avaddon | f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637

General

Target

download.exe
Size

775KB
MD5

b1d5df48725672b525c8879670d10eaa
SHA1

6a6956aff077aeda5b22873cfb891632fbce6bc7
SHA256

f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637
SHA512

7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\tEyFD_readme_.txt

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aDeDEeAaEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk2Mi1TeFRzNm9zbndLbW9ibXdOR0hQbm9qdDJrOE5xdkp0VFBhaFNOMWVnbHFrUmZOaDJnS2hKRUVXakg5M0FLK2VxYzRXa01jS2tiVzZOcUQ5WExtSmIxNGdnamtka2tNbGExajB4c1gzdWxaMlF5cVRxZ3hYYUtyUnplckpQQmgzcjhZTHhydXpwU3oxRDc1R3IzUW9sRVRXUDdRS2lySENJVVlvUkVINy9nNkxERmVqNmxVbWxKSUdFK2tOeWtzTjl0M0Q4ZitGZHhFSUkrL01LakZpNEQySERkNktMSGd6cDJJZytPcHlQVTk4NFZQaE44TnZEVUhtb01ZYUkrcDRVcndvME00VTZTell3NWcrQ0lLVC8zaHhYZC9TM1lzZE9PK3g3T1ZrMktCcGVCaEwwVnZ4bFZQU2tLU1lacHZZS2NyV24rQlN1bWVwR3B4OXJCaUtVTzRyWjRVMWVBdVRtWFV0UUh4SE15YjEwRnpuTFVkZlE2dVJTWUtHTW5zZmtRZS9wYkhCRm52ZDZsVzh0UDBrTlFIZHRqZW1rNjlMSFRNNm01d3J0aTBoSmJjK3YzV0Zzd2lGaWxRZU0yRHBZWUw0L3QwbndDZWhCZ2VkVDYxT2dTMUEzOThHRVJTTWd3MUd0bm05TnVzOEtDZFNDVndrYTR5ZWJoR1lPazhENHp2dm94YWgvSVZ1WEo2cFBZUDYwUzVzUGdndTFDWWNneGN5eHZ5aG9acFpjMVU4dkdjTmNoOWZyV0xqbVFkdk91NzJaeGMzckU0Y1BCVUlGQ01uL0J4a01PZVp0eTlXc3JkamN0ZFc3ZFA5R1F6Z2lvNXkxcHlsaUFCVlpkaEp5aUt6OFI2clg4d0ZxZFp1dUROcXJVVjhEejZuT1o1UGlNSzZ6bzBnc2NHL3A0ZG43NlByZzBsOU1oZ0w3ZnFGbmszUFhiKzFDR3QrRXpycUcwN05EM3VLSUwrZFNycGpuWWpyNE1aMmcxSVV3SUZaOHZ0V08ydnFFZjREdzNHSkhmbEk3L3VUblJtNzRyQjcwcTVDSS80eUxSMnNGSjFjNllYQzZaWG9MNU9sdkl5VEtGWm01UU91czlRaUsxYWpmMDFnZ1NKcE1pUnhVcXkrOGRBM1BCU0ZHVXBtRkVlWWlNMlRUTFd5Q09ZK1ArSktpTyt5Qkg2akdVL1dTM0szQWdRWEdaSWFaWFZnQ3UwK291M3BoUjVYMjYvVVRmZkQ4SEc5MU0rT0JrU1Q0eCs4K0U2djJUM20zU1pHV1JydE1tMDBmVlRpRDlMcHZzNTBBY3ZKelpFZ3h2M1NjNlgwZHl6MEhKM1pQNm80S2t5MG8rVnRxdmVOZ3hlbllQYmdvQ2pPUGhIdENJRGhIZ0VERERMVFdldEpCWUhiV3VnZG05ZkRLY3BxK2hNOC9vSThBZitxbUJsMGdhbVRKaFgxSWZUTlNKYWU3aWc0eTJJNitaZGtyVHZXNFpBVDAvNzR3L0VSUEQzWWprWFJ3c2pzQW53VDZyRitRK04rN0hlaHNNRERaNlA1SisyL1FYbXc2SjIyU3FORTdwVS9HdUZGMVljNmp1QjRhTTk5ZHB4ZlZ1ZGFNZnExRmp3M0Q5bGtWMFZ5OHBBbzZEQkhDd3JkeVBUV2Z4UGx6R21EUVRrZDNLZ01ka3psbkgwZFhiZHdCMDdZT0RyM1NOaEJYMnRhTlFGSEk1NE9UQ3Y4cW9NajVwZ25YUTBteHNRbjdtR3N1NUFUcDNiZ1JBekFBY0xyOWc4eW9IaEhnSFZKRGNLa1FkS2V4ZzFKWGtNRVdXRUs3QTF6b25DWWxSanJ5RnIyRUE4eUsvdXV4VDZyeU1pSVhwNDRzMGxoaFp5a0lTM1dYSXB4NkIyb1YrZUFqSnI0aXBrZHkyQ3dralljOHI2QnJ2LzlmSStYN2x5Z2lpOG8vckRSNGdIeENsZ1lnN0IyVGpPQ2VQYlIyV2FjdzBLWXIwNkZxOTJxQzNJTFRqOHBVSVVrYTc2MFA2RXpvQXM3WW5WRXVXQUN6OEM0QlVDSHR5c1A4Zlc4SEdUamxZc3UyUjNadURyMTNoVFNZNWZvMFIyKy9naWlTOHdVPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * pitB2mwXSFsBdU

