avaddon | ca6c88a60221cb6ef36968bee531fedcb11d0d6f111e3b5527a5b1ca2a80ce93

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Size

881KB
MD5

c83f30c065f7f61428eac2370ddb4f53
SHA1

cfd70af0c89d7b00839c1d32852c53c603d35e32
SHA256

bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc
SHA512

26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51
SSDEEP

24576:WvdmYEBLExewPcf5WHHs3Ggo6EoI+/tH0q:WhEBLug5WnsWn9KN

Score

10^/10

avaddon evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.html

Family

avaddon

Ransom Note

<!DOCTYPE html> <html> <head> <title>Avaddon</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #f1f2f3; font-family: sans-serif; line-height: 1.5; color: #333; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #dc3545; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #fff; } .description, .attention { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="83" viewBox="0 0 200 83"> <image width="200" height="83" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQ0AAABwCAYAAAAE2SWjAAAgAElEQVR4nOxdBZhUZff/3Xunc2u2g24URFEwADEQsBAxUBTEFsxPvxBU7PxEFLARG0TsQBRbFCSkc4vtrskb/+e8987uzM7MssCi/D/3PM88U7fve8974nd+R0Cn/B2kFwA9gMbOu90pndIp+5PrAYgAlnZeqU7plE5pS04FsAaAor1IcTg7r1indEqntJYkAC+FKIvQ15zOq9UpndIpoXILgIpQRTG8W7fAcQMHitp3imlYO69Yp3RKp5Arsi5UWfCAOHvqVK8SCPhXr1ghhvz36N/+anVKp/yNJTWKKyJfeN55gT1lZX5FUSRFUZSmigoxXqcLKg6PlknplE7plL+Z3AigNlRh9O7ZU/xkxQqPUlrqVn76yae0iPzgjBn+kGVv7hwsndIpfx/pD+CX1kHOa++6yxfIz29Unn/eV56eLu4GxIb580lxyKQ6GsvKAno1g0LLl3aOl07plL+H3AFAClUWJ4wYEfhh9eom5eefm7zHHhvIBZTCuDhln9Op5PO8KObmBjR7Q54xaVKotTGxc8x0Sqf878qZANaHKovELl2kBa+/7lG2bWtS7rzTVwQo+Xq9Uty1q1KUlcXe8wCl7IwzKLYhktYo2b49EKJ0tnaOl07plP89OQfAJ6HKwuFySU+/+aan+O233cpjj/nqsrMlsi6KMjOVopwcpjCaX5mZSi4gN739drO1cf2ECaHWxrmdY6ZTDlS4zit2RIoFwAsAJjcfnNWKSZdc4nt80iQxe88ewf/QQ8aSwkJOSEyEYLdDkaTI8+B5iIWFMPTrJ6Vu2kS/CPX79onOrCye/gWQB6Dr3/pKd8oBS2fB2pEnlwBYDuDk4JH11uvFl0eNCtx9wgmKc/58Y/7ChQav0cjpkpOh0+lgUhRYOY5FOcXQmUBRwDud8O3axelSU0XDscfyRoeDy/v1V2nj7t107+MAvKZlYTqlU9olnZbGkSMDADwCYFzwiHhAnhUfL93hdMLGcUJZbi4fsNlgTUqCQZZpEcUNyHWKIhfJsmLjOC6H4/T+0FPiOMg1NWSJSBl798p8Sop+77p1ge5DhgiatTEbwP1/26veKQcsnUrjrxedVhPyr9AjOctsDjyemIj+RqMgiiLfIEkw8Tz8gFStKHK5oijlioIKReGqFYWrkmVM0OvRl+d19YoSdlKcTgdfbi5s55wTSPrwQ9qfctaQIfIX69bR53rN4lCOqKvSKUesdLonf60MB7AyNCBp53n50fh4cZ7LJSTrdLqmQAB1gFwNSHmAvEVRlE2KIuQDfA2g43heCHAc7+I4ZRjP8wGAk1ufkixDsNngWbuWNw4aJOr79NH17tJFfvGNN2jSMAHYp8HQO6VT9iudlsZfI4kA7tYKzJjEcZxyld0u3R0fr8SZTHxAFLFXFAPlisKVKArKJYmvVRROVBSeUxTRK8v6gKJIoqKIZGlMt1j4EwRBXyHL0W8qz0MqLQUfFydmFBZy0Ov5oV26iGvy8wlSXgAg53/7kndKR0mn0vhzhcrW7wVwWZDbggeUcQ6H/xKbjR+k13v3SJKw1ucT9oqiXBAIoFKSDB5ZJmXB+WVZ9igKvLIs+RQlWD+inGE2i5+npOhqZJn3KbG9DE4Q4M/Lg33SpEDCu+/q1v30kzzkpJN4bRxMB/Dy/9wV75QOl06l8efJdQAe0KyMZhEAZajFInoVRbfF75f9kqRobmP77g3HYWV6ujTaYBD2iSKLbLa1LAIB+EpKlK6rV4s4/nhdttOpFNbX02p1AK4BUAigWHsF/r9c3E7586RTaRx+yQQwH8DZh2NPF8fFiYsTEviGQID3tmcFDbthHjBAdG3ciP/cdRf/0GOPRdM1JRqOg5RIPoC9mhuzG0Bup0L5+0qn0ji8cotmXRwW4hurIMgfpqeLowTBUCJJ7b6ZHMfBW1CgdF21Sqw95RTEC0Iw/dpeCSqUvZoC2am979BIgDrlf1g6lUbHCz2A4wHMAjDkcO7oioQE/+NOJ2+SJJZmbffN5DhIxcWw9O0rJf7xhzzt0kv5V99+OyyTZtDr4A+IB3pIZOzs0RTKLk2J7NGUSv6BbqxTjkzpVBqHLoRx6A5gMICRAE4BkNWerRp0AjIyM5GV3QUZmRlISk7Bsccei+3bd+LhB+5rc900g0FemJIijuJ5fZMsR6ZZ9yeiCH9JidKlqUkp8HjknKQkPtTauO6GGXj8sUew6Y8N+O77H7Fnz27s3b0Lu3fvRkHhvoO5aEFlsl37vFtTLHmasumU/yfSqTTaFk7LeNg15WDXYhT9tZqNXprCaBfL9+mnn4ZTR42CyR6Hnj17Ijk5GWarHa6UVNjtFtQ1epHmMGHDpu0YfFTftjal3JiUJN5ks/HZsizUHIiVERSeRyA/H65bbxUtTz2Fc0eMwEfff68L/p2SloHbbr8Dd95+S9hqNQ1u7Nm9EwV5edi+fTtTJvl5eaivr0d9XR1qqqtRUVl5IEixci1WUhoSgN2nvddovKYNAJo0uPsBmz+d0rHyd1caFGtIC3llaEohVVMG9FuyBoA6ZLn+hpsw/7l5bDNucv4r6tDQUI+A34fa2jpYrBYcP7Avln24EhPPOz3m7k622eR/JCRIxwM6nlKxB3lgiscDsbpaymlqQkljI9JdLq51bKNv/4HM2hB4HgXltUhJjoMxyrYaAgr8Xg8CPh/qa2uwY/s2rF2zBl+v/Ao//fxzR1w+skaqtXhKgaZUSrRAbZn2uQhAVUfsrFNiy99BaZAS6AKgm2Yd0PdsmkwBpANwtbWy2WRCcrIL3br3QJLLhYysbBw7ZAhkhcOVUy6DLB3YxHfSKaPw8ccfIq+4nM3OPM+hqakJdmc8Tji6H3bs3ofx48/B3p3ro65v4Xn59uRk5SyDAYMAofpgrIygaLiN1EcfFU133sldcPLJyvs//qhrvdiECy7EsveWYG9xOYt16HR6cLwAncBDlCT4/QHwggCr1QqnkY84nt9++w133XUXvv3227DfMzIyMW3aVGzevAnr1q3Hvn37IEWr1m2/uDUrpVJTIEWaBVOgvUq0QG3Doezk7y7/K0ojJcRd6BaiJDK1+ELEg9BaDAY9Bh51NHp074Gcbt2Qk9MVNrsN3Xv1Rk52DuxOJ8SACKfN2LyxIccej3W//3bAB/v4U//FtTfdjF9X/wqvzwOHw4lBgwbBYeBx7gVT8NH7r8dcd5jFIs9ITJSPBfhkjuOb2gBztUcIJarv1y+QumEDv2XDBgwYPDjC2iBZuepbjB45Alv35MNgMIDnefh8Pnh8XgicAKPRALvNBpPZzEaVThBgMeig51uG2AMPPIBZs2Y1f+/arQdWfPU1enTLZt+Lioqwa9cubNu2DTt37sTGjRtZDIWUiXKI5xkiNZqVUqq98rW4SpmmcIKKpdMNiiH7fZiOEDGFWAbdNeWQoX0OuhQRLoTDbkNycgr69euHmro6/PD99zHP5tmFL+LqqVewzw0SUF1VC8pEWm02NDQ0YOeuPUyxVBgNEAQdemam4Jghxx6U0thXuA8+fwA6vR4WgUd2dg5TGCSbN21oa1XlGIsFiRzHpwJcQwc8SEJSEgIbNwry9u1y/0GDhJP69JF+3L49QmnMuWc2Rn/3Hax2ByCJ8Hi97EUPM6dT07iBgB9+vx8cz8NqtUAvCBB4rlkD3X333SC7aPasu9n33L270bN7Dha+8AquvXoqMjIy2GvkyJEtJ6woTGns2bMHhYWFyM3NxY4dO5rfq6urD/SU47VX/xj/B7Q4S2kITqU45L1Ie/cc6I7/V+RIUhouLfMQr8USsjWFEFQWya1nQJrtkpKS0K1rF6SmZ6B3797IzMxE127d4EpORWp6Omx2JxJsqj7p0q078nP3Rt358wsWIM4ZjwkTzsGGdevh8/nRtWtXVFdVoramBnqDATqdAEmSkZ4cx9YxmOwHfJIOhx0XXnopexAMRgPinU44nGoc9cfVm7B3V2wWvmEWi3K0ySQnKAoncByvdISpqNcT/x/fuHSp5Jg1i7v/wQeVURdcELHp77//Hrtzc9G9a1ds31vAFAaJ0WCA0Whk7zLxd/AcTCYTc2HkKAc36+7/4KuvvsIP33/X/Nt110yD02nHxZMiaUtJGWVlZbFXa3G73diyZQs7tmXLluGXX3451KsBrb1DhvaKlTKv0KySMs3t2ae9F2mZoXItcPs/KUeSe3IagK/au3BWVjZ+X7cerqQEKheHIcoyZF/6JMDr8yPRYsCV067Ba6++2OZ2L5syFf+d9yz25OZDkgJsJjMZTbA77BB0OqaUUp1W7MqrwOhRI1GYd2BUm9ffcAOeeu45bPxjK5wOO5yOOCQm2NnxT7r0Wix9+4VYqyp3JycrA41G7hSOUwRF4TsKkskQomedFXB99hnDavRKSpJ3VVVFTCgPPvQQ/v2vf2H1xq3Q6wQY9HqmIEhhKBwHu80Km9moDiqOg46LPsB278lFzx7dIn6vqqpGQkL8QZ/H0qVLMX36dBYr+oulOiRQm6spld2aKxR0jf7fppmPJKVB0zf5DwPbszAN1muvuxGPP/EYRI5HQ6ObDViPzwevLwBJlCArMrNGAgER3TOScf+Dj2H23Xftd9u/rduItOwu2PzHRrYfm8PBrAyr2Yqe2WnYk1eME4aNQGXp7gM6QYvFglU//4qU9Exwiswo+gxmK9LiLNiysxAD+vYC5OhjabzdLo5zOvlUReHOEASutuN8fCiNjRQUFdM2bVL41FT9Z4sXB8ZdcYWu9fjo0iUH23buRmF5NXzuJnZtSHGQy+Fw2BBviZZXiS4TJ12MZUvfDftv7Ljx+PSTjw/pXIqLizFlyhR8/fXXh7SdwyzlrSyTIi04W6UpnFzNHTpg+M2fIQcCHT7cUnsgTXy8Xi/mPv0kZtx0I8zsLDiUVVSirKwC1VVVqK2tgbupEY0NDSxwB/bQmtu17dU//wi73Q6L1coCoLS+xWhiKVGSNb+tOWCFQTL9mmsx9OgBDNRFDxuZ806r6jrdP+ehmArDJQjyOQ4H55ZlLpvjpI4eSZzNBrGykvf+8APTRGOnTOH75+REpDHy8vLx0Ucfo2dGcrOFQeeg0wtMYXz62Ze4+fb/YNnyz1FU2nbm8/45kWRhn336CTZt3nxI55Keno6VK1ei/8CjDnobhJ85auAA9OrZAzaL5ZCOJ9YuAByr8ajcBuBJjRN2GYBVWiyFrBLSfPO0xlgjyLs9HAdzoHIkKQ1oF+ziAwky7dm1i70rsgyPxwNZVq0Lo8nI4hD0wAuCepqJrjazq82ybcsW2AwcLDY7szDMmt+u16nV6Dk5mQd8YjzH4eobZzCXiSwOZkLzOlj0PEoqGvDekjdirnu2w6EIPC/YAbkLzwuHmjGJEI4jMBYf2LSJ0xi8hPPGj49qhX6wfBl71+sNahCU42AyqhZGQJTwzFMPYeKEsejdqxf+PSs2qrVvn5446uhjIn5fuGBBh5zSe+8tO6Dl6f7OuvtubNq4EaUlJdj4xyasXr8J67dsx2dffIFbb7kZaakUXvvTJFPr0XsTxekBfKspkmf+xGOIKkea0iAhm/Wf7V14/HkT2LskiSxISYNYr9cxMJLA8TCZjPB6vMzOy87Obtc2d+/ehYBCBOBmZmHQgKKgpV6vlmf07tMbzvj2KaCgTJ4yBQN6dIVXBBrq69mxJieqE8e8eQshBRqjrpep18snWyxciSiiB88TTTnX4blACmBSbGPHDiVoEl81fboSzTxet0bNFtkcdvACx65vUJmee85YZGR1YZ+bGqrx8AP3YsnS92Lu9sqpUyN+e/vtdzqEd7BPrx4457wL2rUsoXMpzTvn/vsx4Kij4FF4NEpAvNWEHl2ycNaZZ+Kp/z6NvXn5ePSRR2JuhwLxI045hU0KByrx8fHQ6/fbYpdc+Bl0mQ54Bx0oRypOI0Erdkpqa6GcnGzk5uXDLSkoLS1nrgiZzWRZ8BzPHnZSJtU1dcjKzkJNZSWO7t8P7qa2A2XdunXDL+s3QeF4+N1u6PQ6GA2UV+SRoLkTg4ecgA3rfm33CW3ZsQv9evVAZYMXFRXlcMTFISPBAbdPQUZGNmqrotZzKDcS8tNq1ZWLojRRr4ddUYTDEUGTyspgGDhQTFmzhiwPimfIE046SVr+008RI3l3bh66d8lBWW0DTAYTDEYdzII6lG6YcQsWPDu3edkhxx7LkKHRpLS8ElkZGRDFcEzrlytW4IzToyNiKT5Fk0IsCSocOprf1q7H8cdFWjOhkpCQgL1798LpdDINWVpdD7/Px6zLDRs2o3+/XshMc2FHYSm6Z6WydONPP/2Iiy66mOFKQmXkqaOx6uuV7BcCtNF2d+7YgZ27dmHr1q3YtGkTRDG6yn/r7bcxauRIprxoPUopb926BQX5Bdibm4uamprWq3yjkVB31u1oYtUizkpbr0Wvv8E6AO0uLle25+5T8suqlF0FxcqewlKlsLxKKSitVDZs26Ws3riF/dfgDSgDjhrc5jbpFedwKIWlFQq1JiuraVAq65uUqga3UtXgae6ofPa5F+x3O8HXWWPOYuvU+yUlr6RS2VlQovhE1mJVeWbhmzHX62EwSK9nZopz0tKUZRkZgabsbDmsGVIHvvYlJCj7UlICUmGhP3iOf3z7baB1G0h63X///ez/Wk9AcUuy2ppek69X/RBxHtU1NUosGXLs0IjlL7l0cszla2rrlNPHnKdMveom5ZVF7yiN7ubDZU1r6RWQW5bv1ad/m/dmzn33seWoBV1pbYOyI7+YfX/syfns//jEFOXTz79kv1XUNzVvt66uThk5alTE9gYdc5xSVlkd9dgLCwuVrOycqMcxY8bMmOfc2Nio3HzLrdHW276/ifVwyJHonkBDc6a3tUCXnGxccdlkVDV54PP60LVLBrKTE2CzWaE36CBLEmpqa+Hx+qATdGhobILVqEP3bt33u/O6+nr4vW6WsDcY9er9Id/dZIBPm8q6d9//doJy9gTVhWps9ECURLjinTBoM/P8Z5+Oud65DofCcZxAz0IPnufoKA4XZThvtUIsKxP861vg6wNHjOBP7tMnwkV55ZVX2LvDpIMpBLxFcurIk5CWEY6p+OTj2BmRESNGRPy2/P1l8PmjV9TEOR1Y/fMqvPrys5h25cUMuLdt+072H11RUWl5okiuuuqqNs/7fO3e1DR6UVZazoK6JN+tUi2GmqoyjDvrTBQUFCLJbmn21xwOB1Z98w0mTrwwbHsb1q1B1y45qK5RW8mIITeM0vXfffstg9y3lsWLFzX/0ugXEZCV5nMgeP7T/30KKSkRMZXeAD5t8wQPgxypSuOU/blO819UB25pWSW6Z6Vjw+/r8cILLyEl3sECcuSSEAAp6CfW1tbCLcno3qvXfnfO2qoXae4CJ7A6C7PRwEzLimrVtTnqqPZF5zMz0nH55MnwSpSYlBnU2mlTszjf/bwO2zdHN92HWyzSULOZ2xsIoDvPK104jm84lDqTWMKrQ8BfWAjebBY5hyNUSfALX3wxIrZBpvOXX65gxxLteG644aaw74SfiCXXXnddxD+UGWsrIPqvf93d/LkgbzfGjh3T/J0YDekVfFhvuP46BvCLJoMHDcKAAQPgERVUVFRAFAPgOfWBPmbI0WFrTLpoknpBWl2MpUuX4L775oQt625swOkh7lVtk4/df3JMunbtgt9+jUQR19XV4/GnVLfOZtBBVDg0+iX45Ratc+mUa6OdxlA63JgX6zDIkao0prX15/Bhw3DW6aNRVN3A6kOMOh4PPvgk5s6dywZxY2MTAoEA6z5GA8jv96GGpWEbMGBAu2Ag2KK2MWTxEbPRyAqzamrq4POoiZ2cLl3atZ2Zt9wOm8UMt19igCin3dr8oM1/LjaQaxTN/AAvAkpPQSCrhzukUq4oQkTDhNHwFxYq5jFjfOnbtyvGESPCcHL9TjpJOH3QoIhdz5s3L+Z2p2pw/KD8+mvs2E+vHt1w8imnRvz+cRvWyYQLJoR9z8vNxR9//ME+s4Cu3KLMbFYzLpx0UdTtnKJZOSUV1fB5vbBZ1XtDj+no088IP4fVq7Frt5pm5xBuzcyePQvXXBuu/Nb9vhYfffwxA7gRp5okK/AGZGapDhlyTNQAMdEQXD71WuzcnQezABZ4N2i1O4vf/hgfLl8e65JcEeuPwyFHotI4d3+a854HHmbvjY0NyHTFM9TnR8vfg6epFl5JnW70RjUlSIEz4nlocrspL8tmlvbIpi1b2FKUEg0qDLI0KJ1LgyUtIwN6Q9u4D6q/uPraa9nyZgPPalk8fhXHmbuvCsuWvhl1vR4Gg9LDaOSIKDiV4+QcjuMaO9jKoAZKUmUlxKoqKX72bF/y558LQna2IYrxwN93//1cyDPC5NNPP2XWWzTJSEvBKSNHN/9TXl6OH374IeaxRMuiULFaLOndsxsGtkrX0vFAswLI89OFnMWkSZOibik9Q02d+30elvEwmy3wej0orW3EkGMGIzExPFzw2mvUwVK9QJRd88otFs3zCxegf6sJ6Z7Z97D3OKsBkiwzwKGirXvhxAtw+x3/iDimNxa9gH79+mL16l9h4lqsmiceexB7d2+KdUkujPXH4ZAjUWnc09afJ514Is44dQRK6hphtVgZt95zCxYTYJxVXVIcg/xNSiPSQ058FQ2NDSw6bjCakJySDGf8/mNHRDADbYDU1zcwy4UeeirKqmrysZqX4KCLJTfcOANxdisbWLKkMPo8UVJH2cIFL8ZMsxIuw8hxPFH4dRMEYvjhD5YzI5qQwhALCiA1NkrJS5eKzvvuM0SpQwoELfFh48dzg7KzW1kbCt58662Y+2itCBYuXBhz2UkXToDJHE6jWllZic8+/zzmOpS9CJXl76uzMJ2EvpXaO3H4CawEoLUYTWomzGI2M6yJ2+NmLi2l6AldPP7sc8LWeOP1lupjshxkeoVo02effS5s+Q0b1mPz5i1sjJKXQZaDFJBQ7/bBJwNPPP4Yhg49PuK4pIAXl16inl/wvk+9cnLEciGSpjXe+lPkSFMal2q0eTHlsmlqYKuhvhEZSU40eWTcf6/q41ZU1qCqopxVppLCoBRsXW0trBYbUpJTGKMUAbYoL78/2bZ1KxsMEgMtiRocPQB/IMD8X6PJgpz94D5u1WYSGsO19Q1ocnuQYDWgrimAF55/Luo6/YxGaYjJhDJRJPif3I3j4Ouo3DjHqb1PcnMJhy+mfPGFZJ440aiNAzYJitu3+xpfeslXOmKE5H7tNTEI9ppzzz1Ka2vjpRdj1/FcOJEUQQteYcmSpXC7o2P2bFYLzp8Qialoa/uXXBKuNNasXdPsPrQWqokZPvykiN/9PjVbSQBAt8fDFIbVbIHTrhYiXnzJpWHL5+fnY01z+phjFbzQapzowowccTKOG3pC2Dpz56qBbpNBB0VW4PF