Analysis
-
max time kernel
75s -
max time network
112s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
01-09-2020 13:28
General
-
Target
Avaddon Ransomware.exe
-
Size
719KB
-
MD5
275e4a63fc63c995b3e0d464919f211b
-
SHA1
51d85210c2f621ca14d92a8375ee24d62f9d7f44
-
SHA256
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
-
SHA512
1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\LwZt1_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .adDAaaDeCc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LUpaRjQ3NTRpcFQ2MTVRTDZNWFZQV3J5MHdoVmVLdXVkdXBGTEYxT2w2N1lIeUgzRkhKUDZjWEVuOUZIaXl4clF1dGY3NEVmUndaR3JYa3lpNS90NXpVL3lqakFWbzRrRlc3OEs1YkZwYmNxREFBS0xXcHdaY2xIdnhpdzE4RjRyQzJNQVl4WW1naEhjU0RLYXZsOWR1aWE4VmhXREZoQnFYUk50bERoNGpXUThsaHFLYW9DRXA2WUxlL2RFUDlpcWlUV2VWbVRmRERtc2dhQm9YdVJYemNLZUpIbUxEQnlUcTgzRkFNWmVEUXFiMDVQVzAyMVNyQVV6MmJnNldBQThZNzB1MlBrWFhOWEVlMTg0b1AybExRYXMxN3c4enlGTXRCSzZhRmVJV05pcUhuandjYTFjTXJTL2Y2STdIN0UzelpjWU5HeHN3ODlyS2hrY0M0MklENWswV2xhTUNockRBeXBQNTVXNmRnNDlraWdJYnpGckI2Zmh0a3lubEVBZXR1TTZDN2MvczdBazZOSXdqbFNZMGdnV3RzQ2RzbTVIQkRIbmMzUXptUWhHU2E3TUNGczRHT1h4WUtzZEp2SVc0ellRdGF2N0pCMnExTEczTXo5VXlVRTdmTzJJaExNNzM1NHl1cmlYNVA2M3JFdXYzcWxLa09iQ043WGsxTnVJZEtFYVZFRTM2MEF0Vy85Ymd1UG1WblY2TEtKQm9kNW1VUlkyem1iVXRBbmI0b2NURkRqSU5Cd0d5UEFzZXhPZXZ3NHNuTXFmZWx2Rm5uQ0M4dEViQkFpeUxGUFNsLzNvOTlyZ2pSK1d3KzhQSXFKUWRLSWF3YnQ3WkZDckJkd1dxUkF3K0dMb0VRcmk4YUpORHN2amwxU2k5azhxR3pucDdVRUt6WjNOYy8zWGFpdzRZZzhXZndoMHp4OFFkQlNFUFh4OTVTalVPYW13NWQweEdoblI4RndxdkdMNFFnaVhtdVJ0VDFvbEFVQmgwNG5NMVMwR2l6K1loY1B1blJGYnFEcjZkQmFMUzlITG85ZHhoR1JjUTZhV1JBV3lERFFuWjU3UDlkMDFyUGdONm1nZUFPQ1BHVDRaT1RXSHVxa2FpUWZDUFVxL2liRy90eDh1OTkzbGEzcEdJV1JhbDZMWkxKMTdSeDdXenRFQXVmLzUzVGxHZHJvcEQ2U1ZGdlVkRCt5NUtmd2h2YXovMzQ1RThxc0E3S1RSV1BsV09aT01QRk9HNVZMeldrWG9veHNoYjVWQ25WS29jalZWUjN0cXdPUzYrL1hsRC90Qndja25NTi81ZlhlRzhPZVplRzJ5a0VnUzhJT21nUUthd2RFbndzQmVieWpqMlRWeGIxNThueTB0THhJWkIyWk16NHdIN1JvbU96N0p2K2RmVUs0OStzOVNSdStjMDUyOVdaOEk0UjdkcHdEN3