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\tEyFD_readme_.txt

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aDeDEeAaEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk2Mi1TeFRzNm9zbndLbW9ibXdOR0hQbm9qdDJrOE5xdkp0VFBhaFNOMWVnbHFrUmZOaDJnS2hKRUVXakg5M0FLK2VxYzRXa01jS2tiVzZOcUQ5WExtSmIxNGdnamtka2tNbGExajB4c1gzdWxaMlF5cVRxZ3hYYUtyUnplckpQQmgzcjhZTHhydXpwU3oxRDc1R3IzUW9sRVRXUDdRS2lySENJVVlvUkVINy9nNkxERmVqNmxVbWxKSUdFK2tOeWtzTjl0M0Q4ZitGZHhFSUkrL01LakZpNEQySERkNktMSGd6cDJJZytPcHlQVTk4NFZQaE44TnZEVUhtb01ZYUkrcDRVcndvME00VTZTell3NWcrQ0lLVC8zaHhYZC9TM1lzZE9PK3g3T1ZrMktCcGVCaEwwVnZ4bFZQU2tLU1lacHZZS2NyV24rQlN1bWVwR3B4OXJCaUtVTzRyWjRVMWVBdVRtWFV0UUh4SE15YjEwRnpuTFVkZlE2dVJTWUtHTW5zZmtRZS9wYkhCRm52ZDZsVzh0UDBrTlFIZHRqZW1rNjlMSFRNNm01d3J0aTBoSmJjK3YzV0Zzd2lGaWxRZU0yRHBZWUw0L3QwbndDZWhCZ2VkVDYxT2dTMUEzOThHRVJTTWd3MUd0bm05TnVzOEtDZFNDVndrYTR5ZWJoR1lPazhENHp2dm94YWgvSVZ1WEo2cFBZUDYwUzVzUGdndTFDWWNneGN5eHZ5aG9acFpjMVU4dkdjTmNoOWZyV0xqbVFkdk91NzJaeGMzckU0Y1BCVUlGQ01uL0J4a01PZVp0eTlXc3JkamN0ZFc3ZFA5R1F6Z2lvNXkxcHlsaUFCVlpkaEp5aUt6OFI2clg4d0ZxZFp1dUROcXJVVjhEejZuT1o1UGlNSzZ6bzBnc2NHL3A0ZG43NlByZzBsOU1oZ0w3ZnFGbmszUFhiKzFDR3QrRXpycUcwN05EM3VLSUwrZFNycGpuWWpyNE1aMmcxSVV3SUZaOHZ0V08ydnFFZjREdzNHSkhmbEk3L3VUblJtNzRyQjcwcTVDSS80eUxSMnNGSjFjNllYQzZaWG9MNU9sdkl5VEtGWm01UU91czlRaUsxYWpmMDFnZ1NKcE1pUnhVcXkrOGRBM1BCU0ZHVXBtRkVlWWlNMlRUTFd5Q09ZK1ArSktpTyt5Qkg2akdVL1dTM0szQWdRWEdaSWFaWFZnQ3UwK291M3BoUjVYMjYvVVRmZkQ4SEc5MU0rT0JrU1Q0eCs4K0U2djJUM20zU1pHV1JydE1tMDBmVlRpRDlMcHZzNTBBY3ZKelpFZ3h2M1NjNlgwZHl6MEhKM1pQNm80S2t5MG8rVnRxdmVOZ3hlbllQYmdvQ2pPUGhIdENJRGhIZ0VERERMVFdldEpCWUhiV3VnZG05ZkRLY3BxK2hNOC9vSThBZitxbUJsMGdhbVRKaFgxSWZUTlNKYWU3aWc0eTJJNitaZGtyVHZXNFpBVDAvNzR3L0VSUEQzWWprWFJ3c2pzQW53VDZyRitRK04rN0hlaHNNRERaNlA1SisyL1FYbXc2SjIyU3FORTdwVS9HdUZGMVljNmp1QjRhTTk5ZHB4ZlZ1ZGFNZnExRmp3M0Q5bGtWMFZ5OHBBbzZEQkhDd3JkeVBUV2Z4UGx6R21EUVRrZDNLZ01ka3psbkgwZFhiZHdCMDdZT0RyM1NOaEJYMnRhTlFGSEk1NE9UQ3Y4cW9NajVwZ25YUTBteHNRbjdtR3N1NUFUcDNiZ1JBekFBY0xyOWc4eW9IaEhnSFZKRGNLa1FkS2V4ZzFKWGtNRVdXRUs3QTF6b25DWWxSanJ5RnIyRUE4eUsvdXV4VDZyeU1pSVhwNDRzMGxoaFp5a0lTM1dYSXB4NkIyb1YrZUFqSnI0aXBrZHkyQ3dralljOHI2QnJ2LzlmSStYN2x5Z2lpOG8vckRSNGdIeENsZ1lnN0IyVGpPQ2VQYlIyV2FjdzBLWXIwNkZxOTJxQzNJTFRqOHBVSVVrYTc2MFA2RXpvQXM3WW5WRXVXQUN6OEM0QlVDSHR5c1A4Zlc4SEdUamxZc3UyUjNadURyMTNoVFNZNWZvMFIyKy9naWlTOHdVPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * BrU1NSFLIrakVQpnZg

