Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe

  • Size

    775KB

  • MD5

    c19084114c85192dacfed89a92da6837

  • SHA1

    a1d6461e833813ccfb77a6929de43ab5383dbb98

  • SHA256

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

  • SHA512

    cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

  • SSDEEP

    24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\QlZZxj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEbeBBceea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CamNEMjFPaEV6NWowQ3Y2eVNraHBtckk5N1Y3eTdCVkZleGdPQ25GdVdpS09DWjhRb2ZPa3B3ZTU5aldVKzN1eGtGcWZsR2pKZFFRem9nb2JQblVyNnlTZDRKT1RkSENJOU44VVNOaDhlT052M0p4UWpxckZIa1VzNXYySlljVVJ0QUxwSTRCdjBFQ3FTWHJWWE5JTDlzY3hpcS9GcXUyRnhhdVN6Q09rTUJTOVJhUFFXeXd1aWRzS3NFbW4yVnBVV2RHZ3dmV1h4K1hNVFpubEhWSjNnS0FvS2lpajM0OTBoRE9ZOEp1OUFjUTAzSHlEYjZUYXd0aWc1R1YySUFqdXdCaGw4N1FFbklTSzE1T2NBNitlVE9rS1FIMWVhT09Nd2NiazB2YjkwcXVuTVlLZndwdkNHaTVMZzIrTUhWSFVhVHgyRTU5clc4eEpPK0dmUHhjeTlBeWcrZnoyRzZrcENyVFRHVGEvSjZ3aXpnUUYvYUJxMHZDdC92UytYbjI2ak5DUGtYWnJ4NlgrdTBkTGgwNzBrcGJkd2ZoK0NOQ2J1YmtCRXZoNWhEUGZONjBubm1aV0IwMXd3TCt6eEQ5M0YrUTd4UytyYkYyakFGUzl4Z0h1eGNzTEZNdncrcTB6SmlkOUNibDR4L3E4SWRNZVlDMWtaMEdKYXBUWEVJNWJhS0lvdGhqL2x6Zk5pZzNZWmZ2OUhSQm5NTEIyVU8ya2kwaHdTVXR5YjE5dGlSNDY0bHZNYWFZZi9OeXlzamtOV0tCaTJXbHZvQ2FsWFNNeXMzcW0ycERPVHlhRmRrczg4RWNURXBTU241TzY5RHg0Y2ZYdXRsd29DLzZCRGk3by84SXpZWkpXOHN6ZzJPTm1wZGVhWmJUVjlhckxYNUdpNlBDKzBHaWE3Z0VSVVkxRkdiUmp1czZSYi9wR3Y5MGV2VGdhL3ZVd2lZYkE0V0VWSHhZQm5TT1E3RkwyQzN0cUh2VUZhQ20zZ1R6ZVlQRWVwWUFKNjZDdWM3TWdCaUMrN2I2MHV4M3Myem85bUZMNmoxYmtCQ0pjbDdsME5QaFZFZmNrYWswdzkxT3pZMlpxSmkwSHFhVHd1Y0hraDJrQkdmNmNhdFM3N3RGNExmNWNVVGhXTEFEc21yZ0c4SkxhMXlabmZZcnJVMkFEV09GbDcwbXhlY2JtUm1FWjRJOGM4ZzZBNHh2dkVranZYTmVDeWJSa3lWcVNsR1VXS05kSW96QVFKYzVCWUFaTk5RRGhVTUZRU0dqWTVmWUNjblI5cEM5TFpsZTNxY2Y2bVpCbVlqazFsa2w0cXJYZGxFWVFEY2VQZE90VG1QcmhtcmUxM1FrS1kzZDRxN3dTRVR1WVlVamZkR2xQVDJ3dEZSU2NCakdjTDZVUHVyT1phUU4vS1BVcVJmLzA5NUIwRk85U0NCdUJIWkZJU0ljazdCcTA5Z3U1em9JTDhJaDltZzZBV3ZweENVK250ZE11WnphVExwQS9qQ0l6UUJkUkhsQVBJSnpjQW9UWERMa0F4eEIreHhPdDh5bHVOek1lV1NVajltaTNoa05QaEloeFlnZXZQNjFKY3ZiYmpmeTVLNkVhdS9lZTUrV1BZL2tBeDJiTS9kSXZiR1FqQ3JkQllPZkR2MnBpUG93aEZIUGlCZ1NpOUwxM0VzaGtvRjBnaUJKa3hDQjdSVGYwZjN0dDQ5eVpIbmt6a1YwWkZ2Ukp6c