Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 21:07
Behavioral task
behavioral1
Sample
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
-
Size
775KB
-
MD5
2ceaaae95cdd7c53b2285289c2c8219c
-
SHA1
dad6ab33bdfc9ee19611e22addce66169b6fc3ab
-
SHA256
8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990
-
SHA512
8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e
-
SSDEEP
24576:+Csw9+OXLpMePfI8TgmBTCDqEbOpPtpFaFxfq:YnOXLpMePfzVTCD7gPtLaHfq
Malware Config
Extracted
C:\Users\Admin\jRKyo_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\jRKyo_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
resource yara_rule behavioral1/files/0x000700000001211b-520.dat family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2648 2892 wmic.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2892 wmic.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2892 wmic.exe 30 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 1724 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\L: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\M: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\O: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\Q: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\S: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\H: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\I: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\T: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\U: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\N: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\E: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\G: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\K: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\P: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\R: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\V: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\A: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\B: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\Y: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\Z: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\F: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\W: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe File opened (read-only) \??\X: 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1284 vssadmin.exe 2968 vssadmin.exe 1992 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2648 wmic.exe Token: SeSecurityPrivilege 2648 wmic.exe Token: SeTakeOwnershipPrivilege 2648 wmic.exe Token: SeLoadDriverPrivilege 2648 wmic.exe Token: SeSystemProfilePrivilege 2648 wmic.exe Token: SeSystemtimePrivilege 2648 wmic.exe Token: SeProfSingleProcessPrivilege 2648 wmic.exe Token: SeIncBasePriorityPrivilege 2648 wmic.exe Token: SeCreatePagefilePrivilege 2648 wmic.exe Token: SeBackupPrivilege 2648 wmic.exe Token: SeRestorePrivilege 2648 wmic.exe Token: SeShutdownPrivilege 2648 wmic.exe Token: SeDebugPrivilege 2648 wmic.exe Token: SeSystemEnvironmentPrivilege 2648 wmic.exe Token: SeRemoteShutdownPrivilege 2648 wmic.exe Token: SeUndockPrivilege 2648 wmic.exe Token: SeManageVolumePrivilege 2648 wmic.exe Token: 33 2648 wmic.exe Token: 34 2648 wmic.exe Token: 35 2648 wmic.exe Token: SeIncreaseQuotaPrivilege 2572 wmic.exe Token: SeSecurityPrivilege 2572 wmic.exe Token: SeTakeOwnershipPrivilege 2572 wmic.exe Token: SeLoadDriverPrivilege 2572 wmic.exe Token: SeSystemProfilePrivilege 2572 wmic.exe Token: SeSystemtimePrivilege 2572 wmic.exe Token: SeProfSingleProcessPrivilege 2572 wmic.exe Token: SeIncBasePriorityPrivilege 2572 wmic.exe Token: SeCreatePagefilePrivilege 2572 wmic.exe Token: SeBackupPrivilege 2572 wmic.exe Token: SeRestorePrivilege 2572 wmic.exe Token: SeShutdownPrivilege 2572 wmic.exe Token: SeDebugPrivilege 2572 wmic.exe Token: SeSystemEnvironmentPrivilege 2572 wmic.exe Token: SeRemoteShutdownPrivilege 2572 wmic.exe Token: SeUndockPrivilege 2572 wmic.exe Token: SeManageVolumePrivilege 2572 wmic.exe Token: 33 2572 wmic.exe Token: 34 2572 wmic.exe Token: 35 2572 wmic.exe Token: SeIncreaseQuotaPrivilege 1808 wmic.exe Token: SeSecurityPrivilege 1808 wmic.exe Token: SeTakeOwnershipPrivilege 1808 wmic.exe Token: SeLoadDriverPrivilege 1808 wmic.exe Token: SeSystemProfilePrivilege 1808 wmic.exe Token: SeSystemtimePrivilege 1808 wmic.exe Token: SeProfSingleProcessPrivilege 1808 wmic.exe Token: SeIncBasePriorityPrivilege 1808 