General
Target: 8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de
Size: 775KB
Sample: 210528-7p5rf2cm4s
MD5: 5d0717ef985e4414ca0081ff7ddbb737
SHA1: 5ddb793327e1e89ef8f406be11f97e5489f7a5c1
SHA256: 8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de
SHA512: e9f40b2cb52873700cd29e9e0d4040458da30598d02c1af0f2a99114eb929fb84b2f559fff8f08e8b283ddc133355fc3ccab5c48e31f219125a99379fbd2137b
Static task: static1
Behavioral task: behavioral1
  Sample: 8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de.exe
  Resource: win10v20210410
Malware Config
Extracted from the following ransom notes (each note carries the same two URLs):
  C:\Users\Admin\Desktop\TxF3hlp_readme_.txt
  C:\Users\Admin\Downloads\TxF3hlp_readme_.txt
  C:\Users\Admin\Favorites\Links\TxF3hlp_readme_.txt
  C:\Users\Admin\Pictures\TxF3hlp_readme_.txt
  C:\Users\Admin\Favorites\TxF3hlp_readme_.txt
  C:\Users\Admin\Searches\TxF3hlp_readme_.txt
URLs:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Targets
Target: 8d14c0c8faf6249b67a1d19b7bd1404eb416304d8f5c73b3bdc9c69367e829de
Score: 10/10

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

- Avaddon Ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.