Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 13:23

General

  • Target

    2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

  • Size

    775KB

  • MD5

    4ecc7bbbed724a23a2d6b0037064a64d

  • SHA1

    20b98609454cdbb242ff6102b344006f542f7f10

  • SHA256

    2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

  • SHA512

    48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52

  • SSDEEP

    24576:+CsR9+OXLpMePfI8TgmBTCDqEbOpPtpFa0xfq:YKOXLpMePfzVTCD7gPtLasfq

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Ky4kB_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcaEeBcAAd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTg5OC1PZVdlQlE5dEFDZGNCK1dVV3A3YVBDUGlUd1hNeFhWZVRkaStZall3K0cxL3pCZ1M5OU1ZTkVtRWJOMHBuL2hCb3JpUVVJdzdFTTNYbEVvN09MTFBBVTFvaFI0NnYzdTc1Z1FCRERwYWZpMmlqemd1VXJaMUZJOVY0ME02TGZhQnNtZDBUOFA2M1cvSkVYQTFnaytRcExnYzBFL09xN0RCczQ3UnJjSFQ4N1FndlRMR2ZiMzFmTm9zQkVKcWhtcUsxOU5hNVRjRUFMemEyREtQWldTZFBaN0ErbmdjUkFLbm5uQmZkNFlla1NUVGI0M1U0ZnA2bHpGbGV2dG1oRmQ4WGJMZlBpK3hKaExWWEhmUmczV1p0YmNKT3JsTnJQS1NDOThLcU9PTmdVOHFuWDhUbkd6cjFFSktaTUM1MVZzMnhvWHFBd3pmZ0UvbHVLL2IxUnZydWl2bDArS0t5UjlyRGltSzFoNlkwS2hMUlptalhNRy9aeWpvbFpHbVlzL1pzeDRpbEw3R3ZQRGlMcXdSZEV4ZmFFejZjUlVjN0RyWHJyNGpxQU5NdVQxYXQ0aCtNRkZwWHY4dWNjR1FaZUd5bWNNRjNQOUh1NW1QdWh6eFIrMkh0eGx1cm5Wdm8vdFhnNTN2OHlBLzc4RmYxSnhUZkZoOUUvRU9BSGxZTTlNUkJpRU9sNG55Y2x1NitXZHZtNXJvRExxYkJpTk1tSzVxd3ZqcWlUYmxLNFZ6UFI2UE9NZVpUb21zMXRVNGtwdFZmSUR5MG54NTBSVG5XNUtGNEhxdjhqOE44L0g1akFJank0alRkU0VhM21PNGVubjV6U28rTm1iVFhIMEhqOG51ZTJBRVA4OGdIay9qdWZUYkp5QUZjZCtLeEJvSUUzUVlBckdTTGRHNXlTUHZJK3ZtRkJaaFppNjAycGJWam9WOEpja21MZWRkQXNwYjNObmpOaFg1UHdwc3ZGUXFQYmhiT1ZoUS9OV0R0NVJBODY0WkxTMmYyRUJzdjl4Y3ZlYU9vUmZYQ0hiZERCVTNLUFNLYWpEUlNUWGxjL205ZmJYUzlHV2FNWmJqQmU5b0V3UzAvdGZqS0szQW1rSStXamp5WDloVFBmcHNYQ1ZCUlVlbXRHTndRRFMxTy8vT1FkamxhMjdUTEQ3anB0RlpnQ3dsdllIMzk1SWNWbDZyN1IxTVd3VlFZakhBUkpvY3hzRHlvSFRJbkdGcGZaWG11VTV6eHdWU3djWlZGUnB3d0VsVXJxNnE4SXlIejdaNThoMkRaY3Jpa3V3NFRlanIraGpUOGltcktvSkZxNWFRVFhuNVZDR0FMbjBOZXRORk43aEdxU2lhQTFuTWRYRzR6dTNxNWRTSFN5NUNDRDBHYkpNK0NVWDFVcVljWDlMTUwwN1NzUkxxdXdGZlpvWHhjN2Iwdjh4cmYxTjdFMjNqT2pkbjgvdDFYeHlYYXZUVlFCbUVVN1lkc3FHQzFud0tja25aNllCZ2lHdCtNTm5CKzB0WHJ4N3o3ZmFqeVZjK2lsNHZOWmt2MUNTNmhWMURobVU1MVNtb3M0VzVWNEVtcytFN2V0bVExeS9pTXhkM0V4ZVhEMFcvVXZtaUo5ME9pUzEzbkpPZlBHbEpiRWtKOERNN2Fsbis2WlNTMHdUV1k4UUo5ZjNtVStKK0UxQUllSWptcy9OSmVpdHR2emVhT29nNVJYZHZPUkY3Ykhqa0JkYS9ucEI4SG5JUE5NOWNHN3pVMm1ZUHJ2SWxYR0pJMzE4U29wUW1TV2p4VEhZcjF3SnF3WXNocVlYM3hHLyt0U0gvcThwWnQrNHNlOXNJKy9YOTRRNHRGRWFGM09GWG5DQ2x2Vy8yWjJKRHpPQ29RTHViMjN3VW1MemxZQ1gzZkJ3ZXFiU3dDQ0V5RHlCdC80QnNIeTQzVEpuQUdxQTJNU1ZQZm1ZSXJlUGxrTDFIQ291b1JNekI5VDdobENVQlpkVHhEMXBPRTUxWExUa2h4WjFHaUJyQkNZRE9odFlBY3dhdUMza0xGOWdWaFRDNjRUaDdjWE9xNlloaklVWkF1dm5QMHpvaXRKRkc3a2VpbEwxcHhib0JjRDArZkpnSVpvcWFEcDhaK3Z2cE5OVHpwa0YxZTYwUUowdTFrYnV6eFpQV1NnYVFWZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * FSzhW8in2pn92WGTB85rh
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\Ky4kB_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcaEeBcAAd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTg5OC1PZVdlQlE5dEFDZGNCK1dVV3A3YVBDUGlUd1hNeFhWZVRkaStZall3K0cxL3pCZ1M5OU1ZTkVtRWJOMHBuL2hCb3JpUVVJdzdFTTNYbEVvN09MTFBBVTFvaFI0NnYzdTc1Z1FCRERwYWZpMmlqemd1VXJaMUZJOVY0ME02TGZhQnNtZDBUOFA2M1cvSkVYQTFnaytRcExnYzBFL09xN0RCczQ3UnJjSFQ4N1FndlRMR2ZiMzFmTm9zQkVKcWhtcUsxOU5hNVRjRUFMemEyREtQWldTZFBaN0ErbmdjUkFLbm5uQmZkNFlla1NUVGI0M1U0ZnA2bHpGbGV2dG1oRmQ4WGJMZlBpK3hKaExWWEhmUmczV1p0YmNKT3JsTnJQS1NDOThLcU9PTmdVOHFuWDhUbkd6cjFFSktaTUM1MVZzMnhvWHFBd3pmZ0UvbHVLL2IxUnZydWl2bDArS0t5UjlyRGltSzFoNlkwS2hMUlptalhNRy9aeWpvbFpHbVlzL1pzeDRpbEw3R3ZQRGlMcXdSZEV4ZmFFejZjUlVjN0RyWHJyNGpxQU5NdVQxYXQ0aCtNRkZwWHY4dWNjR1FaZUd5bWNNRjNQOUh1NW1QdWh6eFIrMkh0eGx1cm5Wdm8vdFhnNTN2OHlBLzc4RmYxSnhUZkZoOUUvRU9BSGxZTTlNUkJpRU9sNG55Y2x1NitXZHZtNXJvRExxYkJpTk1tSzVxd3ZqcWlUYmxLNFZ6UFI2UE9NZVpUb21zMXRVNGtwdFZmSUR5MG54NTBSVG5XNUtGNEhxdjhqOE44L0g1akFJank0alRkU0VhM21PNGVubjV6U28rTm1iVFhIMEhqOG51ZTJBRVA4OGdIay9qdWZUYkp5QUZjZCtLeEJvSUUzUVlBckdTTGRHNXlTUHZJK3ZtRkJaaFppNjAycGJWam9WOEpja21MZWRkQXNwYjNObmpOaFg1UHdwc3ZGUXFQYmhiT1ZoUS9OV0R0NVJBODY0WkxTMmYyRUJzdjl4Y3ZlYU9vUmZYQ0hiZERCVTNLUFNLYWpEUlNUWGxjL205ZmJYUzlHV2FNWmJqQmU5b0V3UzAvdGZqS0szQW1rSStXamp5WDloVFBmcHNYQ1ZCUlVlbXRHTndRRFMxTy8vT1FkamxhMjdUTEQ3anB0RlpnQ3dsdllIMzk1SWNWbDZyN1IxTVd3VlFZakhBUkpvY3hzRHlvSFRJbkdGcGZaWG11VTV6eHdWU3djWlZGUnB3d0VsVXJxNnE4SXlIejdaNThoMkRaY3Jpa3V3NFRlanIraGpUOGltcktvSkZxNWFRVFhuNVZDR0FMbjBOZXRORk43aEdxU2lhQTFuTWRYRzR6dTNxNWRTSFN5NUNDRDBHYkpNK0NVWDFVcVljWDlMTUwwN1NzUkxxdXdGZlpvWHhjN2Iwdjh4cmYxTjdFMjNqT2pkbjgvdDFYeHlYYXZUVlFCbUVVN1lkc3FHQzFud0tja25aNllCZ2lHdCtNTm5CKzB0WHJ4N3o3ZmFqeVZjK2lsNHZOWmt2MUNTNmhWMURobVU1MVNtb3M0VzVWNEVtcytFN2V0bVExeS9pTXhkM0V4ZVhEMFcvVXZtaUo5ME9pUzEzbkpPZlBHbEpiRWtKOERNN2Fsbis2WlNTMHdUV1k4UUo5ZjNtVStKK0UxQUllSWptcy9OSmVpdHR2emVhT29nNVJYZHZPUkY3Ykhqa0JkYS9ucEI4SG5JUE5NOWNHN3pVMm1ZUHJ2SWxYR0pJMzE4U29wUW1TV2p4VEhZcjF3SnF3WXNocVlYM3hHLyt0U0gvcThwWnQrNHNlOXNJKy9YOTRRNHRGRWFGM09GWG5DQ2x2Vy8yWjJKRHpPQ29RTHViMjN3VW1MemxZQ1gzZkJ3ZXFiU3dDQ0V5RHlCdC80QnNIeTQzVEpuQUdxQTJNU1ZQZm1ZSXJlUGxrTDFIQ291b1JNekI5VDdobENVQlpkVHhEMXBPRTUxWExUa2h4WjFHaUJyQkNZRE9odFlBY3dhdUMza0xGOWdWaFRDNjRUaDdjWE9xNlloaklVWkF1dm5QMHpvaXRKRkc3a2VpbEwxcHhib0JjRDArZkpnSVpvcWFEcDhaK3Z2cE5OVHpwa0YxZTYwUUowdTFrYnV6eFpQV1NnYVFWZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ca63rLV7sRViuwO1qfzzOKhe
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (150) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
    "C:\Users\Admin\AppData\Local\Temp\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:552
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:2880
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:4544
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:6136
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe
            1⤵
            • Executes dropped EXE
            PID:5140