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Links\tEyFD_readme_.txt

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aDeDEeAaEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk2Mi1TeFRzNm9zbndLbW9ibXdOR0hQbm9qdDJrOE5xdkp0VFBhaFNOMWVnbHFrUmZOaDJnS2hKRUVXakg5M0FLK2VxYzRXa01jS2tiVzZOcUQ5WExtSmIxNGdnamtka2tNbGExajB4c1gzdWxaMlF5cVRxZ3hYYUtyUnplckpQQmgzcjhZTHhydXpwU3oxRDc1R3IzUW9sRVRXUDdRS2lySENJVVlvUkVINy9nNkxERmVqNmxVbWxKSUdFK2tOeWtzTjl0M0Q4ZitGZHhFSUkrL01LakZpNEQySERkNktMSGd6cDJJZytPcHlQVTk4NFZQaE44TnZEVUhtb01ZYUkrcDRVcndvME00VTZTell3NWcrQ0lLVC8zaHhYZC9TM1lzZE9PK3g3T1ZrMktCcGVCaEwwVnZ4bFZQU2tLU1lacHZZS2NyV24rQlN1bWVwR3B4OXJCaUtVTzRyWjRVMWVBdVRtWFV0UUh4SE15YjEwRnpuTFVkZlE2dVJTWUtHTW5zZmtRZS9wYkhCRm52ZDZsVzh0UDBrTlFIZHRqZW1rNjlMSFRNNm01d3J0aTBoSmJjK3YzV0Zzd2lGaWxRZU0yRHBZWUw0L3QwbndDZWhCZ2VkVDYxT2dTMUEzOThHRVJTTWd3MUd0bm05TnVzOEtDZFNDVndrYTR5ZWJoR1lPazhENHp2dm94YWgvSVZ1WEo2cFBZUDYwUzVzUGdndTFDWWNneGN5eHZ5aG9acFpjMVU4dkdjTmNoOWZyV0xqbVFkdk91NzJaeGMzckU0Y1BCVUlGQ01uL0J4a01PZVp0eTlXc3JkamN0ZFc3ZFA5R1F6Z2lvNXkxcHlsaUFCVlpkaEp5aUt6OFI2clg4d0ZxZFp1dUROcXJVVjhEejZuT1o1UGlNSzZ6bzBnc2NHL3A0ZG43NlByZzBsOU1oZ0w3ZnFGbmszUFhiKzFDR3QrRXpycUcwN05EM3VLSUwrZFNycGpuWWpyNE1aMmcxSVV3SUZaOHZ0V08ydnFFZjREdzNHSkhmbEk3L3VUblJtNzRyQjcwcTVDSS80eUxSMnNGSjFjNllYQzZaWG9MNU9sdkl5VEtGWm01UU91czlRaUsxYWpmMDFnZ1NKcE1pUnhVcXkrOGRBM1BCU0ZHVXBtRkVlWWlNMlRUTFd5Q09ZK1ArSktpTyt5Qkg2akdVL1dTM0szQWdRWEdaSWFaWFZnQ3UwK291M3BoUjVYMjYvVVRmZkQ4SEc5MU0rT0JrU1Q0eCs4K0U2djJUM20zU1pHV1JydE1tMDBmVlRpRDlMcHZzNTBBY3ZKelpFZ3h2M1NjNlgwZHl6MEhKM1pQNm80S2t5MG8rVnRxdmVOZ3hlbllQYmdvQ2pPUGhIdENJRGhIZ0VERERMVFdldEpCWUhiV3VnZG05ZkRLY3BxK2hNOC9vSThBZitxbUJsMGdhbVRKaFgxSWZUTlNKYWU3aWc0eTJJNitaZGtyVHZXNFpBVDAvNzR3L0VSUEQzWWprWFJ3c2pzQW53VDZyRitRK04rN0hlaHNNRERaNlA1SisyL1FYbXc2SjIyU3FORTdwVS9HdUZGMVljNmp1QjRhTTk5ZHB4ZlZ1ZGFNZnExRmp3M0Q5bGtWMFZ5OHBBbzZEQkhDd3JkeVBUV2Z4UGx6R21EUVRrZDNLZ01ka3psbkgwZFhiZHdCMDdZT0RyM1NOaEJYMnRhTlFGSEk1NE9UQ3Y4cW9NajVwZ25YUTBteHNRbjdtR3N1NUFUcDNiZ1JBekFBY0xyOWc4eW9IaEhnSFZKRGNLa1FkS2V4ZzFKWGtNRVdXRUs3QTF6b25DWWxSanJ5RnIyRUE4eUsvdXV4VDZyeU1pSVhwNDRzMGxoaFp5a0lTM1dYSXB4NkIyb1YrZUFqSnI0aXBrZHkyQ3dralljOHI2QnJ2LzlmSStYN2x5Z2lpOG8vckRSNGdIeENsZ1lnN0IyVGpPQ2VQYlIyV2FjdzBLWXIwNkZxOTJxQzNJTFRqOHBVSVVrYTc2MFA2RXpvQXM3WW5WRXVXQUN6OEM0QlVDSHR5c1A4Zlc4SEdUamxZc3UyUjNadURyMTNoVFNZNWZvMFIyKy9naWlTOHdVPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 2TcOif2e8TIpsqypEDSaJ

