General
-
Target
fb3995d5b4d4a0d2fe4779fc114435d04cf500d50b2d9331bafa35430726b257
-
Size
338KB
-
Sample
240316-ewlbwsde78
-
MD5
da4a22847d1dadf29e9afce6df158c5a
-
SHA1
2a94a57c6755207be53acc6320d2726e4efa7cb5
-
SHA256
fb3995d5b4d4a0d2fe4779fc114435d04cf500d50b2d9331bafa35430726b257
-
SHA512
29035fdf4467cf89a0c8f0e0a2c362f4f699bdf5364ed5a55b51b95b9909477b7e42534a8991ba50ea4ea4d255a8797455b3eaf8666b22919091752eb25a9828
-
SSDEEP
6144:PYraDy73/76UsYz+A1JY52gU67yk2eF4nqxAcyzdfUFJPt:gSy776UxfYIemc9QdkJl
Behavioral task
behavioral1
Sample
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
C:\Users\Admin\Desktop\ucm7O0_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\ucm7O0_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\lEtyC_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\lEtyC_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
-
Size
775KB
-
MD5
7fc5a1aafb84705745dba65e2a178217
-
SHA1
0825e3b2115c9053563a307402e32d28056223a7
-
SHA256
2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
-
SHA512
b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2
-
SSDEEP
24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2