Overview

overview

10

Static

static

10

ab.exe

windows7-x64

10

ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2023, 22:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab.exe

  • Size

    775KB

  • MD5

    0b486fe0503524cfe4726a4022fa6a68

  • SHA1

    297dea71d489768ce45d23b0f8a45424b469ab00

  • SHA256

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

  • SHA512

    f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

  • SSDEEP

    24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\0vN0x_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .eaaDBadAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ZblUraVpWZHQ3UFVtUFlNQUNBV1BTcFpLM1d3L0tMdUNOYUhOd1ZWdjJodDl2bGxiaml0MjAvbnpKdk9kNi9PMWtSS0Yra3ZGSkJSNmVraDEvcGE5YTZqTVRGQTNnbzZjdStCY1hHNXFzWUVzL1hlS2ZZTmM4M2V6aU5YcWtGNnFEMHJ6STR1Y3c4a2VzUSt2WDIrODZUMENoeFlxbXcxTkFQUzVzelRvbHQybGFKU3IwWXhpS25na1F4UUN5R2U1S0NZYm0rZlc0eEZPZDkzZ1ZsMkc1STd0TDZVb3NyYmdXZGJEQ1JOcUlPOWJoOHZ5Q0l0Wnk2T1FiY2E4a1BGdEh4cmRnaitLeCt2MXh3cE9SQkFDVnQxb1U1Qm9nR0dxQkordHl4cFdrTy8zaDhmUTluK2dTZ0swbHJjUWxwYXdHb3BXbGtSNzZZcG52SXZsWWEwNmtxemdwUW04S0IzQVorWEdBSTJJZ3VKZHRIb0ltdHhaQU5FY0hmWFFyTXJEMVRwSkFPNHp0TVQwazE4SlNTek14bHJhNjkvditlM2FHYkdFUHk5eitwTUEycEt0UFhlSkFvNTRvZk82TlM2QmF3SFpad3ByUGlVQlhWWUtiQ013ZFVGN1ZIYlpuU2NDTmZXR3BiSStncmx3b3VHSnRFYkUrVHVKZFhyZHl1UXVic0JLRXF0dzA2SXZxU3E4NEZpanYvOE5OWmFZU1hYNjIvbXdSbm15M2xRWktPUzZzbk40QVZjN0dJM0FZYndYbml5dEJJRkhnOFFjbnV2ODU4UnNvb0k0T0xIS29FTjZtOHhzRkpjZkFkSmVoOEhzaExLVnJ2UXVCL3hibG93eTNTMnVpYW5RQnB1eks1aHpWa1h5MU5kUytHQ2ozUlhlQ0MyOUVPZUpPMDZtVm5RbmhxYStDSjdsZm1td3VKbkF0bmtJVTB0alJDZVhwdWtWYWFhdzFDR2xadW8yZVZiN1hQV2NMZGovU1BLMURoMFJTMkp1L0tYYlZuZ3lMS1FObmFwcGkySXJnb2JuSWZaS2x2K1RLNHJ6V2VHamxLWndFQnlvT1ZpOFBJZG1rbEtYV1VuOGpzYW9ZQml5ZzczUVRVQzYxc2RNTFlnNk5yNUFGaGY4cmFNUUordmVNVFhhUXR1N2ZzMDdFOXgzbFZXVkxzTFIrTHU0cU1XeHZEM2swU3JOS3p1bGdZVzQxRmR1MmZVUHpESzBJMWwzZHVLRVNvTWdNRWRWVjlZMUVmZlRBMlFYQnJ0d0ZtMkJtd2ExKzZpQlNLc1RjZ2pCOWxldnlBN2U2ZXAra09vZmRjQXdLaWZ1WXhqZGgrUFMySzRTYjYwbDlhQjVaZStjS3A4UW1CM2VjUEg4TUNGakc3WTJ2Q0dXWXpFcnRxTUI0L1hncjFpd2I4WmFCd0NWZDhaeGpYWE5JU1g1SmdQUUNxVzZlU2ZkZWc2elZkVGx5NWswMlAyR0VVMHdtMkRsajFXcWtBYmNhdmNtMFgvdE5xRzdnQ0p1blJueENYSGFHZ1I1a2RmMWFmNmZvd09yVXJvdThCTm8rWkcvdXFlT0hzbmZ3UUFzY1NCYUVwQnNpaHBCL2d0ZGRkSDZiMURiTUd2UTk2VmNqaDBKYVlWU1ZqWkU4THR6ZjNmcVFrazluWGxGd3FGRzRWcFFOc3NMZ2NiM3ZjWEQzYjBLa2lwOVdOb21VQmRNU3BGYzB2eDI3bEdPYmdXRzB6ZkhUTytWb0ZaMzlYcFhDeC8wWTRXc2FheXI3c1IxbjJSRXFjYy8vMEErN0lsdUNkSWtjSG01NVlPQUF0QkZWSTFkeUM3WFAzaEVFZVJoUkZzcEN3cFFTMHNxTk8zbWV5R2Y0SWZpOXNEcWo4bGJINzBhZ0pESStRL2E4NjdhY2hvOWJieUhuV2ZOeDlrc3Ara2dLMjRMZmxRazNiZW5kalV6bGxNUS9TaWE0ekN0YS8xUXlqTEM3SVFPWHgxYzFvUGcydU44TVhRZndoOUJzTlNCdnluVlQzUG82ZndXcDNOV0c3OEE4eFlOMmlBb1EzR2hIekJPbEJPbDFjZFRPWmdxR2ozRUhmRFBVbEo3TjBHS0NzSktYZEQ0THJ0VEhnZTc4ZnNQMXY1SXJldjZjRyt2c2hnN2xXSTZGNjhYZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 9
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\0vN0x_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .eaaDBadAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ZblUraVpWZHQ3UFVtUFlNQUNBV1BTcFpLM1d3L0tMdUNOYUhOd1ZWdjJodDl2bGxiaml0MjAvbnpKdk9kNi9PMWtSS0Yra3ZGSkJSNmVraDEvcGE5YTZqTVRGQTNnbzZjdStCY1hHNXFzWUVzL1hlS2ZZTmM4M2V6aU5YcWtGNnFEMHJ6STR1Y3c4a2VzUSt2WDIrODZUMENoeFlxbXcxTkFQUzVzelRvbHQybGFKU3IwWXhpS25na1F4UUN5R2U1S0NZYm0rZlc0eEZPZDkzZ1ZsMkc1STd0TDZVb3NyYmdXZGJEQ1JOcUlPOWJoOHZ5Q0l0Wnk2T1FiY2E4a1BGdEh4cmRnaitLeCt2MXh3cE9SQkFDVnQxb1U1Qm9nR0dxQkordHl4cFdrTy8zaDhmUTluK2dTZ0swbHJjUWxwYXdHb3BXbGtSNzZZcG52SXZsWWEwNmtxemdwUW04S0IzQVorWEdBSTJJZ3VKZHRIb0ltdHhaQU5FY0hmWFFyTXJEMVRwSkFPNHp0TVQwazE4SlNTek14bHJhNjkvditlM2FHYkdFUHk5eitwTUEycEt0UFhlSkFvNTRvZk82TlM2QmF3SFpad3ByUGlVQlhWWUtiQ013ZFVGN1ZIYlpuU2NDTmZXR3BiSStncmx3b3VHSnRFYkUrVHVKZFhyZHl1UXVic0JLRXF0dzA2SXZxU3E4NEZpanYvOE5OWmFZU1hYNjIvbXdSbm15M2xRWktPUzZzbk40QVZjN0dJM0FZYndYbml5dEJJRkhnOFFjbnV2ODU4UnNvb0k0T0xIS29FTjZtOHhzRkpjZkFkSmVoOEhzaExLVnJ2UXVCL3hibG93eTNTMnVpYW5RQnB1eks1aHpWa1h5MU5kUytHQ2ozUlhlQ0MyOUVPZUpPMDZtVm5RbmhxYStDSjdsZm1td3VKbkF0bmtJVTB0alJDZVhwdWtWYWFhdzFDR2xadW8yZVZiN1hQV2NMZGovU1BLMURoMFJTMkp1L0tYYlZuZ3lMS1FObmFwcGkySXJnb2JuSWZaS2x2K1RLNHJ6V2VHamxLWndFQnlvT1ZpOFBJZG1rbEtYV1VuOGpzYW9ZQml5ZzczUVRVQzYxc2RNTFlnNk5yNUFGaGY4cmFNUUordmVNVFhhUXR1N2ZzMDdFOXgzbFZXVkxzTFIrTHU0cU1XeHZEM2swU3JOS3p1bGdZVzQxRmR1MmZVUHpESzBJMWwzZHVLRVNvTWdNRWRWVjlZMUVmZlRBMlFYQnJ0d0ZtMkJtd2ExKzZpQlNLc1RjZ2pCOWxldnlBN2U2ZXAra09vZmRjQXdLaWZ1WXhqZGgrUFMySzRTYjYwbDlhQjVaZStjS3A4UW1CM2VjUEg4TUNGakc3WTJ2Q0dXWXpFcnRxTUI0L1hncjFpd2I4WmFCd0NWZDhaeGpYWE5JU1g1SmdQUUNxVzZlU2ZkZWc2elZkVGx5NWswMlAyR0VVMHdtMkRsajFXcWtBYmNhdmNtMFgvdE5xRzdnQ0p1blJueENYSGFHZ1I1a2RmMWFmNmZvd09yVXJvdThCTm8rWkcvdXFlT0hzbmZ3UUFzY1NCYUVwQnNpaHBCL2d0ZGRkSDZiMURiTUd2UTk2VmNqaDBKYVlWU1ZqWkU4THR6ZjNmcVFrazluWGxGd3FGRzRWcFFOc3NMZ2NiM3ZjWEQzYjBLa2lwOVdOb21VQmRNU3BGYzB2eDI3bEdPYmdXRzB6ZkhUTytWb0ZaMzlYcFhDeC8wWTRXc2FheXI3c1IxbjJSRXFjYy8vMEErN0lsdUNkSWtjSG01NVlPQUF0QkZWSTFkeUM3WFAzaEVFZVJoUkZzcEN3cFFTMHNxTk8zbWV5R2Y0SWZpOXNEcWo4bGJINzBhZ0pESStRL2E4NjdhY2hvOWJieUhuV2ZOeDlrc3Ara2dLMjRMZmxRazNiZW5kalV6bGxNUS9TaWE0ekN0YS8xUXlqTEM3SVFPWHgxYzFvUGcydU44TVhRZndoOUJzTlNCdnluVlQzUG82ZndXcDNOV0c3OEE4eFlOMmlBb1EzR2hIekJPbEJPbDFjZFRPWmdxR2ozRUhmRFBVbEo3TjBHS0NzSktYZEQ0THJ0VEhnZTc4ZnNQMXY1SXJldjZjRyt2c2hnN2xXSTZGNjhYZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * zmcW
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\0vN0x_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .eaaDBadAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ZblUraVpWZHQ3UFVtUFlNQUNBV1BTcFpLM1d3L0tMdUNOYUhOd1ZWdjJodDl2bGxiaml0MjAvbnpKdk9kNi9PMWtSS0Yra3ZGSkJSNmVraDEvcGE5YTZqTVRGQTNnbzZjdStCY1hHNXFzWUVzL1hlS2ZZTmM4M2V6aU5YcWtGNnFEMHJ6STR1Y3c4a2VzUSt2WDIrODZUMENoeFlxbXcxTkFQUzVzelRvbHQybGFKU3IwWXhpS25na1F4UUN5R2U1S0NZYm0rZlc0eEZPZDkzZ1ZsMkc1STd0TDZVb3NyYmdXZGJEQ1JOcUlPOWJoOHZ5Q0l0Wnk2T1FiY2E4a1BGdEh4cmRnaitLeCt2MXh3cE9SQkFDVnQxb1U1Qm9nR0dxQkordHl4cFdrTy8zaDhmUTluK2dTZ0swbHJjUWxwYXdHb3BXbGtSNzZZcG52SXZsWWEwNmtxemdwUW04S0IzQVorWEdBSTJJZ3VKZHRIb0ltdHhaQU5FY0hmWFFyTXJEMVRwSkFPNHp0TVQwazE4SlNTek14bHJhNjkvditlM2FHYkdFUHk5eitwTUEycEt0UFhlSkFvNTRvZk82TlM2QmF3SFpad3ByUGlVQlhWWUtiQ013ZFVGN1ZIYlpuU2NDTmZXR3BiSStncmx3b3VHSnRFYkUrVHVKZFhyZHl1UXVic0JLRXF0dzA2SXZxU3E4NEZpanYvOE5OWmFZU1hYNjIvbXdSbm15M2xRWktPUzZzbk40QVZjN0dJM0FZYndYbml5dEJJRkhnOFFjbnV2ODU4UnNvb0k0T0xIS29FTjZtOHhzRkpjZkFkSmVoOEhzaExLVnJ2UXVCL3hibG93eTNTMnVpYW5RQnB1eks1aHpWa1h5MU5kUytHQ2ozUlhlQ0MyOUVPZUpPMDZtVm5RbmhxYStDSjdsZm1td3VKbkF0bmtJVTB0alJDZVhwdWtWYWFhdzFDR2xadW8yZVZiN1hQV2NMZGovU1BLMURoMFJTMkp1L0tYYlZuZ3lMS1FObmFwcGkySXJnb2JuSWZaS2x2K1RLNHJ6V2VHamxLWndFQnlvT1ZpOFBJZG1rbEtYV1VuOGpzYW9ZQml5ZzczUVRVQzYxc2RNTFlnNk5yNUFGaGY4cmFNUUordmVNVFhhUXR1N2ZzMDdFOXgzbFZXVkxzTFIrTHU0cU1XeHZEM2swU3JOS3p1bGdZVzQxRmR1MmZVUHpESzBJMWwzZHVLRVNvTWdNRWRWVjlZMUVmZlRBMlFYQnJ0d0ZtMkJtd2ExKzZpQlNLc1RjZ2pCOWxldnlBN2U2ZXAra09vZmRjQXdLaWZ1WXhqZGgrUFMySzRTYjYwbDlhQjVaZStjS3A4UW1CM2VjUEg4TUNGakc3WTJ2Q0dXWXpFcnRxTUI0L1hncjFpd2I4WmFCd0NWZDhaeGpYWE5JU1g1SmdQUUNxVzZlU2ZkZWc2elZkVGx5NWswMlAyR0VVMHdtMkRsajFXcWtBYmNhdmNtMFgvdE5xRzdnQ0p1blJueENYSGFHZ1I1a2RmMWFmNmZvd09yVXJvdThCTm8rWkcvdXFlT0hzbmZ3UUFzY1NCYUVwQnNpaHBCL2d0ZGRkSDZiMURiTUd2UTk2VmNqaDBKYVlWU1ZqWkU4THR6ZjNmcVFrazluWGxGd3FGRzRWcFFOc3NMZ2NiM3ZjWEQzYjBLa2lwOVdOb21VQmRNU3BGYzB2eDI3bEdPYmdXRzB6ZkhUTytWb0ZaMzlYcFhDeC8wWTRXc2FheXI3c1IxbjJSRXFjYy8vMEErN0lsdUNkSWtjSG01NVlPQUF0QkZWSTFkeUM3WFAzaEVFZVJoUkZzcEN3cFFTMHNxTk8zbWV5R2Y0SWZpOXNEcWo4bGJINzBhZ0pESStRL2E4NjdhY2hvOWJieUhuV2ZOeDlrc3Ara2dLMjRMZmxRazNiZW5kalV6bGxNUS9TaWE0ekN0YS8xUXlqTEM3SVFPWHgxYzFvUGcydU44TVhRZndoOUJzTlNCdnluVlQzUG82ZndXcDNOV0c3OEE4eFlOMmlBb1EzR2hIekJPbEJPbDFjZFRPWmdxR2ozRUhmRFBVbEo3TjBHS0NzSktYZEQ0THJ0VEhnZTc4ZnNQMXY1SXJldjZjRyt2c2hnN2xXSTZGNjhYZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * LOjNd4R
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\0vN0x_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .eaaDBadAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1ZblUraVpWZHQ3UFVtUFlNQUNBV1BTcFpLM1d3L0tMdUNOYUhOd1ZWdjJodDl2bGxiaml0MjAvbnpKdk9kNi9PMWtSS0Yra3ZGSkJSNmVraDEvcGE5YTZqTVRGQTNnbzZjdStCY1hHNXFzWUVzL1hlS2ZZTmM4M2V6aU5YcWtGNnFEMHJ6STR1Y3c4a2VzUSt2WDIrODZUMENoeFlxbXcxTkFQUzVzelRvbHQybGFKU3IwWXhpS25na1F4UUN5R2U1S0NZYm0rZlc0eEZPZDkzZ1ZsMkc1STd0TDZVb3NyYmdXZGJEQ1JOcUlPOWJoOHZ5Q0l0Wnk2T1FiY2E4a1BGdEh4cmRnaitLeCt2MXh3cE9SQkFDVnQxb1U1Qm9nR0dxQkordHl4cFdrTy8zaDhmUTluK2dTZ0swbHJjUWxwYXdHb3BXbGtSNzZZcG52SXZsWWEwNmtxemdwUW04S0IzQVorWEdBSTJJZ3VKZHRIb0ltdHhaQU5FY0hmWFFyTXJEMVRwSkFPNHp0TVQwazE4SlNTek14bHJhNjkvditlM2FHYkdFUHk5eitwTUEycEt0UFhlSkFvNTRvZk82TlM2QmF3SFpad3ByUGlVQlhWWUtiQ013ZFVGN1ZIYlpuU2NDTmZXR3BiSStncmx3b3VHSnRFYkUrVHVKZFhyZHl1UXVic0JLRXF0dzA2SXZxU3E4NEZpanYvOE5OWmFZU1hYNjIvbXdSbm15M2xRWktPUzZzbk40QVZjN0dJM0FZYndYbml5dEJJRkhnOFFjbnV2ODU4UnNvb0k0T0xIS29FTjZtOHhzRkpjZkFkSmVoOEhzaExLVnJ2UXVCL3hibG93eTNTMnVpYW5RQnB1eks1aHpWa1h5MU5kUytHQ2ozUlhlQ0MyOUVPZUpPMDZtVm5RbmhxYStDSjdsZm1td3VKbkF0bmtJVTB0alJDZVhwdWtWYWFhdzFDR2xadW8yZVZiN1hQV2NMZGovU1BLMURoMFJTMkp1L0tYYlZuZ3lMS1FObmFwcGkySXJnb2JuSWZaS2x2K1RLNHJ6V2VHamxLWndFQnlvT1ZpOFBJZG1rbEtYV1VuOGpzYW9ZQml5ZzczUVRVQzYxc2RNTFlnNk5yNUFGaGY4cmFNUUordmVNVFhhUXR1N2ZzMDdFOXgzbFZXVkxzTFIrTHU0cU1XeHZEM2swU3JOS3p1bGdZVzQxRmR1MmZVUHpESzBJMWwzZHVLRVNvTWdNRWRWVjlZMUVmZlRBMlFYQnJ0d0ZtMkJtd2ExKzZpQlNLc1RjZ2pCOWxldnlBN2U2ZXAra09vZmRjQXdLaWZ1WXhqZGgrUFMySzRTYjYwbDlhQjVaZStjS3A4UW1CM2VjUEg4TUNGakc3WTJ2Q0dXWXpFcnRxTUI0L1hncjFpd2I4WmFCd0NWZDhaeGpYWE5JU1g1SmdQUUNxVzZlU2ZkZWc2elZkVGx5NWswMlAyR0VVMHdtMkRsajFXcWtBYmNhdmNtMFgvdE5xRzdnQ0p1blJueENYSGFHZ1I1a2RmMWFmNmZvd09yVXJvdThCTm8rWkcvdXFlT0hzbmZ3UUFzY1NCYUVwQnNpaHBCL2d0ZGRkSDZiMURiTUd2UTk2VmNqaDBKYVlWU1ZqWkU4THR6ZjNmcVFrazluWGxGd3FGRzRWcFFOc3NMZ2NiM3ZjWEQzYjBLa2lwOVdOb21VQmRNU3BGYzB2eDI3bEdPYmdXRzB6ZkhUTytWb0ZaMzlYcFhDeC8wWTRXc2FheXI3c1IxbjJSRXFjYy8vMEErN0lsdUNkSWtjSG01NVlPQUF0QkZWSTFkeUM3WFAzaEVFZVJoUkZzcEN3cFFTMHNxTk8zbWV5R2Y0SWZpOXNEcWo4bGJINzBhZ0pESStRL2E4NjdhY2hvOWJieUhuV2ZOeDlrc3Ara2dLMjRMZmxRazNiZW5kalV6bGxNUS9TaWE0ekN0YS8xUXlqTEM3SVFPWHgxYzFvUGcydU44TVhRZndoOUJzTlNCdnluVlQzUG82ZndXcDNOV0c3OEE4eFlOMmlBb1EzR2hIekJPbEJPbDFjZFRPWmdxR2ozRUhmRFBVbEo3TjBHS0NzSktYZEQ0THJ0VEhnZTc4ZnNQMXY1SXJldjZjRyt2c2hnN2xXSTZGNjhYZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * iWKjSHER7or
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 2 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (152) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab.exe
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2904
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:3732
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:1004
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:3380
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
          1⤵
          • Executes dropped EXE
          PID:3712

