Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2024, 13:07
Behavioral task
behavioral1
Sample
2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Resource
win10v2004-20241007-en
General
-
Target
2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
-
Size
758KB
-
MD5
37576c3c5af9c1bad5ff73229a77d1f6
-
SHA1
965256f9a4920e6ecd224a14cdae296f4f34f88b
-
SHA256
2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312
-
SHA512
c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9
-
SSDEEP
12288:s1vm9KObJ8AUczIEHySmv+QaxwQPATjcM+OEAW7Z5S3gRmhLI4c7uQ+oqUfTMZ0p:NdJTcUW+QaxwQPATjcM+FAK/dRmh0h9v
Malware Config
Extracted
C:\Users\Admin\Documents\Pt7UH_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\Pt7UH_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon family
-
Avaddon payload 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023c5f-530.dat family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3020 1324 wmic.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 1324 wmic.exe 85 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4816 1324 wmic.exe 85 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 2976 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\O: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\Y: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\F: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\A: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\G: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\M: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\I: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\R: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\S: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\U: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\V: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\W: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\X: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\Z: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\E: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\H: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\K: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\P: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\Q: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\T: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\B: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\J: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe File opened (read-only) \??\L: 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2620 wmic.exe Token: SeSecurityPrivilege 2620 wmic.exe Token: SeTakeOwnershipPrivilege 2620 wmic.exe Token: SeLoadDriverPrivilege 2620 wmic.exe Token: SeSystemProfilePrivilege 2620 wmic.exe Token: SeSystemtimePrivilege 2620 wmic.exe Token: SeProfSingleProcessPrivilege 2620 wmic.exe Token: SeIncBasePriorityPrivilege 2620 wmic.exe Token: SeCreatePagefilePrivilege 2620 wmic.exe Token: SeBackupPrivilege 2620 wmic.exe Token: SeRestorePrivilege 2620 wmic.exe Token: SeShutdownPrivilege 2620 wmic.exe Token: SeDebugPrivilege 2620 wmic.exe Token: SeSystemEnvironmentPrivilege 2620 wmic.exe Token: SeRemoteShutdownPrivilege 2620 wmic.exe Token: SeUndockPrivilege 2620 wmic.exe Token: SeManageVolumePrivilege 2620 wmic.exe Token: 33 2620 wmic.exe Token: 34 2620 wmic.exe Token: 35 2620 wmic.exe Token: 36 2620 wmic.exe Token: SeIncreaseQuotaPrivilege 3020 wmic.exe Token: SeSecurityPrivilege 3020 wmic.exe Token: SeTakeOwnershipPrivilege 3020 wmic.exe Token: SeLoadDriverPrivilege 3020 wmic.exe Token: SeSystemProfilePrivilege 3020 wmic.exe Token: SeSystemtimePrivilege 3020 wmic.exe Token: SeProfSingleProcessPrivilege 3020 wmic.exe Token: SeIncBasePriorityPrivilege 3020 wmic.exe Token: SeCreatePagefilePrivilege 3020 wmic.exe Token: SeBackupPrivilege 3020 wmic.exe Token: SeRestorePrivilege 3020 wmic.exe Token: SeShutdownPrivilege 3020 wmic.exe Token: SeDebugPrivilege 3020 wmic.exe Token: SeSystemEnvironmentPrivilege 3020 wmic.exe Token: SeRemoteShutdownPrivilege 3020 wmic.exe Token: SeUndockPrivilege 3020 wmic.exe Token: SeManageVolumePrivilege 3020 wmic.exe Token: 33 3020 wmic.exe Token: 34 3020 wmic.exe Token: 35 3020 wmic.exe Token: 36 3020 wmic.exe Token: SeIncreaseQuotaPrivilege 4816 wmic.exe Token: SeSecurityPrivilege 4816 wmic.exe Token: SeTakeOwnershipPrivilege 4816 wmic.exe Token: SeLoadDriverPrivilege 4816 wmic.exe Token: SeSystemProfilePrivilege 4816 wmic.exe Token: SeSystemtimePrivilege 4816 wmic.exe Token: SeProfSingleProcessPrivilege 4816 wmic.exe Token: SeIncBasePriorityPrivilege 4816 wmic.exe Token: SeCreatePagefilePrivilege 4816 wmic.exe Token: SeBackupPrivilege 4816 wmic.exe Token: SeRestorePrivilege 4816 wmic.exe Token: SeShutdownPrivilege 4816 wmic.exe Token: SeDebugPrivilege 4816 wmic.exe Token: SeSystemEnvironmentPrivilege 4816 wmic.exe Token: SeRemoteShutdownPrivilege 4816 wmic.exe Token: SeUndockPrivilege 4816 wmic.exe Token: SeManageVolumePrivilege 4816 wmic.exe Token: 33 4816 wmic.exe Token: 34 4816 wmic.exe Token: 35 4816 wmic.exe Token: 36 4816 wmic.exe Token: SeIncreaseQuotaPrivilege 4912 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4108 wrote to memory of 4912 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 92 PID 4108 wrote to memory of 4912 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 92 PID 4108 wrote to memory of 4912 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 92 PID 4108 wrote to memory of 3984 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 97 PID 4108 wrote to memory of 3984 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 97 PID 4108 wrote to memory of 3984 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 97 PID 4108 wrote to memory of 3948 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 99 PID 4108 wrote to memory of 3948 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 99 PID 4108 wrote to memory of 3948 4108 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe 99 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe"C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4108 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4912
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
PID:3984
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- System Location Discovery: System Language Discovery
PID:3948
-
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1876
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
Filesize758KB
MD537576c3c5af9c1bad5ff73229a77d1f6
SHA1965256f9a4920e6ecd224a14cdae296f4f34f88b
SHA2562a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312
SHA512c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9
-
Filesize
3KB
MD5357b66f39316dde427dc7695fafb6c23
SHA16f729180969335957b35754eb64a306cf22fbb23
SHA256b4b36e32579eb112ff82585d8ef637da237219979c5d71152fc122ffc947af19
SHA5124fbfd423ed4494dbbac7f860a53fe7cfa22ba328dd11b47de36e6c151666a866d460223c897b2a981af2049110b01f984cd129bf89581449e78b040e79272955
-
Filesize
3KB
MD5197e62d51476f7a4c1e03432309f37ca
SHA1de8272e9773c1316f6449fc4adb27a17924eaa4b
SHA25683a59b21ab5e9ce715233b40d695d12925a1d480af728841f003bc13a936bfdf
SHA512871e6c3d564063fad384bf6032691fc1b1fcd6f50567bcba1516e5c883c02eca1401bc70e849a819441177f60b9e969505bcf040d074b07430dc7de4ed7c1b61