wmic.exe Token: SeCreatePagefilePrivilege 1808 wmic.exe Token: SeBackupPrivilege 1808 wmic.exe Token: SeRestorePrivilege 1808 wmic.exe Token: SeShutdownPrivilege 1808 wmic.exe Token: SeDebugPrivilege 1808 wmic.exe Token: SeSystemEnvironmentPrivilege 1808 wmic.exe Token: SeRemoteShutdownPrivilege 1808 wmic.exe Token: SeUndockPrivilege 1808 wmic.exe Token: SeManageVolumePrivilege 1808 wmic.exe Token: 33 1808 wmic.exe Token: 34 1808 wmic.exe Token: 35 1808 wmic.exe Token: SeIncreaseQuotaPrivilege 2648 wmic.exe Token: SeSecurityPrivilege 2648 wmic.exe Token: SeTakeOwnershipPrivilege 2648 wmic.exe Token: SeLoadDriverPrivilege 2648 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2756 wrote to memory of 1340 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 37 PID 2756 wrote to memory of 1340 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 37 PID 2756 wrote to memory of 1340 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 37 PID 2756 wrote to memory of 1340 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 37 PID 2756 wrote to memory of 2968 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 42 PID 2756 wrote to memory of 2968 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 42 PID 2756 wrote to memory of 2968 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 42 PID 2756 wrote to memory of 2968 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 42 PID 2756 wrote to memory of 2336 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 44 PID 2756 wrote to memory of 2336 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 44 PID 2756 wrote to memory of 2336 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 44 PID 2756 wrote to memory of 2336 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 44 PID 2756 wrote to memory of 1992 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 46 PID 2756 wrote to memory of 1992 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 46 PID 2756 wrote to memory of 1992 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 46 PID 2756 wrote to memory of 1992 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 46 PID 2756 wrote to memory of 2040 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 48 PID 2756 wrote to memory of 2040 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 48 PID 2756 wrote to memory of 2040 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 48 PID 2756 wrote to memory of 2040 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 48 PID 2756 wrote to memory of 1284 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 50 PID 2756 wrote to memory of 1284 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 50 PID 2756 wrote to memory of 1284 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 50 PID 2756 wrote to memory of 1284 2756 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe 50 PID 2680 wrote to memory of 1724 2680 taskeng.exe 55 PID 2680 wrote to memory of 1724 2680 taskeng.exe 55 PID 2680 wrote to memory of 1724 2680 taskeng.exe 55 PID 2680 wrote to memory of 1724 2680 taskeng.exe 55 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2756 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
PID:1340
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2968
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1992
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1284
-
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2032
-
C:\Windows\system32\taskeng.exetaskeng.exe {183436A0-58D1-4EFC-941C-795174D2677A} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
Filesize775KB
MD52ceaaae95cdd7c53b2285289c2c8219c
SHA1dad6ab33bdfc9ee19611e22addce66169b6fc3ab
SHA2568b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990
SHA5128613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e
-
Filesize
3KB
MD5521c3580d16c8da52d610c37d3ed239b
SHA172cc5ced79174b1cf24a78b855dfe810331ee3d2
SHA2560360f19265533b7b38b0b20a07904919900b8a168d2889c3dc5f2a70a5025c3f
SHA512f6bfd7987cb5fb7757aaeffe97454b014002a491978bfba27bd0e2dc1cbcb00fe64738c5f9451430ca1c0b78d4eac4ea1be12953daca9766df1957d195bb083c
-
Filesize
3KB
MD501a108c1f0ecb7f097b478b7a4f266bd
SHA17cad9c3aedfac22cc7b5ee3c3295354debc68f57
SHA2568b3f5d418cae85db320a69dd2ed21553ebbe51853b4bdb7ac516a2a2f42dc862
SHA51274af7acda0504cfa0b5d2086db01a720ced66c75ac0d7ecf33bf974366647d575a1351ba57b5fd322c96c06a4e5f17a8226b2b91032a8a63faae4a51058c982a