avaddon | 65721ca6532e1ed21b455712455269c583170778fc42727bf215b07e0bc0416b

Analysis

max time kernel
182s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Size

775KB
MD5

117da2dd6fa24616f63eb43d5a15e5d3
SHA1

b4d70eecdef52ceef15f04a025d1ab08f193fb97
SHA256

48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
SHA512

de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
SSDEEP

24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\07qG0r_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .DcdAaAEAe You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS12SUNCZElORGdCVjFVT05Tc21CdzFTekM0b3VoN2ZBZkRYNU93WVVFNUhvUlVFdy9jd1NjQ0dLVXNVMWdMVkdrL1liRDBScjU0eTZaRDJmRS85R2hKZlRRMUVwUTQ1Y2tLdExvd3ZheUdyOXd5Um4wbzJwUU5zV21JMFFqdjlqKzdnbGtybTZheStiMGwrblBkZ3d1dHF3eGN3Yk0vVGNpWERkSi9kTE0xYWR5ZmJHNmJRb0xIQUx5a3BSWnhWcUZoVklrVkJiREVUY0hqdDhNbFVUdXF2TllhNk1OMmowVVJsSUZJSTIzL2xrem1LOXZOTFk3WnMzUmQ3TjJwRHc2amhSRFdWVklrb2EzRTIvWGpnOWowTEJTLzZsNG85c2tZVUFjRGQ3ZFl4SFVCRVJTSnNidVdRMjRQaTFBYVdsSHpBM2dMSVo1VXg1OHNDK0RweW9lb25qbktUL3JrTTFOQUlzV3FtRXNoRXc1Z2h0ZHNidUtWeXFyQnF3bFdzWFhkckFWbFE4MGZ5emxIT3NrSnV0MFhSaWtHWVdMUjlwVW1hQ3BGUHg1bmU3WWV2dFg2cEx4WkJMekNTL05nNzBHdGQzSWt5VUFkekFqZGpYU292UzZIRzA4ZjRiQW5mZlMrQ2VoZk80YU1DWkxFWjFBUXp5SndZcitWS25XZzI2RWpoMkM2WEhaenYxdlh0WWtzTjdFQkxENWdKZC92UEQ0YmlyYmt4YTBUVlB0UUxzYXlVTWx6VzBVRUFGMisxbjd2cC83bHFOcFo5WmRpWEhUdUgrZzJrRS9ubnhIS1lFRFRqNXNuN3R0TjF1NUVNMEl3dXUyeTM1K29RajJVRlpTcHllL2Jnajg0cnd3VDNMZytRSFZheDRockV5cVFsS0ZBU29IK1JxOG5rdlYvQml4cUdxQ3hBa3VGcWhUNUFNTG51WVE4S0dmS2VEWEhPQklQOWdiWitwWlZrZ1piWUx2M2w5TCtGalhiQkpSdXJBSGhoSHlWS0Qzc3BtOUlJK1A4VFlWZWUwOEtHZHhCOUNvNUtZcU5ZdTN5bDJ0Qy9ZamZJRDl3NjJuR2t4NUxYenBKelFDazJNSGhEaTB2TWp2eE9WU2ZVd002WVFvNmZjQTVZMUtKekpibkJ2UUNIcWVuODJnbjJmc3M0amZwQU93TGNsMlJoT2pNNTZlcHN4MjFvdGtrNldTNGV3TWdVSGQ0OElyTUYzcG8ydkxBZGtZQjBjK0kvT2ZBdU15NklReWtrNDdVT1JGME1mZ3FVK3AzZUhjbWt2d2dYV2NrazIrS092K1Ywa3VBNmFyaWYzaGZxMkNCMEJLYTRKM1c3dktUSldtY0FnWEtGUDNQOVdmeFQxY09DcDR1OGlOamlXd0RBYWYyZVY0dVhyYk8zYmo5SjFVV3EzTDNyT3cvdCsrNGUwTUhKelpMemZwcEg4eWpaR285Y1UvN0dONkM1WmN6Q0t2MVdCT0xoUTRWdFZOczhYVXRsL1pPRGpDejdFRDUwMm02NGNqUm9BMXhlRU1meXdQcEpwUEZ5a2xERnZqNE1manlGaWpadkpRcnh6QStwS2t4RDlTS3ZJQVFXbXFDMHhDK05iSEJFcFVrOWk5TFBwdWw4WTVkUTR2d00xUkdrYWU2d2FBNk1UVHoyZkNVenZlMVRRdUp5QmFJUU1VNXZPcmRVcHFSdGxTVnBXbGNoMWtld2VKV0x5clYyYWZZMHl0aDl2d3d0UjY5OEcrUmtMb0RKcTI3c1pCcDJMRm9GanpvUm9EUXVIZEs4UTRXWnBEWjkzcE80dE1OQVhiMUtvK0lQOXY2OFMzTjc0Vk8xbUE2OEhhbWpvN1ZTSklQRkFxYWJ5SlZzZ1VKbTZpb21zaHR1L21TZTZodzRPTFg1bU5IL3djeTh2MlN3MktkRTF3OWUwemhwemVZYjN6N2x0OEFGNUwzNGJsbGRPWGg4WERWVHpQSHF1L2VVUWZ6VGVIZkRrNUh3TjBuY0h2UW9qUWx2OTA0SW9qN21KcG9JTWQyQllZL1NvT1ZFTzVnOTBTZHIyN3Q4WnkrUGNEbCtES2NXR3g2VlRUanRCOXZkNjY2Mmt1aTVkNVZzN2lzOXhsSi9MZEhtL3JYNHNaS2UvazRvaXFtUFN2dDR1OU5JSlRxZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * qyw9zqxush6grORR

