Overview

overview

10

Static

static

10

8b921d2333...90.exe

windows7-x64

10

8b921d2333...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe

  • Size

    775KB

  • MD5

    2ceaaae95cdd7c53b2285289c2c8219c

  • SHA1

    dad6ab33bdfc9ee19611e22addce66169b6fc3ab

  • SHA256

    8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990

  • SHA512

    8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e

  • SSDEEP

    24576:+Csw9+OXLpMePfI8TgmBTCDqEbOpPtpFaFxfq:YnOXLpMePfzVTCD7gPtLaHfq

Score
10/10
avaddondefense_evasiondiscoveryevasionexecutionimpactransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\9FFAw_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDEDBCAACB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTU5Mi1URHhsS1BxdlV6bVphUG5VYlB3T29pQkxoME9IVnN5QmpsTElMTTJ3K2NMTHhubUFuVkZUS1FLb2hGdFVGOEVFYXM5QTRSU1FScXhXS1RYME1LM1I2cjdvRzJYc0VuNW1Sc0NHWWg0ZWhGM2lhUktYL3ljNm5jTmUra1dGanNVUUV1ZFBSZjI0Z3puQWM0QUljdG5FK1I0LzgxSk45NndXU2hrcFlNZklaUStsSlJ6TFZJYkRJVTR2TGFFMGZUWC9aV0dDdW5wS1hteVQwNy96U3RNN2RsZldua0ZKbGZnNGhTKzk3YUFxcHMvbjcvUEpnUnNCeGFWbjFtZjAyL1FHT0RnVTZIZWd0Qm16QlMvKzJ5cTJUNnRxRFZiTkdJZHdTMnR3MDZSYXpDaFZsaDFWT3ZDdnVRUU5mTFVkUlhCaDJndm15TDRzdEliZ255THAzZEZWbGVlMTFVUlAwNDREMVdpa0tWdTRpUEUwYU9BdFNJTUdId2hrUjVzUDBZMmNNdUtZMnM5TGZvTzY5QTNkNjZSNGV3T081amk2bTRBWTM5MzlTKzJyWEkvcTZ0V1A3Rk1ZM0NKN0JobHpoYS8xcERRTjRoL256Si9YMnBrd0FVUFYrNHFJdVQ3N0pvcGF4S0pMZWtQbm55YlZOT1RKNW5nQmJUdXFaVFB4ZkhHZE54ZTh6bFlEZzlvbnpqKzlDcklOdUVRWEhLMGk4di82NFEyZDVKQVh2emw5RXRZaWRiZlFjUEZSQUZwOWJuN1R5cmV2bjBxQWVjNEY0YTlYb1A2YU5lYmV4UnlxdDlmSTJxMlQ2Vk9oV2NyaHVvaHRrTVl1cG5oODV5c2YyanRteUhHamgyUW9QTjhDZHVySGxkYjgwbTVnVlJTc2VWVFlwMnZUcEFCS0dHRU9XeWJ0UmJxN1EzMERWOEw1Z3dGdGNkeklXZnduc2Y3R1Vsa04zUGZWSjk5RUM0eHhJdmdUN2RjaldNVStyV3AxVnNoZU1mVHVTVWFUNXQxUjQ2RHoxY01wa3NmZWU1ZTE3TDFzYitoajgvSmZ5ZVhOOVNRdTJyeFR1ajlRSS82N3UvVGZBcy9HdVduSnhhTXo3d2VQSWdHWHNlZDJoSCs5Ulh2bmJ1QkFVNVpIWWZtTmZjSnF5ODFyREdwckVKK05HZVloOXVRL3pPQVVwQjRaMkFJbFpJT010Q2QxTWY5MjhIUGdKOXJrTGZlbFlNNjYzU3hSYUpjRWNPSE96Nml4R3lLMDUxUGYrcFJiOVpMMFc0YnBsZUgydXlkRDlLOGVSc2NzNkVCR1NxdjlSWEMwNFkwUzBxR0VURnBldVUrRVpMMGNLYWlwcnB4bFd5VHM0dytpaE94cXo5dEc5RHRHNnN5Y21YMjNOQ0NEVlRuWTZlOXlyQWFrcVc4OWg3S0FqeGcxQ1pHSjdzeEpHeGllekpic1JjbnFMNEtnNUJHYTNWUnNOWG1IaVl4MjU5YkFCRmZWa1M1UHhIZlBOQmZXanZoMGZmYVdzaGxqelIzN0EwVjBaQm5vK00yTmgzejQrRkd2WjJwNW1YQzN3S1l1dlRPSG5SNzhIU2VRckFVeGRNbDNaVXJaZjBXd1R3aFFFY0RJZ0Mza2NkeTU2M3J3Z0I1NkFiaTAyQ2hqbGdLSnR2RE5YNVRSTnlobkdpYWpxWmZoQ3RxZVZsa2hyWlg0QTArbW5HbjVqRForWXdtWEVsVHVqR0dwdStEcjRJZ2JtVGxUcFlmRTU2RHRUaWxQcTFJNEo3L3lQRzVNWllROW1jazNGQ3ZKQzVNVElsY0pXSnZ0em9ZbkwrcTFobmxaU1BDNENGbm5HRUhYVEdzRlJzVkQxTXhlRHh5SG4zVEZxNzhPYmFkSnlNTWdFdkx3M1p5SUR1cEFPYWlJa21VK2liTmZBbWI0emROSVJMdi8zTVV6bGZ4TFluUkhxTW50M2hBeEhtSVdrdURuMzJrN0RBTEEzTDc3Y3dXbDBESW4ybVBTa09pN2VleTlvTW5FeHpGUHZHNGFiSVlCK1RsTTlMZzdSSndrVHhNcmNYRVYxZTZHd2trUVU5aXZERUNDSHZJbjZ4NVBVbTFIVTY1RVlBVUNrVjdmQ2EycWs5WDBiN1B1QUgzTGtXSzkzVUwreHZxUFZycVhoZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * VrqWHspobxhbrLtgXM12gY0
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\9FFAw_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDEDBCAACB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTU5Mi1URHhsS1BxdlV6bVphUG5VYlB3T29pQkxoME9IVnN5QmpsTElMTTJ3K2NMTHhubUFuVkZUS1FLb2hGdFVGOEVFYXM5QTRSU1FScXhXS1RYME1LM1I2cjdvRzJYc0VuNW1Sc0NHWWg0ZWhGM2lhUktYL3ljNm5jTmUra1dGanNVUUV1ZFBSZjI0Z3puQWM0QUljdG5FK1I0LzgxSk45NndXU2hrcFlNZklaUStsSlJ6TFZJYkRJVTR2TGFFMGZUWC9aV0dDdW5wS1hteVQwNy96U3RNN2RsZldua0ZKbGZnNGhTKzk3YUFxcHMvbjcvUEpnUnNCeGFWbjFtZjAyL1FHT0RnVTZIZWd0Qm16QlMvKzJ5cTJUNnRxRFZiTkdJZHdTMnR3MDZSYXpDaFZsaDFWT3ZDdnVRUU5mTFVkUlhCaDJndm15TDRzdEliZ255THAzZEZWbGVlMTFVUlAwNDREMVdpa0tWdTRpUEUwYU9BdFNJTUdId2hrUjVzUDBZMmNNdUtZMnM5TGZvTzY5QTNkNjZSNGV3T081amk2bTRBWTM5MzlTKzJyWEkvcTZ0V1A3Rk1ZM0NKN0JobHpoYS8xcERRTjRoL256Si9YMnBrd0FVUFYrNHFJdVQ3N0pvcGF4S0pMZWtQbm55YlZOT1RKNW5nQmJUdXFaVFB4ZkhHZE54ZTh6bFlEZzlvbnpqKzlDcklOdUVRWEhLMGk4di82NFEyZDVKQVh2emw5RXRZaWRiZlFjUEZSQUZwOWJuN1R5cmV2bjBxQWVjNEY0YTlYb1A2YU5lYmV4UnlxdDlmSTJxMlQ2Vk9oV2NyaHVvaHRrTVl1cG5oODV5c2YyanRteUhHamgyUW9QTjhDZHVySGxkYjgwbTVnVlJTc2VWVFlwMnZUcEFCS0dHRU9XeWJ0UmJxN1EzMERWOEw1Z3dGdGNkeklXZnduc2Y3R1Vsa04zUGZWSjk5RUM0eHhJdmdUN2RjaldNVStyV3AxVnNoZU1mVHVTVWFUNXQxUjQ2RHoxY01wa3NmZWU1ZTE3TDFzYitoajgvSmZ5ZVhOOVNRdTJyeFR1ajlRSS82N3UvVGZBcy9HdVduSnhhTXo3d2VQSWdHWHNlZDJoSCs5Ulh2bmJ1QkFVNVpIWWZtTmZjSnF5ODFyREdwckVKK05HZVloOXVRL3pPQVVwQjRaMkFJbFpJT010Q2QxTWY5MjhIUGdKOXJrTGZlbFlNNjYzU3hSYUpjRWNPSE96Nml4R3lLMDUxUGYrcFJiOVpMMFc0YnBsZUgydXlkRDlLOGVSc2NzNkVCR1NxdjlSWEMwNFkwUzBxR0VURnBldVUrRVpMMGNLYWlwcnB4bFd5VHM0dytpaE94cXo5dEc5RHRHNnN5Y21YMjNOQ0NEVlRuWTZlOXlyQWFrcVc4OWg3S0FqeGcxQ1pHSjdzeEpHeGllekpic1JjbnFMNEtnNUJHYTNWUnNOWG1IaVl4MjU5YkFCRmZWa1M1UHhIZlBOQmZXanZoMGZmYVdzaGxqelIzN0EwVjBaQm5vK00yTmgzejQrRkd2WjJwNW1YQzN3S1l1dlRPSG5SNzhIU2VRckFVeGRNbDNaVXJaZjBXd1R3aFFFY0RJZ0Mza2NkeTU2M3J3Z0I1NkFiaTAyQ2hqbGdLSnR2RE5YNVRSTnlobkdpYWpxWmZoQ3RxZVZsa2hyWlg0QTArbW5HbjVqRForWXdtWEVsVHVqR0dwdStEcjRJZ2JtVGxUcFlmRTU2RHRUaWxQcTFJNEo3L3lQRzVNWllROW1jazNGQ3ZKQzVNVElsY0pXSnZ0em9ZbkwrcTFobmxaU1BDNENGbm5HRUhYVEdzRlJzVkQxTXhlRHh5SG4zVEZxNzhPYmFkSnlNTWdFdkx3M1p5SUR1cEFPYWlJa21VK2liTmZBbWI0emROSVJMdi8zTVV6bGZ4TFluUkhxTW50M2hBeEhtSVdrdURuMzJrN0RBTEEzTDc3Y3dXbDBESW4ybVBTa09pN2VleTlvTW5FeHpGUHZHNGFiSVlCK1RsTTlMZzdSSndrVHhNcmNYRVYxZTZHd2trUVU5aXZERUNDSHZJbjZ4NVBVbTFIVTY1RVlBVUNrVjdmQ2EycWs5WDBiN1B1QUgzTGtXSzkzVUwreHZxUFZycVhoZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * rzyNc5bbxZPADHYiiNRAND8sP2
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\9FFAw_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bDEDBCAACB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTU5Mi1URHhsS1BxdlV6bVphUG5VYlB3T29pQkxoME9IVnN5QmpsTElMTTJ3K2NMTHhubUFuVkZUS1FLb2hGdFVGOEVFYXM5QTRSU1FScXhXS1RYME1LM1I2cjdvRzJYc0VuNW1Sc0NHWWg0ZWhGM2lhUktYL3ljNm5jTmUra1dGanNVUUV1ZFBSZjI0Z3puQWM0QUljdG5FK1I0LzgxSk45NndXU2hrcFlNZklaUStsSlJ6TFZJYkRJVTR2TGFFMGZUWC9aV0dDdW5wS1hteVQwNy96U3RNN2RsZldua0ZKbGZnNGhTKzk3YUFxcHMvbjcvUEpnUnNCeGFWbjFtZjAyL1FHT0RnVTZIZWd0Qm16QlMvKzJ5cTJUNnRxRFZiTkdJZHdTMnR3MDZSYXpDaFZsaDFWT3ZDdnVRUU5mTFVkUlhCaDJndm15TDRzdEliZ255THAzZEZWbGVlMTFVUlAwNDREMVdpa0tWdTRpUEUwYU9BdFNJTUdId2hrUjVzUDBZMmNNdUtZMnM5TGZvTzY5QTNkNjZSNGV3T081amk2bTRBWTM5MzlTKzJyWEkvcTZ0V1A3Rk1ZM0NKN0JobHpoYS8xcERRTjRoL256Si9YMnBrd0FVUFYrNHFJdVQ3N0pvcGF4S0pMZWtQbm55YlZOT1RKNW5nQmJUdXFaVFB4ZkhHZE54ZTh6bFlEZzlvbnpqKzlDcklOdUVRWEhLMGk4di82NFEyZDVKQVh2emw5RXRZaWRiZlFjUEZSQUZwOWJuN1R5cmV2bjBxQWVjNEY0YTlYb1A2YU5lYmV4UnlxdDlmSTJxMlQ2Vk9oV2NyaHVvaHRrTVl1cG5oODV5c2YyanRteUhHamgyUW9QTjhDZHVySGxkYjgwbTVnVlJTc2VWVFlwMnZUcEFCS0dHRU9XeWJ0UmJxN1EzMERWOEw1Z3dGdGNkeklXZnduc2Y3R1Vsa04zUGZWSjk5RUM0eHhJdmdUN2RjaldNVStyV3AxVnNoZU1mVHVTVWFUNXQxUjQ2RHoxY01wa3NmZWU1ZTE3TDFzYitoajgvSmZ5ZVhOOVNRdTJyeFR1ajlRSS82N3UvVGZBcy9HdVduSnhhTXo3d2VQSWdHWHNlZDJoSCs5Ulh2bmJ1QkFVNVpIWWZtTmZjSnF5ODFyREdwckVKK05HZVloOXVRL3pPQVVwQjRaMkFJbFpJT010Q2QxTWY5MjhIUGdKOXJrTGZlbFlNNjYzU3hSYUpjRWNPSE96Nml4R3lLMDUxUGYrcFJiOVpMMFc0YnBsZUgydXlkRDlLOGVSc2NzNkVCR1NxdjlSWEMwNFkwUzBxR0VURnBldVUrRVpMMGNLYWlwcnB4bFd5VHM0dytpaE94cXo5dEc5RHRHNnN5Y21YMjNOQ0NEVlRuWTZlOXlyQWFrcVc4OWg3S0FqeGcxQ1pHSjdzeEpHeGllekpic1JjbnFMNEtnNUJHYTNWUnNOWG1IaVl4MjU5YkFCRmZWa1M1UHhIZlBOQmZXanZoMGZmYVdzaGxqelIzN0EwVjBaQm5vK00yTmgzejQrRkd2WjJwNW1YQzN3S1l1dlRPSG5SNzhIU2VRckFVeGRNbDNaVXJaZjBXd1R3aFFFY0RJZ0Mza2NkeTU2M3J3Z0I1NkFiaTAyQ2hqbGdLSnR2RE5YNVRSTnlobkdpYWpxWmZoQ3RxZVZsa2hyWlg0QTArbW5HbjVqRForWXdtWEVsVHVqR0dwdStEcjRJZ2JtVGxUcFlmRTU2RHRUaWxQcTFJNEo3L3lQRzVNWllROW1jazNGQ3ZKQzVNVElsY0pXSnZ0em9ZbkwrcTFobmxaU1BDNENGbm5HRUhYVEdzRlJzVkQxTXhlRHh5SG4zVEZxNzhPYmFkSnlNTWdFdkx3M1p5SUR1cEFPYWlJa21VK2liTmZBbWI0emROSVJMdi8zTVV6bGZ4TFluUkhxTW50M2hBeEhtSVdrdURuMzJrN0RBTEEzTDc3Y3dXbDBESW4ybVBTa09pN2VleTlvTW5FeHpGUHZHNGFiSVlCK1RsTTlMZzdSSndrVHhNcmNYRVYxZTZHd2trUVU5aXZERUNDSHZJbjZ4NVBVbTFIVTY1RVlBVUNrVjdmQ2EycWs5WDBiN1B1QUgzTGtXSzkzVUwreHZxUFZycVhoZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ibZkwHOvnB7F6hgkOuMHYNltmCO4H
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (193) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe
    "C:\Users\Admin\AppData\Local\Temp\8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:268
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2548
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2828
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1292
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:496
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2612
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2900
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2636
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2576
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {2511FB33-85AD-4E6F-8BC8-8DD1001512FA} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2076

