avaddon | 987ceaaa1be12658ef0ab2e5b0c548830547d3f757a3120f8636902600dc231c

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Size

775KB
MD5

2d2a5a22bc983829cfb4627a271fbd4e
SHA1

c0fc01350ae774f3817d71710d9a6e9adaba441f
SHA256

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
SHA512

8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
SSDEEP

24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\RVeSR_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .abddeabDbe You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC12QVBES1NqNUZrY2hhY1hQNmZrZndxa0pHcWVJOXo5cld4THdlbHg1ZktyckMveXR0aWdUaXZ4VjBWdTlkaVd1RmE0ekhLV0lIUkV3clM4eW00Q3YzbjM2eEswd1hSbXQ1R1didStHSnlTL0o5aWlPemRYSGxkU3Y0NW9sOGRrNDM5UWFVU24yZmZxMUVrN043czd1dHVqS041M1h0TkJ3Nkl5TEFReFRGbzlsM2ZFMnVnYkFGWkREYjdvaGdyT2ZXdHErS1BlUXZMQlJoZTJPSTdFMGhaSnJyNlJWQ1NaU05FSDdSRVpPM2RmbWhXaGkrOVd0NGJEeXFCTjFTNGJrSUhFTTFOS1Q1TDRJV2hYUWplZ1hVS1NWQkJIV1ZuUFhxYkNrS1R2RHJ2djc2aXdSaVR6b1NzUzAvN0dKRHNteXlCK3pGYmNvMHJKU2s2KzIzb0NoaG13NVgySUdTOGpPV2FxdjFQOGdCVHllWVVoQVlLc1RqTFdYSHJYR2hEeXJpR04yTERXRVdtQzRzUFdvQXhzVjFmamM4ay95NHlSODRlQ1ZuVEUyUkhxbnJVQ0JnMndTckZhK1Z3TTFMM0hLWjFFTkxXdUx3emI1M091aW8rRStMOHZwd1RIczdpeXhxMTBFdUg0eEZMejY5ZTV5d1RYVTcyOEkrSWdzWXBkRWE0dU5JNEt3YlBVSzh0b3l0ajF0MStYRm5vOUdDOUczNTNDaGloQWd6empZcEIwYmZBaU95UE9YMm1nU1BWemQ5OEhyQy9ZT3FsSkpNaHJEN1I1Z3lHa01mNHdOZy9nMGdEK3B2ZmlOYmY1M1NTQk83ckw1ZlgrRGsvWFJQVm9pM002bENKMGpXSDV3aUNwK3Z0Q0xBckVDZWZ0MjlleXNTT2VyQVpUSW1zVnJTcFZkZHo1dGlIMklkQW51SmhibnlLTmZ2UUdQbXBJdERNZC9ucjdJb29iVzh3RFM5NHZ4TWdIMjdBOFVIck0yK0ZQZ1JpSmZHMkVFM0xZWHVMdmw2KzBFWFYwcUdNd2FaYVlyc2Q2a2RQTzZKTjNOcDVYMkxJNDdLT3RGUktxeEVFMmFCTGR6bFVRaGc3dGpEclNlYm9QTDNXR0gvUFpSeU84L1huN0FzZy9tcmtLTXBXN0xXVEFINUVMOFpoaTRaL0wzTW1nc0hoWFBYTWthdk5YZG5ucjl3M3RzaSt0eXROM0MvZnJxT1UyZXRickwvaVI5WTQxWjVrSU1ZNldMU2xySTlnS2dJUWN4ZTRxdVVQK3RJSXNZd0lCU3dyTTRlNmtyWm9RWWlOVU5rZjlJazl3bGJ1MG9Ock1uZFdNSitSUGlQRndXcVdiMThoWnRjcTk0RnJzWWp5Y3FsTkprWWtGLzllSGN1WWFvYi9VaUozMnZ0UitXZVJ2czZaMzBUaFZxanVkcEh2UldNZ0wvWkxzZnRyc0N5ams0QnM3UXVEK084MHJEaVRvVlkyaGlqQmYvdklOOURRZG1kUVV3SUxFb0psaUdtdzJIR2RVcis1L0MwSW5sbFVteHFPalhxT0JnSFljV3h6MUVVeFYxWElpc0k2andHTjNCc2Zob2FRMXNlMWtlai9kVUV3UzEyV3hpUkJNUksrSGhVZ0lYYldaQ3J0UkljZG9QNkUxYmNvVzk5V3p2RTdvWGdxRDZrYVo2cnd4Z1k3RTdSTUw2Z2tZN3hweEZLZTY3Q1FFQ25aQ3FEaTNWNlk5Z1hSQnRPMXhCNXhnR0p3NVlFMDE4QWVSazU0dGZtbDFqaThxNWNVTWJabmxUV3hnc05hdTE5UmlLVmViZU9RTEVsbVZVa240MzkwUklwRE9XN3E1cklpVDU3SnV6RzJsWXhjc3k4R2toVnNwSmR6RXVhS3JKTlRuekwvVEd0eEo0azVGd29zNTJjOWxSK3A5U2orMVp6TmhNZjZnUnExdm1tWHNRY3NPVTJPRnd2ZjlJZ0VIb3NIRXBhMUlZUU9MRzFaLzdGSERkdFpQTjBPUGFpd3l1N3JWckU3K1R0MjV2N1A4aVVzUnV0Y0diQVcxN09zRWppVmdqLzNVRHgzdTB6R01mK0dqdjJhYmFQZzYyb1RZUkxFN25aQUtJRSt1QlpoQjlReFlDckRWK0U3MEltY2ZGOXhhV01SdU5LUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * H8FImaqkxBRlqeXIwpeBcMrrDV

