General
Target: 81493b11fc6acd0d4d8bb653dd9fcdaec16affbcbb509c01f6377db68efceee3
Size: 762KB
Sample: 210528-e2swzmt4we
MD5: f1033b3ec73b8996f2ea0aaf9445c47d
SHA1: e1daedeb38e99236fdae68ab63d7f411202cc02d
SHA256: 81493b11fc6acd0d4d8bb653dd9fcdaec16affbcbb509c01f6377db68efceee3
SHA512: 13013dba87bed734bf958fe28f1ff9d8a4a00a4b4f87b62060c502537180a2db6df1b137c26c4403b97316d7e3c8bbc945cd7d85409825f446b332f10980960a

Static task: static1

Behavioral task: behavioral1
Sample: 81493b11fc6acd0d4d8bb653dd9fcdaec16affbcbb509c01f6377db68efceee3.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 81493b11fc6acd0d4d8bb653dd9fcdaec16affbcbb509c01f6377db68efceee3.exe
Resource: win10v20210408
Malware Config
Extracted: C:\Users\Admin\4qiZs_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Downloads\4qiZs_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Pictures\4qiZs_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Searches\4qiZs_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\odt\9G3b4_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\Users\Admin\Favorites\9G3b4_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted: C:\9G3b4_readme_.txt
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
Target: 81493b11fc6acd0d4d8bb653dd9fcdaec16affbcbb509c01f6377db68efceee3
Score: 10/10

- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon Ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.