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Searches\tEyFD_readme_.txt

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aDeDEeAaEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk2Mi1TeFRzNm9zbndLbW9ibXdOR0hQbm9qdDJrOE5xdkp0VFBhaFNOMWVnbHFrUmZOaDJnS2hKRUVXakg5M0FLK2VxYzRXa01jS2tiVzZOcUQ5WExtSmIxNGdnamtka2tNbGExajB4c1gzdWxaMlF5cVRxZ3hYYUtyUnplckpQQmgzcjhZTHhydXpwU3oxRDc1R3IzUW9sRVRXUDdRS2lySENJVVlvUkVINy9nNkxERmVqNmxVbWxKSUdFK2tOeWtzTjl0M0Q4ZitGZHhFSUkrL01LakZpNEQySERkNktMSGd6cDJJZytPcHlQVTk4NFZQaE44TnZEVUhtb01ZYUkrcDRVcndvME00VTZTell3NWcrQ0lLVC8zaHhYZC9TM1lzZE9PK3g3T1ZrMktCcGVCaEwwVnZ4bFZQU2tLU1lacHZZS2NyV24rQlN1bWVwR3B4OXJCaUtVTzRyWjRVMWVBdVRtWFV0UUh4SE15YjEwRnpuTFVkZlE2dVJTWUtHTW5zZmtRZS9wYkhCRm52ZDZsVzh0UDBrTlFIZHRqZW1rNjlMSFRNNm01d3J0aTBoSmJjK3YzV0Zzd2lGaWxRZU0yRHBZWUw0L3QwbndDZWhCZ2VkVDYxT2dTMUEzOThHRVJTTWd3MUd0bm05TnVzOEtDZFNDVndrYTR5ZWJoR1lPazhENHp2dm94YWgvSVZ1WEo2cFBZUDYwUzVzUGdndTFDWWNneGN5eHZ5aG9acFpjMVU4dkdjTmNoOWZyV0xqbVFkdk91NzJaeGMzckU0Y1BCVUlGQ01uL0J4a01PZVp0eTlXc3JkamN0ZFc3ZFA5R1F6Z2lvNXkxcHlsaUFCVlpkaEp5aUt6OFI2clg4d0ZxZFp1dUROcXJVVjhEejZuT1o1UGlNSzZ6bzBnc2NHL3A0ZG43NlByZzBsOU1oZ0w3ZnFGbmszUFhiKzFDR3QrRXpycUcwN05EM3VLSUwrZFNycGpuWWpyNE1aMmcxSVV3SUZaOHZ0V08ydnFFZjREdzNHSkhmbEk3L3VUblJtNzRyQjcwcTVDSS80eUxSMnNGSjFjNllYQzZaWG9MNU9sdkl5VEtGWm01UU91czlRaUsxYWpmMDFnZ1NKcE1pUnhVcXkrOGRBM1BCU0ZHVXBtRkVlWWlNMlRUTFd5Q09ZK1ArSktpTyt5Qkg2akdVL1dTM0szQWdRWEdaSWFaWFZnQ3UwK291M3BoUjVYMjYvVVRmZkQ4SEc5MU0rT0JrU1Q0eCs4K0U2djJUM20zU1pHV1JydE1tMDBmVlRpRDlMcHZzNTBBY3ZKelpFZ3h2M1NjNlgwZHl6MEhKM1pQNm80S2t5MG8rVnRxdmVOZ3hlbllQYmdvQ2pPUGhIdENJRGhIZ0VERERMVFdldEpCWUhiV3VnZG05ZkRLY3BxK2hNOC9vSThBZitxbUJsMGdhbVRKaFgxSWZUTlNKYWU3aWc0eTJJNitaZGtyVHZXNFpBVDAvNzR3L0VSUEQzWWprWFJ3c2pzQW53VDZyRitRK04rN0hlaHNNRERaNlA1SisyL1FYbXc2SjIyU3FORTdwVS9HdUZGMVljNmp1QjRhTTk5ZHB4ZlZ1ZGFNZnExRmp3M0Q5bGtWMFZ5OHBBbzZEQkhDd3JkeVBUV2Z4UGx6R21EUVRrZDNLZ01ka3psbkgwZFhiZHdCMDdZT0RyM1NOaEJYMnRhTlFGSEk1NE9UQ3Y4cW9NajVwZ25YUTBteHNRbjdtR3N1NUFUcDNiZ1JBekFBY0xyOWc4eW9IaEhnSFZKRGNLa1FkS2V4ZzFKWGtNRVdXRUs3QTF6b25DWWxSanJ5RnIyRUE4eUsvdXV4VDZyeU1pSVhwNDRzMGxoaFp5a0lTM1dYSXB4NkIyb1YrZUFqSnI0aXBrZHkyQ3dralljOHI2QnJ2LzlmSStYN2x5Z2lpOG8vckRSNGdIeENsZ1lnN0IyVGpPQ2VQYlIyV2FjdzBLWXIwNkZxOTJxQzNJTFRqOHBVSVVrYTc2MFA2RXpvQXM3WW5WRXVXQUN6OEM0QlVDSHR5c1A4Zlc4SEdUamxZc3UyUjNadURyMTNoVFNZNWZvMFIyKy9naWlTOHdVPQ== -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * O5Dl2rpSy60OkGcNPjMC0a3y

