General

Target: cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
Size: 2.1MB
Sample: 221005-sqyxpaefg8
MD5: bc52d18853a6b575d319692ae8f90fd7
SHA1: 882b07d029ba27a64f442fa0e3047775667c2957
SHA256: cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
SHA512: de425b379f3a25be5df229a00ddf255e938a655595c50c5322b6d38ca7bb52abc611f4b74dbb1d8afe8121f36a9644ed8375de949e58286132f1c45be09fc8b3
SSDEEP: 49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aue:QDB8XQqDXf+D9FG1dp9m5fb37zsf+ye
Static task: static1
Behavioral task: behavioral1
Sample: cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c.exe
Resource: win10-20220812-en
Malware Config

Extracted: C:\odt\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Extracted: C:\Users\Admin\Documents\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Extracted: C:\Users\Admin\Downloads\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Extracted: C:\Users\Admin\Favorites\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Extracted: C:\Users\Admin\Pictures\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Extracted: C:\Users\Admin\Searches\9hRxxz_readme.txt (avaddon, http://avaddonbotrxmuyl.onion)
Targets

Target: cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
Size: 2.1MB
MD5: bc52d18853a6b575d319692ae8f90fd7
SHA1: 882b07d029ba27a64f442fa0e3047775667c2957
SHA256: cd674d6aab60773d6af8554cbc28e902221aeec9b9734c98bb5a1a836c2f166c
SHA512: de425b379f3a25be5df229a00ddf255e938a655595c50c5322b6d38ca7bb52abc611f4b74dbb1d8afe8121f36a9644ed8375de949e58286132f1c45be09fc8b3
SSDEEP: 49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aue:QDB8XQqDXf+D9FG1dp9m5fb37zsf+ye
Score: 10/10

Signatures

- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon payload
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger