Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/03/2024, 13:40

General

  • Target

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe

  • Size

    775KB

  • MD5

    21de830008ad31c83a09be67a3ae8b4d

  • SHA1

    c95ac053d6f4284e41dfea342bb30aede7b02244

  • SHA256

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac

  • SHA512

    293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1

  • SSDEEP

    24576:+Csr9+OXLpMePfI8TgmBTCDqEbOpPtpFadxfq:Y0OXLpMePfzVTCD7gPtLaffq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\eM9UR_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CAaDcDEAdd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                        |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

UyGqmqjBwuVMfHkmlGJM9YhZYDkQ
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\eM9UR_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CAaDcDEAdd
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/                        |
| 2. Install Tor browser                                                       |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion                         |
| 4. Follow the instructions on this page                                      |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

r7sh7W2UmWDvYhOoQnEUKjp6PuUbQPD
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (178) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
    "C:\Users\Admin\AppData\Local\Temp\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2564
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4324
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2308
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:1776
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2896
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:3256
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4780
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe
    1⤵
    • Executes dropped EXE
    PID:1400

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac.exe

    Filesize

    775KB

    MD5

    21de830008ad31c83a09be67a3ae8b4d

    SHA1

    c95ac053d6f4284e41dfea342bb30aede7b02244

    SHA256

    bc5c264c4dc0207f6d500c47f870cc2aef641c4bf0efa3b1a408b83922cc61ac

    SHA512

    293dc967be7fd187116623cbc67d33b785c7e6d946b22e8793a7432a4eb044ab5f56af12d41c342d2ee06c6350b1615e6b15f9db170518abaad4dd219287d1b1

  • C:\Users\Admin\Desktop\eM9UR_readme_.txt

    Filesize

    3KB

    MD5

    7bbbfbe7b07facee18efc5e6650568ae

    SHA1

    ec6929f6b27007db102ab5165ae7df201f8b9ca2

    SHA256

    769c7e0c8656207403811377c70e4424f6656e08f58b7d786d5c365af08307f4

    SHA512

    4dc70c172a7efc8c7729d851b20647684d5a20ddedc9dea3255ec53c5d4371d3df9851771385eb771909a1273f5ff273f7b6e1664b33446e3e146473e4ef5b01

  • C:\Users\Admin\Documents\eM9UR_readme_.txt

    Filesize

    3KB

    MD5

    5fa29f0a0673b0f371ce90eea8a7f400

    SHA1

    ddfbb09f2538cd5b15dda0f5cd2355efca98f4a0

    SHA256

    de90ddf9e54802830b04f089adbc6b3748b2b34e079b4e789b5f021e6c3edebf

    SHA512

    446533a7658d7858b90f912f80cc5f412abb6c983ca9b5ef773a41037fc23ffcfc7dddebc6e0aa8ae4226c22712a241ee39e7794ccd69f4725b53ad9e09d5d9e