General
Target: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970
Size: 762KB
Sample: 210528-jfnwjyy9z6
MD5: 478a9f66d35a88127f95e1704055e6c1
SHA1: d8cb65339cc2c753c0919b74de1440a0160e9334
SHA256: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970
SHA512: 471db2fc9d718999b02ca4dbebd7a592c9c61f75d09556af23ac239af4762cf8443780f3deeadeef9d9c4e2f1947bbd148f6ea288c5d98b88a866b2e84f1d3a1
Static task: static1
Behavioral task: behavioral1
  Sample: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970.exe
  Resource: win10v20210408
Malware Config
Extracted from C:\Users\Admin\Contacts\SZVGBQzo_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\SZVGBQzo_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Favorites\Links for United States\SZVGBQzo_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Searches\SZVGBQzo_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\.oracle_jre_usage\oYiCG_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Favorites\oYiCG_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Public\Libraries\oYiCG_readme_.txt:
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Targets
Target: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970
Size: 762KB
MD5: 478a9f66d35a88127f95e1704055e6c1
SHA1: d8cb65339cc2c753c0919b74de1440a0160e9334
SHA256: 41302ba84885fcc5960d4e474d71f6af7c2a631c24d691179ff0a733eb1a4970
SHA512: 471db2fc9d718999b02ca4dbebd7a592c9c61f75d09556af23ac239af4762cf8443780f3deeadeef9d9c4e2f1947bbd148f6ea288c5d98b88a866b2e84f1d3a1
Score: 10/10
Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon Ransomware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.