General

Target: 146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24
Size: 775KB
Sample: 210528-4l9b5qbfw6
MD5: c20560cdc2f07c61a83c24653ac5930c
SHA1: 91c5f43a5faab411fdddb238e5a2c89ae6c9667c
SHA256: 146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24
SHA512: 145051b477a598b8f66d1151938c8135509cc71212a92d8ab92d5f2480f8a103be4bca21e14ebf0c91c53f76b464d15d8986ba2e40f0a3287baddc14e60953d9
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24.exe
  Resource: win10v20210408
Malware Config

Extracted ransom notes (each note carries the same two Tor contact addresses):
  C:\Users\Admin\Desktop\Z7qUIbG_readme_.txt
  C:\Users\Admin\Downloads\Z7qUIbG_readme_.txt
  C:\Users\Admin\Pictures\Z7qUIbG_readme_.txt
  C:\Users\Public\Videos\Sample Videos\Z7qUIbG_readme_.txt
  C:\Users\Admin\Desktop\hzcht_readme_.txt
  C:\Users\Admin\Documents\hzcht_readme_.txt
  C:\Users\Admin\Links\hzcht_readme_.txt

Contact URLs (Tor hidden services, present in every note above):
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion

Note that the prefix of the note file name is not a stable indicator: two different prefixes (Z7qUIbG and hzcht) appear in this one report. Hunt on the fixed "_readme_.txt" suffix and on the .onion addresses, not on the prefix.
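The extracted notes above all share the two .onion addresses while the file-name prefix varies. The following Python is an added example, not code from the sandbox or from the sample: it walks a set of collected files given as (path, text) pairs, keeps those whose name has the "<token>_readme_.txt" shape, and pulls every .onion host out of them. The note bodies are constructed for the example; only the file paths and the two hostnames come from the report.

```python
"""Triage dropped ransom notes for Tor contact addresses.

Added example (not the sandbox's or the sample's code): given note files as
(path, text) pairs, recognise the "<token>_readme_.txt" naming pattern seen in
the report and pull every .onion URL out of each note. The note bodies below
are constructed for the example; only the file paths and the two .onion
hostnames are taken from the report.
"""
import re
from pathlib import PureWindowsPath

# Note file name: short alphanumeric token, then "_readme_.txt". The token
# differs between notes in the report (Z7qUIbG, hzcht), so match the shape,
# not a fixed value.
NOTE_NAME_RE = re.compile(r"^(?P<token>[A-Za-z0-9]{3,12})_readme_\.txt$", re.IGNORECASE)

# Tor hidden-service host: 16 base32 chars (v2) or 56 (v3), then ".onion".
ONION_RE = re.compile(
    r"https?://(?P<host>[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion)\b", re.IGNORECASE
)


def note_token(path):
    """Return the token prefix of a ransom-note file name, or None if the
    name does not match the pattern."""
    m = NOTE_NAME_RE.match(PureWindowsPath(path).name)
    return m.group("token") if m else None


def extract_onions(text):
    """All distinct .onion hosts mentioned in text, lower-cased and sorted."""
    return sorted({m.group("host").lower() for m in ONION_RE.finditer(text)})


def triage_notes(notes):
    """Summarise a collection of (path, text) pairs.

    Files whose names do not look like ransom notes are listed under
    'skipped' rather than silently dropped, so an analyst can see what the
    filter rejected.
    """
    tokens, onions, directories, skipped = set(), set(), set(), []
    note_count = 0
    for path, text in notes:
        token = note_token(path)
        if token is None:
            skipped.append(path)
            continue
        note_count += 1
        tokens.add(token)
        onions.update(extract_onions(text))
        directories.add(str(PureWindowsPath(path).parent))
    return {
        "note_count": note_count,
        "tokens": sorted(tokens),
        "onions": sorted(onions),
        "directories": sorted(directories),
        "skipped": skipped,
    }


# Constructed note body; the URLs are the two addresses from the report.
NOTE_BODY = (
    "Your files have been encrypted.\n"
    "Contact us at http://avaddongun7rngel.onion or, if that is unreachable,\n"
    "http://avaddonbotrxmuyl.onion to recover them.\n"
)

SAMPLE_NOTES = [
    (r"C:\Users\Admin\Desktop\Z7qUIbG_readme_.txt", NOTE_BODY),
    (r"C:\Users\Admin\Downloads\Z7qUIbG_readme_.txt", NOTE_BODY),
    (r"C:\Users\Public\Videos\Sample Videos\Z7qUIbG_readme_.txt", NOTE_BODY),
    (r"C:\Users\Admin\Desktop\hzcht_readme_.txt", NOTE_BODY),
    (r"C:\Users\Admin\Documents\hzcht_readme_.txt", NOTE_BODY),
    # Ordinary text file on the desktop: name does not match, so it is skipped.
    (r"C:\Users\Admin\Desktop\notes.txt", "shopping list\n"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_notes(SAMPLE_NOTES), indent=2))
```

The onion pattern accepts both the 16-character v2 form seen here and the 56-character v3 form, and rejects anything of another length, so a note referencing a mistyped or truncated address does not produce a false indicator.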
Targets

Target: 146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24 (775KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Score: 10/10
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Signatures
- Avaddon Ransomware
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro. (Generic rule description; the report section shown here does not identify the child process.)
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
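The three file-system signatures above (extension changes on user files, a dropped note, drive-root enumeration) are individually weak but strong in combination. The following Python is an added example, not the sandbox's detection logic: it replays a constructed list of file events and scores each process on those three behaviours. The event shape (pid, image, op, path, new_path) is an assumption loosely modelled on EDR rename and access records; the ".locked" extension and every event are invented for the example, since the report does not state which extension this sample appends.

```python
"""Score per-process file activity against the ransomware signatures above.

Added example, not the sandbox's own rule logic. Event shape, the ".locked"
extension and all events below are constructed for the example.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

USER_ROOT_PREFIXES = ("C:\\Users\\",)   # paths counted as "user files"
DEFAULT_DRIVE = "C:\\"


def extension_appended(old_path, new_path):
    """True when new_path is old_path with one more suffix appended in place
    (report.docx -> report.docx.locked): the rename pattern behind
    "Modifies extensions of user files"."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    return (new.parent == old.parent
            and new.name.startswith(old.name + ".")
            and len(new.suffixes) == len(old.suffixes) + 1)


def is_user_file(path):
    return path.upper().startswith(tuple(p.upper() for p in USER_ROOT_PREFIXES))


def is_note_name(path):
    """Fixed part of the note name seen in the report; the prefix varies."""
    return PureWindowsPath(path).name.lower().endswith("_readme_.txt")


def summarize(events):
    """Per-pid counts of the three behaviours, keyed by pid."""
    per = defaultdict(lambda: {"image": None, "renamed_user_files": 0,
                               "new_suffixes": set(), "notes_dropped": 0,
                               "foreign_drive_roots": set()})
    for ev in events:
        p = per[ev["pid"]]
        p["image"] = ev["image"]
        op, path = ev["op"], ev["path"]
        if op == "rename" and is_user_file(path) and extension_appended(path, ev["new_path"]):
            p["renamed_user_files"] += 1
            p["new_suffixes"].add(PureWindowsPath(ev["new_path"]).suffix.lower())
        elif op == "create" and is_note_name(path):
            p["notes_dropped"] += 1
        elif op == "read":
            root = PureWindowsPath(path)
            # A path that is its own parent is a drive root (D:\, E:\ ...).
            if root.parent == root and str(root).upper() != DEFAULT_DRIVE:
                p["foreign_drive_roots"].add(str(root).upper())
    return dict(per)


def flag_ransomware(summary, min_renames=5):
    """pids with bulk extension changes on user files corroborated by a
    dropped note or by enumeration of non-default drives."""
    hits = []
    for pid, p in summary.items():
        bulk = p["renamed_user_files"] >= min_renames
        corroborated = p["notes_dropped"] > 0 or bool(p["foreign_drive_roots"])
        if bulk and corroborated:
            hits.append(pid)
    return sorted(hits)


# Constructed events. Only the sample's file name is taken from the report.
SAMPLE_IMAGE = "146712f0832c4e2fbe24245d18f2913746436e38d5438f5eca15dfd0fb50ec24.exe"


def _ev(pid, image, op, path, new_path=None):
    return {"pid": pid, "image": image, "op": op, "path": path, "new_path": new_path}


SAMPLE_EVENTS = [
    _ev(4120, SAMPLE_IMAGE, "read", "D:\\"),
    _ev(4120, SAMPLE_IMAGE, "read", "E:\\"),
    *[_ev(4120, SAMPLE_IMAGE, "rename",
          f"C:\\Users\\Admin\\Documents\\report{i}.docx",
          f"C:\\Users\\Admin\\Documents\\report{i}.docx.locked") for i in range(6)],
    _ev(4120, SAMPLE_IMAGE, "create", "C:\\Users\\Admin\\Documents\\hzcht_readme_.txt"),
    # Outside the user tree: not counted.
    _ev(4120, SAMPLE_IMAGE, "rename", "C:\\Windows\\Temp\\x.log", "C:\\Windows\\Temp\\x.log.locked"),
    # Benign editor making a single backup and a plain rename.
    _ev(3001, "notepad.exe", "rename", "C:\\Users\\Admin\\Desktop\\draft.txt",
        "C:\\Users\\Admin\\Desktop\\draft.txt.bak"),
    _ev(3001, "notepad.exe", "rename", "C:\\Users\\Admin\\Desktop\\a.txt",
        "C:\\Users\\Admin\\Desktop\\b.txt"),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for pid in flag_ransomware(s):
        print(pid, s[pid]["image"], s[pid]["renamed_user_files"], sorted(s[pid]["new_suffixes"]))
```

The rename threshold is deliberately low for the constructed data; on a real endpoint it should be tuned against backup and archiving tools, which also append suffixes but do not drop notes or sweep drive roots.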