Analysis
-
max time kernel
151s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
13-10-2023 14:40
General
-
Target
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\deinSg_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BdEBCaadaA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC01di9Od1Z2K3dPTFkraWRTcjg2aExxeW9vMFFtYU9IeUdFT2d1bmFGRTUyWUxicHhYbXd4QnljOWRPY2dXNU1KRjJmMDRTaVhWekZKU3c4SnFuWHExekloY2RUbkpud0R1OURhblJrd0dLbG8vTnA3TUsxZUVFb2lPalZlT1pxVm1Pd0tGT0NzZUpVcVh5NUtVOS9iOFFBazFsU2RBcmxOTk95VU1EczZ6dWliN3dzeHNQUU11Z0NDN0I2bXhyRDh3ZTRrcm5UTXNCY3ZLOTA2Z3JWNFNhSng4Wk9HaENQK2VxQ05XRll5dHlUaWwzMjRqUlJCd2xKdXBMM29udWs4a2k3Z1NoM3E1allJbHV2TU1HSzdsZ2N5MTBSeTZSU1NUeHluUzBMVWNTdERKdXUyYm1hK3o1dWRXS043UjhpeTNkMk12SUxLMjBVQmV5MzR3eG9tQTczcHBjSnRuaXdnS1FnOVIwdlRzZ0EvQklIUzZGazh2VXBCTFNEUDZudFR4bXIwQWxDUXFhM29KTU1zbGZYTFFjZk5qaUlUcWtaZ09jcHhCVGo0SHhwN0dKNzhxM2VnUTRxbDVRK1krMnBMUVBKd3Bua3pCd3ZmdG9MQ2tBWEVYc2dydEdHZ0JHZFU0aFk1Y2p1N0N0NURsV3JyNy9mdk5TeEorSmUrSE81bC9sZlBEN1BPbTdMODRJWGVNdXRweVhsNXlJZk9LQ3phczZuZXdtSkhGVGpxbFhnRCt4RFJRdTFmenF6QWVWNGoyaEtHMUxKZzJBazR6RVBsNWJnSHlmeHp1T0E5L1JlRU9hUWEzMEd5RFdrR1JzNCswSkdkd2lRSTdyQk1OdFVrSnZJK2Z6TVB5OUZtRzVjaUduT0xsSGxnWmlERVlUTXVPekoranVsNEZpZ0hobDJTZ29QTUFwa1pzR3czUHl6cndZMy9qYVlYWnNxRWc2Z2d1bzAxL0hsTk0wbHo1WGxFTjFOazRVMjQxN01UbzVCWW1zNE5vK3dqVjU1bG1ZSUExcDVIWjZoUWNqaUl1d3hKUGZWdUhmYTZsUVFBcHVScGFMVE9ZaC84Z1cwRk9LTHJpd29iSllhclN5SWloampXd2hpZnlXNTMvMjZlNGhiaE9zYWxrRVkwbG9vVXVvU2dId05KaXdEemx2cVBVUUFPR0Rzd3dOTUs3NjBTVVV2bG1QbHNWZEpJaXF3d2dnRWhDYzM3TFFGb3JwYkdjdjZETnpVOThjZzVIYkxnNkoxMWFTZDREQ1FmaGhrYUo1SmlQaEswUGN5Y3M1OVAwQ1dxck5kYlIxcFcvTjFBOThXMXNFTEprbFJ6ZHFwYjRia3U0cjJkV0xsZTQxS2wzUEUxMFNsQ1pNeDZUUEhsd0thTWhnTytFdE15Z0hlOFEvRThFRzJkNFhjVjh0VEtxdjBQMHNSWHRNcmVZSS9uaHNNN2RrRFdlbE5kL1V5aVNqWkx5QWMxZlRybG15ZmJvbTY0aHBaamRVQzk3c3pBenlLUVpQcmtIcnVjcC9nN1BlVUpNZmdSTHN3MTVjZHpPWVhBZ3ZVT3FCN0hFM285SkJqcUROSC9VMEtLSTRzU1JpSVpTRmdDd0NlckxmQnpsZWFUNGJBSnkvalVyUHg1MG1iT2xSL21Db25ab1k0SGtHVkpDNzlNUS9Gbk9wNVVKd0VCemtPN01vMDFIZ3hCUVZvUUczVWZEdjM2SWJDbWpmaW5jN3lsczlCN3RqaHoyQjk3RUVmUUt6bENsNjl3cC9oQ1FkcDV1Z2NYS2lYQmZtZnpmUWhQVUJsT3JibGg3QjBiaUFsUDFJbTM3RTcwTFBxNkRWR1BEMjZZdldxNnR2SXk0Q1Q1WERTanVEZ1NMUk5CeXk5RGtjZXlmN01kOEtQZXRNajc1bFU5WjA4c0pwWDRFekswSXVvb0FncVM5WG1qbXoyY0htb2Q4ZFU4SHdIeCt3d0JpRE5QVWtQdjR2RFR1VDFjSytVSE9takdqVzV4WVVkdUprcVVTaWxEZU04blJJbGJJM1l6bjZKR1Y4T3BsQS9PRk05eXBiZVFmY2pRV0hwSDdQTHFLWmxqRzAyd2VKU2FsNkFVVGdsTkRmVnRnS1luT2pkOVNZT25FeDR6SmxpQWlRYnVqSFFEaU9zTE5GOEdoQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
C02NSmMpRauiqwjcjW9zZw5rlCcA2Ck
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\deinSg_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BdEBCaadaA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC01di9Od1Z2K3dPTFkraWRTcjg2aExxeW9vMFFtYU9IeUdFT2d1bmFGRTUyWUxicHhYbXd4QnljOWRPY2dXNU1KRjJmMDRTaVhWekZKU3c4SnFuWHExekloY2RUbkpud0R1OURhblJrd0dLbG8vTnA3TUsxZUVFb2lPalZlT1pxVm1Pd0tGT0NzZUpVcVh5NUtVOS9iOFFBazFsU2RBcmxOTk95VU1EczZ6dWliN3dzeHNQUU11Z0NDN0I2bXhyRDh3ZTRrcm5UTXNCY3ZLOTA2Z3JWNFNhSng4Wk9HaENQK2VxQ05XRll5dHlUaWwzMjRqUlJCd2xKdXBMM29udWs4a2k3Z1NoM3E1allJbHV2TU1HSzdsZ2N5MTBSeTZSU1NUeHluUzBMVWNTdERKdXUyYm1hK3o1dWRXS043UjhpeTNkMk12SUxLMjBVQmV5MzR3eG9tQTczcHBjSnRuaXdnS1FnOVIwdlRzZ0EvQklIUzZGazh2VXBCTFNEUDZudFR4bXIwQWxDUXFhM29KTU1zbGZYTFFjZk5qaUlUcWtaZ09jcHhCVGo0SHhwN0dKNzhxM2VnUTRxbDVRK1krMnBMUVBKd3Bua3pCd3ZmdG9MQ2tBWEVYc2dydEdHZ0JHZFU0aFk1Y2p1N0N0NURsV3JyNy9mdk5TeEorSmUrSE81bC9sZlBEN1BPbTdMODRJWGVNdXRweVhsNXlJZk9LQ3phczZuZXdtSkhGVGpxbFhnRCt4RFJRdTFmenF6QWVWNGoyaEtHMUxKZzJBazR6RVBsNWJnSHlmeHp1T0E5L1JlRU9hUWEzMEd5RFdrR1JzNCswSkdkd2lRSTdyQk1OdFVrSnZJK2Z6TVB5OUZtRzVjaUduT0xsSGxnWmlERVlUTXVPekoranVsNEZpZ0hobDJTZ29QTUFwa1pzR3czUHl6cndZMy9qYVlYWnNxRWc2Z2d1bzAxL0hsTk0wbHo1WGxFTjFOazRVMjQxN01UbzVCWW1zNE5vK3dqVjU1bG1ZSUExcDVIWjZoUWNqaUl1d3hKUGZWdUhmYTZsUVFBcHVScGFMVE9ZaC84Z1cwRk9LTHJpd29iSllhclN5SWloampXd2hpZnlXNTMvMjZlNGhiaE9zYWxrRVkwbG9vVXVvU2dId05KaXdEemx2cVBVUUFPR0Rzd3dOTUs3NjBTVVV2bG1QbHNWZEpJaXF3d2dnRWhDYzM3TFFGb3JwYkdjdjZETnpVOThjZzVIYkxnNkoxMWFTZDREQ1FmaGhrYUo1SmlQaEswUGN5Y3M1OVAwQ1dxck5kYlIxcFcvTjFBOThXMXNFTEprbFJ6ZHFwYjRia3U0cjJkV0xsZTQxS2wzUEUxMFNsQ1pNeDZUUEhsd0thTWhnTytFdE15Z0hlOFEvRThFRzJkNFhjVjh0VEtxdjBQMHNSWHRNcmVZSS9uaHNNN2RrRFdlbE5kL1V5aVNqWkx5QWMxZlRybG15ZmJvbTY0aHBaamRVQzk3c3pBenlLUVpQcmtIcnVjcC9nN1BlVUpNZmdSTHN3MTVjZHpPWVhBZ3ZVT3FCN0hFM285SkJqcUROSC9VMEtLSTRzU1JpSVpTRmdDd0NlckxmQnpsZWFUNGJBSnkvalVyUHg1MG1iT2xSL21Db25ab1k0SGtHVkpDNzlNUS9Gbk9wNVVKd0VCemtPN01vMDFIZ3hCUVZvUUczVWZEdjM2SWJDbWpmaW5jN3lsczlCN3RqaHoyQjk3RUVmUUt6bENsNjl3cC9oQ1FkcDV1Z2NYS2lYQmZtZnpmUWhQVUJsT3JibGg3QjBiaUFsUDFJbTM3RTcwTFBxNkRWR1BEMjZZdldxNnR2SXk0Q1Q1WERTanVEZ1NMUk5CeXk5RGtjZXlmN01kOEtQZXRNajc1bFU5WjA4c0pwWDRFekswSXVvb0FncVM5WG1qbXoyY0htb2Q4ZFU4SHdIeCt3d0JpRE5QVWtQdjR2RFR1VDFjSytVSE9takdqVzV4WVVkdUprcVVTaWxEZU04blJJbGJJM1l6bjZKR1Y4T3BsQS9PRk05eXBiZVFmY2pRV0hwSDdQTHFLWmxqRzAyd2VKU2FsNkFVVGdsTkRmVnRnS1luT2pkOVNZT25FeDR6SmxpQWlRYnVqSFFEaU9zTE5GOEdoQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
Y9
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Downloads\deinSg_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BdEBCaadaA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC01di9Od1Z2K3dPTFkraWRTcjg2aExxeW9vMFFtYU9IeUdFT2d1bmFGRTUyWUxicHhYbXd4QnljOWRPY2dXNU1KRjJmMDRTaVhWekZKU3c4SnFuWHExekloY2RUbkpud0R1OURhblJrd0dLbG8vTnA3TUsxZUVFb2lPalZlT1pxVm1Pd0tGT0NzZUpVcVh5NUtVOS9iOFFBazFsU2RBcmxOTk95VU1EczZ6dWliN3dzeHNQUU11Z0NDN0I2bXhyRDh3ZTRrcm5UTXNCY3ZLOTA2Z3JWNFNhSng4Wk9HaENQK2VxQ05XRll5dHlUaWwzMjRqUlJCd2xKdXBMM29udWs4a2k3Z1NoM3E1allJbHV2TU1HSzdsZ2N5MTBSeTZSU1NUeHluUzBMVWNTdERKdXUyYm1hK3o1dWRXS043UjhpeTNkMk12SUxLMjBVQmV5MzR3eG9tQTczcHBjSnRuaXdnS1FnOVIwdlRzZ0EvQklIUzZGazh2VXBCTFNEUDZudFR4bXIwQWxDUXFhM29KTU1zbGZYTFFjZk5qaUlUcWtaZ09jcHhCVGo0SHhwN0dKNzhxM2VnUTRxbDVRK1krMnBMUVBKd3Bua3pCd3ZmdG9MQ2tBWEVYc2dydEdHZ0JHZFU0aFk