avaddon | bb3097aeb6e7fda5480e1de4ec140734b57d66df89bb4315c3947a43494d6f3e

Analysis

max time kernel
223s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Size

483KB
MD5

53717dc73f61b0f9551cb62d6fca2e4a
SHA1

1ca9304e86632b147852767c85c57e08bdfc8855
SHA256

c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028
SHA512

ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552
SSDEEP

12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Score

10^/10

avaddon ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .baaDeDdadB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS03L0t0SWdOM1NPQ2wyVlh3VS9hSlN2R1Y1TzhDV0JPRmFaWGhBcmxUY1B0bmZ1K0plQnZwdVJhdC9HVW82Vjl3Y05QdE83SFpvYkk2RU8vbmR3REFjZEUwRTI0QWNiRFBScWlnbXlralZCVWkwNmtDbVd6eStVZVE5aUJBSFRkWUdyWVVldVRLTlRLeWlEcDBvakJLaXBSZVNXTXdCRjNXRGhPT1lCWS8vWXZMSVViTkt5ZmtEd3g0T2dVbWNQcys3VFFxUDlHK0xJaXlHVFhTRXNvZ0RIYXlXNWE5bXpsUmJEVk5ObDFmdHZ5WWFHN0JxanZzQU5oWDBOU0NRaFNueXdVdEIxN2dpYlhWRkRtdXM1b29SdVNUYjM2RlJLTElLY0w0UStvTjYzTmN4VU92NzdsaW05VVlRdUZLM3ppOHNIUi9XaGtoTmsrVEhLa2YyT2k4M0NXb2VJTzVUL2dpa2srQzQzRlMySkxRUjN4SDlscytaZStuazFXQjZnaE1yMzM4UUZBcXNKLzQ1YnBOdGVvejVmbWN5L0FWZEg3ait4ZHdqMjFqNkNuTTY4L0VWTGR1TU5IcHZTVHB5aGtYSU85alFmS05CZURkSTVwcmlSYktYVUhQM1VDSkpnUDQ3akJsU2Nna1J4UTZHd1lJamlNL1JmZ29sUTZJNTVOOHdORmtseFFXYW95R0ZKMFBUS0RJa0Eya3JpY3VOOGJvNXpOVUc2N1NzOEp3WUhRd3FxMXBXZWpPUU1lV3Yvdkx4dDdGc3hERmsrK0s1a2JMdCt1OVd1aHphR3JRNmRJV3g3cWV2TDhyT01BeUFNTnFFMkF4YXdoL1dnTnlCVnVQV0dOeFBUdDh2QThFR1ErOU1nUHI3M0ZLK1BwMDFwc3dvdUllZ1B0alpZUEhjcEVRR2c4WmtNNDVBTC9TczRMUTVTWWprWDhnQStac1BPbEtDR09HWi8yTGlIc0Z5RnJaT0QzK0hIcFZGWHdJa29KTFhPQ21ZMU9Dc1J5ckxPMzIzWTRIcU5WMmVSU2ZqSXIzRHFBTXQ0bW1EeWhESHlVM1hRL0MrUUcvd0FNYWJVK2xxangyYkgwK25sYjI2ZVh0Y2N0VlVJK1RPV05IeHdYZGkwWW1xbUJpRXUwTUtLN3lNMVRicyt3em1Fc3E5TldQQTByUkZzK041ODEzeW4xSXd0YzcrWkl6cHlsQkpEWTlIZVJ5MXVucGF2UWpocHAxbDlXcGNMU3l3eitwUmNUZVJpay9oanFOd2dFR1dYcU92SWdDZEZKYXh3b1NtMytDQlRUTjhFa2R3VW1RbnRXWGUzYUZZSGN0QUNxNTFxY2tCRVF0aEtxSU9FR2pTUU04Vk9KRGhGdkhHM0lxWmMxcDR2OE9hVTVYV3k1cEFpaTNpTU42cHpPUHFZN2JaNzh2UURPNWZaOWFLQzdmWGtFbzdEOTQybitqQmxYV09CWUlkcnRWMlQwKzd5RFhNTWFPczdGWjZqVStrTCs0ZTdka2RGMXo2VUxsT2xmRk53YnZEN2NYTkF5dWpoTTFoOEVCY0RmRW1KOU0wVUJsNXQ2aUF1MjVyQW5Obkd1S01TbUtjblNCcXdUektFRU9oc1VFNjlnQzUvL0lad3Y3RmRQcy9PWWpxZ3Brb3VnRUVZVlN3Ylo1TVpTaWJBT2xvVDVObTlmTTVVaDQzeld5dC84K2tJSko3OFRtNitNTVNYaVJ0bktvR0R0R1pnV3RlNVY0cTZHbFd1a3d2dEFDNjhYV2RUSnRvOUZWdWVjTUpZL29hVlhCUmI2emNZa3ZpR0c1NEN0MHIyM3RVbE8zNC95OGc0M1dNZVZ5dHI2QjIwYkMrL3dmQVRBODNyemJ2aFpxQmFhcHc0c2RtUHhyM1pOdlZkR1NlUWhReTh4QlV1MFl3RU9WUlY4dzRWb2orZWxIMHdIaWY5V0NqRjc4cU5hUWJsaElqY1lXUDhYMXN4eE9hSSt5dDBNVE4zOHhiSjB0YUo2c21QVzgvbHhHekwweUJvYnBBMFEyS3FLN0Qyd2JyRmJRdlVqYUpST1VaOE1ybm5JUXhHTXNQbDFscENZanZuWTBCdTlvQ3NDclRmVHNzbmFici9uT3N4ajh1Rkkxb09rNVpBUG9NbzFUaU5nY3d0YmlzQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * acY