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Windows Live\RVeSR_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012255-580.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exewmic.exewmic.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2472	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2472	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2472	wmic.exe	29

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

pid	Process
3044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	Process
File opened (read-only)	\??\G:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\J:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\M:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\N:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Q:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\V:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\E:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\H:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\O:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\S:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\U:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\I:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\K:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\P:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Y:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\A:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\B:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\L:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\R:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\T:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\W:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\X:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Z:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\F:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
2040	vssadmin.exe
552	vssadmin.exe
1540	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

pid	Process
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2500	wmic.exe
Token: SeSecurityPrivilege	2500	wmic.exe
Token: SeTakeOwnershipPrivilege	2500	wmic.exe
Token: SeLoadDriverPrivilege	2500	wmic.exe
Token: SeSystemProfilePrivilege	2500	wmic.exe
Token: SeSystemtimePrivilege	2500	wmic.exe
Token: SeProfSingleProcessPrivilege	2500	wmic.exe
Token: SeIncBasePriorityPrivilege	2500	wmic.exe
Token: SeCreatePagefilePrivilege	2500	wmic.exe
Token: SeBackupPrivilege	2500	wmic.exe
Token: SeRestorePrivilege	2500	wmic.exe
Token: SeShutdownPrivilege	2500	wmic.exe
Token: SeDebugPrivilege	2500	wmic.exe
Token: SeSystemEnvironmentPrivilege	2500	wmic.exe
Token: SeRemoteShutdownPrivilege	2500	wmic.exe
Token: SeUndockPrivilege	2500	wmic.exe
Token: SeManageVolumePrivilege	2500	wmic.exe
Token: 33	2500	wmic.exe
Token: 34	2500	wmic.exe
Token: 35	2500	wmic.exe
Token: SeIncreaseQuotaPrivilege	2436	wmic.exe
Token: SeSecurityPrivilege	2436	wmic.exe
Token: SeTakeOwnershipPrivilege	2436	wmic.exe
Token: SeLoadDriverPrivilege	2436	wmic.exe
Token: SeSystemProfilePrivilege	2436	wmic.exe
Token: SeSystemtimePrivilege	2436	wmic.exe
Token: SeProfSingleProcessPrivilege	2436	wmic.exe
Token: SeIncBasePriorityPrivilege	2436	wmic.exe
Token: SeCreatePagefilePrivilege	2436	wmic.exe
Token: SeBackupPrivilege	2436	wmic.exe
Token: SeRestorePrivilege	2436	wmic.exe
Token: SeShutdownPrivilege	2436	wmic.exe
Token: SeDebugPrivilege	2436	wmic.exe
Token: SeSystemEnvironmentPrivilege	2436	wmic.exe
Token: SeRemoteShutdownPrivilege	2436	wmic.exe
Token: SeUndockPrivilege	2436	wmic.exe
Token: SeManageVolumePrivilege	2436	wmic.exe
Token: 33	2436	wmic.exe
Token: 34	2436	wmic.exe
Token: 35	2436	wmic.exe
Token: SeIncreaseQuotaPrivilege	2456	wmic.exe
Token: SeSecurityPrivilege	2456	wmic.exe
Token: SeTakeOwnershipPrivilege	2456	wmic.exe
Token: SeLoadDriverPrivilege	2456	wmic.exe
Token: SeSystemProfilePrivilege	2456	wmic.exe
Token: SeSystemtimePrivilege	2456	wmic.exe
Token: SeProfSingleProcessPrivilege	2456	wmic.exe
Token: SeIncBasePriorityPrivilege	2456	wmic.exe
Token: SeCreatePagefilePrivilege	2456	wmic.exe
Token: SeBackupPrivilege	2456	wmic.exe
Token: SeRestorePrivilege	2456	wmic.exe
Token: SeShutdownPrivilege	2456	wmic.exe
Token: SeDebugPrivilege	2456	wmic.exe
Token: SeSystemEnvironmentPrivilege	2456	wmic.exe
Token: SeRemoteShutdownPrivilege	2456	wmic.exe
Token: SeUndockPrivilege	2456	wmic.exe
Token: SeManageVolumePrivilege	2456	wmic.exe
Token: 33	2456	wmic.exe
Token: 34	2456	wmic.exe
Token: 35	2456	wmic.exe
Token: SeIncreaseQuotaPrivilege	2500	wmic.exe
Token: SeSecurityPrivilege	2500	wmic.exe
Token: SeTakeOwnershipPrivilege	2500	wmic.exe
Token: SeLoadDriverPrivilege	2500	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exetaskeng.exe

