Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 13:37

General

  • Target

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe

  • Size

    787KB

  • MD5

    481be8166b475e08c6fe7f377a8d8a2d

  • SHA1

    267259b38951597f51efbe482a78df324f11d093

  • SHA256

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56

  • SHA512

    0a4616e3a7132020b2ea6bd582f9860fac5b5fdc9dc174e75cf27280419dc335ef356c936612ba64be41f7021d3c14845bfc0cb54406a36a47ed70713ed486af

  • SSDEEP

    12288:JiLCjBTgfnsFhPhNVV60QbFXl7iV+gXj7NUt1upQ1laJsUkqo:J1tTgPsHHVpQbF8V++VUt15MBo

Malware Config

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 6 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (244) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
    "C:\Users\Admin\AppData\Local\Temp\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1876
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2688
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1360
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1952
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2172
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F6AF1CCB-7B11-49DA-940D-3B17C7730B4F} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe
      2⤵
      • Executes dropped EXE
      PID:1488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Cab206E.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar222A.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Roaming\Microsoft\93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56.exe

    Filesize

    787KB

    MD5

    481be8166b475e08c6fe7f377a8d8a2d

    SHA1

    267259b38951597f51efbe482a78df324f11d093

    SHA256

    93f3b587a2a8e5515dc08ee47eef4d02805e5fccefde4a29e780946124257a56

    SHA512

    0a4616e3a7132020b2ea6bd582f9860fac5b5fdc9dc174e75cf27280419dc335ef356c936612ba64be41f7021d3c14845bfc0cb54406a36a47ed70713ed486af

  • memory/1488-603-0x0000000001CE0000-0x0000000001DE0000-memory.dmp

    Filesize

    1024KB

  • memory/1488-605-0x0000000000400000-0x0000000001B2F000-memory.dmp

    Filesize

    23.2MB

  • memory/1488-604-0x0000000000400000-0x0000000001B2F000-memory.dmp

    Filesize

    23.2MB

  • memory/1876-3-0x0000000000400000-0x0000000001B2F000-memory.dmp

    Filesize

    23.2MB

  • memory/1876-2-0x0000000000220000-0x000000000033A000-memory.dmp

    Filesize

    1.1MB

  • memory/1876-591-0x0000000000400000-0x0000000001B2F000-memory.dmp

    Filesize

    23.2MB

  • memory/1876-593-0x0000000001F70000-0x0000000002070000-memory.dmp

    Filesize

    1024KB

  • memory/1876-594-0x0000000000220000-0x000000000033A000-memory.dmp

    Filesize

    1.1MB

  • memory/1876-1-0x0000000001F70000-0x0000000002070000-memory.dmp

    Filesize

    1024KB