Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/03/2024, 13:40

General

  • Target

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe

  • Size

    775KB

  • MD5

    21de830008ad31c83a09be67a3ae8b4d

  • SHA1

    c95ac053d6f4284e41dfea342bb30aede7b02244

  • SHA256

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac

  • SHA512

    293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1

  • SSDEEP

    24576:+Csr9+OXLpMePfI8TgmBTCDqEbOpPtpFadxfq:Y0OXLpMePfzVTCD7gPtLaffq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\eM9UR_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aEcDAcacBb

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                         |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

UyGqmqjBwuVMfHkmlGJM9YhZYDkQ
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\eM9UR_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aEcDAcacBb

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                         |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

r7sh7W2UmWDvYhOoQnEUKjp6PuUbQPD
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (170) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
    "C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2308
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2360
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1628
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:1760
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1816
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2364
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1596
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2904
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2472
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1664
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {407A6F1E-7166-4E86-AFC8-E73D94C17F14} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
      2⤵
      • Executes dropped EXE
      PID:2544

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe

    Filesize

    775KB

    MD5

    21de830008ad31c83a09be67a3ae8b4d

    SHA1

    c95ac053d6f4284e41dfea342bb30aede7b02244

    SHA256

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac

    SHA512

    293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1

  • C:\Users\Admin\Desktop\eM9UR_readme_.txt

    Filesize

    3KB

    MD5

    7b22d8d9d994e328b61064ee93888782

    SHA1

    0410dec396738cc17718f4fb24f862ea54fbc846

    SHA256

    51caf465250d13bb55b24242f77972890810f0e0fd0012436b8824d479a3d951

    SHA512

    b5823ca1f864efbf7042784e34ecb10b427e58d8516e3f2d786823ffd033089f55223bf9f72f56ef9500ac98599d2d6bcf242120ff64066f0285746c76f49698

  • C:\Users\Admin\Favorites\Microsoft Websites\eM9UR_readme_.txt

    Filesize

    3KB

    MD5

    12c59a4fb36018ad6163f598d7b343b5

    SHA1

    91e37e2dc52bc2f6ef8631da1375a59810cbd38d

    SHA256

    d1a7b98f090cf1e04f224bd89fe7391488691a0433cf98c25acb29c1d91bb2ac

    SHA512

    8a47b8cdfa26e9dbd20002caf66fcfa907cee647af9356f7ecb9023a4962842d5d4aa9bd6932c660e63ea611e839040e7439fe1d8fafead360a8655a4d4bad01