4IQb8THGA4VKiQy5y8/JQWFTcTHh05ZVXQqdvE6Z/aVt/dqQcSUqD1xogxxTiaDh7/Nlo8ktw2m3sQXrk8XmorSpkq9DDXVFexrIcVM5O5rPBaERSkgs+v5fVJcQ5zBFmZDTZV1SE3PwCNnMRUCwgBuALBOD1+lBWWkb8NejRRlB18mWXI82ltjhp9HhRT3B2o5Gd5OLX342JyzhHy5gQuU4WzyupHMe7OwIBSvELjwe+vDyYzzgjkNXYqJjOPJPKdgO+b77x1d9zj7/81FPlsmHD+KqrrzZ4v//eVDl9uiDl5zN/6uxp07hMmy3M2tiwYQMrWY8mFMc597yW2AMFGd95952Yhzd1WmQY68MPP0RjU/Ri0W5dsnD88JPDflv5Vex6x4kXRsY1aqpVqHtDU1OzwqCCOatVfTjPPGM0El3hGYtg5oiSLBrQmLpeMqwQyQutFN0bb7zJLBITD5bJE2UJHK8W8zUFFHTr1hXPvxA9tvXN1yvZGK92+xHvtOPcc8+LeX50im392ZFyJCmNR/ZHyPvv2fcgPTkJpdV1SImzobisFo8+fG/YMjQbkEYnhUGEMCkpqSzNSd+JB4NyKf37x6JSCJcdO7azm0bWBfFfULl8fX0dM2MNeh69evWOue6cOWpEnVJnZRVVrFQ8NcEOvww8/d8noq4z1GyWjzKZ+ApRJGXFAqBCtN6sByGK2w3ebhcd06d74p95Rgr8/jvq7rxTLD3mGKVs9GihZs4co3fVKiMdqD4rizN27QpFFIWK887jIcukLHQP33dfhLXx7HPRLSaSG2+4Iez73Kfnxlz29FNHILtLeOUrlQQsenVR2G+hqZxrr7km7L9VrZjBSPza0V500STo9OG10Ll7c9Vl/AGW1SKFYbeZYeDU/dC9nzIlPMb49jvvsMkp6OzIzFWRIflFFuwedNQAnHd+i7KkGMmi19Rz8EsSG4M6nvXgZuOKsirXXH01ZsycGXHs/33qKfYetDJvmjkj5vXTKCROa2uBjpIjRWlQGDsyKhQi6WmpuG/2LNR5RaTGq+bjFVOvR8AbHoyjWhSyBswWC9LS0hlegx50QoraNbPzqKPal0HZuE7tiez1+1kakIrgRMrKCAIa3T707tsn6npUnk0cH2S27iurhCSKMFvV+Muri5Zg787IIJ+J45SL4uLgUxS+TlGQw/NyD47jOizNqihEuKMoHo9QMX68sfTYY4Xaxx83BnbsMOjS03X67GzosrLAmdXgriKKMHTpAu+GDbqqK65grvtlt90m9HG5wqyNBQsWsIcumpx80jAMOua45n/++GMjfvzxx5iHeOutt0X89kgr2DaLD2mfp1w+GQmJLXD+pUuWoLS0tPm7l9wBrx+VDR6kuBJw+eVTwrb1888/ockvIjM9FS6XC3a7qjAkzS0lmdnqYSZ3d+MGlSiJ4hSSKEMUJaZIvKK61vwF4fGb++fMYcccb7cyikSqQyJVQNaXx6deu2fmzsUVU8OtLQoGf/f9D4i3GFDn9WPkySdi0OA2uxQW5QIAACAASURBVGJc3dafHSVHgtKgY3h+fwvdc/9D7L22wQ2rUY+V3/2OlZ9Hmrv5+XmwmvSMsYtuCj3oFOQihRGsdu3Zszd0hv1zBW/ZolZc+v0iGhsbmcIgYA5VdvoCfvTt1z+qn3nPvar1U1nnRlNjIyvucsXZ2G8E0okmZ9jtUrZez9dIEhtg3XieM6kp1w4RzmpFIDdX73n/fYNSU8MJ6ek8KQohOZm5LojiAlERoCEtDQ1vvCF4v/iCDoW/4847w5ahVOXS92LjMKZfNT3s+7xnn4257ORLL2WYmFApKtqHn35SiYmDmQoumCXhOVzWShG8qlkmZGHQfaMYQmWVyu41ecqVYctSK4Yd27bBadLDalKtUDG4bW2ZLtkZOOHEU8LWW7FiBXtnSkOSWIaOChtNRj18soK0FBcumNjiDuXl5SEvPx9mndo2l2Bbkiwx5WHQ8c048EWvvIyBrapzg+OlpkGNB1173fUxrx+Ao9v6s6PkSFAat2jItpiSmpKCq6+aCo8ow+VUo+z/+Ed0w6SkuAgWvcDSrXV1tazS1Wq3M8wGA2ixmpV0dOkSSQLTWvbs2g2fRLOVh/GD0jYowGo2m2ExW5CTmc56loTKhAkTkJmRgTpvAJ6mJijE6aHXw8hz+PLrX7F9cyRmwc7zymlWK2olibkiZHUkcRzn78g0K3VgM5nAJyWBo4KqGIoiTOh/o5EyD3z1jTfSoUgTrrlGaA32erGtgOWlF4e5Bcvee48RKUcTV1I8xo6L7F75gubzU9yR0qmEwwhinlojPp9/Xp1/aDmKIVCAUxID2FdZi1EjTkTPXuHW4dZNqtWnC1EY+hDFRHLZ5PDMxSsvq3ENIw9mZZD1QFSQZNV6/Kq1ccst4a0fvvlKVTQU+iB3hs6FeFWJGlH0SahqUvMk3333XXNWh+SDDz5AVXUt0hLszPqZeOGFMJpipvp7apmUwyp/tdKgs//X/ha694EH2U0kEI7FIGDZx99iw5pVUZctKS5GRW0DfH4fDAayMBwMFWoyGBgDV0BWZ5H2ZFB27tqJvIJCZqlQkRSZoBTMJCVGnNsmPY+cLjlh6/zzbpU4t6HJA6/HzRClaUkqG9UTTz4ZdT9j7HYpVa8XGqi8X1Hg4jg5ieOUI4KEkvzwjAz49+7VeRcskOMdDvmMQYPClAZBo0vLyqKunhDnwAUXtOAkaGZ+883o+BSSaVECokuWvMvS6bz20PEhOIyjBvQNK7EnS/OXX1eze9zQ0MjcSsLZUGCc1m9tmRDvKEIURFBhMNY37ceLJl0IQddSt7dn7x6sX7+ebY8sT6qApqplisEQVwoYNOAERpwclHnzVAvLZtarFoZe5ZqVtUmJFBu53vHxcfjqq5Vhx7j4tUUwCjz2ldUgKd6B4cNjZlfpkKIj2TpQ/mqlceH+Cm5Sk5Nx7fSrmO9JlaZNAeDuf8fWM0TaW1y0D3ZHHOPe1Bl0MOn1zDpg1ZHaDEVlzPuTquoaxilKmAyKevO8wHxfQg42NrnZ2qHB0JNOOhHHDR6EOp8E0e9jEXlHnJNZPhu35mLl55FmfIIgyIT+rJEk5un6AaUbz1NXpg5zTQ5ZiGjHbkflv//NQF73v/RSBNhr8eLFMfdy/oRzw77PbwMiPn7cWDjjEsJ+owf//fffZ5/pIrXGYbTOvCzQ8BIUi6I0OU0YDNWrABe0Anr9sno1e+dDFAZLs0tKMwN6UmI8zjxrXNh6ixapbpDZpGeYDVKGZInSOpTtAEuTtmBVCLFKBEMmgWeWF68TmGVCwXWyPFj6VpGZhXrySSfiiSdb3Nj5z6kKJ3jBR506Gm3IJW392RHyVyuN/Z7g/Q+rgbAtu/YiIzEOn326Ets3r465fB3DZtQhOysDep0ORh3xWJpZPIOUBt0gEip0ao/sKyxQiX8VICUlGXEOB2PcDmIOeoVYLLffpSozin/QzGa2WJHhUq2MuU9H9+XPtNmUJJ1OaJJlBuRxcpzcleOYxXHE8BZQEDUxEWJtrc43fz43dMgQDExPDwuIBlOR0eTkk8IxEhRI3L07eqrWoBdYn5XWEkxLRiuKv/SS8GH07pIlqGloQmpyksq6ZrawTEVucRn69+qOk0e0wNa//OKLsOI4Oimq9yB9IVDPW+33yy+7LGwfb2nANiOnZnnUcn0OHreXKTmwtHv4Os9p8RyjQWAmk9dHKViRWcKEA6KAMgVuKR5z+223oncftcve7j17sHrNWnRJiUeN24czorhwITJUa/Z12OSvVBqUZB/T1gI9unXD9GlTUVhRgzi7Gkh8/NEH97vh8tJiOPUqo5TVYoHRZFCrVekGK6rS6NO3zbaHzbJ962bG4pWSmorEhHgW0yCloTeo5ioxloPNOEacetoZLO7i9XjYIEhJdrFBXlBcjbfeeDli21aeV060WrmglUGMXD15HtTP5Ejjx6egqKDXo1pNsXLPvPoqQq2NHdu3N9d/tBbKfJ12evitfuzxx2Lu68abboz4jVwgCiZGk2RXAiaEBB7p/rz60gusKpWC0L6AavVBw1LcGRIPo2WXvLuEfW5WGLIaZOVCYNznnjM+LFNDiNVPPvmEfRbIJVGgArdICeh0zA3u3jUbI0e1ZEEXL36dlTOQonGT2ySKDGVM7gp9Vi0OBRU1DezCrvjyC7goUA3g0YfUcU/ZuOMHDcCYs8a3dbvaLu09RPkrlcZD+1tg3kI1wLZrbx56Zadj+affYc3qyFx8a9m7R0UGWixWmMwq+S3YPEDRanWu6t6jJ8zW/VMu/rFxI3vwCVEqSzIC/gCbvRw2Fe3YtZuqNKZcORUOkx4VNfXM7ExMTEScBhKiwJnPUxex7TNsNjlZp+PIyhDVAI/ch+dp8B62EviDFrI2UlLg37qVk374QR55xhn8sO7dwzyob775JubW77wrnND5xRdeiBkQHTJoIIafFFky/8wzkUx3Xi0ievMtt4b9/tQTKhbGarcxJK7daoVLA9uNHzcmLID9rGYBsIdB4VgbBir+VTTgFtWK0KRwZauU6BPaPkwCx4KuBAAkuDqBARu9air1xptaKn49HjcWaLiWALNO1PgGWRgUE6H9+n0ByGIAxdUNjGnup59+YstTQDS3cB+yUlVv/tY77oh1qUnaTLEcqvxVSuNECgG0tQAVDI05/VRs2F2Avj3VG3znHbe3a+NF+1S0pcliVun1GV+2annQzfFLCovU9+y5/zJ5Yl6StW0xC0OvZ02YqNGRKCvMZaE02dnnTYBblKFj/KQmFkMJXtwPPvgwYrsOnpdPtVqVWs3KoIK0bEFQ0jiO7+jitA4TlQeCr37kEZWM56mnwmIbBBWPJaePHon0Vjwbb4VAqJVWwK1JF0a6KG+8Ec6jSgrD5xNZhuvkE49H9x4t97OouJh1hUuNs7GAeHx8AqzmlmDm5MtaAqK//fYrQwuz1nKCyhZA7gm9KIjq9qm68bJW7gZlOqqqqljQNSCJLChKFJNEOaloFi3FaCi+FpQgGC7BYQXH8SweQoqGp0B7QFSJmgUBnCxhT1E5evbogbfeUaEFTz/xOOLMRuwpqcToUSPQpWtMTpe2erYcsvxVSuOW/S1w9z0qW3VjQz3SEuLx8uLl2L3993ZtnEqlwSLVBgbZhUZ+SzeoprYOtW4v9Hz7MihkEufmFcCqA1MUVpuFWS8Umad+rC5XEh5+