1Y2p1N0N0NURsV3JyNy9mdk5TeEorSmUrSE81bC9sZlBEN1BPbTdMODRJWGVNdXRweVhsNXlJZk9LQ3phczZuZXdtSkhGVGpxbFhnRCt4RFJRdTFmenF6QWVWNGoyaEtHMUxKZzJBazR6RVBsNWJnSHlmeHp1T0E5L1JlRU9hUWEzMEd5RFdrR1JzNCswSkdkd2lRSTdyQk1OdFVrSnZJK2Z6TVB5OUZtRzVjaUduT0xsSGxnWmlERVlUTXVPekoranVsNEZpZ0hobDJTZ29QTUFwa1pzR3czUHl6cndZMy9qYVlYWnNxRWc2Z2d1bzAxL0hsTk0wbHo1WGxFTjFOazRVMjQxN01UbzVCWW1zNE5vK3dqVjU1bG1ZSUExcDVIWjZoUWNqaUl1d3hKUGZWdUhmYTZsUVFBcHVScGFMVE9ZaC84Z1cwRk9LTHJpd29iSllhclN5SWloampXd2hpZnlXNTMvMjZlNGhiaE9zYWxrRVkwbG9vVXVvU2dId05KaXdEemx2cVBVUUFPR0Rzd3dOTUs3NjBTVVV2bG1QbHNWZEpJaXF3d2dnRWhDYzM3TFFGb3JwYkdjdjZETnpVOThjZzVIYkxnNkoxMWFTZDREQ1FmaGhrYUo1SmlQaEswUGN5Y3M1OVAwQ1dxck5kYlIxcFcvTjFBOThXMXNFTEprbFJ6ZHFwYjRia3U0cjJkV0xsZTQxS2wzUEUxMFNsQ1pNeDZUUEhsd0thTWhnTytFdE15Z0hlOFEvRThFRzJkNFhjVjh0VEtxdjBQMHNSWHRNcmVZSS9uaHNNN2RrRFdlbE5kL1V5aVNqWkx5QWMxZlRybG15ZmJvbTY0aHBaamRVQzk3c3pBenlLUVpQcmtIcnVjcC9nN1BlVUpNZmdSTHN3MTVjZHpPWVhBZ3ZVT3FCN0hFM285SkJqcUROSC9VMEtLSTRzU1JpSVpTRmdDd0NlckxmQnpsZWFUNGJBSnkvalVyUHg1MG1iT2xSL21Db25ab1k0SGtHVkpDNzlNUS9Gbk9wNVVKd0VCemtPN01vMDFIZ3hCUVZvUUczVWZEdjM2SWJDbWpmaW5jN3lsczlCN3RqaHoyQjk3RUVmUUt6bENsNjl3cC9oQ1FkcDV1Z2NYS2lYQmZtZnpmUWhQVUJsT3JibGg3QjBiaUFsUDFJbTM3RTcwTFBxNkRWR1BEMjZZdldxNnR2SXk0Q1Q1WERTanVEZ1NMUk5CeXk5RGtjZXlmN01kOEtQZXRNajc1bFU5WjA4c0pwWDRFekswSXVvb0FncVM5WG1qbXoyY0htb2Q4ZFU4SHdIeCt3d0JpRE5QVWtQdjR2RFR1VDFjSytVSE9takdqVzV4WVVkdUprcVVTaWxEZU04blJJbGJJM1l6bjZKR1Y4T3BsQS9PRk05eXBiZVFmY2pRV0hwSDdQTHFLWmxqRzAyd2VKU2FsNkFVVGdsTkRmVnRnS1luT2pkOVNZT25FeDR6SmxpQWlRYnVqSFFEaU9zTE5GOEdoQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
Plla8
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Pictures\deinSg_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BdEBCaadaA