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon Ransomware 2 IoCs

ransomware

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe	avaddon_ransomware
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe	avaddon_ransomware

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exewmic.exewmic.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1728	wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1728	wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1728	wmic.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

download.exe

pid process

2176 download.exe

pid	process
2176	download.exe

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

download.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.aDeDEeAaEd	download.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	download.exe
File renamed	C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.aDeDEeAaEd	download.exe
File renamed	C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.aDeDEeAaEd	download.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	download.exe
File renamed	C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.aDeDEeAaEd	download.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

download.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" download.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

download.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini download.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	download.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

download.exe

description	ioc	process
File opened (read-only)	\??\E:	download.exe
File opened (read-only)	\??\O:	download.exe
File opened (read-only)	\??\Q:	download.exe
File opened (read-only)	\??\V:	download.exe
File opened (read-only)	\??\X:	download.exe
File opened (read-only)	\??\Z:	download.exe
File opened (read-only)	\??\F:	download.exe
File opened (read-only)	\??\G:	download.exe
File opened (read-only)	\??\J:	download.exe
File opened (read-only)	\??\U:	download.exe
File opened (read-only)	\??\H:	download.exe
File opened (read-only)	\??\P:	download.exe
File opened (read-only)	\??\S:	download.exe
File opened (read-only)	\??\T:	download.exe
File opened (read-only)	\??\W:	download.exe
File opened (read-only)	\??\A:	download.exe
File opened (read-only)	\??\B:	download.exe
File opened (read-only)	\??\I:	download.exe
File opened (read-only)	\??\K:	download.exe
File opened (read-only)	\??\L:	download.exe
File opened (read-only)	\??\M:	download.exe
File opened (read-only)	\??\N:	download.exe
File opened (read-only)	\??\R:	download.exe
File opened (read-only)	\??\Y:	download.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1800 vssadmin.exe
408 vssadmin.exe
1808 vssadmin.exe

pid	process
1800	vssadmin.exe
408	vssadmin.exe
1808	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

