General
Target: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106
Size: 759KB
Sample: 210528-68c86tkqsa
MD5: 1b9b6cb037e83d9b95603eb024718e63
SHA1: ac8aea93d1939a45c9d4dc59bcde109eb9d400c7
SHA256: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106
SHA512: d3b3fbf002711727b30b9d76283d7f2ea6c78428647017843f531ed0119f9faa7c4c2ac81fca180399747ef216e0f4ff1c8230f559da475807a1405f9f2e6bd7
Static task: static1
Behavioral task: behavioral1
  Sample: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106.exe
  Resource: win10v20210410
Malware Config
Extracted: C:\Users\Admin\Contacts\ch95x_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Downloads\ch95x_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Pictures\ch95x_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Public\Recorded TV\Sample Media\ch95x_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\odt\yKkwI_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Downloads\yKkwI_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Pictures\yKkwI_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Targets
Target: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106
Size: 759KB
MD5: 1b9b6cb037e83d9b95603eb024718e63
SHA1: ac8aea93d1939a45c9d4dc59bcde109eb9d400c7
SHA256: 433875f694fb7f96b4fe51e4c3d9a45515e849d1ffd9aa528fb9b23f6323e106
SHA512: d3b3fbf002711727b30b9d76283d7f2ea6c78428647017843f531ed0119f9faa7c4c2ac81fca180399747ef216e0f4ff1c8230f559da475807a1405f9f2e6bd7
Score: 10/10
Signatures
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon Ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.