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MjY2NC01di9Od1Z2K3dPTFkraWRTcjg2aExxeW9vMFFtYU9IeUdFT2d1bmFGRTUyWUxicHhYbXd4QnljOWRPY2dXNU1KRjJmMDRTaVhWekZKU3c4SnFuWHExekloY2RUbkpud0R1OURhblJrd0dLbG8vTnA3TUsxZUVFb2lPalZlT1pxVm1Pd0tGT0NzZUpVcVh5NUtVOS9iOFFBazFsU2RBcmxOTk95VU1EczZ6dWliN3dzeHNQUU11Z0NDN0I2bXhyRDh3ZTRrcm5UTXNCY3ZLOTA2Z3JWNFNhSng4Wk9HaENQK2VxQ05XRll5dHlUaWwzMjRqUlJCd2xKdXBMM29udWs4a2k3Z1NoM3E1allJbHV2TU1HSzdsZ2N5MTBSeTZSU1NUeHluUzBMVWNTdERKdXUyYm1hK3o1dWRXS043UjhpeTNkMk12SUxLMjBVQmV5MzR3eG9tQTczcHBjSnRuaXdnS1FnOVIwdlRzZ0EvQklIUzZGazh2VXBCTFNEUDZudFR4bXIwQWxDUXFhM29KTU1zbGZYTFFjZk5qaUlUcWtaZ09jcHhCVGo0SHhwN0dKNzhxM2VnUTRxbDVRK1krMnBMUVBKd3Bua3pCd3ZmdG9MQ2tBWEVYc2dydEdHZ0JHZFU0aFk1Y2p1N0N0NURsV3JyNy9mdk5TeEorSmUrSE81bC9sZlBEN1BPbTdMODRJWGVNdXRweVhsNXlJZk9LQ3phczZuZXdtSkhGVGpxbFhnRCt4RFJRdTFmenF6QWVWNGoyaEtHMUxKZzJBazR6RVBsNWJnSHlmeHp1T0E5L1JlRU9hUWEzMEd5RFdrR1JzNCswSkdkd2lRSTdyQk1OdFVrSnZJK2Z6TVB5OUZtRzVjaUduT0xsSGxnWmlERVlUTXVPekoranVsNEZpZ0hobDJTZ29QTUFwa1pzR3czUHl6cndZMy9qYVlYWnNxRWc2Z2d1bzAxL0hsTk0wbHo1WGxFTjFOazRVMjQxN01UbzVCWW1zNE5vK3dqVjU1bG1ZSUExcDVIWjZoUWNqaUl1d3hKUGZWdUhmYTZsUVFBcHVScGFMVE9ZaC84Z1cwRk9LTHJpd29iSllhclN5SWloampXd2hpZnlXNTMvMjZlNGhiaE9zYWxrRVkwbG9vVXVvU2dId05KaXdEemx2cVBVUUFPR0Rzd3dOTUs3NjBTVVV2bG1QbHNWZEpJaXF3d2dnRWhDYzM3TFFGb3JwYkdjdjZETnpVOThjZzVIYkxnNkoxMWFTZDREQ1FmaGhrYUo1SmlQaEswUGN5Y3M1OVAwQ1dxck5kYlIxcFcvTjFBOThXMXNFTEprbFJ6ZHFwYjRia3U0cjJkV0xsZTQxS2wzUEUxMFNsQ1pNeDZUUEhsd0thTWhnTytFdE15Z0hlOFEvRThFRzJkNFhjVjh0VEtxdjBQMHNSWHRNcmVZSS9uaHNNN2RrRFdlbE5kL1V5aVNqWkx5QWMxZlRybG15ZmJvbTY0aHBaamRVQzk3c3pBenlLUVpQcmtIcnVjcC9nN1BlVUpNZmdSTHN3MTVjZHpPWVhBZ3ZVT3FCN0hFM285SkJqcUROSC9VMEtLSTRzU1JpSVpTRmdDd0NlckxmQnpsZWFUNGJBSnkvalVyUHg1MG1iT2xSL21Db25ab1k0SGtHVkpDNzlNUS9Gbk9wNVVKd0VCemtPN01vMDFIZ3hCUVZvUUczVWZEdjM2SWJDbWpmaW5jN3lsczlCN3RqaHoyQjk3RUVmUUt6bENsNjl3cC9oQ1FkcDV1Z2NYS2lYQmZtZnpmUWhQVUJsT3JibGg3QjBiaUFsUDFJbTM3RTcwTFBxNkRWR1BEMjZZdldxNnR2SXk0Q1Q1WERTanVEZ1NMUk5CeXk5RGtjZXlmN01kOEtQZXRNajc1bFU5WjA4c0pwWDRFekswSXVvb0FncVM5WG1qbXoyY0htb2Q4ZFU4SHdIeCt3d0JpRE5QVWtQdjR2RFR1VDFjSytVSE9takdqVzV4WVVkdUprcVVTaWxEZU04blJJbGJJM1l6bjZKR1Y4T3BsQS9PRk05eXBiZVFmY2pRV0hwSDdQTHFLWmxqRzAyd2VKU2FsNkFVVGdsTkRmVnRnS1luT2pkOVNZT25FeDR6SmxpQWlRYnVqSFFEaU9zTE5GOEdoQT09
