General
-
Target
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4
-
Size
758KB
-
Sample
210113-y3e87wa59e
-
MD5
3a6551daf5dab06e71c14026ee84fd03
-
SHA1
cbb6763f76a926c2a0721664977fdbc6f205fff5
-
SHA256
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4
-
SHA512
f092f2b791c6bf4d6817c5d325a1302a95da5336884fd91422aa446b8c918af439eee209009a18d36d81edee07b28055eae730efa834c9def40aef31bdc586a7
Static task
static1
Behavioral task
behavioral1
Sample
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4.exe
Resource
win10v20201028
Malware Config
Extracted
C:\Users\Admin\Contacts\KhVy1_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\KhVy1_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\Links\KhVy1_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Public\Pictures\Sample Pictures\KhVy1_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\mWHhV_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\mWHhV_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4
-
Size
758KB
-
MD5
3a6551daf5dab06e71c14026ee84fd03
-
SHA1
cbb6763f76a926c2a0721664977fdbc6f205fff5
-
SHA256
e73b749260028b1b6957978b54201f289c56743c201b3a6aa1d4743540df23f4
-
SHA512
f092f2b791c6bf4d6817c5d325a1302a95da5336884fd91422aa446b8c918af439eee209009a18d36d81edee07b28055eae730efa834c9def40aef31bdc586a7
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon Ransomware
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-