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b.exe

            Filesize

            775KB

            MD5

            4ecc7bbbed724a23a2d6b0037064a64d

            SHA1

            20b98609454cdbb242ff6102b344006f542f7f10

            SHA256

            2a63fd5330739eaf96adab4e1f4162655ab0e1d977787fb0495f0a2ed137b96b

            SHA512

            48dfe12630693864c4aa28732932beea2f75b9dfeb40ed03e9e1c6ad9aa0d03b2eaca235260dbc19073f59c68d854a45d04ad76c4c0d801b8fd095c06f26de52

          • C:\Users\Admin\Documents\Ky4kB_readme_.txt

            Filesize

            3KB

            MD5

            6a0fecfd8a8bea3817efb368e38f768e

            SHA1

            8a4cb7b271c3b2fe17ba4341aa9f1e44761d5665

            SHA256

            a2f5bcae413c50b442ff4608ceefbc426f728722e49ad7797a90f5c807e640ce

            SHA512

            065b01127ad6b0145e0c4b1a21b33bbff7bc036262c96b40d2239c45b044bf5987164dd9c0968266eb2c013a1fbedff32c534979dfa5e3a9647357c4113b5f94

          • C:\Users\Admin\Downloads\Ky4kB_readme_.txt

            Filesize

            3KB

            MD5

            aaab96729edcaae738dc536554e264fe

            SHA1

            006a86178457dd9b7a7ce0fb8e8207699f5c728b

            SHA256

            0f3585284decb3af4bdd6115331b6a5150e098439323b405a3bf16a83c2f3cc3

            SHA512

            b7e790ae9895d51529fd3849e52b586ea8f92208b3f6bfb844eb2447ea7bb5c6f86e82bd65e4d0d0ec0b58a0a9fa21be31d0129bcabe19ad0a3baad20f62c01f