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
ltMwxNEjw
URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 2 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (208) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D378771F-D78E-4CB9-B880-679F958D54CF} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
775KB
MD50b486fe0503524cfe4726a4022fa6a68
SHA1297dea71d489768ce45d23b0f8a45424b469ab00
SHA2561228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
Filesize
775KB
MD50b486fe0503524cfe4726a4022fa6a68
SHA1297dea71d489768ce45d23b0f8a45424b469ab00
SHA2561228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
Filesize
3KB
MD5b5e76f3c51122fb72a76762bffdecd67
SHA16e8c793e22b4317f914010fd1916c66c36549ef3
SHA256653d403e31918f845cc140843e7e4681f1ff0094b2576fdb0fe762c9edb80802
SHA5129166619da32e3e1082d22d04620790add3e7099dadc3fd51055c0efa932c6aec7f64ed48c6162688177eadd25b3c1100bd4b48f54ed5c4f97a74ac3d78d258f9
-
Filesize
3KB
MD5761cdb88f865c274bb925310ef18fae2
SHA152c09b8caba1b4cd3e00afba59ea230bc9c8a0b2
SHA25671c840bd66727abe428c2ff4871c1f466333e97bd81330c06d2f47a5df4cb05f
SHA512af517fa05e57ecde0eb69bf9cbf0d47d0a3883ab44e219481e68ee6ea0de190919e7741bb117c14c829174684710090f03095e098a7789866427b37e533d7d7c
-
Filesize
3KB
MD53ad82abae69da298952f3a3b55359ec8
SHA1f7604252bad212ec6c2d7a21dff34a9ea770b871
SHA256269c919739cd346dbf2ddc45f56a41537012c9cd82fe1857729fb5996b4deca1
SHA512e850e44fcb40442fc3fa1df2b579a55745361be07869305c5fac9f02b3e0d8e4ab929e11b596671b8eb33107b3fcc500baa8c1f072bcb0ea847a8b1ff32ef350
-
Filesize
3KB
MD5432e9dc47962c07f976983f892238f8f
SHA19d8e1fb9551b7ce55a990aa81dd6f775904ea3d3
SHA256589dcb6b18ad9a4659e9a56660f52b77fa1fa6e4a70844997f3c9ee7828eb722
SHA51224d1360f79bf54780ae26d1c1cde3a5466b5aed09b43d6c92d73fdb2735c6598593cb23b9cfec54300e13b38ef4506c1db2c4a5e610d4b0bb6a5ea85f72a3e73