Static

static

10

Avaddon Ra...re.exe

windows7_x64

10

Avaddon Ra...re.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    01-09-2020 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Avaddon Ransomware.exe

  • Size

    719KB

  • MD5

    275e4a63fc63c995b3e0d464919f211b

  • SHA1

    51d85210c2f621ca14d92a8375ee24d62f9d7f44

  • SHA256

    cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46

  • SHA512

    1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac

Score
10/10
ransomwarepersistenceevasiontrojan

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\BOIxz_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bcbDBdACDc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- NTc2LUltcDVsVFZYOW9hZ2xFU0JXY0xWU2dlRDNNTVRCVTlxUjFYUjcvNXFDNUtIOEszV1Z0OGRRVWVndnhacGVaZGp5aFdBMTFUZndYYUUwQWM3dnZrZjhoUkkraW4ySnRCN09EWVJ6MHYrRDBLTGp5VjZhOWxxOXZMZ2g1VEtOUWdaZTF0UnptUUFaTjA1TUcrWnhvc0szdzhkQUo4T2JuTWhUNlIrbXZqRVd6aVZBMVlsV1BLQzhqTTJ5SjVlcUd5QWRTU1hsMHJUQlJSUXZPYXJ5UjBqWFR4YUQrSW1TWU1tRjJZZHM1eTZmeCsrRmRsbjhFcWRoV0I0OTE2ZDl1MlpUbjUvV1JQQjA5UE1mNzdlYUc3TFQvQ1NIZjFxdjJ6dk9MRnN6WHdYK1B5MTl1MkI1ZjMrMnR5Z2dwaDJZb2U2RTRxUk1VbGxaakZmdXlZdUNtYTBacUhOUno3R01QRzJIRXJzZWw5NC9iemk0NWtHU0wzTG05Mit4RXNFaFg3SVNnQllHTng3OC91VzEwZlgrRHg1d2NFVmtJWHl4SnZXZnJyaHJmUlBzMHQ4MUdkRG05cG00dUVUdmVXRTFtVlUvQmpiVHRRM083T3J4WUxtVUQybVl0c0hRaDJaWTBobGRJOCszTFQyUVNtTkRyL1VrUUcwYjNTMUVscFYxb3RTT2F4aWJXYXBNK2JIbXgxWXpUdk4vZmZYOTRMc3dkcGVLZk01bDN4eEd5OFRYRGZucVNsdFZLdk55T0l2c3M3UHlwQ3lEcFRqL21SaVlSWndmM1BGNC9LMFowMTFxbmZQbEN5OURmSm1JNkFCVkpJUlJVNkp6UFh4RmxtV0poYXRaeEhBUE1LNkdReGV5cWV0YUIyQkdDbXZ3SC9CbFVtRDB1bHV1OWRnOHdHUnVDaS9mRW9hcmhBQ0l6eDhnRFpkdnA2STFkd1RqY1ZLZ2p0dzl5THRhVEU5UU5BRGJFZnRvTlFxYkw3ZVQrL002VFdkYndkcTJlSStaTjNYdHE2Tjlvd0hOYmlrbzFXT3pBbjNHM3JKTkp1UU1zcTl1aml5OXpyODBjSjlHc1VOU0pNZ0JwbHhCYXc5NXlaR2I0UGs1dVp1biszVC9Cd0ZKWklidmxYWHpSTHpHekdERU53S2x3YzhFa2Y5eGtBVGxybDAxTDlCczFKRlpVcUVOdkpkQkdvdUMzUnFTTUJxem1yMlhFbEJUdzY1NkJxemlGZTJlV2NlRDVPYlBrOFNxMkVJa0EwRExnUWdwQ2h6TTQwKzZSdGhJV0VQL25DODlKUFZvemJXTnR1T085bkxmL1U0RjZFbEpIS01RQ1pTK2VmckNRL1hNQ0dVTVVmcWZIcHVWcmpxQVpqZ3FuVEo5dWFBdFp5K2xCUmZiaTlNWFVJSXM3OXQzTkNsNUFEQys5cnhPR25GS3JFS2dCMVBwVnFzM2tPN2RyWUFrSlcrYnpwWFBiQTZETzlYOCsrNVFyQnU5TDNWWU93aUZsSG1TWFZlaldpUmpQT2VGRTk3OWs0NTZsZ1hlQjUzcXdBL29taWV3S1VWZHM3aHJ4bkNsT2dpVEhpOHZGSUtXSnpNV3FuT29pZU50R1ZCeGZuclp4VFE2VlFSZFN6a3M1WDg5YnRsSEI2MVVHMzFSQ0tPcnFrSzhVTnpKME1mY2tUaW0xbGxDb2VqSE1OZXF2YkZUekNpbGcrSmRLKzdtczNPZVhueVhpRXFaOS9qL3I2M0lGNjZONGs2L1ZBZGNxODN0dXN5WFFhRDk3KytZVVdvK1VYNlV0ZmZkazRJSzR0M2dpaVlVZ25DdFdIbTU1QVdjSG5oaXVsdndxajQ0S1R5QkxIUzBKODJmUkRsY1RpdzhXa1E4L29uUzdXRnYxbmVXbFJaMTY3V2RHZklheklyN0tKYUVOV24wU0dhSWNOTHZMS1VhRW5nK0F1T1A5dFhrTi9zS0hVWGdDTWc0cjU5NS9hZUw2V1lUMjQ4NS96bk9mYXlmeXZwVnpCUFhUbTNVTjJWS0dHeDUvOHpMbzFPeTAyQ0QxV29LMmN3R25XeTd0akx2ZlNhSFg3QjBpTnQwUTM0aFFTa0lReDVIa0k9 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * u81gfw9cvjDccP7v8yAtpxcUokVp0r
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\BOIxz_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bcbDBdACDc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- NTc2LUltcDVsVFZYOW9hZ2xFU0JXY0xWU2dlRDNNTVRCVTlxUjFYUjcvNXFDNUtIOEszV1Z0OGRRVWVndnhacGVaZGp5aFdBMTFUZndYYUUwQWM3dnZrZjhoUkkraW4ySnRCN09EWVJ6MHYrRDBLTGp5VjZhOWxxOXZMZ2g1VEtOUWdaZTF0UnptUUFaTjA1TUcrWnhvc0szdzhkQUo4T2JuTWhUNlIrbXZqRVd6aVZBMVlsV1BLQzhqTTJ5SjVlcUd5QWRTU1hsMHJUQlJSUXZPYXJ5UjBqWFR4YUQrSW1TWU1tRjJZZHM1eTZmeCsrRmRsbjhFcWRoV0I0OTE2ZDl1MlpUbjUvV1JQQjA5UE1mNzdlYUc3TFQvQ1NIZjFxdjJ6dk9MRnN6WHdYK1B5MTl1MkI1ZjMrMnR5Z2dwaDJZb2U2RTRxUk1VbGxaakZmdXlZdUNtYTBacUhOUno3R01QRzJIRXJzZWw5NC9iemk0NWtHU0wzTG05Mit4RXNFaFg3SVNnQllHTng3OC91VzEwZlgrRHg1d2NFVmtJWHl4SnZXZnJyaHJmUlBzMHQ4MUdkRG05cG00dUVUdmVXRTFtVlUvQmpiVHRRM083T3J4WUxtVUQybVl0c0hRaDJaWTBobGRJOCszTFQyUVNtTkRyL1VrUUcwYjNTMUVscFYxb3RTT2F4aWJXYXBNK2JIbXgxWXpUdk4vZmZYOTRMc3dkcGVLZk01bDN4eEd5OFRYRGZucVNsdFZLdk55T0l2c3M3UHlwQ3lEcFRqL21SaVlSWndmM1BGNC9LMFowMTFxbmZQbEN5OURmSm1JNkFCVkpJUlJVNkp6UFh4RmxtV0poYXRaeEhBUE1LNkdReGV5cWV0YUIyQkdDbXZ3SC9CbFVtRDB1bHV1OWRnOHdHUnVDaS9mRW9hcmhBQ0l6eDhnRFpkdnA2STFkd1RqY1ZLZ2p0dzl5THRhVEU5UU5BRGJFZnRvTlFxYkw3ZVQrL002VFdkYndkcTJlSStaTjNYdHE2Tjlvd0hOYmlrbzFXT3pBbjNHM3JKTkp1UU1zcTl1aml5OXpyODBjSjlHc1VOU0pNZ0JwbHhCYXc5NXlaR2I0UGs1dVp1biszVC9Cd0ZKWklidmxYWHpSTHpHekdERU53S2x3YzhFa2Y5eGtBVGxybDAxTDlCczFKRlpVcUVOdkpkQkdvdUMzUnFTTUJxem1yMlhFbEJUdzY1NkJxemlGZTJlV2NlRDVPYlBrOFNxMkVJa0EwRExnUWdwQ2h6TTQwKzZSdGhJV0VQL25DODlKUFZvemJXTnR1T085bkxmL1U0RjZFbEpIS01RQ1pTK2VmckNRL1hNQ0dVTVVmcWZIcHVWcmpxQVpqZ3FuVEo5dWFBdFp5K2xCUmZiaTlNWFVJSXM3OXQzTkNsNUFEQys5cnhPR25GS3JFS2dCMVBwVnFzM2tPN2RyWUFrSlcrYnpwWFBiQTZETzlYOCsrNVFyQnU5TDNWWU93aUZsSG1TWFZlaldpUmpQT2VGRTk3OWs0NTZsZ1hlQjUzcXdBL29taWV3S1VWZHM3aHJ4bkNsT2dpVEhpOHZGSUtXSnpNV3FuT29pZU50R1ZCeGZuclp4VFE2VlFSZFN6a3M1WDg5YnRsSEI2MVVHMzFSQ0tPcnFrSzhVTnpKME1mY2tUaW0xbGxDb2VqSE1OZXF2YkZUekNpbGcrSmRLKzdtczNPZVhueVhpRXFaOS9qL3I2M0lGNjZONGs2L1ZBZGNxODN0dXN5WFFhRDk3KytZVVdvK1VYNlV0ZmZkazRJSzR0M2dpaVlVZ25DdFdIbTU1QVdjSG5oaXVsdndxajQ0S1R5QkxIUzBKODJmUkRsY1RpdzhXa1E4L29uUzdXRnYxbmVXbFJaMTY3V2RHZklheklyN0tKYUVOV24wU0dhSWNOTHZMS1VhRW5nK0F1T1A5dFhrTi9zS0hVWGdDTWc0cjU5NS9hZUw2V1lUMjQ4NS96bk9mYXlmeXZwVnpCUFhUbTNVTjJWS0dHeDUvOHpMbzFPeTAyQ0QxV29LMmN3R25XeTd0akx2ZlNhSFg3QjBpTnQwUTM0aFFTa0lReDVIa0k9 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * l
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\BOIxz_readme_.txt

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bcbDBdACDc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- NTc2LUltcDVsVFZYOW9hZ2xFU0JXY0xWU2dlRDNNTVRCVTlxUjFYUjcvNXFDNUtIOEszV1Z0OGRRVWVndnhacGVaZGp5aFdBMTFUZndYYUUwQWM3dnZrZjhoUkkraW4ySnRCN09EWVJ6MHYrRDBLTGp5VjZhOWxxOXZMZ2g1VEtOUWdaZTF0UnptUUFaTjA1TUcrWnhvc0szdzhkQUo4T2JuTWhUNlIrbXZqRVd6aVZBMVlsV1BLQzhqTTJ5SjVlcUd5QWRTU1hsMHJUQlJSUXZPYXJ5UjBqWFR4YUQrSW1TWU1tRjJZZHM1eTZmeCsrRmRsbjhFcWRoV0I0OTE2ZDl1MlpUbjUvV1JQQjA5UE1mNzdlYUc3TFQvQ1NIZjFxdjJ6dk9MRnN6WHdYK1B5MTl1MkI1ZjMrMnR5Z2dwaDJZb2U2RTRxUk1VbGxaakZmdXlZdUNtYTBacUhOUno3R01QRzJIRXJzZWw5NC9iemk0NWtHU0wzTG05Mit4RXNFaFg3SVNnQllHTng3OC91VzEwZlgrRHg1d2NFVmtJWHl4SnZXZnJyaHJmUlBzMHQ4MUdkRG05cG00dUVUdmVXRTFtVlUvQmpiVHRRM083T3J4WUxtVUQybVl0c0hRaDJaWTBobGRJOCszTFQyUVNtTkRyL1VrUUcwYjNTMUVscFYxb3RTT2F4aWJXYXBNK2JIbXgxWXpUdk4vZmZYOTRMc3dkcGVLZk01bDN4eEd5OFRYRGZucVNsdFZLdk55T0l2c3M3UHlwQ3lEcFRqL21SaVlSWndmM1BGNC9LMFowMTFxbmZQbEN5OURmSm1JNkFCVkpJUlJVNkp6UFh4RmxtV0poYXRaeEhBUE1LNkdReGV5cWV0YUIyQkdDbXZ3SC9CbFVtRDB1bHV1OWRnOHdHUnVDaS9mRW9hcmhBQ0l6eDhnRFpkdnA2STFkd1RqY1ZLZ2p0dzl5THRhVEU5UU5BRGJFZnRvTlFxYkw3ZVQrL002VFdkYndkcTJlSStaTjNYdHE2Tjlvd0hOYmlrbzFXT3pBbjNHM3JKTkp1UU1zcTl1aml5OXpyODBjSjlHc1VOU0pNZ0JwbHhCYXc5NXlaR2I0UGs1dVp1biszVC9Cd0ZKWklidmxYWHpSTHpHekdERU53S2x3YzhFa2Y5eGtBVGxybDAxTDlCczFKRlpVcUVOdkpkQkdvdUMzUnFTTUJxem1yMlhFbEJUdzY1NkJxemlGZTJlV2NlRDVPYlBrOFNxMkVJa0EwRExnUWdwQ2h6TTQwKzZSdGhJV0VQL25DODlKUFZvemJXTnR1T085bkxmL1U0RjZFbEpIS01RQ1pTK2VmckNRL1hNQ0dVTVVmcWZIcHVWcmpxQVpqZ3FuVEo5dWFBdFp5K2xCUmZiaTlNWFVJSXM3OXQzTkNsNUFEQys5cnhPR25GS3JFS2dCMVBwVnFzM2tPN2RyWUFrSlcrYnpwWFBiQTZETzlYOCsrNVFyQnU5TDNWWU93aUZsSG1TWFZlaldpUmpQT2VGRTk3OWs0NTZsZ1hlQjUzcXdBL29taWV3S1VWZHM3aHJ4bkNsT2dpVEhpOHZGSUtXSnpNV3FuT29pZU50R1ZCeGZuclp4VFE2VlFSZFN6a3M1WDg5YnRsSEI2MVVHMzFSQ0tPcnFrSzhVTnpKME1mY2tUaW0xbGxDb2VqSE1OZXF2YkZUekNpbGcrSmRLKzdtczNPZVhueVhpRXFaOS9qL3I2M0lGNjZONGs2L1ZBZGNxODN0dXN5WFFhRDk3KytZVVdvK1VYNlV0ZmZkazRJSzR0M2dpaVlVZ25DdFdIbTU1QVdjSG5oaXVsdndxajQ0S1R5QkxIUzBKODJmUkRsY1RpdzhXa1E4L29uUzdXRnYxbmVXbFJaMTY3V2RHZklheklyN0tKYUVOV24wU0dhSWNOTHZMS1VhRW5nK0F1T1A5dFhrTi9zS0hVWGdDTWc0cjU5NS9hZUw2V1lUMjQ4NS96bk9mYXlmeXZwVnpCUFhUbTNVTjJWS0dHeDUvOHpMbzFPeTAyQ0QxV29LMmN3R25XeTd0akx2ZlNhSFg3QjBpTnQwUTM0aFFTa0lReDVIa0k9 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 7tDtK
URLs

http://avaddonbotrxmuyl.onion

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 739 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Avaddon Ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\Avaddon Ransomware.exe"
    1⤵
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1344
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1704
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1820
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1892
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2004
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:108
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

File Deletion

2
T1107

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/108-4-0x0000000000000000-mapping.dmp
    Download
  • memory/512-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1704-0-0x0000000000000000-mapping.dmp
    Download
  • memory/1820-1-0x0000000000000000-mapping.dmp
    Download
  • memory/1892-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-3-0x0000000000000000-mapping.dmp
    Download