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Default\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\4aGp2X_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\P:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\V:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Z:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\A:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\G:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\H:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\R:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\U:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Y:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\E:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\I:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\O:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\S:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\T:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\J:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\L:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\N:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\W:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\X:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\F:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\B:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\M:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
File opened (read-only)	\??\Q:	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2884	vssadmin.exe
1592	vssadmin.exe
1904	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe
Token: SeLoadDriverPrivilege	524	wmic.exe
Token: SeSystemProfilePrivilege	524	wmic.exe
Token: SeSystemtimePrivilege	524	wmic.exe
Token: SeProfSingleProcessPrivilege	524	wmic.exe
Token: SeIncBasePriorityPrivilege	524	wmic.exe
Token: SeCreatePagefilePrivilege	524	wmic.exe
Token: SeBackupPrivilege	524	wmic.exe
Token: SeRestorePrivilege	524	wmic.exe
Token: SeShutdownPrivilege	524	wmic.exe
Token: SeDebugPrivilege	524	wmic.exe
Token: SeSystemEnvironmentPrivilege	524	wmic.exe
Token: SeRemoteShutdownPrivilege	524	wmic.exe
Token: SeUndockPrivilege	524	wmic.exe
Token: SeManageVolumePrivilege	524	wmic.exe
Token: 33	524	wmic.exe
Token: 34	524	wmic.exe
Token: 35	524	wmic.exe
Token: SeIncreaseQuotaPrivilege	524	wmic.exe
Token: SeSecurityPrivilege	524	wmic.exe
Token: SeTakeOwnershipPrivilege	524	wmic.exe
Token: SeLoadDriverPrivilege	524	wmic.exe
Token: SeSystemProfilePrivilege	524	wmic.exe
Token: SeSystemtimePrivilege	524	wmic.exe
Token: SeProfSingleProcessPrivilege	524	wmic.exe
Token: SeIncBasePriorityPrivilege	524	wmic.exe
Token: SeCreatePagefilePrivilege	524	wmic.exe
Token: SeBackupPrivilege	524	wmic.exe
Token: SeRestorePrivilege	524	wmic.exe
Token: SeShutdownPrivilege	524	wmic.exe
Token: SeDebugPrivilege	524	wmic.exe
Token: SeSystemEnvironmentPrivilege	524	wmic.exe
Token: SeRemoteShutdownPrivilege	524	wmic.exe
Token: SeUndockPrivilege	524	wmic.exe
Token: SeManageVolumePrivilege	524	wmic.exe
Token: 33	524	wmic.exe
Token: 34	524	wmic.exe
Token: 35	524	wmic.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 524	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	28
PID 2000 wrote to memory of 524	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	28
PID 2000 wrote to memory of 524	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	28
PID 2000 wrote to memory of 524	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	28
PID 2000 wrote to memory of 2884	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	32
PID 2000 wrote to memory of 2884	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	32
PID 2000 wrote to memory of 2884	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	32
PID 2000 wrote to memory of 2884	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	32
PID 2000 wrote to memory of 1644	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	34
PID 2000 wrote to memory of 1644	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	34
PID 2000 wrote to memory of 1644	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	34
PID 2000 wrote to memory of 1644	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	34
PID 2000 wrote to memory of 1592	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	36
PID 2000 wrote to memory of 1592	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	36
PID 2000 wrote to memory of 1592	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	36
PID 2000 wrote to memory of 1592	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	36
PID 2000 wrote to memory of 1900	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	38
PID 2000 wrote to memory of 1900	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	38
PID 2000 wrote to memory of 1900	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	38
PID 2000 wrote to memory of 1900	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	38
PID 2000 wrote to memory of 1904	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	40
PID 2000 wrote to memory of 1904	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	40
PID 2000 wrote to memory of 1904	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	40
PID 2000 wrote to memory of 1904	2000	c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
"C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2884
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1592
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1900
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4aGp2X_readme_.txt

Filesize
3KB

MD5
c153711073c443901fa6f9323142f39b

SHA1
bd485948417592ebb4c929d2c9c32e2c013d76e8

SHA256
e25f607e1764fdc38753d5f3a7afdc174bb40e8c9784ba8761756041edae068e

SHA512
2aa3e770967ac3cadba074806a708fa6f0cfdd86beb79608f5cee722cb1c6338d41382addfe48b044952d9eec45ed95c0c2e4929bd7966828c0e446d313ccf27

