2192 wrote to memory of 2916	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	44
PID 2192 wrote to memory of 2916	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	44
PID 2192 wrote to memory of 2916	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	44
PID 2192 wrote to memory of 2916	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	44
PID 2192 wrote to memory of 1616	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	46
PID 2192 wrote to memory of 1616	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	46
PID 2192 wrote to memory of 1616	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	46
PID 2192 wrote to memory of 1616	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	46
PID 2192 wrote to memory of 1048	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	48
PID 2192 wrote to memory of 1048	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	48
PID 2192 wrote to memory of 1048	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	48
PID 2192 wrote to memory of 1048	2192	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe	48
PID 984 wrote to memory of 1532	984	taskeng.exe	54
PID 984 wrote to memory of 1532	984	taskeng.exe	54
PID 984 wrote to memory of 1532	984	taskeng.exe	54
PID 984 wrote to memory of 1532	984	taskeng.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2192
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2396
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2128
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:332
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2916
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1616
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1048

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2716

C:\Windows\system32\taskeng.exe
taskeng.exe {A089C78C-21AD-4385-AE57-615C079D2D8D} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
  2⤵
  - Executes dropped EXE
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Filesize
775KB

MD5
7fc5a1aafb84705745dba65e2a178217

SHA1
0825e3b2115c9053563a307402e32d28056223a7

SHA256
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a

SHA512
b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2

Download Submit
C:\Users\Admin\Desktop\AI0gkKN_readme_.txt

Filesize
3KB

MD5
834e819a47c2ce96ac1955613f409220

SHA1
8ba12715e274b354a63545a4bbd4b06ba1ccbf2f

SHA256
24f15ee46adb2e132b39bf4ac6e207441b723f060cd02a16937b484a73c11c34

SHA512
2313c71496e403e2162de6ae466af9d479641c5e9b798121b271db3cc94964d56573d3df1187a610db7cbfc392f3d463aad42ee9a4ec67fe1a0d4816f4388da9

Download Submit
C:\Users\Admin\Documents\AI0gkKN_readme_.txt

Filesize
3KB

MD5
66c12339ab222028ba2fbcda7c8de5d4

SHA1
0554febee874025c7dddae00d2dc5a0789019e3b

SHA256
246576187858a33fb875123caf51c8b9a72ed01a2391b77fc925949ab06c37ec

SHA512
7fa20616a1d8dc8d8d12514e833804a62881d5e236c627372878f6a185334e6fb4e44c8c3bf5208704c60ddbe563d731de895bde0a7fb992f59839b8554725ef

Download Submit
C:\Users\Admin\Pictures\AI0gkKN_readme_.txt

Filesize
3KB

MD5
47c4f44e96f949244a00fbd573bbfb4f

SHA1
174e826859019d2168d557e61802fd6f7c3dee26

SHA256
26891b36baa5984991a872988d11cd73fc9f1c9f20c60c51d7c3b5c9f1f7f1ba

SHA512
ed9e01882eb54dea91a49dfd1f58a6d7394473841e1c41a7e9ded4ff8e70c098aebf1f0f13844a1976c5dbbbbcbf1c6cb72625f83a3239832828aa88d542a816

Download Submit