avaddon | 43a6a97fd9a5f8d1c37aa46e7891d19da546167387e57eec8fb4111fc48fefc7

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Size

758KB
MD5

37576c3c5af9c1bad5ff73229a77d1f6
SHA1

965256f9a4920e6ecd224a14cdae296f4f34f88b
SHA256

2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312
SHA512

c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9
SSDEEP

12288:s1vm9KObJ8AUczIEHySmv+QaxwQPATjcM+OEAW7Z5S3gRmhLI4c7uQ+oqUfTMZ0p:NdJTcUW+QaxwQPATjcM+FAK/dRmh0h9v

Score

10^/10

avaddon defense_evasion discovery evasion execution impact ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Pt7UH_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aeaBebACBB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTA4Mi1DdjBmM1M5YXVEYXEvSTFCdHZLQ1JrVkJXNCtVeHNuMTExMCtCRXhDRTA2Z2xQckJwNkpRa0owQlh2cVlUaUhqb0EyeXhXQlFYNnFEREc2cjk2V3BEekxsVG1QZGRhMHhQZ1hxS2dnZStPS0pkejBjbSs3ZzdsZVZ0Z2E0M2IrUmdCbStRT3hGMTFPWHNBUjBtY1FpWUdBNmtZQytHY2RpYnhUZXNBMUpZUWhEMmQxM01LT1NHUXBNby9zVjdJMXgzcWdVTEFaWXhCZFpOMDBNOXpsTks2SW4xUnBySm1JNmJYZm14ODFWa3JIU1QzWmhiem9XL3NwYjNQc1NRSUlzSkg2TXl6NjZLL0FkOG1zTzZTTGdhb1BuUzRvSnRMVGVOSDBkR0FYa3B3clpYU0Zjand2VFU0SHlGNm9EakVsNGV1ZHhiMTh4RFFnQnFSd0JtZlY0dWN6QzZnK29wSWtJMldWaTZWQTdZN0t4UDRHb0QvTG43RFZZOVc1TWtzcU9rSExSdXlZcWJLZEgweUhvVWFQM2laQ25mTXh5YzZpa01iSW96UFhRaHcxT2xDQzRDSTNueDJ2eGU0NWN1My9Ba3ZPNXlSRmc2dGNUQ29WRGxDYWVIV0JnOGtEeXRPbDQ1a1NqNnBSTzR6UEZ3K0JDOEV0L2djbHZVQWxBZ1ovMFBWMmtvM3UxYXpwSW5BVmxGcnVsajJQQkFEaG9LVVJldmVRRC94cS9DY2xuaHR5VTJLTnJkV0NHSkFOYlBSbUR2YlJOR0xXSlg3Q014WDFRQ0R3UVJGam1jaHhNeEhWTTBLVEJtVUZPU2V6dEU0TkNlSVcreERKbFRaN0dFK1VKT2pLWUdMVXBoek1nR1FrVjhVVWRXOGxxdjZqdjJQNXF1aGppYm9pU3Q0bnpEazBHWi9WcE1jTTI4N0VreVlQN05KRCtBNGVwc1NDcHNPN0hlMzhDU3BIUXc4amhKVDBzZ2s2Y2I0L1MzYUhxUjRWVGtGRkxRQ0daY21VTTFvRlpiRVp1UE03ay93SnNhN1ZCQ0lYTCtjMGxudTR0Z055QTRWd3dESW5hWGR2N0dEa2xjV1N3ZjIzUmxoVWRDQlJ0Mjg3QTd2MFd5OXcrUjdBTEd0dDlGYUR2aG1HVlFnVTNvWU14Z1FpUEcvRW1vQkNmb3A4eUkyUlU5SDJ1cm12L0lQUS9Qd2VrWXZ5RjhQWmRNb3FqSDk5ZTJOZ3dWa1VrMTF2aTVGUzcwbWFJcE5IZDY4eU1TOU03a2xzYUhDOEM2OUFZK3Axa01ROFBBMVVZMTVZNFJmWWd1a3dVNFFDaDJYS1o5NkZsM0hLMlZ4c0xZVDFMN3VidFRJS2RRTzA1dGU3MmZqenFGc1VJeGFhMjRoY1dLSFFXVlpxaU9Lcmx4SitZd1hlMVBZRm9TcXJ2S3hSNE1TUkFWQnJENXlpQ3g0L2pxUktFZUgvTk9ZVktBQ3lHcVdkNGJZUWtCZlZXanpIajAxNm55TG1aZVE5SkhKeXp4TVN4MUtCOE5jNEQ0elFZMDZjOERUN2F4d3NJVVU3YUZWbE85YkVQV3VFd1BIWXpTaTdLSGttd1hvcVVabzh5NzJNcFZ2RE1WdkhLTFVVY012Zk5mazcxWTQrV0pTWmVEQ3EzTGkxd1ZHM0tFYjlabWJjTUE4bkkyZE56dmxBSVhXRnFTWHhtVHBVUlJTeUdWYmhnN1VydDFmTGpjSjVZMG8wMTdQZjM3emszOW9kd3pmUkVVZjhBdjdja1RkbmVFMWRxbzhsNU5QM2g0OGJHMmNMQytVbFFibFNuQTFwMmIrZ1JURkcrTmRRRyt1aDBUemFzTEJibERHSStCTmw2T1dtc1pHUHZ2OThTVWNRSGNmL0hLZDkwdUFqblMyRkNGbWtHNnlqejl4WmEyQWtXMGhKRVRwaDlkd3ZtRFE2Y3pQQnpPL1VTZjVxVXU4V1BxNFVOREtwNmZCUmJGdERwL2E5cVJDeVc1am9uUVk2US9sUnpzK0N0TmZoVjBHRW9BQnJZQnFZMG1FMDNnSG1adlAvSHREZTkxalRSQU9maGFFeGxDTzJoTDNrWEJUTlcycnNad3E0RFBGT0grelpkZmxFaXM4UjlUYzNsdW5MdDJ6bHRaYVFLT2dmMFNweithZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * lVircTRrSWRBVlxuSHHIERq446Qp