252bTVWb211eUhpbnkvRGlGSG9BSnZNRUhFLzI5WmY3MGkrbVdPVHFHUCtQdUpVUUVqUU5yQjlBcUJXN1dMVGliYTVqY3FPVndPZjI2RGNsSXNXdTE3VS9vdTJ5T2dMU2orVjlaTWZ3bTIrVFg2VTVNRnJKSXNvUlp0K3pjUXpZSkR0R05GbzV3ZVRqWExuaG0wSUFuTkJDNVlMcmZBdHliTG9ObFNtWllCY05ERnBuc1pQbSsyNE1UcmNjcVdCZmJIY3dQd3AraHFQNnpXT0taN1VTQVFTMkduZm4wQjlJRlIrN1kya2FPNi9pRk8ySGttSWpDdmUvbXltYVk4cmp6ckl2T1BtR2hKY1U2K3ZweklubXlqVm9mRHdEM2pWTTUxd3VQeDFPYmF4SFoxQzBwNzYrbVorbExkWTZDY20wMVdlcUZhUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * qGUVI0D2zlpgG9CI4NJ1Ze8hmIMG
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\QlZZxj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEbeBBceea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CamNEMjFPaEV6NWowQ3Y2eVNraHBtckk5N1Y3eTdCVkZleGdPQ25GdVdpS09DWjhRb2ZPa3B3ZTU5aldVKzN1eGtGcWZsR2pKZFFRem9nb2JQblVyNnlTZDRKT1RkSENJOU44VVNOaDhlT052M0p4UWpxckZIa1VzNXYySlljVVJ0QUxwSTRCdjBFQ3FTWHJWWE5JTDlzY3hpcS9GcXUyRnhhdVN6Q09rTUJTOVJhUFFXeXd1aWRzS3NFbW4yVnBVV2RHZ3dmV1h4K1hNVFpubEhWSjNnS0FvS2lpajM0OTBoRE9ZOEp1OUFjUTAzSHlEYjZUYXd0aWc1R1YySUFqdXdCaGw4N1FFbklTSzE1T2NBNitlVE9rS1FIMWVhT09Nd2NiazB2YjkwcXVuTVlLZndwdkNHaTVMZzIrTUhWSFVhVHgyRTU5clc4eEpPK0dmUHhjeTlBeWcrZnoyRzZrcENyVFRHVGEvSjZ3aXpnUUYvYUJxMHZDdC92UytYbjI2ak5DUGtYWnJ4NlgrdTBkTGgwNzBrcGJkd2ZoK0NOQ2J1YmtCRXZoNWhEUGZONjBubm1aV0IwMXd3TCt6eEQ5M0YrUTd4UytyYkYyakFGUzl4Z0h1eGNzTEZNdncrcTB6SmlkOUNibDR4L3E4SWRNZVlDMWtaMEdKYXBUWEVJNWJhS0lvdGhqL2x6Zk5pZzNZWmZ2OUhSQm5NTEIyVU8ya2kwaHdTVXR5YjE5dGlSNDY0bHZNYWFZZi9OeXlzamtOV0tCaTJXbHZvQ2FsWFNNeXMzcW0ycERPVHlhRmRrczg4RWNURXBTU241TzY5RHg0Y2ZYdXRsd29DLzZCRGk3by84SXpZWkpXOHN6ZzJPTm1wZGVhWmJUVjlhckxYNUdpNlBDKzBHaWE3Z0VSVVkxRkdiUmp1czZSYi9wR3Y5MGV2VGdhL3ZVd2lZYkE0V0VWSHhZQm5TT1E3RkwyQzN0cUh2VUZhQ20zZ1R6ZVlQRWVwWUFKNjZDdWM3TWdCaUMrN2I2MHV4M3Myem85bUZMNmoxYmtCQ0pjbDdsME5QaFZFZmNrYWswdzkxT3pZMlpxSmkwSHFhVHd1Y0hraDJrQkdmNmNhdFM3N3RGNExmNWNVVGhXTEFEc21yZ0c4SkxhMXlabmZZcnJVMkFEV09GbDcwbXhlY2JtUm1FWjRJOGM4ZzZBNHh2dkVranZYTmVDeWJSa3lWcVNsR1VXS05kSW96QVFKYzVCWUFaTk5RRGhVTUZRU0dqWTVmWUNjblI5cEM5TFpsZTNxY2Y2bVpCbVlqazFsa2w0cXJYZGxFWVFEY2VQZE90VG1QcmhtcmUxM1FrS1kzZDRxN3dTRVR1WVlVamZkR2xQVDJ3dEZSU2NCakdjTDZVUHVyT1phUU4vS1BVcVJmLzA5NUIwRk85U0NCdUJIWkZJU0ljazdCcTA5Z3U1em9JTDhJaDltZzZBV3ZweENVK250ZE11WnphVExwQS9qQ0l6UUJkUkhsQVBJSnpjQW9UWERMa0F4eEIreHhPdDh5bHVOek1lV1NVajltaTNoa05QaEloeFlnZXZQNjFKY3ZiYmpmeTVLNkVhdS9lZTUrV1BZL2tBeDJiTS9kSXZiR1FqQ3JkQllPZkR2MnBpUG93aEZIUGlCZ1NpOUwxM0VzaGtvRjBnaUJKa3hDQjdSVGYwZjN0dDQ5eVpIbmt6a1YwWkZ2Ukp6c252bTVWb211eUhpbnkvRGlGSG9BSnZNRUhFLzI5WmY3MGkrbVdPVHFHUCtQdUpVUUVqUU5yQjlBcUJXN1dMVGliYTVqY3FPVndPZjI2RGNsSXNXdTE3VS9vdTJ5T2dMU2orVjlaTWZ3bTIrVFg2VTVNRnJKSXNvUlp0K3pjUXpZSkR0R05GbzV3ZVRqWExuaG0wSUFuTkJDNVlMcmZBdHliTG9ObFNtWllCY05ERnBuc1pQbSsyNE1UcmNjcVdCZmJIY3dQd3AraHFQNnpXT0taN1VTQVFTMkduZm4wQjlJRlIrN1kya2FPNi9pRk8ySGttSWpDdmUvbXltYVk4cmp6ckl2T1BtR2hKY1U2K3ZweklubXlqVm9mRHdEM2pWTTUxd3VQeDFPYmF4SFoxQzBwNzYrbVorbExkWTZDY20wMVdlcUZhUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * CO5s7DzppNXFcaqKGtE9GJHicT5RbVi
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\QlZZxj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEbeBBceea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CamNEMjFPaEV6NWowQ3Y2eVNraHBtckk5N1Y3eTdCVkZleGdPQ25GdVdpS09DWjhRb2ZPa3B3ZTU5aldVKzN1eGtGcWZsR2pKZFFRem9nb2JQblVyNnlTZDRKT1RkSENJOU44VVNOaDhlT052M0p4UWpxckZIa1VzNXYySlljVVJ0QUxwSTRCdjBFQ3FTWHJWWE5JTDlzY3hpcS9GcXUyRnhhdVN6Q09rTUJTOVJhUFFXeXd1aWRzS3NFbW4yVnBVV2RHZ3dmV1h4K1hNVFpubEhWSjNnS0FvS2lpajM0OTBoRE9ZOEp1OUFjUTAzSHlEYjZUYXd0aWc1R1YySUFqdXdCaGw4N1FFbklTSzE1T2NBNitlVE9rS1FIMWVhT09Nd2NiazB2YjkwcXVuTVlLZndwdkNHaTVMZzIrTUhWSFVhVHgyRTU5clc4eEpPK0dmUHhjeTlBeWcrZnoyRzZrcENyVFRHVGEvSjZ3aXpnUUYvYUJxMHZDdC92UytYbjI2ak5DUGtYWnJ4NlgrdTBkTGgwNzBrcGJkd2ZoK0NOQ2J1YmtCRXZoNWhEUGZONjBubm1aV0IwMXd3TCt6eEQ5M0YrUTd4UytyYkYyakFGUzl4Z0h1eGNzTEZNdncrcTB6SmlkOUNibDR4L3E4SWRNZVlDMWtaMEdKYXBUWEVJNWJhS0lvdGhqL2x6Zk5pZzNZWmZ2OUhSQm5NTEIyVU8ya2kwaHdTVXR5YjE5dGlSNDY0bHZNYWFZZi9OeXlzamtOV0tCaTJXbHZvQ2FsWFNNeXMzcW0ycERPVHlhRmRrczg4RWNURXBTU241TzY5RHg0Y2ZYdXRsd29DLzZCRGk3by84SXpZWkpXOHN6ZzJPTm1wZGVhWmJUVjlhckxYNUdpNlBDKzBHaWE3Z0VSVVkxRkdiUmp1czZSYi9wR3Y5MGV2VGdhL3ZVd2lZYkE0V0VWSHhZQm5TT1E3RkwyQzN0cUh2VUZhQ20zZ1R6ZVlQRWVwWUFKNjZDdWM3TWdCaUMrN2I2MHV4M3Myem85bUZMNmoxYmtCQ0pjbDdsME5QaFZFZmNrYWswdzkxT3pZMlpxSmkwSHFhVHd1Y0hraDJrQkdmNmNhdFM3N3RGNExmNWNVVGhXTEFEc21yZ0c4SkxhMXlabmZZcnJVMkFEV09GbDcwbXhlY2JtUm1FWjRJOGM4ZzZBNHh2dkVranZYTmVDeWJSa3lWcVNsR1VXS05kSW96QVFKYzVCWUFaTk5RRGhVTUZRU0dqWTVmWUNjblI5cEM5TFpsZTNxY2Y2bVpCbVlqazFsa2w0cXJYZGxFWVFEY2VQZE90VG1QcmhtcmUxM1FrS1kzZDRxN