General
Target: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393
Size: 775KB
Sample: 210528-1qd5spgbp2
MD5: 50f8f413864ce79776024ff4682a2de2
SHA1: ffb280abe92fcb2f7921002b90b66ff70408b52a
SHA256: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393
SHA512: 569ef560e0ddb09d057bf8c474668229da4384109fe0c928e7260a58f494eb6fa7c4bed022f51155881d16de0055c1e14d19b41110f14af8126e0169a5346f5e
Static task: static1
Behavioral task: behavioral1
  Sample: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393.exe
  Resource: win10v20210410
Malware Config
Extracted from the following dropped files (the same two URLs were recovered from each):
  C:\Users\Admin\Contacts\DClJ7_readme_.txt
  C:\Users\Admin\Downloads\DClJ7_readme_.txt
  C:\Users\Admin\Favorites\Links\DClJ7_readme_.txt
  C:\Users\Admin\Pictures\DClJ7_readme_.txt
  C:\Users\Admin\.oracle_jre_usage\DClJ7_readme_.txt
  C:\Users\Admin\Favorites\DClJ7_readme_.txt
URLs:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Targets
Target: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393
Size: 775KB
MD5: 50f8f413864ce79776024ff4682a2de2
SHA1: ffb280abe92fcb2f7921002b90b66ff70408b52a
SHA256: ddee9852f4a2b0bfa861eadce78e0366b3554b03f5619a1dc7507cd285b8a393
SHA512: 569ef560e0ddb09d057bf8c474668229da4384109fe0c928e7260a58f494eb6fa7c4bed022f51155881d16de0055c1e14d19b41110f14af8126e0169a5346f5e
Score: 10/10
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its user base among criminal actors.
- Avaddon Ransomware
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.