Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
-
Size
775KB
-
Sample
240315-qm6f9ahc4v
-
MD5
4ecc7bbbed724a23a2d6b0037064a64d
-
SHA1
20b98609454cdbb242ff6102b344006f542f7f10
-
SHA256
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
-
SHA512
48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52
-
SSDEEP
24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq
Behavioral task
behavioral1
Sample
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\7DrXW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\7DrXW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\7DrXW_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\Ky4kB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\Ky4kB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
-
Size
775KB
-
MD5
4ecc7bbbed724a23a2d6b0037064a64d
-
SHA1
20b98609454cdbb242ff6102b344006f542f7f10
-
SHA256
2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b
-
SHA512
48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52
-
SSDEEP
24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2