General

  • Target

    4c7d496c02177037f58588579239caa1d95d509c.zip

  • Size

    560KB

  • Sample

    210413-t8xwt19k6x

  • MD5

    2fa81856c7734d054f5eb3a0363638ab

  • SHA1

    0bf72720ee93c9ee297e182aa90473d7aa867bef

  • SHA256

    946b58a1341ed568aa967d9c24b638fb9cb0277c3c27b8eabfdc31cfcf4d6fd6

  • SHA512

    a40469660290a813b43732b49095bb9b99c6dc9bf58681b220be6c01a23ebf78088a320fd5d8d038dcea6ea6b1021a12af7f5141964906c43f24f4162e1d94fd

Targets

    • Target

      840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2

    • Size

      1.3MB

    • MD5

      fd61adfce25d440ef8994d124cfce67c

    • SHA1

      4c7d496c02177037f58588579239caa1d95d509c

    • SHA256

      840ab447e0f3a2a982ff8f0c3c336338a6df691c8b0b74b0f153c0f6a15662e2

    • SHA512

      67aeb813bc7be2bf61117a04ee995de70c7b248d044699b33fe1d040476a8d7963ce4831a195591237dcd4e2df07c06971281ffa8c9a70f233469721580e35fc

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    • UAC bypass

    • Deletes shadow copies

      Volume Shadow Copies are the Windows restore points that would otherwise allow encrypted files to be rolled back; ransomware deletes them (and other backups) to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
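
The report records "Deletes shadow copies" and "Adds Run key to start application" but does not show the command lines involved. The following Python is an added example for this page, not sandbox output and not code from the Avaddon sample: a small rule set run over constructed Sysmon-style process-creation events that flags the generic recovery-inhibition commands (vssadmin, wmic shadowcopy, bcdedit, wbadmin) and Run-key writes via reg.exe, while leaving read-only uses such as "vssadmin list shadows" alone. The events, paths and image names are constructed for illustration.

```python
"""Detect shadow-copy deletion (T1490) and Run-key persistence (T1060)
in process-creation telemetry.  Added example; the events below are
constructed and are not telemetry from the analysed sample."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1 style record."""
    image: str
    command_line: str
    parent_image: str


# Constructed sample events (hypothetical paths; not from the report).
DROPPER = r"C:\Users\user\AppData\Roaming\update.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", DROPPER),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete", DROPPER),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No", DROPPER),
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
                 r" /v update /t REG_SZ /d " + DROPPER, DROPPER),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete catalog -quiet", DROPPER),
    # Benign administrative use: lists shadows, deletes nothing.
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe readme.txt", r"C:\Windows\explorer.exe"),
]

# (technique ID, human-readable name, pattern over the command line).
# Patterns are case-insensitive; the '(\.exe)?' allows both 'vssadmin'
# and 'vssadmin.exe' spellings seen in real command lines.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "bcdedit disables recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
                re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1060", "Run key written via reg.exe",
     re.compile(r"reg(\.exe)?\s+add\s+\"?HK(LM|CU)\\Software\\Microsoft"
                r"\\Windows\\CurrentVersion\\Run", re.I)),
]


def classify(event: ProcessEvent) -> List[Tuple[str, str]]:
    """Return every (technique, rule name) whose pattern matches the event."""
    return [(tid, name) for tid, name, rx in RULES
            if rx.search(event.command_line)]


def scan(events: Iterable[ProcessEvent]) -> Dict[str, List[str]]:
    """Map technique ID -> matching command lines, preserving event order."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for tid, _name in classify(ev):
            hits.setdefault(tid, []).append(ev.command_line)
    return hits


if __name__ == "__main__":
    for tid, lines in scan(SAMPLE_EVENTS).items():
        print(f"{tid}: {len(lines)} hit(s)")
        for line in lines:
            print(f"    {line}")
```

On the constructed events this yields four T1490 hits and one T1060 hit; the "vssadmin list shadows" and notepad events produce nothing. In production the same rules would be joined with the parent image (here the hypothetical dropper path) so that deletions spawned from an unsigned binary in a user-writable directory rank above the same command typed by an administrator.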

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Hits  ID
Persistence           Registry Run Keys / Startup Folder   1     T1060
Privilege Escalation  Bypass User Account Control          1     T1088
Defense Evasion       Bypass User Account Control          1     T1088
Defense Evasion       Disabling Security Tools             1     T1089
Defense Evasion       Modify Registry                      3     T1112
Defense Evasion       File Deletion                        2     T1107
Discovery             System Information Discovery         3     T1082
Discovery             Query Registry                       1     T1012
Discovery             Peripheral Device Discovery          1     T1120
Impact                Inhibit System Recovery              2     T1490

The IDs follow the ATT&CK v6 numbering used by the report. In current ATT&CK releases T1060 corresponds to T1547.001, T1088 to T1548.002, T1089 to T1562.001 and T1107 to T1070.004.