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 6 IoCs

resource	yara_rule
behavioral2/memory/992-2-0x0000000001E50000-0x0000000001F69000-memory.dmp	family_avaddon
behavioral2/memory/992-3-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/992-239-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/992-441-0x0000000001E50000-0x0000000001F69000-memory.dmp	family_avaddon
behavioral2/memory/992-535-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon
behavioral2/memory/2360-544-0x0000000000400000-0x0000000001B46000-memory.dmp	family_avaddon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2360	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\L:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\P:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\R:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\V:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\A:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\E:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\H:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Q:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\S:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\X:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\B:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\T:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\U:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\W:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\F:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Z:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\G:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\I:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\K:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\M:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\N:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\O:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
File opened (read-only)	\??\Y:	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.myip.com
26	api.myip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
3648	992	WerFault.exe	81
348	992	WerFault.exe	81
2128	992	WerFault.exe	81
2892	992	WerFault.exe	81
4604	992	WerFault.exe	81
1112	992	WerFault.exe	81
3928	992	WerFault.exe	81
3536	992	WerFault.exe	81
2340	992	WerFault.exe	81
4860	992	WerFault.exe	81
3452	992	WerFault.exe	81
3008	992	WerFault.exe	81
1692	992	WerFault.exe	81
556	992	WerFault.exe	81
436	992	WerFault.exe	81
2264	2360	WerFault.exe	128
3548	992	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2832	wmic.exe
Token: SeSecurityPrivilege	2832	wmic.exe
Token: SeTakeOwnershipPrivilege	2832	wmic.exe
Token: SeLoadDriverPrivilege	2832	wmic.exe
Token: SeSystemProfilePrivilege	2832	wmic.exe
Token: SeSystemtimePrivilege	2832	wmic.exe
Token: SeProfSingleProcessPrivilege	2832	wmic.exe
Token: SeIncBasePriorityPrivilege	2832	wmic.exe
Token: SeCreatePagefilePrivilege	2832	wmic.exe
Token: SeBackupPrivilege	2832	wmic.exe
Token: SeRestorePrivilege	2832	wmic.exe
Token: SeShutdownPrivilege	2832	wmic.exe
Token: SeDebugPrivilege	2832	wmic.exe
Token: SeSystemEnvironmentPrivilege	2832	wmic.exe
Token: SeRemoteShutdownPrivilege	2832	wmic.exe
Token: SeUndockPrivilege	2832	wmic.exe
Token: SeManageVolumePrivilege	2832	wmic.exe
Token: 33	2832	wmic.exe
Token: 34	2832	wmic.exe
Token: 35	2832	wmic.exe
Token: 36	2832	wmic.exe
Token: SeIncreaseQuotaPrivilege	4996	wmic.exe
Token: SeSecurityPrivilege	4996	wmic.exe
Token: SeTakeOwnershipPrivilege	4996	wmic.exe
Token: SeLoadDriverPrivilege	4996	wmic.exe
Token: SeSystemProfilePrivilege	4996	wmic.exe
Token: SeSystemtimePrivilege	4996	wmic.exe
Token: SeProfSingleProcessPrivilege	4996	wmic.exe
Token: SeIncBasePriorityPrivilege	4996	wmic.exe
Token: SeCreatePagefilePrivilege	4996	wmic.exe
Token: SeBackupPrivilege	4996	wmic.exe
Token: SeRestorePrivilege	4996	wmic.exe
Token: SeShutdownPrivilege	4996	wmic.exe
Token: SeDebugPrivilege	4996	wmic.exe
Token: SeSystemEnvironmentPrivilege	4996	wmic.exe
Token: SeRemoteShutdownPrivilege	4996	wmic.exe
Token: SeUndockPrivilege	4996	wmic.exe
Token: SeManageVolumePrivilege	4996	wmic.exe
Token: 33	4996	wmic.exe
Token: 34	4996	wmic.exe
Token: 35	4996	wmic.exe
Token: 36	4996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1368	wmic.exe
Token: SeSecurityPrivilege	1368	wmic.exe
Token: SeTakeOwnershipPrivilege	1368	wmic.exe
Token: SeLoadDriverPrivilege	1368	wmic.exe
Token: SeSystemProfilePrivilege	1368	wmic.exe
Token: SeSystemtimePrivilege	1368	wmic.exe
Token: SeProfSingleProcessPrivilege	1368	wmic.exe
Token: SeIncBasePriorityPrivilege	1368	wmic.exe
Token: SeCreatePagefilePrivilege	1368	wmic.exe
Token: SeBackupPrivilege	1368	wmic.exe
Token: SeRestorePrivilege	1368	wmic.exe
Token: SeShutdownPrivilege	1368	wmic.exe
Token: SeDebugPrivilege	1368	wmic.exe
Token: SeSystemEnvironmentPrivilege	1368	wmic.exe
Token: SeRemoteShutdownPrivilege	1368	wmic.exe
Token: SeUndockPrivilege	1368	wmic.exe
Token: SeManageVolumePrivilege	1368	wmic.exe
Token: 33	1368	wmic.exe
Token: 34	1368	wmic.exe
Token: 35	1368	wmic.exe
Token: 36	1368	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2832	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	115
PID 992 wrote to memory of 2832	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	115
PID 992 wrote to memory of 2832	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	115
PID 992 wrote to memory of 4996	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	118
PID 992 wrote to memory of 4996	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	118
PID 992 wrote to memory of 4996	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	118
PID 992 wrote to memory of 1368	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	120
PID 992 wrote to memory of 1368	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	120
PID 992 wrote to memory of 1368	992	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe	120

