Analysis

  • max time kernel: 63s
  • max time network: 18s
  • platform: windows7_x64
  • resource: win7-20230831-en
  • resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-10-2023 17:04

General

  • Target: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
  • Size: 441KB
  • MD5: b1758767d10c75d1589c16763fca6fd3
  • SHA1: 2722f21a31859ea735e908a1c705d07b139e3b12
  • SHA256: d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
  • SHA512: 93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
  • SSDEEP: 12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\eioxO_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .baDEBBcEbC

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID not preserved in this copy of the note]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

zQ9Mi
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\eioxO_readme_.txt

Family

avaddon

Ransom Note
(ransom note text identical to the first extracted note above, apart from the trailing string M2kDXq9jN)
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\eioxO_readme_.txt

Family

avaddon

Ransom Note
(ransom note text identical to the first extracted note above; this copy carries the victim ID as a long base64 blob, which is omitted here; trailing string CBrZs2w3DHv6)
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\eioxO_readme_.txt

Family

avaddon

Ransom Note
(ransom note text identical to the first extracted note above, apart from the trailing string ZnTwCFiq3tdBzaq)
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\eioxO_readme_.txt

Family

avaddon

Ransom Note
(ransom note text identical to the first extracted note above, apart from the trailing string vP4mXvVAtVLksXyi2x)
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon
    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
  • Process spawned unexpected child process (3 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • UAC bypass (3 TTPs, 2 IoCs)
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Renames multiple (183) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Interacts with shadow copies (2 TTPs, 3 IoCs)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • System policy modification (1 TTP, 3 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
    "C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe"
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2412
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      PID:1912
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID:2152
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      PID:2424
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID:308
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      PID:1432
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      • Interacts with shadow copies
      PID:792
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2540
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\eioxO_readme_.txt
    Filesize: 3KB
    MD5: 240c739a8fc1e0e6286fdd9793bcbd0b
    SHA1: 852ac1658e94d7d03f35af64d620a44c304395ab
    SHA256: 4d1d72cc104b60a14b30cb06758117949310dcf355795a1e476eb5e66c2e86c8
    SHA512: 0317ed8b3ca6834d9d74217b116ad9512d59ad25581d7191a93c1c519889d5809a2733ffe0ae4d9d977227f288ea1934543c1cae8cef0186201855d947ba1922
  • C:\Users\Admin\Documents\eioxO_readme_.txt
    Filesize: 3KB
    MD5: 4a9b4ad3984026cff2b0a94a952e251d
    SHA1: 7c3cf5b3dc7ecd037b9c8fa9a6bb2e9c23bb54e6
    SHA256: 558e5c64efd7ae0aca5b2f1d18dd072fc7a29ce128ddb933893f616d1819d8b3
    SHA512: e3ef37cf7ac801d285a1f29b005c23b279b5f358ce981d2a4cf131cd9666f83dd2d1bb802a7fbf1f74a15eff45b14e7462b0c9f174b6ec433f567df05b63ad76
  • C:\Users\Admin\Documents\eioxO_readme_.txt
    Filesize: 3KB
    MD5: 93278123e968a9162aa4ede999a6dc60
    SHA1: 99ffdc184775ab3d8bb68acaa616e4f3fce82d5c
    SHA256: 70ff21c77f709583243caa092efb11b26b9a2de446a6220b9f65be22121dca9c
    SHA512: 2ca699fe6d662c125f86f81f6b617470fc4c71a8c4997c11feb90cfa675bd697113cb94cc5eba1400f9a51833be9a62260085a41a163496fcf77079533c9c8ad
  • C:\Users\Admin\Music\eioxO_readme_.txt
    Filesize: 3KB
    MD5: 95b672ff6ff604ff48b5cf2f71e4755e
    SHA1: 4e1f273b09a8443089124cd62e262e991b6b792a
    SHA256: d1ddbbae08cd7525fd214af1c9002284a5ec1753bc6c81babdb16d5e43649a72
    SHA512: c7b7904806b2960546a831e12fa8aff6871fb0bcf329e07b0f85d0d1e6931f7e51deb83c825c6dafc2913e902f03bb061f3b8a76ef3b08089bd995482be7db09
  • C:\Users\Public\Pictures\Sample Pictures\eioxO_readme_.txt
    Filesize: 3KB
    MD5: b65dbcb8f6d7fa6b8a6ddbe1b06fb993
    SHA1: fb80bb177da4d151c5cb0a2840b769a8e0e20b78
    SHA256: c768d6e12eec3990a37832ddea5bfa44a653b715906a70028090a52c52d8dd5f
    SHA512: 1bc1c2f1684c39ecfcd08bd3341f4dcb5f39fd492bc078574b051e43789e2e771aa82091bc42deeaf66d040cc9322c58096572fd592542e8ea673599a7b0c576
  • memory/2412-0-0x0000000000400000-0x00000000005E3204-memory.dmp
    Filesize: 1.9MB