Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

48d7cd572f...75.exe

windows7-x64

10

48d7cd572f...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2023, 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

  • Size

    775KB

  • MD5

    117da2dd6fa24616f63eb43d5a15e5d3

  • SHA1

    b4d70eecdef52ceef15f04a025d1ab08f193fb97

  • SHA256

    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

  • SHA512

    de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

  • SSDEEP

    24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\87hbL_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bEcbdecee You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS1VT3NtamtuMnU4dEtoR3ZZS09qdDdTTkZocmpDSWt2MEpycWZrZE04cFNDdzRqc1BrZVJtcm5pd2Y3QVRQMDdpeFB6M0RiekRjREJvekJuMC9Fd3NXTzlUdHhXdTlaY3lkVXRTd3hoYmd1NkY0UHdiL1dkY0JUUnllUE0wME9kZ1lBR2M2RllIdXBCc3FuVnJTODNxMmovbG1LRTJpYWpqbWFvY01SRFZqd1hDeWgza0pHYXZYaDFhbXIxcEtzMEpCcmNsRnJDNVpWSUsxMlozeEV2QjlQUjVsK0YwVURvT1hEcWlYUUFYQjVqMkIvWXNINVNNaisvTWQ0Z0VIQ0VybVJERGc4YWpnZ3c0Vng4VlNGV1F0VGFPaElyeXgrM0dsZEFhOWZwNGRZd1VPcDBuaEF2V2NueE5WejJTY1FXc2pHYnBPUEdyMHdLbDBhU1VKMWhyTWdIaUZqRm9zUHNJVkZ2WW5jTVZOWGsvUHdyc0FOTFc1SWc0RHF2MlVqcHExaVIxK2xTblU5NnRvZWF2UmFUWGY5dnJlOUhyWFZZdTdRZW52ZzhMYUdXOFNsNmZTVURBRHM4WHloODl5OGRFb2NJUVlydFR3eU9Ka2dNMFpzWUJRQ1BXMkdSZnV1NDBoY1pBQ3lKWVpHMHZhSkVWQUJsREdYSHNkK3hJYlkzTWNYTEVFS0VwTnkrMkdGYnZ4NHZPek44V0tWOHE0Q0hkRS9rSklFRVlPaU4zOWFRSHIyQlAvdENXLzVHZ2JGYnRFR2lMYzlvQWQ3QlhhQThoc1hOUXg5QUZPcXo5VmJtdUdpaU1VYXAyT0JlMSsvNEk1M2p4Z1IzOHRldWFKZmY2TUk4T1c5YzNsNTVScTlBSmNlbFU1SkdVOGtGVzhOU0dBNGhZbEc0bjcvYmlEYWpYTjBFMGh4ZCt3K1ZpYnhOZHI0NEh2a2svODYrYlEzMUl5V0FGOG9iNW1qaC9UQjBnVG8zWGtEZWI0TmtrQklFR1pMQ2w1bVRlTzhmdzdBdXYycmtaSGkrN1RDMHBhK3NLM0xjazVpcWFHYjhnRnJMN3M4MkRjTXBUejlwTi9GVkpHV2hIeUlzNmZwUlREWVJoTHFoT3dadGpIL1pGY2U5WFFTTjhHMDhXUDNBQ09td2JNRlp4eGpidEx1VXExTGN5eU5Ecnk4eW90cGRoSjkxdmxGYzg4VGJzWUljL29IUHltL2VDRTlsSUUxdEJGOFNLNEVPTjVkWW92UXlDdml2STZoc2NUZ2M5N3I2djhjZ0lBQ1BtU21YRUFCZlA4Vmx6OHFyTEhad2dMRVZlSElIaUVuYlEyMFlNUWliY3ZiUlNodGo5cExKdXpCRUw3SHlmNm9JbDhCVVlxb09FakV6SjlQQ2ExQmxsYlRxTmJzb0M1L1dTSWxYUldpb3BHRG04QWF6dTJLQndBWUM1SnVySVRtSkxZUjViSlZhMUFOQXBTRnVnaUNQT2hHWEx0ek4xTDJ1NVlqS0dZeTVxOU1yT3h0Q1hyQ3Y5Q2NEUEpmUmJIS25oMlV2dDlSZDRXdDMzLzE2UVpMQ1Jncy94TXdKL0lkaDdXWFo1NnVQbFhpMkxpR3Ayb2xheHc0K1hUWkR6WjlkN1M3Yko0b2JKUFNGbGNmTzlzOTIvUFVCMmJpRk1aOXArblFIbHBQS0U5NFI5MmhXVkVkcnVyQ28wL0JVNmRLd0xzYUV4QUVQMGVCbU9kaEpGUUNuV1RjbUhrclEzMW90U2F1TFNtOEdSN3BBK2hSWmcvb1FPcFRIUE9vZnJrTFQvYUtySDI2WFhweDFITXdDTXlhU2d0SXkweUhGR1cyN0NibUFaSnBKVjZFYldQMEpPMXQ2Z0dRM0FjTjFTZDNlY2pLMjlXSkNuZ1JYbTRNcEU4TURDWWF4Q29NbHNmaEhRUVZFcGZ6ZzNiNGFSTm4yTVhsTWhpOHpZTnhmR2NETmkxTUR0OFVWakZ3K2lpcXFpMXNMU012QzBvZmZQd2dWcXptYnBnb1kyczRJYU9DZVhwbkEyNk4wZFpNS3J4QnZlbWw2RUFFTHBMTE9rZlR2cjNRS0VTZThZcFZsTzl6V1IrTjBJTnZwaEp0MUl2WWZGbVdNMDUyWWVjNjlhZ1BiVGgyck85RmRIMDhDalRIWU4xQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 4ccYgajpJLjYJBq4K0pQLl
