Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

  • Size

    775KB

  • MD5

    0b486fe0503524cfe4726a4022fa6a68

  • SHA1

    297dea71d489768ce45d23b0f8a45424b469ab00

  • SHA256

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

  • SHA512

    f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

  • SSDEEP

    24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\nfCud_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEdECdeDda You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC11cTkzSTNMSjFEa3phMVpJMHpURlVmZEZ6cUFmNnlsTXlsc01UNmdlUVVaWGY1MmtobkM4MVVrR29lVmZ0WVd2UWIrd3V0TWFuQVlCTk5OUEtzYm1qU0tDY1ZsNDBBL0pZbTNESmJzNE9MMUt5dmRnM2NEa3ZoSzZ5M21FSXZBYmNKdFg1WHppbTMvcENDWjhhQ3pHNTU0ZS8yaWJna0h1eFRIVHNzcmM4RGRlM2ZqUmM0WUt6bWs2eEdmMHB6Y3pkenJYZmN0TFN3SW1rRWJrMTVmamJFWndXR0g0L0NtZ1ZmOW9Hc0NtOC9ZNjJONXNEOFlQOVUyNVBXWHRQTnJSaXFlU2I5bUEwR2k4Z3ZaS2RSaGJ0bWU1VlRZTFliaVloT0JsTHIza2MzTWpHK3dlSHM3RWRyYnpRSFpRT2JzV0F4M2tnRWRYQjQyKzlPdytET2lBdlRoMGFYclBJZ1J3Nk5Ja2hqeEo3Y1VMQnVPTFlJVWJHalRZdlg2OC9JTUVJMWRjSXhZMFFlcmE4UkpabVdNKzhXUndkQWRsTWJvQWxPTU5rVEh2WjhLb0kwYVJLL1NLdmU5aGp2YTYyKzZXV2JkM0dpcjZIaUVuRk1DTStZRXlsMmoyc1c1a3pqeVhkZXl5dzAwNHBCak9Tc0FSSVRwM2JDWEszcnk0MnNZd0tLa3J5NGNKTm1kSG42WUVtUVpSZ0lFb0RiQmdiQ1Z0blp1K1Jya3ZDTTN1WWhZYVJtYmJ5ZzdRRE9wc0RDbUhDeGFleG5wWmlHWGVMV3JiTXJTSk5DWlBjUjlHdEdZSXRnbW5jQ08yWUE0M3RYT0FmNHNYU1RuYVQ1Znl3amxIYmlmKzZqM0FjVFdYWU9UdXoxdU0veldZV1UrZG9WYzZEQkFHOWJkMTloODBWRTVkY3hvS3IzMUYwdEVocmhSQWo1bDZ2Nm85WkJNVTZ2QXJxdkxPa3F3czc5THA4NFBQTmhwQ3hkaGdzSUhHRjY3ZkNKNGN5U1BUWjY4SGs0eTBIOUc1dndKdjZLU1FZWTBYN0hpYmVZVTF4eU5MdWlLY2EwbDVldWI0UTRNa3F4M2dOSXVrREFVRTZKMGJoSStQTjBIM0tkWmplSkxPNTJZT0RncnZuZ3F2RFVKU2dBMi93YXVQak00WENsbmc4bS9CWEZRbmR0K2oxWXM4Rm1MeGJIanhrQkR6dmxIN0tUdWNjeG5rL2o5L0I5bWJiRlNKREgzY0l3RkdHM3FpNzdLKzVJdnREdFZmTFB2eU9NQXJjVk9LZTNwYkZmYXhvN3craWVJRXBqSEE0MnB4Q2pIWmlvVWpBUEQ2R2tLNUc4U2Y4UzhWNHk1NGZZVkxuM1pvS2RCSWhWYURZZTErbFpYMHdRMEFacVVHemF2bWh0ajhVSHZjMVRRNy83RFFQbE9NVFlLbzdwMnMrREgra1FweTBZK0ZtUWdmY0JCNVBQbFQ0dzI3eHd2dzYxWk5tcTk3bC9uMW5aWlBPMUxRRDREVERoUVpRZEUrOEVORjI4a3BqY0JSMjJ2dFZxZ2hUQTRvSEIrZ3BsUmFJYVo0NkZ2U3lOalE4SDNpRHRtanRONGpoOEc3Z2FwblhqNTI3SlNBYklsZUtXQlBueTE1Y3FsVnAwVzJKb2puMXNna3BUY1owQ1FrUDJTaWhHZk1vUVVWN3FYTDlnMmhHMVRSbUJ2VUxKaU5ad0pYMUp6SkVTYzZUZ0hqbHNDUy9IK2dPWE54RzlFa0J6WHg1VmpiYWFoakcxQ0RqZzhVaVF4OE9DeWFZNEw2Wmw5Q1VrRnFaa1MrRGVBbXZFK0lQQWFvdVY0OElQS0lrZ2FDV24rQ3Z4K0NoZjMveG8rMml3bTR5cDE0SE5ERVA2ZzZZNGF4TUFKdzc3WFJHbERmN1dkMkl1ZGh2VmZzWjRtRi90UVRvM2FqMWpBWWd0YVNhSms1cTEzUGtJdTkvWDF3NzR1eWRvZXhmQzRpSWJxN25mL0JNam0wT1hCUlBoS0ZHcnBtcnJoWnZsQThXd21TMWNkei8vRXRYUmVWcTVaMHBORksrTXcwZDhpMEp2cXJYaCtnTG8xTHgrcldad0ZJRmpCeWM2NnBrZHZjNVJOMlJYK3krWjFIZWNXanRTeno5QWE3QThtTVpPZ2FDUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 9nnGSpb
