General
-
Target
b5946ce7b68898350deb4a1fc5097ab1c94cffba4cba8be96d0ef9991aef4301
-
Size
329KB
-
Sample
240316-etl6eabf4x
-
MD5
d5fa66bce317bdb33ea8475ab228f448
-
SHA1
ab086f2a8aa2815a475a1fa923ab4e6052bf70ab
-
SHA256
b5946ce7b68898350deb4a1fc5097ab1c94cffba4cba8be96d0ef9991aef4301
-
SHA512
8851e49c96f73e48942caa657eb191f5cc2591ae0b521bb35f92c694bfa2c2f59838207713b1cddf2aabb0a9be3b9f765cc74be4e740ba394ff3b1998d62ec4a
-
SSDEEP
6144:BYmSQ4dBWrebajRgJs8JbocTMh2ukiFmrposqIEUjyQpRGp2LLqRmmMB43Qmwp7h:BY+4dBQebaNgJJZTMIliQisqIEUWQps8
Behavioral task
behavioral1
Sample
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\UubZPMvB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\UubZPMvB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\UubZPMvB_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\STp7s_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\STp7s_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\STp7s_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\STp7s_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2