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\87hbL_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bEcbdecee You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS1VT3NtamtuMnU4dEtoR3ZZS09qdDdTTkZocmpDSWt2MEpycWZrZE04cFNDdzRqc1BrZVJtcm5pd2Y3QVRQMDdpeFB6M0RiekRjREJvekJuMC9Fd3NXTzlUdHhXdTlaY3lkVXRTd3hoYmd1NkY0UHdiL1dkY0JUUnllUE0wME9kZ1lBR2M2RllIdXBCc3FuVnJTODNxMmovbG1LRTJpYWpqbWFvY01SRFZqd1hDeWgza0pHYXZYaDFhbXIxcEtzMEpCcmNsRnJDNVpWSUsxMlozeEV2QjlQUjVsK0YwVURvT1hEcWlYUUFYQjVqMkIvWXNINVNNaisvTWQ0Z0VIQ0VybVJERGc4YWpnZ3c0Vng4VlNGV1F0VGFPaElyeXgrM0dsZEFhOWZwNGRZd1VPcDBuaEF2V2NueE5WejJTY1FXc2pHYnBPUEdyMHdLbDBhU1VKMWhyTWdIaUZqRm9zUHNJVkZ2WW5jTVZOWGsvUHdyc0FOTFc1SWc0RHF2MlVqcHExaVIxK2xTblU5NnRvZWF2UmFUWGY5dnJlOUhyWFZZdTdRZW52ZzhMYUdXOFNsNmZTVURBRHM4WHloODl5OGRFb2NJUVlydFR3eU9Ka2dNMFpzWUJRQ1BXMkdSZnV1NDBoY1pBQ3lKWVpHMHZhSkVWQUJsREdYSHNkK3hJYlkzTWNYTEVFS0VwTnkrMkdGYnZ4NHZPek44V0tWOHE0Q0hkRS9rSklFRVlPaU4zOWFRSHIyQlAvdENXLzVHZ2JGYnRFR2lMYzlvQWQ3QlhhQThoc1hOUXg5QUZPcXo5VmJtdUdpaU1VYXAyT0JlMSsvNEk1M2p4Z1IzOHRldWFKZmY2TUk4T1c5YzNsNTVScTlBSmNlbFU1SkdVOGtGVzhOU0dBNGhZbEc0bjcvYmlEYWpYTjBFMGh4ZCt3K1ZpYnhOZHI0NEh2a2svODYrYlEzMUl5V0FGOG9iNW1qaC9UQjBnVG8zWGtEZWI0TmtrQklFR1pMQ2w1bVRlTzhmdzdBdXYycmtaSGkrN1RDMHBhK3NLM0xjazVpcWFHYjhnRnJMN3M4MkRjTXBUejlwTi9GVkpHV2hIeUlzNmZwUlREWVJoTHFoT3dadGpIL1pGY2U5WFFTTjhHMDhXUDNBQ09td2JNRlp4eGpidEx1VXExTGN5eU5Ecnk4eW90cGRoSjkxdmxGYzg4VGJzWUljL29IUHltL2VDRTlsSUUxdEJGOFNLNEVPTjVkWW92UXlDdml2STZoc2NUZ2M5N3I2djhjZ0lBQ1BtU21YRUFCZlA4Vmx6OHFyTEhad2dMRVZlSElIaUVuYlEyMFlNUWliY3ZiUlNodGo5cExKdXpCRUw3SHlmNm9JbDhCVVlxb09FakV6SjlQQ2ExQmxsYlRxTmJzb0M1L1dTSWxYUldpb3BHRG04QWF6dTJLQndBWUM1SnVySVRtSkxZUjViSlZhMUFOQXBTRnVnaUNQT2hHWEx0ek4xTDJ1NVlqS0dZeTVxOU1yT3h0Q1hyQ3Y5Q2NEUEpmUmJIS25oMlV2dDlSZDRXdDMzLzE2UVpMQ1Jncy94TXdKL0lkaDdXWFo1NnVQbFhpMkxpR3Ayb2xheHc0K1hUWkR6WjlkN1M3Yko0b2JKUFNGbGNmTzlzOTIvUFVCMmJpRk1aOXArblFIbHBQS0U5NFI5MmhXVkVkcnVyQ28wL0JVNmRLd0xzYUV4QUVQMGVCbU9kaEpGUUNuV1RjbUhrclEzMW90U2F1TFNtOEdSN3BBK2hSWmcvb1FPcFRIUE9vZnJrTFQvYUtySDI2WFhweDFITXdDTXlhU2d0SXkweUhGR1cyN0NibUFaSnBKVjZFYldQMEpPMXQ2Z0dRM0FjTjFTZDNlY2pLMjlXSkNuZ1JYbTRNcEU4TURDWWF4Q29NbHNmaEhRUVZFcGZ6ZzNiNGFSTm4yTVhsTWhpOHpZTnhmR2NETmkxTUR0OFVWakZ3K2lpcXFpMXNMU012QzBvZmZQd2dWcXptYnBnb1kyczRJYU9DZVhwbkEyNk4wZFpNS3J4QnZlbWw2RUFFTHBMTE9rZlR2cjNRS0VTZThZcFZsTzl6V1IrTjBJTnZwaEp0MUl2WWZGbVdNMDUyWWVjNjlhZ1BiVGgyck85RmRIMDhDalRIWU4xQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * QEDOVnW8fxR6Bby6VXGYWwRR1
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 2 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (148) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    "C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4568
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:3824
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:4940
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:4004
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
          1⤵
          • Executes dropped EXE
          PID:2932

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
          Filesize

          775KB

          MD5

          117da2dd6fa24616f63eb43d5a15e5d3

          SHA1

          b4d70eecdef52ceef15f04a025d1ab08f193fb97

          SHA256

          48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

          SHA512

          de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
          Filesize

          775KB

          MD5

          117da2dd6fa24616f63eb43d5a15e5d3

          SHA1

          b4d70eecdef52ceef15f04a025d1ab08f193fb97

          SHA256

          48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

          SHA512

          de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

          Download Submit

        • C:\Users\Admin\Desktop\87hbL_readme_.txt
          Filesize

          3KB

          MD5

          baae08c86c28519b7ef9a70a765a6058

          SHA1

          851bef25c59c1a4a9867b61a60a4781fefc5234c

          SHA256

          99658eb19190794abd6132df620e83547bb47d0d11e43b4b94340df27f9fb81a

          SHA512

          4f653cc938bb7bef7f386e4ed601e3700618e54d936b49db6d93b6a2666ebfc0e8a0fc47b5ce5c10ec7321367965c5bc59dcd45e69092ccac2cdca82128e5737

          Download Submit

        • C:\Users\Admin\Pictures\87hbL_readme_.txt
          Filesize

          3KB

          MD5

          82c8051fe9305ccb58ab388d66aa5433

          SHA1

          f9e3475ef59787953772d245982c39856df5a298

          SHA256

          da57956af4af7d19bfd265c849561a53ae39d7d9332c44ac1af2332cbe37d81e

          SHA512

          b4113b9d2febbe3be293ba36e5f375080c66c791031a3c79a6e2518835b4bbb3b8df3b31cdfed18cf12205a486650a591d42cb8ee43e2506d0b06ab2cf51873e

          Download Submit