3dTRVR1WVlVamZkR2xQVDJ3dEZSU2NCakdjTDZVUHVyT1phUU4vS1BVcVJmLzA5NUIwRk85U0NCdUJIWkZJU0ljazdCcTA5Z3U1em9JTDhJaDltZzZBV3ZweENVK250ZE11WnphVExwQS9qQ0l6UUJkUkhsQVBJSnpjQW9UWERMa0F4eEIreHhPdDh5bHVOek1lV1NVajltaTNoa05QaEloeFlnZXZQNjFKY3ZiYmpmeTVLNkVhdS9lZTUrV1BZL2tBeDJiTS9kSXZiR1FqQ3JkQllPZkR2MnBpUG93aEZIUGlCZ1NpOUwxM0VzaGtvRjBnaUJKa3hDQjdSVGYwZjN0dDQ5eVpIbmt6a1YwWkZ2Ukp6c252bTVWb211eUhpbnkvRGlGSG9BSnZNRUhFLzI5WmY3MGkrbVdPVHFHUCtQdUpVUUVqUU5yQjlBcUJXN1dMVGliYTVqY3FPVndPZjI2RGNsSXNXdTE3VS9vdTJ5T2dMU2orVjlaTWZ3bTIrVFg2VTVNRnJKSXNvUlp0K3pjUXpZSkR0R05GbzV3ZVRqWExuaG0wSUFuTkJDNVlMcmZBdHliTG9ObFNtWllCY05ERnBuc1pQbSsyNE1UcmNjcVdCZmJIY3dQd3AraHFQNnpXT0taN1VTQVFTMkduZm4wQjlJRlIrN1kya2FPNi9pRk8ySGttSWpDdmUvbXltYVk4cmp6ckl2T1BtR2hKY1U2K3ZweklubXlqVm9mRHdEM2pWTTUxd3VQeDFPYmF4SFoxQzBwNzYrbVorbExkWTZDY20wMVdlcUZhUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Z0
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\QlZZxj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEbeBBceea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CamNEMjFPaEV6NWowQ3Y2eVNraHBtckk5N1Y3eTdCVkZleGdPQ25GdVdpS09DWjhRb2ZPa3B3ZTU5aldVKzN1eGtGcWZsR2pKZFFRem9nb2JQblVyNnlTZDRKT1RkSENJOU44VVNOaDhlT052M0p4UWpxckZIa1VzNXYySlljVVJ0QUxwSTRCdjBFQ3FTWHJWWE5JTDlzY3hpcS9GcXUyRnhhdVN6Q09rTUJTOVJhUFFXeXd1aWRzS3NFbW4yVnBVV2RHZ3dmV1h4K1hNVFpubEhWSjNnS0FvS2lpajM0OTBoRE9ZOEp1OUFjUTAzSHlEYjZUYXd0aWc1R1YySUFqdXdCaGw4N1FFbklTSzE1T2NBNitlVE9rS1FIMWVhT09Nd2NiazB2YjkwcXVuTVlLZndwdkNHaTVMZzIrTUhWSFVhVHgyRTU5clc4eEpPK0dmUHhjeTlBeWcrZnoyRzZrcENyVFRHVGEvSjZ3aXpnUUYvYUJxMHZDdC92UytYbjI2ak5DUGtYWnJ4NlgrdTBkTGgwNzBrcGJkd2ZoK0NOQ2J1YmtCRXZoNWhEUGZONjBubm1aV0IwMXd3TCt6eEQ5M0YrUTd4UytyYkYyakFGUzl4Z0h1eGNzTEZNdncrcTB6SmlkOUNibDR4L3E4SWRNZVlDMWtaMEdKYXBUWEVJNWJhS0lvdGhqL2x6Zk5pZzNZWmZ2OUhSQm5NTEIyVU8ya2kwaHdTVXR5YjE5dGlSNDY0bHZNYWFZZi9OeXlzamtOV0tCaTJXbHZvQ2FsWFNNeXMzcW0ycERPVHlhRmRrczg4RWNURXBTU241TzY5RHg0Y2ZYdXRsd29DLzZCRGk3by84SXpZWkpXOHN6ZzJPTm1wZGVhWmJUVjlhckxYNUdpNlBDKzBHaWE3Z0VSVVkxRkdiUmp1czZSYi9wR3Y5MGV2VGdhL3ZVd2lZYkE0V0VWSHhZQm5TT1E3RkwyQzN0cUh2VUZhQ20zZ1R6ZVlQRWVwWUFKNjZDdWM3TWdCaUMrN2I2MHV4M3Myem85bUZMNmoxYmtCQ0pjbDdsME5QaFZFZmNrYWswdzkxT3pZMlpxSmkwSHFhVHd1Y0hraDJrQkdmNmNhdFM3N3RGNExmNWNVVGhXTEFEc21yZ0c4SkxhMXlabmZZcnJVMkFEV09GbDcwbXhlY2JtUm1FWjRJOGM4ZzZBNHh2dkVranZYTmVDeWJSa3lWcVNsR1VXS05kSW96QVFKYzVCWUFaTk5RRGhVTUZRU0dqWTVmWUNjblI5cEM5TFpsZTNxY2Y2bVpCbVlqazFsa2w0cXJYZGxFWVFEY2VQZE90VG1QcmhtcmUxM1FrS1kzZDRxN3dTRVR1WVlVamZkR2xQVDJ3dEZSU2NCakdjTDZVUHVyT1phUU4vS1BVcVJmLzA5NUIwRk85U0NCdUJIWkZJU0ljazdCcTA5Z3U1em9JTDhJaDltZzZBV3ZweENVK250ZE11WnphVExwQS9qQ0l6UUJkUkhsQVBJSnpjQW9UWERMa0F4eEIreHhPdDh5bHVOek1lV1NVajltaTNoa05QaEloeFlnZXZQNjFKY3ZiYmpmeTVLNkVhdS9lZTUrV1BZL2tBeDJiTS9kSXZiR1FqQ3JkQllPZkR2MnBpUG93aEZIUGlCZ1NpOUwxM0VzaGtvRjBnaUJKa3hDQjdSVGYwZjN0dDQ5eVpIbmt6a1YwWkZ2Ukp6c252bTVWb211eUhpbnkvRGlGSG9BSnZNRUhFLzI5WmY3MGkrbVdPVHFHUCtQdUpVUUVqUU5yQjlBcUJXN1dMVGliYTVqY3FPVndPZjI2RGNsSXNXdTE3VS9vdTJ5T2dMU2orVjlaTWZ3bTIrVFg2VTVNRnJKSXNvUlp0K3pjUXpZSkR0R05GbzV3ZVRqWExuaG0wSUFuTkJDNVlMcmZBdHliTG9ObFNtWllCY05ERnBuc1pQbSsyNE1UcmNjcVdCZmJIY3dQd3AraHFQNnpXT0taN1VTQVFTMkduZm4wQjlJRlIrN1kya2FPNi9pRk8ySGttSWpDdmUvbXltYVk4cmp6ckl2T1BtR2hKY1U2K3ZweklubXlqVm9mRHdEM2pWTTUxd3VQeDFPYmF4SFoxQzBwNzYrbVorbExkWTZDY20wMVdlcUZhUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * P9o5m
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\QlZZxj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aEbeBBceea You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CamNEMjFPaEV6NWowQ3Y2eVNraHBtckk5N1Y3eTdCVkZleGdPQ25GdVdpS09DWjhRb2ZPa3B3ZTU5aldVKzN1eGtGcWZsR2pKZFFRem9nb2JQblVyNnlTZDRKT1RkSENJOU44VVNOaDhlT052M0p4UWpxckZIa1VzNXYySlljVVJ0QUxwSTRCdjBFQ3FTWHJWWE5JTDlzY3hpcS9GcXUyRnhhdVN6Q09rTUJTOVJhUFFXeXd1aWRzS3NFbW4yVnBVV2RHZ3dmV1h4K1hNVFpubEhWSjNnS0FvS2lpajM0OTBoRE9ZOEp1OUFjUTAzSHlEYjZUYXd0aWc1R1YySUFqdXdCaGw4N1FFbklTSzE1T2NBNitlVE9rS1FIMWVhT09Nd2NiazB2YjkwcXVuTVlLZndwdkNHaTVMZzIrTUhWSFVhVHgyRTU5clc4eEpPK0dmUHhjeTlBeWcrZnoyRzZrcENyVFRHVGEvSjZ3aXpnUUYvYUJxMHZDdC92UytYbjI2ak5DUGtYWnJ4NlgrdTBkTGgwNzBrcGJkd2ZoK0NOQ2J1YmtCRXZoNWhEUGZONjBubm1aV0IwMXd3TCt6eEQ5M0YrUTd4UytyYkYyakFGUzl4Z0h1eGNzTEZNdncrcTB6SmlkOUNibDR4L3E4SWRNZVlDMWtaMEdKYXBUWEVJNWJhS0lvdGhqL2x6Zk5pZzNZWmZ2OUhSQm5NTEIyVU8ya2kwaHdTVXR5YjE5dGlSNDY0bHZNYWFZZi9OeXlzamtOV0tCaTJXbHZvQ2FsWFNNeXMzcW0ycERPVHlhRmRrczg4RWNURXBTU241TzY5RHg0Y2ZYdXRsd29DLzZCRGk3by84SXpZWkpXOHN6ZzJPTm1wZGVhWmJUVjlhckxYNUdpNlBDKzBHaWE3Z0VSVVkxRkdiUmp1czZSYi9wR3Y5MGV2VGdhL3ZVd2lZYkE0V0VWSHhZQm5TT1E3RkwyQzN0cUh2VUZhQ20zZ1R6ZVlQRWVwWUFKNjZDdWM3TWdCaUMrN2I2MHV4M3Myem85bUZMNmoxYmtCQ0pjbDdsME5QaFZFZmNrYWswdzkxT3pZMlpxSmkwSHFhVHd1Y0hraDJrQkdmNmNhdFM3N3RGNExmNWNVVGhXTEFEc21yZ0c4SkxhMXlabmZZcnJVMkFEV09GbDcwbXhlY2JtUm1FWjRJOGM4ZzZBNHh2dkVranZYTmVDeWJSa3lWcVNsR1VXS05kSW96QVFKYzVCWUFaTk5RRGhVTUZRU0dqWTVmWUNjblI5cEM5TFpsZTNxY2Y2bVpCbVlqazFsa2w0cXJYZGxFWVFEY2VQZE90VG1QcmhtcmUxM1FrS1kzZDRxN3dTRVR1WVlVamZkR2xQVDJ3dEZSU2NCakdjTDZVUHVyT1phUU4vS1BVcVJmLzA5NUIwRk85U0NCdUJIWkZJU0ljazdCcTA5Z3U1em9JTDhJaDltZzZBV3ZweENVK250ZE11WnphVExwQS9qQ0l6UUJkUkhsQVBJSnpjQW9UWERMa0F4eEIreHhPdDh5bHVOek1lV1NVajltaTNoa05QaEloeFlnZXZQNjFKY3ZiYmpmeTVLNkVhdS9lZTUrV1BZL2tBeDJiTS9kSXZiR1FqQ3JkQllPZkR2MnBpUG93aEZIUGlCZ1NpOUwxM0VzaGtvRjBnaUJKa3hDQjdSVGYwZjN0dDQ5eVpIbmt6a1YwWkZ2Ukp6c252bTVWb211eUhpbnkvRGlGSG9BSnZNRUhFLzI5WmY3MGkrbVdPVHFHUCtQdUpVUUVqUU5yQjlBcUJXN1dMVGliYTVqY3FPVndPZjI2RGNsSXNXdTE3VS9vdTJ5T2dMU2orVjlaTWZ3bTIrVFg2VTVNRnJKSXNvUlp0K3pjUXpZSkR0R05GbzV3ZVRqWExuaG0wSUFuTkJDNVlMcmZBdHliTG9ObFNtWllCY05ERnBuc1pQbSsyNE1UcmNjcVdCZmJIY3dQd3AraHFQNnpXT0taN1VTQVFTMkduZm4wQjlJRlIrN1kya2FPNi9pRk8ySGttSWpDdmUvbXltYVk4cmp6ckl2T1BtR2hKY1U2K3ZweklubXlqVm9mRHdEM2pWTTUxd3VQeDFPYmF4SFoxQzBwNzYrbVorbExkWTZDY20wMVdlcUZhUT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * mlPS7oMGr
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
    "C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2896
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:2476
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2728
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:2332
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All /Quiet
          2⤵
          • Interacts with shadow copies
          PID:1800
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:1124
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin Delete Shadows /All /Quiet
            2⤵
            • Interacts with shadow copies
            PID:2240
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2392
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:1396
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {F3179155-2F08-4738-BF40-442DB6E4F0C5} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2132
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
              2⤵
              • Executes dropped EXE
              PID:108

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          2
          T1112

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\QlZZxj_readme_.txt
            Filesize

            3KB

            MD5

            ecb21609a308dbc3d96cada66b6bf0da

            SHA1

            8d014444ee9f8c64963da7df3919c3cb065ac5a3

            SHA256

            3df5a7e603f388148e3a864a39d07ff44888ec4d85fb293c1905453c8d7acd2c

            SHA512

            cfe8446321541e290c93652e6f6b8a59002654ed4a8eed5dc33346ac36724a5f18e317dbe10e0cf64a3dd922d184159e364391dcddb59b401e8ad3ef6da7b74e

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
            Filesize

            775KB

            MD5

            c19084114c85192dacfed89a92da6837

            SHA1

            a1d6461e833813ccfb77a6929de43ab5383dbb98

            SHA256

            46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

            SHA512

            cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

          • C:\Users\Admin\Desktop\QlZZxj_readme_.txt
            Filesize

            3KB

            MD5

            7165c8ec7196668008df9c816346d1f8

            SHA1

            953d3d6d0d29ab142d7b628e25b7d4053de7e021

            SHA256

            172e5172771334ec6a532d1e510ccf0c2f7e2d89086cd3ad5bc748bad9381a1e

            SHA512

            9d27b33896aee9f57a5724f356c8d9444ac425de6791edb76f82c13e01e55e9907dd5b783e74e8194b96e6cf637f753e880d3223e57dbd9f45cefcc5444d5340

          • C:\Users\Admin\Desktop\QlZZxj_readme_.txt
            Filesize

            3KB

            MD5

            4a8a0f6f001c2969ba7de041ab881316

            SHA1

            6943d6b37cc50ce3b53e1e81c65ff219f2791c71

            SHA256

            2fe82817ec2f3475eb70b042d20f965e208c61db11a90150dd65d7dfeaeb79ce

            SHA512

            ffdea0d4f79bef089a4ba4691abf582d61c0f08221c3ff83e9c576df1d477e7512565c5276bd4f556042604bb5cfb247e99f5ca16f2364b13a93a502be057adb

          • C:\Users\Admin\Documents\QlZZxj_readme_.txt
            Filesize

            3KB

            MD5

            c54637b64738c619faaa25de0e5e6324

            SHA1

            dd0e1f11c5fd1085c0e405c4798026464a824b03

            SHA256

            0669024616f98740541bca9c5b760d9c594b3e648ce84d9569e801567ae85781

            SHA512

            45f105da9af2096c576bf1f6bc65ce5788603276f6afdb3e57a86b647b7efa45c10b38ce14187c66c4c44c67f2b3dc1768c70e82e957531ce1fdef1e0d99f1c2

          • C:\Users\Admin\Downloads\QlZZxj_readme_.txt
            Filesize

            3KB

            MD5

            93cd79bfa82d29877434d6cf8c3a9ba3

            SHA1

            46578f53ccdc726c929e7c42f29602ddee1377cb

            SHA256

            8cc5d9397412836bad352eb855d7ff49f5464cbd2d68cc62d159bb58554eb6d6

            SHA512

            87300ea55e3cd3e19b63cb7a744c01066ca2bc600be3bc35bcb63b9152b252666d600c02571d27844858ffc04ab4843f0053563fd2d5e7e8ce2ce41829f50189