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\07qG0r_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\07qG0r_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\07qG0r_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\07qG0r_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\07qG0r_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012241-546.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2704	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2704	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2704	wmic.exe	29

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1168	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\J:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\L:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\M:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Q:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Y:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\F:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\B:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\N:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\P:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\S:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\U:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\W:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\E:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\I:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\K:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\O:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\A:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\G:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\R:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\T:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\V:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\X:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
File opened (read-only)	\??\Z:	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1288	vssadmin.exe
2068	vssadmin.exe
2788	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3012	wmic.exe
Token: SeSecurityPrivilege	3012	wmic.exe
Token: SeTakeOwnershipPrivilege	3012	wmic.exe
Token: SeLoadDriverPrivilege	3012	wmic.exe
Token: SeSystemProfilePrivilege	3012	wmic.exe
Token: SeSystemtimePrivilege	3012	wmic.exe
Token: SeProfSingleProcessPrivilege	3012	wmic.exe
Token: SeIncBasePriorityPrivilege	3012	wmic.exe
Token: SeCreatePagefilePrivilege	3012	wmic.exe
Token: SeBackupPrivilege	3012	wmic.exe
Token: SeRestorePrivilege	3012	wmic.exe
Token: SeShutdownPrivilege	3012	wmic.exe
Token: SeDebugPrivilege	3012	wmic.exe
Token: SeSystemEnvironmentPrivilege	3012	wmic.exe
Token: SeRemoteShutdownPrivilege	3012	wmic.exe
Token: SeUndockPrivilege	3012	wmic.exe
Token: SeManageVolumePrivilege	3012	wmic.exe
Token: 33	3012	wmic.exe
Token: 34	3012	wmic.exe
Token: 35	3012	wmic.exe
Token: SeIncreaseQuotaPrivilege	672	wmic.exe
Token: SeSecurityPrivilege	672	wmic.exe
Token: SeTakeOwnershipPrivilege	672	wmic.exe
Token: SeLoadDriverPrivilege	672	wmic.exe
Token: SeSystemProfilePrivilege	672	wmic.exe
Token: SeSystemtimePrivilege	672	wmic.exe
Token: SeProfSingleProcessPrivilege	672	wmic.exe
Token: SeIncBasePriorityPrivilege	672	wmic.exe
Token: SeCreatePagefilePrivilege	672	wmic.exe
Token: SeBackupPrivilege	672	wmic.exe
Token: SeRestorePrivilege	672	wmic.exe
Token: SeShutdownPrivilege	672	wmic.exe
Token: SeDebugPrivilege	672	wmic.exe
Token: SeSystemEnvironmentPrivilege	672	wmic.exe
Token: SeRemoteShutdownPrivilege	672	wmic.exe
Token: SeUndockPrivilege	672	wmic.exe
Token: SeManageVolumePrivilege	672	wmic.exe
Token: 33	672	wmic.exe
Token: 34	672	wmic.exe
Token: 35	672	wmic.exe
Token: SeIncreaseQuotaPrivilege	2212	wmic.exe