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
"C:\Users\Admin\AppData\Local\Temp\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 876
  2⤵
  - Program crash
  PID:3648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 880
  2⤵
  - Program crash
  PID:348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 880
  2⤵
  - Program crash
  PID:2128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 932
  2⤵
  - Program crash
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1032
  2⤵
  - Program crash
  PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1132
  2⤵
  - Program crash
  PID:1112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1536
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1624
  2⤵
  - Program crash
  PID:3536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1812
  2⤵
  - Program crash
  PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1548
  2⤵
  - Program crash
  PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1552
  2⤵
  - Program crash
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1784
  2⤵
  - Program crash
  PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1632
  2⤵
  - Program crash
  PID:1692
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1812
  2⤵
  - Program crash
  PID:556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1668
  2⤵
  - Program crash
  PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 892
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 992 -ip 992
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 992 -ip 992
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 992 -ip 992
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 992 -ip 992
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 992 -ip 992
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 992 -ip 992
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 992 -ip 992
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 992 -ip 992
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 992 -ip 992
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 992 -ip 992
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 992 -ip 992
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 992 -ip 992
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 992 -ip 992
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 992 -ip 992
1⤵
PID:4412

C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe
1⤵
- Executes dropped EXE
PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 592
  2⤵
  - Program crash
  PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2360 -ip 2360
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc.exe

Filesize
881KB

MD5
c83f30c065f7f61428eac2370ddb4f53

SHA1
cfd70af0c89d7b00839c1d32852c53c603d35e32

SHA256
bcb69244dc69a152af4dca3849bb4f3ca634ad785926304c672dbf8a3c38e7bc

SHA512
26100fdf2bba32c0a2f5d27589e730e6af4a16b5cad16cb8ec6314e4291ca1858e35906645636617dacca7c72be6792b01f2bbc073c4468701326e8c889e1d51

Download Submit
C:\Users\Admin\Desktop\readme.html

Filesize
50KB

MD5
2817fb32eabacc4d6d41948d809eac4e

SHA1
9c67482b9091773d77f8667287646c686350e71b

SHA256
3e7d44e773758cabe794e125e49a15bd23471ab540752b398014c57b368cc7bd

SHA512
5a4ebd9506b0e37e288eeefbaa3b82e76b32175b1af7a6731613b376e0361db5aebf15cc0a8a8f638e0cafba3f5315a7d90f606f013b711ddad1a43566d70682

Download Submit
memory/992-1-0x0000000001DC0000-0x0000000001E48000-memory.dmp

Filesize
544KB

Download
memory/992-2-0x0000000001E50000-0x0000000001F69000-memory.dmp

Filesize
1.1MB

Download
memory/992-3-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/992-61-0x0000000001DC0000-0x0000000001E48000-memory.dmp

Filesize
544KB

Download
memory/992-239-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/992-441-0x0000000001E50000-0x0000000001F69000-memory.dmp

Filesize
1.1MB

Download
memory/992-535-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download
memory/2360-543-0x0000000001C50000-0x0000000001CDD000-memory.dmp

Filesize
564KB

Download
memory/2360-544-0x0000000000400000-0x0000000001B46000-memory.dmp

Filesize
23.3MB

Download