Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae
-
Size
775KB
-
Sample
240315-qq749abe88
-
MD5
4e36274238eb6d09c22156eba0128542
-
SHA1
25e039d8a5cfd0438410ff85233bb20e9dc2f34f
-
SHA256
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae
-
SHA512
f6424cf84f6d928982c98423bf41f7905ba0b44aede4b8eb40e90138d7238d03e67987576c95963cb1cac76747b05853269a4ad3ceaf330ead6da632db62843c
-
SSDEEP
24576:+Csi9+OXLpMePfI8TgmBTCDqEbOpPtpFaLxfq:Y5OXLpMePfzVTCD7gPtLaNfq
Behavioral task
behavioral1
Sample
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\nTH8jiU_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\nTH8jiU_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\ZaKvt_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\ZaKvt_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae
-
Size
775KB
-
MD5
4e36274238eb6d09c22156eba0128542
-
SHA1
25e039d8a5cfd0438410ff85233bb20e9dc2f34f
-
SHA256
5af3a0894eb834e2b539d8c340995450531325abef1ddf14fc35b463ab9867ae
-
SHA512
f6424cf84f6d928982c98423bf41f7905ba0b44aede4b8eb40e90138d7238d03e67987576c95963cb1cac76747b05853269a4ad3ceaf330ead6da632db62843c
-
SSDEEP
24576:+Csi9+OXLpMePfI8TgmBTCDqEbOpPtpFaLxfq:Y5OXLpMePfzVTCD7gPtLaNfq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2