Token: SeSecurityPrivilege	2212	wmic.exe
Token: SeTakeOwnershipPrivilege	2212	wmic.exe
Token: SeLoadDriverPrivilege	2212	wmic.exe
Token: SeSystemProfilePrivilege	2212	wmic.exe
Token: SeSystemtimePrivilege	2212	wmic.exe
Token: SeProfSingleProcessPrivilege	2212	wmic.exe
Token: SeIncBasePriorityPrivilege	2212	wmic.exe
Token: SeCreatePagefilePrivilege	2212	wmic.exe
Token: SeBackupPrivilege	2212	wmic.exe
Token: SeRestorePrivilege	2212	wmic.exe
Token: SeShutdownPrivilege	2212	wmic.exe
Token: SeDebugPrivilege	2212	wmic.exe
Token: SeSystemEnvironmentPrivilege	2212	wmic.exe
Token: SeRemoteShutdownPrivilege	2212	wmic.exe
Token: SeUndockPrivilege	2212	wmic.exe
Token: SeManageVolumePrivilege	2212	wmic.exe
Token: 33	2212	wmic.exe
Token: 34	2212	wmic.exe
Token: 35	2212	wmic.exe
Token: SeIncreaseQuotaPrivilege	3012	wmic.exe
Token: SeSecurityPrivilege	3012	wmic.exe
Token: SeTakeOwnershipPrivilege	3012	wmic.exe
Token: SeLoadDriverPrivilege	3012	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	36
PID 2472 wrote to memory of 2288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	36
PID 2472 wrote to memory of 2288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	36
PID 2472 wrote to memory of 2288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	36
PID 2472 wrote to memory of 1288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	41
PID 2472 wrote to memory of 1288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	41
PID 2472 wrote to memory of 1288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	41
PID 2472 wrote to memory of 1288	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	41
PID 2472 wrote to memory of 1776	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	43
PID 2472 wrote to memory of 1776	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	43
PID 2472 wrote to memory of 1776	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	43
PID 2472 wrote to memory of 1776	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	43
PID 2472 wrote to memory of 2068	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	45
PID 2472 wrote to memory of 2068	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	45
PID 2472 wrote to memory of 2068	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	45
PID 2472 wrote to memory of 2068	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	45
PID 2472 wrote to memory of 3052	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	47
PID 2472 wrote to memory of 3052	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	47
PID 2472 wrote to memory of 3052	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	47
PID 2472 wrote to memory of 3052	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	47
PID 2472 wrote to memory of 2788	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	49
PID 2472 wrote to memory of 2788	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	49
PID 2472 wrote to memory of 2788	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	49
PID 2472 wrote to memory of 2788	2472	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe	49
PID 2800 wrote to memory of 1168	2800	taskeng.exe	53
PID 2800 wrote to memory of 1168	2800	taskeng.exe	53
PID 2800 wrote to memory of 1168	2800	taskeng.exe	53
PID 2800 wrote to memory of 1168	2800	taskeng.exe	53

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
"C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2472
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2288
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1288
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1776
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2068
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:3052
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2788

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2584

C:\Windows\system32\taskeng.exe
taskeng.exe {49AE2172-B32E-485A-AEB6-EA911101467D} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  2⤵
  - Executes dropped EXE
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\07qG0r_readme_.txt

Filesize
3KB

MD5
6c41c1a90a5091f18ae4476e92bd5e1a

SHA1
438e0fa28990ac0927fd5eab90c0097e43cf33dd

SHA256
3dd5967eecd7781a58d3af6789ea58aa0b84f96769e6477af5d4652d13357246

SHA512
904c64d5e0d4bf0f88c6a424a2030083b97aafc4c7aa2cbb2afb15583b376d192ec7f45df0de510ecca3780ba9e02780e1b96cf434ce3c4d9efe9837ed042dd2

Download Submit
C:\07qG0r_readme_.txt

Filesize
3KB

MD5
c6a4abf040c2f842b2e152ab5f369816

SHA1
2fead43ae31495aeb7108823037b89f760612446

SHA256
b954b4aec41d5f85e9d4d4aea71f2030279aea156be720f4909a9b6885429e22

SHA512
2f4f8b59c0eda7482b1280cbafc525a68071982999b1f1df12f954a0c8c4fb2b6ceb6d3f604326ce069aaa3453faef727bc487fba55bfaaab431f9c4c4aa5cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

Filesize
775KB

MD5
117da2dd6fa24616f63eb43d5a15e5d3

SHA1
b4d70eecdef52ceef15f04a025d1ab08f193fb97

SHA256
48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

SHA512
de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

Download Submit
C:\Users\Admin\Desktop\07qG0r_readme_.txt

Filesize
3KB

MD5
a03a8c092bc766b9cffaaf634b09e443

SHA1
72fbc47b0d6e0b74ed012f9dcb345d579a222bcc

SHA256
7a36cda1af20d4eb80919ceec46f7293e7983b4d610e3d1ad09bd2ebde1885c6

SHA512
2e109cd0a2d582c8babe204a7ebc61354e37fa6aad3cb73dfe8c792c69f7261345118548fbd1fdae63d3e21313965246652e1bf468ead9f4eaeb84b2b065f9c0

Download Submit
C:\Users\Admin\Documents\07qG0r_readme_.txt

Filesize
3KB

MD5
1bbaf10f95ad049dd8a7c67070533bdc

SHA1
28ab6ffb8002e092c66428828ec4915900f19f01

SHA256
3b953ce4b08596278d5a00018f50eada67926c5707fba469806d86c204c9cd76

SHA512
ac67e52b9bec0d91dd7e1beef4ae9160deeceb7c135a61b6fd9e212320912bd7a0a532b678034009d24e1a29b75aba83a755ef2c670134a4b914bdee2e923d01

Download Submit
C:\Users\Admin\Downloads\07qG0r_readme_.txt

Filesize
3KB

MD5
fc6edaf9416e36f68b6aae6d24749916

SHA1
9f0244b9befdba1d94cace7f4e8c64112956ba94

SHA256
afdc528f240978e09bd2dc275a8ca41e403b0d8dcb1a4de120bc217dd640819b

SHA512
27137b8cbde873af96f14659ff94203b21c7bda79abd2fd5ef26a4caa0781bb42321e9cb64bad3bfe1c69c297edf509d15098d3eec4d9322169dc02b8b23ea5e

Download Submit
C:\Users\Admin\Pictures\07qG0r_readme_.txt

Filesize
3KB

MD5
939dd1b4c55d108ba453ceec951de1ce

SHA1
166da4da7d522c8ca8f12f5d9167a0c85fd7f436

SHA256
310a8a8eff8c5a91c56a7637bc084c3aa0a53d686b1971ee183eb3a5940184af

SHA512
caf38f8884d0e917678820c149af151c38c58e272c033ae52fd05c7bc173836d6f4a3822ebac29e0519471f1100460cbbd3a2ca12ad35982eb4c450b66e3cd1b

Download Submit