Download Submit
C:\Users\Admin\Desktop\4aGp2X_readme_.txt

Filesize
3KB

MD5
812a5dcb10c9e46fa043af7ae92214e2

SHA1
925d43598a8f55f996a462f0411b6d357a3aa2f3

SHA256
7302ee778d1d289d84c7dca822f03531135454414a915bc484e0b3f880d5caba

SHA512
8e1f5ce7d2ac55b934d1a51e4c05600ee7d0ad8b9fb0357c6015609fd8e4342a8e1d35792b278315add8f6d24747dba41f82850a989133583ad96d69d58207a8

Download Submit
C:\Users\Admin\Documents\4aGp2X_readme_.txt

Filesize
3KB

MD5
8252d6ecbc8dfa7388cb903d7f0de53a

SHA1
430fe7d20151d043d19ea40c0601e62bc31a30e5

SHA256
4d52a859cb57b68cec15c2e72d41c5c2601846ed39aa4271825c96a0c8d7bbbe

SHA512
ff12b922d059d053f3893990dd70052543344f6dcce6f7d8ca6289e21ecebba43afb038616d10323d94e131e254c1f239626b15cee25259ddb3640ec715ede19

Download Submit
C:\Users\Admin\Downloads\4aGp2X_readme_.txt

Filesize
3KB

MD5
074dd5bd55d74eaf8002648c56f59092

SHA1
9fea01fccf6037c11bb1bddc2651ba1a2ab195c5

SHA256
3002d618f4fcee09f2e402c136e0545144a2ca4da34844cba0a306c90f5b7c94

SHA512
fe7abfe0ed9d1dfafbfe97b1cf8eb72209591648fae0b9401b1755e1095d396a702b142616e6d6b4e4e4f1ea9c572d97c8b7072da50a575ef59c85a2ac16629c

Download Submit
C:\Users\Admin\Music\4aGp2X_readme_.txt

Filesize
3KB

MD5
9fac5622a60389974d37c665f507428f

SHA1
9805145289a67ccc46a13bebbd96d8d0cebcbd7e

SHA256
30e6e5b687f45c0deef322bf7db813a48a813827ecb978b3e61c00b37bd68910

SHA512
972efcbff18b14fcdce3d5f5d6adbf7050a17036e4b4987e9fc51cc0abda8625e3716b5f03ee715d7afbbaf4c26f3c02e0c5519281672d49c9922b07152b0dd4

Download Submit
C:\Users\Admin\Music\4aGp2X_readme_.txt

Filesize
3KB

MD5
26173571e18acd7e343b5b3a188fbf6e

SHA1
ea158d565af5a7c74c5078896aba6f4a22c04928

SHA256
47a8c0d905edc81f95e4a0a7ea25bc7b9315a0448682bdc69247363b72bb3147

SHA512
81b0b9578975db2d41315ad01c520bc1b204556ac8e9c2ac262e1fa81e5705dac9ae392dfb48f289c4aada62f36b69a729279131a4c1275bf5ed8bd12bc54ca7

Download Submit
C:\Users\Admin\Music\4aGp2X_readme_.txt

Filesize
3KB

MD5
d8810e21147fd919577823c20c1ef097

SHA1
90a8bb17be7dc26f2aa9ea6388bb819156dc758b

SHA256
c3415f2f4e4929deb7d77223ef7d6aca81b203dd4343e52e692c5093e9f95c7e

SHA512
ee517a084101e5fd793e4df19a06761b77581e7dbbb2778899a42e89b64a44d8f3902bdf5d22539ef06796a35008ddebf8aa2326134a6bffb12d934ffef2733f

Download Submit
C:\Users\Admin\Pictures\4aGp2X_readme_.txt

Filesize
3KB

MD5
9bbf056809a0bbb7c31020314670a683

SHA1
60be0c7792c721e5bbd5c4dd41199e6852223e8c

SHA256
b9e53f98e2cbc314892464cf43ea2af089c43d6c06afa6d8c287b6ba1e6f603d

SHA512
cc14675330bed992e4cb1df1157df5a0751c2b46427fb5251af96e7d582ee14c61627a528f3177e810d5ab94b54435a0a5949044e45d17645809842bb60f2da5

Download Submit
C:\Users\Default\4aGp2X_readme_.txt

Filesize
3KB

MD5
f7d297dfc22e26437b95afb6c34eaa40

SHA1
efb2fc7a961b30537ed54973fcfd1b2ff5931f4b

SHA256
dcb29a0d53242f1bda0d0ad93d973faf575e5260176d0169fb8157db5e1b38a6

SHA512
ea399122eb741fe76586a7cf4dedc6941e6ed4010695fb1e0e73fa366faa0ce3cb1bbabaf8ca23cb24bad84aee9db7e2779fc970f12654daaea0a66bc0472aa6

Download Submit