description	pid	Process	procid_target
PID 2940 wrote to memory of 2512	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	36
PID 2940 wrote to memory of 2512	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	36
PID 2940 wrote to memory of 2512	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	36
PID 2940 wrote to memory of 2512	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	36
PID 2940 wrote to memory of 2040	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	41
PID 2940 wrote to memory of 2040	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	41
PID 2940 wrote to memory of 2040	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	41
PID 2940 wrote to memory of 2040	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	41
PID 2940 wrote to memory of 1908	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	43
PID 2940 wrote to memory of 1908	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	43
PID 2940 wrote to memory of 1908	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	43
PID 2940 wrote to memory of 1908	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	43
PID 2940 wrote to memory of 552	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	45
PID 2940 wrote to memory of 552	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	45
PID 2940 wrote to memory of 552	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	45
PID 2940 wrote to memory of 552	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	45
PID 2940 wrote to memory of 1720	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	47
PID 2940 wrote to memory of 1720	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	47
PID 2940 wrote to memory of 1720	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	47
PID 2940 wrote to memory of 1720	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	47
PID 2940 wrote to memory of 1540	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	49
PID 2940 wrote to memory of 1540	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	49
PID 2940 wrote to memory of 1540	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	49
PID 2940 wrote to memory of 1540	2940	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	49
PID 1068 wrote to memory of 3044	1068	taskeng.exe	54
PID 1068 wrote to memory of 3044	1068	taskeng.exe	54
PID 1068 wrote to memory of 3044	1068	taskeng.exe	54
PID 1068 wrote to memory of 3044	1068	taskeng.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
"C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2940
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2512
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2040
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1908
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:552
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1720
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1540

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2680

C:\Windows\system32\taskeng.exe
taskeng.exe {A7E1B299-C5FE-4963-88F2-7837BACA3F9D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  2⤵
  - Executes dropped EXE
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Filesize
775KB

MD5
2d2a5a22bc983829cfb4627a271fbd4e

SHA1
c0fc01350ae774f3817d71710d9a6e9adaba441f

SHA256
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b

SHA512
8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d

Download Submit
C:\Users\Admin\Documents\RVeSR_readme_.txt

Filesize
3KB

MD5
5aed5de6046d4b1b43e2ed37ee17832d

SHA1
302fa74e409307e64e96f4e73a63d2b5b166552d

SHA256
a28f1eab13ca18a4f1fc5aed1774d5cad18c983920b649cad4f1465a8dc54f04

SHA512
b64cba0eb8e5a0613f456273aef1be709da5f55537de7ca659786d2c8e300867c4f967a1cf57e82a4302aa58a19934b473d10d8e1c868d3a4a80a9dd0c7e884d

Download Submit
C:\Users\Admin\Favorites\Windows Live\RVeSR_readme_.txt

Filesize
3KB

MD5
5f064abb55b08e1e4b7cc37911550b65

SHA1
f9e5993a0d8653ec5a38ebbd872a8922e5893449

SHA256
465d7561ceb1b680d66c3b56fe6ec71f95215e4ae33bc6a14ba489e3b39f7a6b

SHA512
365cfab851c18079028d0c789add7a6b6e9a4ab63759b35554d9fe53249442d65d491ddb3ff70e3368ec47f84e51a6222406c2611b0e87f11d17718dbdf9a9cd

Download Submit