Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:41

General

  • Target

    90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

  • Size

    570KB

  • MD5

    4cb6d61ad2425bede38804cc18113e01

  • SHA1

    faa8c450493e4ac9fdd95bed030dc2051da6c6b6

  • SHA256

    90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e

  • SHA512

    318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\buziFcJU_readme.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BCdCCbEbbA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
Mzg1LWpDeXNTOG5WQzUzVW9MNEVzTjFpMU5mVnErY0YzT0o4ejdGT2h3ZjFhWGEraVJESXFWOW81Q2VDakFBRFFtNzFoczU0b3dON2J5ZHNvWVZwQ3ZsMGsxdHVDaHI0WmMwSkx1dVF1V2VKRDFiS1NPR09USVJ0bExQOXNreDZaTmZTcmRyTHplc3VkeTQrVzMrT0tYUENuanBLdDlDeHlneWJjNDB6aG03YUJ2SkdwWVpvN21tcFZWN2pDV1RLb0U0eXFzUmg0ckw3bFdJTDZadk1ueFVqRHczQUZLWTdjYldlblowWEV0aUNzaENKYlRRS3Q2VWUrUlNIakdZRTBXNXQweXU3QUpIZk9paHYvWEdoWUZOcHVlYk5Zc3hBSHZiRytjVzBQeHhZMjdpUHltTFkrRHdzem1ML1lNb3JpbWJLeFJHSHBzZm4yakRRRjg5OFdPeFd3cVg1SDhNNHoyWS9BbzZNd09xYzR4RVVIZmt0RmwvYTVQTWVOckUySmprbFJkSkRONG5pUHIwL1AyU3FmRVI4UVg2UXBrUXhGRFEwZmVtMEdzOWpsYUJzVTFCSVh6eXFXeHVuVlVZWGZ0Mzcvc3hqbVBGWENISGlpWnhnOVJ3Y2VibUg5QWI3TnV2UExYS01Ka05sbHBESFB2R3kwWW1iTW5sR3VmdXNMMi9DR2sxSjV3Z3V1QUdHb0JKNW56NmZNMEFwbU42ZzJEZUQ3Ymlrc3g0Y1hEK2ZYL0Erd1N2MTEzN2orQ3EvYjlXYXE1YkUrdnBGQ0UvcnZkVm9xUE53TFVtQmxKQ3pWSXVGai8rSTZUejFhNEczSkZ0aWJXVGs3S0h1elo4eG5KUTdBY0kyTVpJV2NQS2l4V2hRRjBLbVAwR0hTeHBlNmJ2OVZQdjArMS9yRDNUTERXOUZRWTArQlBJL3lxT2Nxa3dPOG5tUmxLUkVCTjFIb0tYcFlwallQZTJETDlBbFBzVVp2Vy82eXlzYUxzTmlNZng5L3R2YW1yWUxXRlA2NEZ1ZHd1MTZCcGJoVmJWUDRzQTU0TW5POHpqc2x0ZUlabFJPMUJ5ZnZ5bWhWUkU4SDVRL1lnaVV3Sm1Ka1hDa3Fyb1o1NzYySGYwWnBwSERxNGFPNFkrb0ZPRmRHSXNIejI1SmhiSVNOM0l3NStDcDU4dHJXM0pyWndTbUE3QzlBY0k2VThBb2RCYlZPNVZkK0ppRllZdThyU29NOW1kcERkMnpTSlF4WHRycUZLZUsrTE5QMTZMemdkdTRCU3RPUFNManFmSVhOQU80SHp6cTRicEJXa3E0SlNtMlJZTHYyQ3BpN0hnTSt6MTVvV1U4TmpGaWYvWU9hNG1tZWNRSFBabktRUXhFdzB4L1R4V2FEaWpqZlQ0M1FNbWtZSnE1dnFuQ2R6U3FMWkl3Wmp4SjlDMnFOL3VUR045QVNxSFJMNnNQZ25YalJzN0JwNzNHbEhOM0lYRkJ4RmVvVjd4T3RpaVFvWTVxV0RtS1BEZHNwVnlESEF4WU54VXJrS29jd3IzR2EyOUI5MEExWXRNNDV2TGlUdEtjeFVTbVgrZnUyRmZsT2JFSVRHZU95YWxmeGlpdmN2Zyt5ME01d0V2ZkxKV2J3dnFYRnRpNzlPdVlMR0l5S05JV0pLN29NbFg1RUpWKzZJV0dNN3dxa1BRRnVJcjAxSW1YbjZZaXoxMWlIMW0xRG1tNHJZcnM1Y3VGNW1POHllOWpGM1FRLzd1bU9kQjM3UHNCWGxkd0xBM3VvY1RmaFE3dE5uMFB5V09DZnBMMkxZNnpsQ1dPcVJsSzVXRTJmVW1NTzV6THUrNnQ2cFZqY0hDa0hqY3FnSVJEN053cHZTU2pJU0lYTSsvbnFKbTloTEo5TGRHNGRDVzJwcHIwSUFxSE5abm1Uekx6ZzlDbmhWL3V0aHlFY1dhcXE2REduS1RBcW13TUJBSk5wWGhKVTVsTFM0MDdyK3A0QnhPc1RkVlFRQ1FvZmlNSlZaYkkySm5kekZWRmRXZmhJdlVNcmEzZng4NWIrNU1VUVZCQkNmeStpaDA4eXI4NFFDQUFMM0RLSnVNbktQeUZLaDRLSkMzTGF1MUJnTGtVS1ExV0l3bGxSRXQ4Y1YwQjZ5R3I=
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
Ae2o47g4vU7G245dKovEEAa
URLs

http://avaddonbotrxmuyl.onion

Extracted

Identical copies of the note above (family avaddon, URL http://avaddonbotrxmuyl.onion, same victim ID) were also extracted from:

  • C:\Users\Admin\Documents\buziFcJU_readme.txt
  • C:\Users\Admin\Downloads\buziFcJU_readme.txt
  • C:\Users\Admin\Favorites\Links\buziFcJU_readme.txt
  • C:\Users\Admin\Searches\buziFcJU_readme.txt
  • C:\Users\Public\Recorded TV\Sample Media\buziFcJU_readme.txt
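The note above carries three indicators a responder wants in machine-readable form: the appended extension (.BCdCCbEbbA), the onion host, and the victim ID. The ID is two layers of base64: its first characters, Mzg1LWpD, decode to "385-jC", so the outer layer wraps a dash-separated numeric prefix and an inner base64 blob (public Avaddon write-ups read the prefix as an affiliate identifier; this report does not confirm that, so treat it as an assumption). The script below is an added triage example, not the sandbox's own tooling. Its note text is constructed from the buziFcJU_readme.txt content shown above, with a constructed stand-in ID of the same shape in place of the multi-kilobyte real one; all function and field names are the script's own.

```python
"""Pull indicators out of an Avaddon-style ransom note (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed victim ID: the real one decodes to "385-<inner base64>", so the
# stand-in keeps that shape with a dummy 32-byte inner blob.
_INNER_BLOB = bytes(range(32))
SAMPLE_ID = base64.b64encode(b"385-" + base64.b64encode(_INNER_BLOB)).decode()

# Constructed note: the wording of the dropped readme, stand-in ID spliced in.
SAMPLE_NOTE = f"""-------=== Your network has been infected! ===-------
All your documents, photos, databases and other important files have been encrypted and have the extension: .BCdCCbEbbA
How to get to our page
--------------------------------------------------------------------------------
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
{SAMPLE_ID}
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
"""

_EXT_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")
# v2 onion names are 16 base32 chars, v3 names are 56; accept both.
_ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
# The ID sits between "Your ID:" and the next dashed rule and may be wrapped.
_ID_RE = re.compile(r"Your ID:\s*-{10,}\s*([A-Za-z0-9+/=\s]+?)\s*-{10,}")


@dataclass
class NoteIOCs:
    extension: Optional[str]
    onion: Optional[str]
    victim_id: Optional[str]    # outer base64 exactly as printed in the note
    id_prefix: Optional[str]    # numeric field before the dash, if decodable
    id_blob_len: Optional[int]  # length of the decoded inner blob, if decodable


def decode_victim_id(outer_b64: str) -> Tuple[str, bytes]:
    """Unwrap both base64 layers; raise ValueError on a corrupt/truncated ID."""
    compact = re.sub(r"\s+", "", outer_b64)
    try:
        outer = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"outer layer is not base64: {exc}") from exc
    prefix, sep, inner_b64 = outer.partition(b"-")
    if not sep or not prefix.isdigit():
        raise ValueError("decoded ID lacks the '<digits>-<blob>' shape")
    try:
        inner = base64.b64decode(inner_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"inner layer is not base64: {exc}") from exc
    return prefix.decode(), inner


def parse_note(text: str) -> NoteIOCs:
    """Extract extension, onion host and victim ID from the note text."""
    ext = _EXT_RE.search(text)
    onion = _ONION_RE.search(text)
    vid = _ID_RE.search(text)
    victim_id = re.sub(r"\s+", "", vid.group(1)) if vid else None
    prefix = blob_len = None
    if victim_id:
        try:
            prefix, inner = decode_victim_id(victim_id)
            blob_len = len(inner)
        except ValueError:
            pass  # keep the raw ID; a non-decodable ID is itself a finding
    return NoteIOCs(
        extension=ext.group(1) if ext else None,
        onion=onion.group(0) if onion else None,
        victim_id=victim_id,
        id_prefix=prefix,
        id_blob_len=blob_len,
    )


if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Run it against the real readme by reading the file into `parse_note`; the ID regex tolerates the line wrapping seen above, and a note whose ID fails either base64 layer still returns the raw string so nothing is silently dropped.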

Signatures

  • Avaddon

    Ransomware-as-a-service first seen in June 2020. The operation announced its shutdown in June 2021 and released its victim decryption keys, from which a free decryptor was built, so files encrypted by this family can be recovered without paying.

  • Avaddon Payload 2 IoCs
  • UAC bypass 3 TTPs
  • suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
    "C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe"
    1⤵
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2024
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:288
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:740
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1456
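The tree above is the detection opportunity: the payload (PID 2024), running from the user's Temp directory, spawns wmic.exe SHADOWCOPY /nointeractive and vssadmin.exe Delete Shadows /All /Quiet three times each, and the Volume Shadow Copy service (vssvc.exe) starts in response. The script below is an added detection example, not the sandbox's own code. It matches shadow-copy deletion command lines in process-creation telemetry, groups hits by parent and rates the parent by whether it runs from a user-writable path or repeats the deletion. The events are constructed from the tree in a Sysmon Event ID 1-like shape; the field names (pid, ppid, image, cmdline, parent_image), the explorer.exe parent PID, the two benign control rows and the BackupAgent path are all invented for the example. It also accepts the explicit "wmic shadowcopy delete" form, which does not appear in this report.

```python
"""Flag shadow-copy deletion and attribute it to the spawning parent (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

PAYLOAD = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe")
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"


def _ev(pid, ppid, image, cmdline, parent_image):
    return {"pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "parent_image": parent_image}


# Constructed telemetry: rows 1-7 mirror the report's process tree; rows 8-9
# are benign controls (an admin listing shadows, a backup tool trimming one).
EVENTS = [
    _ev(2024, 1640, PAYLOAD, f'"{PAYLOAD}"', r"C:\Windows\explorer.exe"),
    _ev(1884, 2024, WMIC, "wmic.exe SHADOWCOPY /nointeractive", PAYLOAD),
    _ev(288, 2024, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet", PAYLOAD),
    _ev(2012, 2024, WMIC, "wmic.exe SHADOWCOPY /nointeractive", PAYLOAD),
    _ev(740, 2024, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet", PAYLOAD),
    _ev(520, 2024, WMIC, "wmic.exe SHADOWCOPY /nointeractive", PAYLOAD),
    _ev(564, 2024, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet", PAYLOAD),
    _ev(3100, 3000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
        r"C:\Windows\System32\cmd.exe"),
    _ev(3200, 3150, r"C:\Windows\System32\vssadmin.exe",
        "vssadmin delete shadows /for=C: /oldest /quiet",
        r"C:\Program Files\BackupAgent\agent.exe"),
]

# Patterns are applied after lower-casing and collapsing whitespace, so case
# and spacing games in the command line do not evade them.
_SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*(\bdelete\b|/nointeractive)"),
]
# Parent images living in locations a standard user can write to.
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|^[a-z]:\\(programdata|users\\public|windows\\temp)\\")


def is_shadow_deletion(cmdline: str) -> bool:
    norm = " ".join(cmdline.lower().split())
    return any(p.search(norm) for p in _SHADOW_DELETE)


@dataclass
class Alert:
    parent_pid: int
    parent_image: str
    child_pids: List[int]
    severity: str
    reason: str


def detect(events: Iterable[dict]) -> List[Alert]:
    """One alert per parent that spawned shadow-copy deletion commands."""
    by_parent: Dict[int, List[dict]] = defaultdict(list)
    for e in events:
        if is_shadow_deletion(e.get("cmdline", "")):
            by_parent[e["ppid"]].append(e)
    alerts: List[Alert] = []
    for ppid, kids in sorted(by_parent.items()):
        parent_image = kids[0]["parent_image"]
        user_path = bool(_USER_WRITABLE.search(parent_image.lower()))
        # Ransomware shape: parent in a user-writable path, or repeated
        # deletions (Avaddon issues six). A single deletion from a program
        # directory is how backup tooling behaves, so it rates lower.
        if user_path or len(kids) >= 2:
            severity = "high"
            reason = (f"{len(kids)} shadow-copy deletion child(ren); "
                      f"parent in user-writable path={user_path}")
        else:
            severity = "medium"
            reason = "single shadow-copy deletion from a program directory"
        alerts.append(Alert(ppid, parent_image, [k["pid"] for k in kids],
                            severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.severity}] ppid={a.parent_pid} {a.parent_image} "
              f"children={a.child_pids} ({a.reason})")
```

Grouping by parent rather than alerting per child is what turns six noisy rows into one incident record that already names the binary to acquire; feeding the same function Sysmon or 4688 events only requires mapping their fields onto the five keys used here.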

MITRE ATT&CK Matrix (ATT&CK v6)

The sandbox maps behaviour to ATT&CK v6 technique IDs. Four of them (T1088, T1089, T1107, T1130) were deprecated when sub-techniques were introduced in ATT&CK v7; the current equivalents are given in the last column.

  Tactic                Technique                     Count  v6 ID  Current ID
  Privilege Escalation  Bypass User Account Control   1      T1088  T1548.002
  Defense Evasion       Bypass User Account Control   1      T1088  T1548.002
  Defense Evasion       Disabling Security Tools      1      T1089  T1562.001
  Defense Evasion       Modify Registry               3      T1112  T1112
  Defense Evasion       File Deletion                 2      T1107  T1070.004
  Defense Evasion       Install Root Certificate      1      T1130  T1553.004
  Discovery             System Information Discovery  3      T1082  T1082
  Discovery             Query Registry                1      T1012  T1012
  Discovery             Peripheral Device Discovery   1      T1120  T1120
  Impact                Inhibit System Recovery       2      T1490  T1490

Downloads

  • memory/288-59-0x0000000000000000-mapping.dmp
  • memory/520-62-0x0000000000000000-mapping.dmp
  • memory/564-63-0x0000000000000000-mapping.dmp
  • memory/740-61-0x0000000000000000-mapping.dmp
  • memory/1884-58-0x0000000000000000-mapping.dmp
  • memory/2012-60-0x0000000000000000-mapping.dmp
  • memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp
    Filesize

    8KB

  • memory/2024-55-0x0000000000309000-0x0000000000383000-memory.dmp
    Filesize

    488KB

  • memory/2024-56-0x0000000000D30000-0x0000000000E4C000-memory.dmp
    Filesize

    1.1MB

  • memory/2024-57-0x0000000000400000-0x0000000000CBD000-memory.dmp
    Filesize

    8.7MB