General
Target: b98a4f6e384fcd6d8b151ddd1aa85544b424e7daa021c535b84cb101d5d369b0
Size: 338KB
Sample: 240316-ettv9abf5s
MD5: 2d60a14561e950d79ce3c8e5cb3044c9
SHA1: d86268597174df06297e728c20e0324177a2486f
SHA256: b98a4f6e384fcd6d8b151ddd1aa85544b424e7daa021c535b84cb101d5d369b0
SHA512: c1d5bab400907da1b2a837f8912ed3bc087bf964f39be39320863bdee43de033e2223ffa15cde437e513551a5fffcbbc6e1621ea92e4f9f22f894d5c2122a3d3
SSDEEP: 6144:fQXiV2mHTLgWViMm1VhX28hZ+J1vyS6kPDeQxOhIrwcCueqfwD:fMSTLNQVXsh6kPDeQYhIrwcPnM
Behavioral task: behavioral1
Sample: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted from: C:\Users\Admin\Desktop\karuY_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Documents\karuY_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Downloads\karuY_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Public\Pictures\Sample Pictures\karuY_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Documents\rgEZr_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Desktop\rgEZr_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Pictures\rgEZr_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Searches\rgEZr_readme_.txt
Family: avaddon
URLs: http://avaddongun7rngel.onion, http://avaddonbotrxmuyl.onion
Targets
Target: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
Size: 775KB
MD5: 7fc5a1aafb84705745dba65e2a178217
SHA1: 0825e3b2115c9053563a307402e32d28056223a7
SHA256: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512: b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
SSDEEP: 24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq
Score: 10/10
- Avaddon: Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon payload
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Renames multiple (178) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (2)
- Indicator Removal (2)
- File Deletion (2)