ZOOGJDK05jMmJJdnQ4V3hDWEh4Q2RraTh2V0dka3huUEZhUmtadmRwNXBVa09RRGlscVIrMkxiQmd3UVcyLzNKbzVjaGRxc0V0VlVmWE80VVpteE52ZEltdGpVRDF6bXpIUlVSQ2dueHMxYnExanIydCsxRnZNT0dEUjhyeFkyb1hKM1NZWnNpT0JRbWUxQVFZdjl5UjNldTg0MWNhSm41ZzFkWW1xdHJ0UmVJZ0Y4QmtaOUpITzFGNDBLL1lGTEFQYWwzN2x6UE11V0pzTVAwc09MNFhGMWl0djZmZUZWbjVmblJSVnhldUEzNHdyK2RMQmxVLzRkcW5rOVYxMy92cHA2M3o2SFZudERodzN2ZkhwUndqUW1KL3hqN3lZa1dFam82VHQ2TnpIdHU1Q3ZUTHVPTkZMWnFoY3hqSXBUbWZnbkZiTDllaWxKdEM2RFluekJMMGtuNExQc1NaQkZtTEdlcm1jYzlNOXdHOVNWbkQrQXUrNjNsb2xKRzQvT0tXc3BGMHRrQWFiTjVwK0VXWnlKRndJemlna0RkRm5UZml0WTlrTVhqYmtBNGc3cmEvRFhoamkwSEQ5QmE1MENCbmFtWHFzYzNmT1QxMFBFMFhzTUVSdGRCVnE3WkRSNmw3VXc1aDZBWVFvc3EyMW12YTQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
725ghpBBgBvRDsc
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\LwZt1_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .adDAaaDeCc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LUpaRjQ3NTRpcFQ2MTVRTDZNWFZQV3J5MHdoVmVLdXVkdXBGTEYxT2w2N1lIeUgzRkhKUDZjWEVuOUZIaXl4clF1dGY3NEVmUndaR3JYa3lpNS90NXpVL3lqakFWbzRrRlc3OEs1YkZwYmNxREFBS0xXcHdaY2xIdnhpdzE4RjRyQzJNQVl4WW1naEhjU0RLYXZsOWR1aWE4VmhXREZoQnFYUk50bERoNGpXUThsaHFLYW9DRXA2WUxlL2RFUDlpcWlUV2VWbVRmRERtc2dhQm9YdVJYemNLZUpIbUxEQnlUcTgzRkFNWmVEUXFiMDVQVzAyMVNyQVV6MmJnNldBQThZNzB1MlBrWFhOWEVlMTg0b1AybExRYXMxN3c4enlGTXRCSzZhRmVJV05pcUhuandjYTFjTXJTL2Y2STdIN0UzelpjWU5HeHN3ODlyS2hrY0M0MklENWswV2xhTUNockRBeXBQNTVXNmRnNDlraWdJYnpGckI2Zmh0a3lubEVBZXR1TTZDN2MvczdBazZOSXdqbFNZMGdnV3RzQ2RzbTVIQkRIbmMzUXptUWhHU2E3TUNGczRHT1h4WUtzZEp2SVc0ellRdGF2N0pCMnExTEczTXo5VXlVRTdmTzJJaExNNzM1NHl1cmlYNVA2M3JFdXYzcWxLa09iQ043WGsxTnVJZEtFYVZFRTM2MEF0Vy85Ymd1UG1WblY2TEtKQm9kNW1VUlkyem1iVXRBbmI0b2NURkRqSU5Cd0d5UEFzZXhPZXZ3NHNuTXFmZWx2Rm5uQ0M4dEViQkFpeUxGUFNsLzNvOTlyZ2pSK1d3KzhQSXFKUWRLSWF3YnQ3WkZDckJkd1dxUkF3K0dMb0VRcmk4YUpORHN2amwxU2k5azhxR3pucDdVRUt6WjNOYy8zWGFpdzRZZzhXZndoMHp4OFFkQlNFUFh4OTVTalVPYW13NWQweEdoblI4RndxdkdMNFFnaVhtdVJ0VDFvbEFVQmgwNG5NMVMwR2l6K1loY1B1blJGYnFEcjZkQmFMUzlITG85ZHhoR1JjUTZhV1JBV3lERFFuWjU3UDlkMDFyUGdONm1nZUFPQ1BHVDRaT1RXSHVxa2FpUWZDUFVxL2liRy90eDh1OTkzbGEzcEdJV1JhbDZMWkxKMTdSeDdXenRFQXVmLzUzVGxHZHJvcEQ2U1ZGdlVkRCt5NUtmd2h2YXovMzQ1RThxc0E3S1RSV1BsV09aT01QRk9HNVZMeldrWG9veHNoYjVWQ25WS29jalZWUjN0cXdPUzYrL1hsRC90Qndja25NTi81ZlhlRzhPZVplRzJ5a0VnUzhJT21nUUthd2RFbndzQmVieWpqMlRWeGIxNThueTB0THhJWkIyWk16NHdIN1JvbU96N0p2K2RmVUs0OStzOVNSdStjMDUyOVdaOEk0UjdkcHdEN3ZOOGJDK05jMmJJdnQ4V3hDWEh4Q2RraTh2V0dka3huUEZhUmtadmRwNXBVa09RRGlscVIrMkxiQmd3UVcyLzNKbzVjaGRxc0V0VlVmWE80VVpteE52ZEltdGpVRDF6bXpIUlVSQ2dueHMxYnExanIydCsxRnZNT0dEUjhyeFkyb1hKM1NZWnNpT0JRbWUxQVFZdjl5UjNldTg0MWNhSm41ZzFkWW1xdHJ0UmVJZ0Y4QmtaOUpITzFGNDBLL1lGTEFQYWwzN2x6UE11V0pzTVAwc09MNFhGMWl0djZmZUZWbjVmblJSVnhldUEzNHdyK2RMQmxVLzRkcW5rOVYxMy92cHA2M3o2SFZudERodzN2ZkhwUndqUW1KL3hqN3lZa1dFam82VHQ2TnpIdHU1Q3ZUTHVPTkZMWnFoY3hqSXBUbWZnbkZiTDllaWxKdEM2RFluekJMMGtuNExQc1NaQkZtTEdlcm1jYzlNOXdHOVNWbkQrQXUrNjNsb2xKRzQvT0tXc3BGMHRrQWFiTjVwK0VXWnlKRndJemlna0RkRm5UZml0WTlrTVhqYmtBNGc3cmEvRFhoamkwSEQ5QmE1MENCbmFtWHFzYzNmT1QxMFBFMFhzTUVSdGRCVnE3WkRSNmw3VXc1aDZBWVFvc3EyMW12YTQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
TfC321yU2nd0ZIGZBhU
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Pictures\LwZt1_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .adDAaaDeCc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LUpaRjQ3NTRpcFQ2MTVRTDZNWFZQV3J5MHdoVmVLdXVkdXBGTEYxT2w2N1lIeUgzRkhKUDZjWEVuOUZIaXl4clF1dGY3NEVmUndaR3JYa3lpNS90NXpVL3lqakFWbzRrRlc3OEs1YkZwYmNxREFBS0xXcHdaY2xIdnhpdzE4RjRyQzJNQVl4WW1naEhjU0RLYXZsOWR1aWE4VmhXREZoQnFYUk50bERoNGpXUThsaHFLYW9DRXA2WUxlL2RFUDlpcWlUV2VWbVRmRERtc2dhQm9YdVJYemNLZUpIbUxEQnlUcTgzRkFNWmVEUXFiMDVQVzAyMVNyQVV6MmJnNldBQThZNzB1MlBrWFhOWEVlMTg0b1AybExRYXMxN3c4enlGTXRCSzZhRmVJV05pcUhuandjYTFjTXJTL2Y2STdIN0UzelpjWU5HeHN3ODlyS2hrY0M0MklENWswV2xhTUNockRBeXBQNTVXNmRnNDlraWdJYnpGckI2Zmh0a3lubEVBZXR1TTZDN2MvczdBazZOSXdqbFNZMGdnV3RzQ2RzbTVIQkRIbmMzUXptUWhHU2E3TUNGczRHT1h4WUtzZEp2SVc0ellRdGF2N0pCMnExTEczTXo5VXlVRTdmTzJJaExNNzM1NHl1cmlYNVA2M3JFdXYzcWxLa09iQ043WGsxTnVJZEtFYVZFRTM2MEF0Vy85Ymd1UG1WblY2TEtKQm9kNW1VUlkyem1iVXRBbmI0b2NURkRqSU5Cd0d5UEFzZXhPZXZ3NHNuTXFmZWx2Rm5uQ0M4dEViQkFpeUxGUFNsLzNvOTlyZ2pSK1d3KzhQSXFKUWRLSWF3YnQ3WkZDckJkd1dxUkF3K0dMb0VRcmk4YUpORHN2amwxU2k5azhxR3pucDdVRUt6WjNOYy8zWGFpdzRZZzhXZndoMHp4OFFkQlNFUFh4OTVTalVPYW13NWQweEdoblI4RndxdkdMNFFnaVhtdVJ0VDFvbEFVQmgwNG5NMVMwR2l6K1loY1B1blJGYnFEcjZkQmFMUzlITG85ZHhoR1JjUTZhV1JBV3lERFFuWjU3UDlkMDFyUGdONm1nZUFPQ1BHVDRaT1RXSHVxa2FpUWZDUFVxL2liRy90eDh1OTkzbGEzcEdJV1JhbDZMWkxKMTdSeDdXenRFQXVmLzUzVGxHZHJvcEQ2U1ZGdlVkRCt5NUtmd2h2YXovMzQ1RThxc0E3S1RSV1BsV09aT01QRk9HNVZMeldrWG9veHNoYjVWQ25WS29jalZWUjN0cXdPUzYrL1hsRC90Qndja25NTi81ZlhlRzhPZVplRzJ5a0VnUzhJT21nUUthd2RFbndzQmVieWpqMlRWeGIxNThueTB0THhJWkIyWk16NHdIN1JvbU96N0p2K2RmVUs0OStzOVNSdStjMDUyOVdaOEk0UjdkcHdEN3ZOOGJDK05jMmJJdnQ4V3hDWEh4Q2RraTh2V0dka3huUEZhUmtadmRwNXBVa09RRGlscVIrMkxiQmd3UVcyLzNKbzVjaGRxc0V0VlVmWE80VVpteE52ZEltdGpVRDF6bXpIUlVSQ2dueHMxYnExanIydCsxRnZNT0dEUjhyeFkyb1hKM1NZWnNpT0JRbWUxQVFZdjl5UjNldTg0MWNhSm41ZzFkWW1xdHJ0UmVJZ0Y4QmtaOUpITzFGNDBLL1lGTEFQYWwzN2x6UE11V0pzTVAwc09MNFhGMWl0djZmZUZWbjVmblJSVnhldUEzNHdyK2RMQmxVLzRkcW5rOVYxMy92cHA2M3o2SFZudERodzN2ZkhwUndqUW1KL3hqN3lZa1dFam82VHQ2TnpIdHU1Q3ZUTHVPTkZMWnFoY3hqSXBUbWZnbkZiTDllaWxKdEM2RFluekJMMGtuNExQc1NaQkZtTEdlcm1jYzlNOXdHOVNWbkQrQXUrNjNsb2xKRzQvT0tXc3BGMHRrQWFiTjVwK0VXWnlKRndJemlna0RkRm5UZml0WTlrTVhqYmtBNGc3cmEvRFhoamkwSEQ5QmE1MENCbmFtWHFzYzNmT1QxMFBFMFhzTUVSdGRCVnE3WkRSNmw3VXc1aDZBWVFvc3EyMW12YTQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
pnoPqDGIsPL5SiObqDPk09
URLs
http://avaddonbotrxmuyl.onion
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs
-
Modifies service 2 TTPs 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 614 IoCs
-
Suspicious use of AdjustPrivilegeToken 68 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Avaddon Ransomware.exe"C:\Users\Admin\AppData\Local\Temp\Avaddon Ransomware.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken