Analysis

  • max time kernel: 150s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 02-04-2024 10:08

General

  • Target: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  • Size: 775KB
  • MD5: 117da2dd6fa24616f63eb43d5a15e5d3
  • SHA1: b4d70eecdef52ceef15f04a025d1ab08f193fb97
  • SHA256: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
  • SHA512: de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
  • SSDEEP: 24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DuLAL_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BdAAbEBAcd

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[victim ID removed from the report]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

mmfkLltIUNoVLAgsi1v3pbJzIe
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\DuLAL_readme_.txt

Family

avaddon

Ransom Note
Identical to the note extracted above, apart from the trailing token.
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\MSN Websites\DuLAL_readme_.txt

Family

avaddon

Ransom Note
Identical to the note extracted above, apart from the trailing token.
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\DuLAL_readme_.txt

Family

avaddon

Ransom Note
Identical to the note extracted above, apart from the trailing token.
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\DuLAL_readme_.txt

Family

avaddon

Ransom Note
Identical to the note extracted above, apart from the trailing token.
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (178) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    "C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2656
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2840
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2248
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:1944
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1984
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:1936
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2000
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:936
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1428
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E5487F54-5F19-4E84-A55C-0DB05EF81785} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
      2⤵
      • Executes dropped EXE
      PID:840

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Privilege Escalation
    • Abuse Elevation Control Mechanism, T1548 (1)
      • Bypass User Account Control, T1548.002 (1)
  • Defense Evasion
    • Abuse Elevation Control Mechanism, T1548 (1)
      • Bypass User Account Control, T1548.002 (1)
    • Impair Defenses, T1562 (1)
      • Disable or Modify Tools, T1562.001 (1)
    • Modify Registry, T1112 (2)
    • Indicator Removal, T1070 (2)
      • File Deletion, T1070.004 (2)
  • Discovery
    • System Information Discovery, T1082 (3)
    • Query Registry, T1012 (1)
    • Peripheral Device Discovery, T1120 (1)
  • Impact
    • Inhibit System Recovery, T1490 (2)


Downloads

  • C:\DuLAL_readme_.txt
    Filesize: 3KB
    MD5: 84989f395d9092fa15e0cf3d21501c6d
    SHA1: 9b01453b0f97bb71c1ef9fce338e82bec7ce9ec0
    SHA256: de555dc601225676d09ae840d6a3ea759257ec731f1fd909c09aa06fd796bf1a
    SHA512: ea3c6e2ac4341b84474e538fbdb3115872b70532b4d9053ba9ddaa0e975f72f4d360948a90450db22f411992dc4e8e240632c152bbc7faff5177ae82b3e68b90

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    Filesize: 775KB
    MD5: 117da2dd6fa24616f63eb43d5a15e5d3
    SHA1: b4d70eecdef52ceef15f04a025d1ab08f193fb97
    SHA256: 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
    SHA512: de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

  • C:\Users\Admin\Desktop\DuLAL_readme_.txt
    Filesize: 3KB
    MD5: a6ddb178d2cfcc2f91282fcc617535f4
    SHA1: 13b2bffe3eda0eb76e40cc696ece164a3fe49fb6
    SHA256: 8809253c6f49448d01077f398618997ae9ea48b787cdc1c0c74073dab5739012
    SHA512: a3577a0b3293275dd5e50f73f2a5ab9dfed652d0dbe06530ef28968fc1d41f04242f125d0d43b8d253a4faea64f176d5c3b61284327da0db498d4e0dfc74d4b8

  • C:\Users\Admin\Desktop\DuLAL_readme_.txt
    Filesize: 3KB
    MD5: 55e669c9697f82882f9e5e2553a42877
    SHA1: a9b94c465d18af2e817dd4b106c5b7ade75003e4
    SHA256: b47d5a54ea81cf1dc4502fd6d61d35f69fabd5c2b674b3764d3b2c17f12c4790
    SHA512: 5f1a847c612e993294166effc2d21191459d5b80ab958a8d56dbdc8ce703ec23ff7de753e577fd5c67931f0808002c8120ab36729f68af27250e41cd3abc7bea

  • C:\Users\Admin\Favorites\MSN Websites\DuLAL_readme_.txt
    Filesize: 3KB
    MD5: 280b802a1c84a420afce39afaa5dadc2
    SHA1: 54f2d618bacd3029dcaedfc145e19cdd7e8957d0
    SHA256: 9f488ae750b3d845e909e2c1e92a4a230bf8f632add10b6fb7a3569c56233d51
    SHA512: 3480f19482dd3d9d50fa7d934dbb42bd02e2c77b20f473dce5e4fec0228a6c33bc7baece452aa02dfeb7705f929bc177f8ed87220a1cd676a6a03eac637eb2e6

  • C:\Users\Admin\Music\DuLAL_readme_.txt
    Filesize: 3KB
    MD5: 0704dd9e5f27f4d153ae53220306f216
    SHA1: be93c9dc4098fd60ea01281fcf4d3384f12a9fbb
    SHA256: ac6572b530adfb487cfba60230d17a3830d90076e90d7e1219d6c74942fad2e4
    SHA512: 1cbd7973a136e6bf70bcf8bf63aa54e25c9271c710550b2205508ac468b185588056ad502d70a910bed2f03f2e2b04c21a67cee7af83d26869eab0e7ebe53167