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\Pt7UH_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Avaddon family
avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c5f-530.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1324	wmic.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1324	wmic.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	1324	wmic.exe	85

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2976	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\O:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\Y:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\F:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\A:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\G:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\M:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\I:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\R:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\S:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\U:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\V:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\W:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\X:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\Z:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\E:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\H:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\K:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\P:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\Q:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\T:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\B:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\J:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
File opened (read-only)	\??\L:	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: 36	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	3020	wmic.exe
Token: SeSecurityPrivilege	3020	wmic.exe
Token: SeTakeOwnershipPrivilege	3020	wmic.exe
Token: SeLoadDriverPrivilege	3020	wmic.exe
Token: SeSystemProfilePrivilege	3020	wmic.exe
Token: SeSystemtimePrivilege	3020	wmic.exe
Token: SeProfSingleProcessPrivilege	3020	wmic.exe
Token: SeIncBasePriorityPrivilege	3020	wmic.exe
Token: SeCreatePagefilePrivilege	3020	wmic.exe
Token: SeBackupPrivilege	3020	wmic.exe
Token: SeRestorePrivilege	3020	wmic.exe
Token: SeShutdownPrivilege	3020	wmic.exe
Token: SeDebugPrivilege	3020	wmic.exe
Token: SeSystemEnvironmentPrivilege	3020	wmic.exe
Token: SeRemoteShutdownPrivilege	3020	wmic.exe
Token: SeUndockPrivilege	3020	wmic.exe
Token: SeManageVolumePrivilege	3020	wmic.exe
Token: 33	3020	wmic.exe
Token: 34	3020	wmic.exe
Token: 35	3020	wmic.exe
Token: 36	3020	wmic.exe
Token: SeIncreaseQuotaPrivilege	4816	wmic.exe
Token: SeSecurityPrivilege	4816	wmic.exe
Token: SeTakeOwnershipPrivilege	4816	wmic.exe
Token: SeLoadDriverPrivilege	4816	wmic.exe
Token: SeSystemProfilePrivilege	4816	wmic.exe
Token: SeSystemtimePrivilege	4816	wmic.exe
Token: SeProfSingleProcessPrivilege	4816	wmic.exe
Token: SeIncBasePriorityPrivilege	4816	wmic.exe
Token: SeCreatePagefilePrivilege	4816	wmic.exe
Token: SeBackupPrivilege	4816	wmic.exe
Token: SeRestorePrivilege	4816	wmic.exe
Token: SeShutdownPrivilege	4816	wmic.exe
Token: SeDebugPrivilege	4816	wmic.exe
Token: SeSystemEnvironmentPrivilege	4816	wmic.exe
Token: SeRemoteShutdownPrivilege	4816	wmic.exe
Token: SeUndockPrivilege	4816	wmic.exe
Token: SeManageVolumePrivilege	4816	wmic.exe
Token: 33	4816	wmic.exe
Token: 34	4816	wmic.exe
Token: 35	4816	wmic.exe
Token: 36	4816	wmic.exe
Token: SeIncreaseQuotaPrivilege	4912	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4912	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	92
PID 4108 wrote to memory of 4912	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	92
PID 4108 wrote to memory of 4912	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	92
PID 4108 wrote to memory of 3984	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	97
PID 4108 wrote to memory of 3984	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	97
PID 4108 wrote to memory of 3984	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	97
PID 4108 wrote to memory of 3948	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	99
PID 4108 wrote to memory of 3948	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	99
PID 4108 wrote to memory of 3948	4108	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe	99

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
"C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4108
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3948

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

Filesize
758KB

MD5
37576c3c5af9c1bad5ff73229a77d1f6

SHA1
965256f9a4920e6ecd224a14cdae296f4f34f88b

SHA256
2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312

SHA512
c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9

Download Submit
C:\Users\Admin\Documents\Pt7UH_readme_.txt

Filesize
3KB

MD5
357b66f39316dde427dc7695fafb6c23

SHA1
6f729180969335957b35754eb64a306cf22fbb23

SHA256
b4b36e32579eb112ff82585d8ef637da237219979c5d71152fc122ffc947af19

SHA512
4fbfd423ed4494dbbac7f860a53fe7cfa22ba328dd11b47de36e6c151666a866d460223c897b2a981af2049110b01f984cd129bf89581449e78b040e79272955

Download Submit
C:\Users\Admin\Music\Pt7UH_readme_.txt

Filesize
3KB

MD5
197e62d51476f7a4c1e03432309f37ca

SHA1
de8272e9773c1316f6449fc4adb27a17924eaa4b

SHA256
83a59b21ab5e9ce715233b40d695d12925a1d480af728841f003bc13a936bfdf

SHA512
871e6c3d564063fad384bf6032691fc1b1fcd6f50567bcba1516e5c883c02eca1401bc70e849a819441177f60b9e969505bcf040d074b07430dc7de4ed7c1b61

Download Submit