General
-
Target
b3c2fe0ef49afd275f61632ca347569c2f7229740af8f02b5de7a5cafc1cfe6a
-
Size
382KB
-
Sample
240316-etjehsbf4t
-
MD5
c8111f72b1232afb2f15e84b80260aaf
-
SHA1
48ad1776d3130694131d325683078ace9a70d9f3
-
SHA256
b3c2fe0ef49afd275f61632ca347569c2f7229740af8f02b5de7a5cafc1cfe6a
-
SHA512
707e0adef8a7c1ca53e9e92e0444b631f0642e6cc6c8ea35715bfba01f5bed87881e79c89cac7d8538fbfd47d03ef61791da510cd95f7e321f169c877490e08c
-
SSDEEP
6144:Gre5THGRZdWbA3VKjbvSXddTz2EbIjdeZ5+WvWCvZGz1IXheEGNyJDH8NNLSFvaw:GrQGRZU2KjzSNZSEbyeZ5+cW1x61GNyx
Static task
static1
Behavioral task
behavioral1
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\u1HzPkY_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\u1HzPkY_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\dm0i4_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
-
Size
441KB
-
MD5
b1758767d10c75d1589c16763fca6fd3
-
SHA1
2722f21a31859ea735e908a1c705d07b139e3b12
-
SHA256
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
-
SHA512
93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
-
SSDEEP
12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (221) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2