download.exe

pid	process
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe
1612	download.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	316	wmic.exe
Token: SeSecurityPrivilege	316	wmic.exe
Token: SeTakeOwnershipPrivilege	316	wmic.exe
Token: SeLoadDriverPrivilege	316	wmic.exe
Token: SeSystemProfilePrivilege	316	wmic.exe
Token: SeSystemtimePrivilege	316	wmic.exe
Token: SeProfSingleProcessPrivilege	316	wmic.exe
Token: SeIncBasePriorityPrivilege	316	wmic.exe
Token: SeCreatePagefilePrivilege	316	wmic.exe
Token: SeBackupPrivilege	316	wmic.exe
Token: SeRestorePrivilege	316	wmic.exe
Token: SeShutdownPrivilege	316	wmic.exe
Token: SeDebugPrivilege	316	wmic.exe
Token: SeSystemEnvironmentPrivilege	316	wmic.exe
Token: SeRemoteShutdownPrivilege	316	wmic.exe
Token: SeUndockPrivilege	316	wmic.exe
Token: SeManageVolumePrivilege	316	wmic.exe
Token: 33	316	wmic.exe
Token: 34	316	wmic.exe
Token: 35	316	wmic.exe
Token: SeIncreaseQuotaPrivilege	856	wmic.exe
Token: SeSecurityPrivilege	856	wmic.exe
Token: SeTakeOwnershipPrivilege	856	wmic.exe
Token: SeLoadDriverPrivilege	856	wmic.exe
Token: SeSystemProfilePrivilege	856	wmic.exe
Token: SeSystemtimePrivilege	856	wmic.exe
Token: SeProfSingleProcessPrivilege	856	wmic.exe
Token: SeIncBasePriorityPrivilege	856	wmic.exe
Token: SeCreatePagefilePrivilege	856	wmic.exe
Token: SeBackupPrivilege	856	wmic.exe
Token: SeRestorePrivilege	856	wmic.exe
Token: SeShutdownPrivilege	856	wmic.exe
Token: SeDebugPrivilege	856	wmic.exe
Token: SeSystemEnvironmentPrivilege	856	wmic.exe
Token: SeRemoteShutdownPrivilege	856	wmic.exe
Token: SeUndockPrivilege	856	wmic.exe
Token: SeManageVolumePrivilege	856	wmic.exe
Token: 33	856	wmic.exe
Token: 34	856	wmic.exe
Token: 35	856	wmic.exe
Token: SeIncreaseQuotaPrivilege	1672	wmic.exe
Token: SeSecurityPrivilege	1672	wmic.exe
Token: SeTakeOwnershipPrivilege	1672	wmic.exe
Token: SeLoadDriverPrivilege	1672	wmic.exe
Token: SeSystemProfilePrivilege	1672	wmic.exe
Token: SeSystemtimePrivilege	1672	wmic.exe
Token: SeProfSingleProcessPrivilege	1672	wmic.exe
Token: SeIncBasePriorityPrivilege	1672	wmic.exe
Token: SeCreatePagefilePrivilege	1672	wmic.exe
Token: SeBackupPrivilege	1672	wmic.exe
Token: SeRestorePrivilege	1672	wmic.exe
Token: SeShutdownPrivilege	1672	wmic.exe
Token: SeDebugPrivilege	1672	wmic.exe
Token: SeSystemEnvironmentPrivilege	1672	wmic.exe
Token: SeRemoteShutdownPrivilege	1672	wmic.exe
Token: SeUndockPrivilege	1672	wmic.exe
Token: SeManageVolumePrivilege	1672	wmic.exe
Token: 33	1672	wmic.exe
Token: 34	1672	wmic.exe
Token: 35	1672	wmic.exe
Token: SeIncreaseQuotaPrivilege	336	wmic.exe
Token: SeSecurityPrivilege	336	wmic.exe
Token: SeTakeOwnershipPrivilege	336	wmic.exe
Token: SeLoadDriverPrivilege	336	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

download.exetaskeng.exe

description	pid	process	target process
PID 1612 wrote to memory of 336	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 336	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 336	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 336	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1800	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1800	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1800	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1800	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1964	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1964	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1964	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1964	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 408	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 408	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 408	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 408	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1584	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1584	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1584	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1584	1612	download.exe	wmic.exe
PID 1612 wrote to memory of 1808	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1808	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1808	1612	download.exe	vssadmin.exe
PID 1612 wrote to memory of 1808	1612	download.exe	vssadmin.exe
PID 2140 wrote to memory of 2176	2140	taskeng.exe	download.exe
PID 2140 wrote to memory of 2176	2140	taskeng.exe	download.exe
PID 2140 wrote to memory of 2176	2140	taskeng.exe	download.exe
PID 2140 wrote to memory of 2176	2140	taskeng.exe	download.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

download.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	download.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	download.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	download.exe

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1612

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1800

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
2⤵
PID:1964

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:408

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
2⤵
PID:1584

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1808

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {59A17974-5DCB-4FD6-BCF5-FA1A4BA02BDD} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe
2⤵
- Executes dropped EXE
PID:2176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe
MD5
b1d5df48725672b525c8879670d10eaa

SHA1
6a6956aff077aeda5b22873cfb891632fbce6bc7

SHA256
f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637

SHA512
7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe
MD5
b1d5df48725672b525c8879670d10eaa

SHA1
6a6956aff077aeda5b22873cfb891632fbce6bc7

SHA256
f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637

SHA512
7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c

Download Submit
memory/336-60-0x0000000000000000-mapping.dmp

Download
memory/408-63-0x0000000000000000-mapping.dmp

Download
memory/1584-64-0x0000000000000000-mapping.dmp

Download
memory/1612-59-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1800-61-0x0000000000000000-mapping.dmp

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/1964-62-0x0000000000000000-mapping.dmp

Download
memory/2176-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads