General
-
Target
cf386d392da4947fefc3940e5f51414ae837cca482b7168491533fe5db93ef72
-
Size
382KB
-
Sample
240316-evbfasbf6s
-
MD5
bddd56fd9fcebc48ed773ca53e005ad3
-
SHA1
fb84162189c45b38cc051ef02284212096acb5ea
-
SHA256
cf386d392da4947fefc3940e5f51414ae837cca482b7168491533fe5db93ef72
-
SHA512
5ec289d33dc1b87a9078e1ca08c57d4cdd26212c01d137ade297fc8973fcd4c1cdb177b66bb5c938408cb819a6e41ed17aae320afbbbdb90b8528f9e315742bf
-
SSDEEP
6144:rSu73nucSwOTMxO4bRIqZ83okQhBvFatbpYO5L5FEc5WArYZPkz0lTNB5wchXCfz:my3nNSwOT09bRDkQLo31j5WAEssRB18z
Static task
static1
Behavioral task
behavioral1
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\Users\Admin\Desktop\KMCAK_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\KMCAK_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\5YSVTg_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\5YSVTg_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\5YSVTg_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
-
Size
441KB
-
MD5
b1758767d10c75d1589c16763fca6fd3
-
SHA1
2722f21a31859ea735e908a1c705d07b139e3b12
-
SHA256
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
-
SHA512
93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
-
SSDEEP
12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2