General
-
Target
f68bf5cd0a4dcd08d83568c8ea8a2070404b8b292e4c13133aed365bb8eafeb9
-
Size
382KB
-
Sample
240316-ev43lsde64
-
MD5
fb9b574a463f7c4c165d93444bdd835d
-
SHA1
994060dd8254d421fcfab7f3ae64d0865015d5c1
-
SHA256
f68bf5cd0a4dcd08d83568c8ea8a2070404b8b292e4c13133aed365bb8eafeb9
-
SHA512
b140fd195e99b928046382605ec5257e91cc69f02c94386f394f220083083c18a38ec8a77fcec8b49833d16b451296c782aac2b6c99643880b912eb9848345f5
-
SSDEEP
6144:iTXP4oP5Cp5cy9qucA/B3hs3KeWjglClZgXR2ENI1Kk8oRDeq+jV:iTXgoBKX75heWjgl/1NWp8oRDH+jV
Static task
static1
Behavioral task
behavioral1
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\j3rK5_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\Links for United States\j3rK5_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\j3rK5_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\RwoXv_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\RwoXv_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
-
Size
441KB
-
MD5
b1758767d10c75d1589c16763fca6fd3
-
SHA1
2722f21a31859ea735e908a1c705d07b139e3b12
-
SHA256
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
-
SHA512
93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
-
SSDEEP
12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2