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
          Filesize

          775KB

          MD5

          0b486fe0503524cfe4726a4022fa6a68

          SHA1

          297dea71d489768ce45d23b0f8a45424b469ab00

          SHA256

          1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

          SHA512

          f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
          Filesize

          775KB

          MD5

          0b486fe0503524cfe4726a4022fa6a68

          SHA1

          297dea71d489768ce45d23b0f8a45424b469ab00

          SHA256

          1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

          SHA512

          f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

          Download Submit

        • C:\Users\Admin\Desktop\0vN0x_readme_.txt
          Filesize

          3KB

          MD5

          a387b53b1249b34e042dedf19921f430

          SHA1

          0d7bc31cf4bb9e1a415387fd03cf7369b0665df1

          SHA256

          b5da5779ffa3531128ecbf796c62e09242e9b7e462e868cd58b4e865fac387ca

          SHA512

          d59d7de9a4efb55729b919f47880a4f83ca324a35fbd12eb6499494fdce55f70bedd475a77b58055d8d6adc2ff0dc36e286d9c7ce4ee6373c30975e77481ce63

          Download Submit

        • C:\Users\Admin\Documents\0vN0x_readme_.txt
          Filesize

          3KB

          MD5

          c15041c40b0fd6a67e572e807da000c5

          SHA1

          25ab3599edbc4f2a65719fefc1a631692423610a

          SHA256

          fb2aad78bc70fc5156c833fd2591a0f8b91170da874050a716fd7ce6398a2216

          SHA512

          eef63049e3fa6fcf92da1d05a80d9cadf7549544d53313a3510928660a977b898ea36df62e09dfb1ba407a0e0473f5f8ba793464a9a42a72f992e452f43df50a

          Download Submit

        • C:\Users\Admin\Downloads\0vN0x_readme_.txt
          Filesize

          3KB

          MD5

          9c684cae64bbd3bf9a7c76998f991663

          SHA1

          560d400d641b7b19cbb17d1e94c08e3d9d54b957

          SHA256

          9f525cdd328df6860aa631a5c946c507fc23969d6f2ac28c6bf1e2de8352f566

          SHA512

          d69ab25d58d94d49196e6b340ad9d1003b733e176f2aee90c90456c842df5c317934837979f951bd51fdbcbc859a29a70769b39f210a32b9558632a92e3d5bd2

          Download Submit

        • C:\Users\Admin\Pictures\0vN0x_readme_.txt
          Filesize

          3KB

          MD5

          b323dac712625ab8df370f783f0c6f58

          SHA1

          6762540021b6b3502e0925c6ab574e93925d1d0a

          SHA256

          69457ed5d634838e9aec27a88428d600380d684c82779711690632c4f5cf7a35

          SHA512

          251ede10a70ea8e3c7201dcdb05fc44a087fc6c7cfb5132ebb05cb00cb618550664ba82a7cc9cc23ef1fdda1d91b05e1c6c27c1f24f125470bebcc9a046be488

          Download Submit