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\nfCud_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEdECdeDda You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC11cTkzSTNMSjFEa3phMVpJMHpURlVmZEZ6cUFmNnlsTXlsc01UNmdlUVVaWGY1MmtobkM4MVVrR29lVmZ0WVd2UWIrd3V0TWFuQVlCTk5OUEtzYm1qU0tDY1ZsNDBBL0pZbTNESmJzNE9MMUt5dmRnM2NEa3ZoSzZ5M21FSXZBYmNKdFg1WHppbTMvcENDWjhhQ3pHNTU0ZS8yaWJna0h1eFRIVHNzcmM4RGRlM2ZqUmM0WUt6bWs2eEdmMHB6Y3pkenJYZmN0TFN3SW1rRWJrMTVmamJFWndXR0g0L0NtZ1ZmOW9Hc0NtOC9ZNjJONXNEOFlQOVUyNVBXWHRQTnJSaXFlU2I5bUEwR2k4Z3ZaS2RSaGJ0bWU1VlRZTFliaVloT0JsTHIza2MzTWpHK3dlSHM3RWRyYnpRSFpRT2JzV0F4M2tnRWRYQjQyKzlPdytET2lBdlRoMGFYclBJZ1J3Nk5Ja2hqeEo3Y1VMQnVPTFlJVWJHalRZdlg2OC9JTUVJMWRjSXhZMFFlcmE4UkpabVdNKzhXUndkQWRsTWJvQWxPTU5rVEh2WjhLb0kwYVJLL1NLdmU5aGp2YTYyKzZXV2JkM0dpcjZIaUVuRk1DTStZRXlsMmoyc1c1a3pqeVhkZXl5dzAwNHBCak9Tc0FSSVRwM2JDWEszcnk0MnNZd0tLa3J5NGNKTm1kSG42WUVtUVpSZ0lFb0RiQmdiQ1Z0blp1K1Jya3ZDTTN1WWhZYVJtYmJ5ZzdRRE9wc0RDbUhDeGFleG5wWmlHWGVMV3JiTXJTSk5DWlBjUjlHdEdZSXRnbW5jQ08yWUE0M3RYT0FmNHNYU1RuYVQ1Znl3amxIYmlmKzZqM0FjVFdYWU9UdXoxdU0veldZV1UrZG9WYzZEQkFHOWJkMTloODBWRTVkY3hvS3IzMUYwdEVocmhSQWo1bDZ2Nm85WkJNVTZ2QXJxdkxPa3F3czc5THA4NFBQTmhwQ3hkaGdzSUhHRjY3ZkNKNGN5U1BUWjY4SGs0eTBIOUc1dndKdjZLU1FZWTBYN0hpYmVZVTF4eU5MdWlLY2EwbDVldWI0UTRNa3F4M2dOSXVrREFVRTZKMGJoSStQTjBIM0tkWmplSkxPNTJZT0RncnZuZ3F2RFVKU2dBMi93YXVQak00WENsbmc4bS9CWEZRbmR0K2oxWXM4Rm1MeGJIanhrQkR6dmxIN0tUdWNjeG5rL2o5L0I5bWJiRlNKREgzY0l3RkdHM3FpNzdLKzVJdnREdFZmTFB2eU9NQXJjVk9LZTNwYkZmYXhvN3craWVJRXBqSEE0MnB4Q2pIWmlvVWpBUEQ2R2tLNUc4U2Y4UzhWNHk1NGZZVkxuM1pvS2RCSWhWYURZZTErbFpYMHdRMEFacVVHemF2bWh0ajhVSHZjMVRRNy83RFFQbE9NVFlLbzdwMnMrREgra1FweTBZK0ZtUWdmY0JCNVBQbFQ0dzI3eHd2dzYxWk5tcTk3bC9uMW5aWlBPMUxRRDREVERoUVpRZEUrOEVORjI4a3BqY0JSMjJ2dFZxZ2hUQTRvSEIrZ3BsUmFJYVo0NkZ2U3lOalE4SDNpRHRtanRONGpoOEc3Z2FwblhqNTI3SlNBYklsZUtXQlBueTE1Y3FsVnAwVzJKb2puMXNna3BUY1owQ1FrUDJTaWhHZk1vUVVWN3FYTDlnMmhHMVRSbUJ2VUxKaU5ad0pYMUp6SkVTYzZUZ0hqbHNDUy9IK2dPWE54RzlFa0J6WHg1VmpiYWFoakcxQ0RqZzhVaVF4OE9DeWFZNEw2Wmw5Q1VrRnFaa1MrRGVBbXZFK0lQQWFvdVY0OElQS0lrZ2FDV24rQ3Z4K0NoZjMveG8rMml3bTR5cDE0SE5ERVA2ZzZZNGF4TUFKdzc3WFJHbERmN1dkMkl1ZGh2VmZzWjRtRi90UVRvM2FqMWpBWWd0YVNhSms1cTEzUGtJdTkvWDF3NzR1eWRvZXhmQzRpSWJxN25mL0JNam0wT1hCUlBoS0ZHcnBtcnJoWnZsQThXd21TMWNkei8vRXRYUmVWcTVaMHBORksrTXcwZDhpMEp2cXJYaCtnTG8xTHgrcldad0ZJRmpCeWM2NnBrZHZjNVJOMlJYK3krWjFIZWNXanRTeno5QWE3QThtTVpPZ2FDUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 0POdn2OusYA
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (151) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
    "C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1624
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:952
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:2356
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:3328
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:4756
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:892
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
          1⤵
          • Executes dropped EXE
          PID:380