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990.exe
      Filesize

      775KB

      MD5

      2ceaaae95cdd7c53b2285289c2c8219c

      SHA1

      dad6ab33bdfc9ee19611e22addce66169b6fc3ab

      SHA256

      8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990

      SHA512

      8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e

      Download Submit

    • C:\Users\Admin\Desktop\9FFAw_readme_.txt
      Filesize

      3KB

      MD5

      a8eb6569733552620c715d5c12ab388a

      SHA1

      b0b0e6e2d7a38641548cb1363ae3cd58eb828cb6

      SHA256

      454719915849fac66634addca28a2a2275f6d5125269f32de3c0febe75c60f2b

      SHA512

      fb335000e1004d82cd20922a74959e66337f12658f7f82884faf1e022c85b7339a4502989e3b93ab57266b01a1aeac4f586b92605722954fbd86b5c671a0b551

      Download Submit

    • C:\Users\Admin\Documents\9FFAw_readme_.txt
      Filesize

      3KB

      MD5

      6d5bac8b495d1f1f71f113adcb59b071

      SHA1

      a47b0825a099b3a0a0206b15cb064956b97d3207

      SHA256

      95fbd1e8062534c3c05721eca5a8b17dd4e2489ee3c4cb7511a1ca9d4d37961d

      SHA512

      dbab32b8512b632c7079550105d4bfa7206d098d9b074a29a84c296c5dd154a20967a07ea4f9558c03f2f5467bf0bd0a74bca1bbd57e7734ba5fa92e7e42c430

      Download Submit

    • C:\Users\Admin\Music\9FFAw_readme_.txt
      Filesize

      3KB

      MD5

      f35753a2089a0f2a2614a89fcfe5a563

      SHA1

      12b87c667df9a2552b62906acfa1e3b93bf1b50c

      SHA256

      ce6099fb1f790fa2c604c6e459d0ac321f5fc44944f48a0b1f39d59b6a6f6bf7

      SHA512

      15cf7c1d928c2f0055ca2772bdbdae0a3c7ab56ccc3fcba98f2e7477164e0393fa8f5fc0dc4a13741858dab44ae673cf401788dc165e200a5dd931f663a926eb

      Download Submit