General
-
Target
f6f7a49549d6d30389ca83e03cfa8b45a6b83a95f1bfc42f85c7dfc729a25b85
-
Size
329KB
-
Sample
240316-ev749sde66
-
MD5
78402012f05075032f34d1c9ab72130b
-
SHA1
fd4db8fc1d12ac757502d755eebb5ac4a0eb581f
-
SHA256
f6f7a49549d6d30389ca83e03cfa8b45a6b83a95f1bfc42f85c7dfc729a25b85
-
SHA512
930554e531fc7e77a62d4b9dc8b7f58f56e2aef1a990af7d413df86db17deaa55724ecf04d8e1562e702c432bbb855f3b091e912038eda0cee313c74715a66be
-
SSDEEP
6144:hgI/76qypjcyEki7cyXdcjFaYiap67QjV5xj26fePeXendQAeYnhQFelK9M:hFmqqoyGYycjsYiNQZ3j26luCA1hZD
Behavioral task
behavioral1
Sample
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\boDAa_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Favorites\MSN Websites\boDAa_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\RfJ3Z_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\RfJ3Z_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\RfJ3Z_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
-
Size
775KB
-
MD5
2d2a5a22bc983829cfb4627a271fbd4e
-
SHA1
c0fc01350ae774f3817d71710d9a6e9adaba441f
-
SHA256
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
-
SHA512
8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
-
SSDEEP
24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2