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        2
        T1112

        Indicator Removal

        1
        T1070

        File Deletion

        1
        T1070.004

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
          Filesize

          775KB

          MD5

          0b486fe0503524cfe4726a4022fa6a68

          SHA1

          297dea71d489768ce45d23b0f8a45424b469ab00

          SHA256

          1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

          SHA512

          f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

        • C:\Users\Admin\Desktop\nfCud_readme_.txt
          Filesize

          3KB

          MD5

          b960166bf65fbb117dca236fef3710a3

          SHA1

          dc86e4442f681861c69f90e7d7f17b5468841a47

          SHA256

          863d88b71cf27703e93b9dad6bf6cb738389e5f0ebd25ab9e4e491375fb8a0fa

          SHA512

          77b0aea05ef8250642d136e734a587b15fda8327c2e2ddd94cf33f73aa4601d3bc53f6f823277e7cebdec047cc4f1c0aba7ce343c06f22ef80ae2f2171f1d31d

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\nfCud_readme_.txt
          Filesize

          3KB

          MD5

          20442c3c5cf01194e0c0e0e1f5432a6d

          SHA1

          75cd9280f4b7bea4cd4df524ba35de14adcc20f5

          SHA256

          c8b77ee4bc17896a117890d6ee4b9af959217180191c7e31e81274423bc1cfab

          SHA512

          ff8d8a81153ba7c96c89ad10f1fd94bd0d967492c54ce02851b9ed26abd634902a9efa692c3f022b3f04f77c0e574ec84c8e3245e6a1aea6f70bc946a1d4b451