Analysis

Max time kernel: 141s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/12/2024, 15:26

Static task: static1

Behavioral task: behavioral1
  Sample: 840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe
  Resource: win10v2004-20241007-en
General

Target: 840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe
Size: 1.3MB
MD5: fd61adfce25d440ef8994d124cfce67c
SHA1: 4c7d496c02177037f58588579239caa1d95d509c
SHA256: 840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2
SHA512: 67aeb813bc7be2bf61117a04ee995de70c7b248d044699b33fe1d040476a8d7963ce4831a195591237dcd4e2df07c06971281ffa8c9a70f233469721580e35fc
SSDEEP: 24576:Ks6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccfA6QJfSQccc2IhuOnA:Ks6JY5KLOCyWcDUfRAA3mFbbbbpc4A6s
Malware Config

Extracted from: C:\Users\Admin\Desktop\576127-readme.html
Family: avaddon
Signatures

Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Avaddon family

UAC bypass (2 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (file.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (file.exe)

Renames multiple (132) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE (1 IoC)
  PID 1328: file.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\file.exe" (file.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\file.exe" (file.exe)

Checks whether UAC is enabled (1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (file.exe)

Drops desktop.ini file(s) (1 IoC)
  File opened for modification: \??\Z:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini (file.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by file.exe, in the order observed: \??\X:, \??\B:, \??\H:, \??\I:, \??\K:, \??\N:, \??\O:, \??\S:, \??\Z:, \??\F:, \??\A:, \??\E:, \??\P:, \??\R:, \??\U:, \??\W:, \??\J:, \??\M:, \??\V:, \??\Y:, \??\G:, \??\L:, \??\Q:, \??\T:

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 7: api.myip.com
  Flow 5: api.myip.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (file.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1328: file.exe (the same row is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Each of the three wmic.exe processes (PIDs 5012, 2300 and 112) adjusted the same 21 tokens, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent-to-child write below is recorded three times (procid_target is the sandbox's process index for the target):
  PID 1348 (840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe) wrote to memory of PID 1328, procid_target 83
  PID 1328 (file.exe) wrote to memory of PID 5012, procid_target 84
  PID 1328 (file.exe) wrote to memory of PID 2300, procid_target 88
  PID 1328 (file.exe) wrote to memory of PID 112, procid_target 90
System policy modification (1 TTP, 3 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (file.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (file.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (file.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2.exe"
   PID: 1348
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: "file.exe"
      PID: 1328
      - UAC bypass
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic.exe SHADOWCOPY /nointeractive
         PID: 5012
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic.exe SHADOWCOPY /nointeractive
         PID: 2300
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\Wbem\wmic.exe
         Command line: wmic.exe SHADOWCOPY /nointeractive
         PID: 112
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

File 1
  Filesize: 1.0MB
  MD5: c9ec0d9ff44f445ce5614cc87398b38d
  SHA1: 591ffe54bac2c50af61737a28749ff8435168182
  SHA256: 05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
  SHA512: c340baeb66fc46830b6b77b2583033ade6e10b3de04d82ece7e241107afe741442585bf2ea9d6496af93143c37e9676d4f1e1d301d55632b88b12daadadd43f0

File 2
  Filesize: 49KB
  MD5: f91efe190cf62829345447a8a33926d0
  SHA1: e092f603a9f728f8edf504116937c02ec3b4986e
  SHA256: 0ca5c06784c9abf6c67b922513133964b490b8337d203f10e1e23ea558915106
  SHA512: f5fe4397b3f67c593a8465433e03844dc917d1b8f3b9c2d7b37bd0b1f012f1792fe8448108f6b145b70f0a171bf04111db67263c0eec7aedb9bcee5708e04257