Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe

  • Size

    775KB

  • MD5

    c19084114c85192dacfed89a92da6837

  • SHA1

    a1d6461e833813ccfb77a6929de43ab5383dbb98

  • SHA256

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

  • SHA512

    cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

  • SSDEEP

    24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\BCJwk_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .deCcDCacc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CbW4vNTM0SkFsQ05GN3NVQVdXRHFZZmpZZ09aRWdHa2wxd0FrQk4yTFNlUTN6ZVlVazZrR3krcVdUUjc2UUdBTVNURUN5Uk1XTFk4aU12bC9mVnBaajBHVGN5Nk1VZnRUQjlBWHh1Vk95Q1BtUUdaYmY2cHJRUkgrb2syUUw1SW1wR2FNYjROZS8wY09CSWoxT3o1NTRSaFFCdzhrYUkremFGU3RDdytEcWV1b3pjV1l3WkozaHhRU3QwaW9KV1NlTUJsYm1jY1p0RzU4NFAzaTI2ZkhEb2U1Z09FR0VEbEptUE1iNHJRZXdvbUhEenUzRHhFZ2RuM3VaemJZemk3d3ZNWlJXMDM2QnVLeEk2MXFvbmRMam05S1Roa0xsNVhzanV0YTNXays4NHlsai8vMURVcFpHZnEyV3dNOWl6V05FU1hkYlhGQnB1ek51Q09ZVldZbTlLWS9Sd2VwaUUvcllaaGtnZVJPbERJMUYyN2wwM3lnS2lONEo2Uk1YZGoycXgxWDBNSmlEU1J6NjBCeE1ldDRJYkpXYy8yTzdaK1lrY3hyaHRZSURMNHJkYXNoZnpaZi9pQzBCb3F0ZkI0L1FSYXg0SVh5UExWSk41UE5xbk9oMldXOStwU0JRd0lCSFRBNE1kckdaQ0xReEloU3RDMUl5QmlicS9UaTlQTGtzbTh5M0toa0N1OFN5RzNEUFlTeS9GYXR6ODlCaW9vNGlad3V1SEROaURoNHE0VWYzZitVaVQvSkozeVBML3JCVStSSWNHR1BER2xrcXc2MFN1UDlTSEVFV284V2FFeFQ0UFpTVW5YOXdUZFoxY1lmektRY3VGWU5WZGdmWlhJN2xoNjh6RmhlOC91S2ZrbFgrQ09ZSG44U0JFakwzREs5UGRmakRKN2NOYWVlbWNwQkMwRXRpZWNxcXhoa08vN1RyVTlDWXlnOXl4R0ZLU1U5TFFId0E0b3NSY3pyMzczSVlublhSWnNGZU9LcWx1bjRSdXdhMkxzcTJKR29jV2hkalgvbVJpalg4aEFISWZJcXlkTVpOVEFmQWtObzdiZTRlMjlSS2Q2Z3RNQ05CanB0YWx1ajRMaEQ3bUJSNFR3aThGVzV1T2tDWmVFNjNoMXcrQjRIVEZJU3BEc3hNN2pEQjZjYXhrcnp6N2hSbjAySnI1S084c00wK1hsSHl4T3p5T0ZaRmJuYURlTzE1MEIyQnYzemJvaHl5YjVEU2JrZWovdkRKeFBUOXhGc0VKNEY2UzVHQzFCL0VtSHRFaFlWSGNDZGpuZk5MVG8vVUdOa2hFaDNoWHIrYUllM1EvQmMxTkxCck9KcFFZQXJGQ1B1YlhKbElFcVFXV3EwVUt5cTFJbitETWlBNERrQXZnSWRyN0FnVjd2YU1lRHd0bUplZnRBQTg3NDJVOHRReVkxWFh0MHF2NkRYSnhNUFRBLytvUko1R1ZJaWFua1RwNi9nQWorMkxJNHY1T3BHRnRnYjEwcU5QbTVnemQxWWE1M3NDa0JYNmNYZkoyOFUxQlZ2ZWlucVh2ODRscFJIUFhCY0ZaR0VDazBCRGFaY1BOMms2NWR6cWxxK1U1TW9BZnZmaEI1TEhyaHZBL1ZoT0djY3I2dlhjdlVDOENYb0UzNlpuUktXQmE1cVRGV0tKRkZRM0xOQ2MvRlcyZm9xWXMvYVk2bS9LVHZSOHJNNWlEWStkRUNQM3prTVIrSnh6WXZ5NjY2RHpLWU85bzBHTXU1a1dqVFhGNmZULzV5VGhhdlA3UEVrT2R6NFh4SFhKTkZrdWk5V1ZFQjdISFVMV3A1QXVEc3VxVXhSWUlLL295M3JwSzhEL1FqaWFDd2w3MVpwVWovc0NoT1MrOGNpSXk3MkZiV3J5Vk40WTFnQVV4ZjNUK3FvNnFLR3daV3A3Yi96ZzZMWkx1OGNNbXFtSmwwQVRlKzVaZlFvN1JhaXFVRkVSdU5jd2FucjFJNVc1dlRhZmlBamk2UDlESXNuNGlOWGNMdTA2SFdYOEQwUy92R3hWQzZjNlFYQ1ZHMWVGZmk4UWNybnExWnMvT3pHNmpjSG0zOExjVDJQemg4UUI5bkxwbWJ4azNVZ01uNkQ3OUxTYldiN29CVXRydFc0QmZtUVJtN2R0Y0VISE1JcGxpSGJ4U05yZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NRW9Q6cER7pFEOR87ODub0H8sdH
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\BCJwk_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .deCcDCacc You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1CbW4vNTM0SkFsQ05GN3NVQVdXRHFZZmpZZ09aRWdHa2wxd0FrQk4yTFNlUTN6ZVlVazZrR3krcVdUUjc2UUdBTVNURUN5Uk1XTFk4aU12bC9mVnBaajBHVGN5Nk1VZnRUQjlBWHh1Vk95Q1BtUUdaYmY2cHJRUkgrb2syUUw1SW1wR2FNYjROZS8wY09CSWoxT3o1NTRSaFFCdzhrYUkremFGU3RDdytEcWV1b3pjV1l3WkozaHhRU3QwaW9KV1NlTUJsYm1jY1p0RzU4NFAzaTI2ZkhEb2U1Z09FR0VEbEptUE1iNHJRZXdvbUhEenUzRHhFZ2RuM3VaemJZemk3d3ZNWlJXMDM2QnVLeEk2MXFvbmRMam05S1Roa0xsNVhzanV0YTNXays4NHlsai8vMURVcFpHZnEyV3dNOWl6V05FU1hkYlhGQnB1ek51Q09ZVldZbTlLWS9Sd2VwaUUvcllaaGtnZVJPbERJMUYyN2wwM3lnS2lONEo2Uk1YZGoycXgxWDBNSmlEU1J6NjBCeE1ldDRJYkpXYy8yTzdaK1lrY3hyaHRZSURMNHJkYXNoZnpaZi9pQzBCb3F0ZkI0L1FSYXg0SVh5UExWSk41UE5xbk9oMldXOStwU0JRd0lCSFRBNE1kckdaQ0xReEloU3RDMUl5QmlicS9UaTlQTGtzbTh5M0toa0N1OFN5RzNEUFlTeS9GYXR6ODlCaW9vNGlad3V1SEROaURoNHE0VWYzZitVaVQvSkozeVBML3JCVStSSWNHR1BER2xrcXc2MFN1UDlTSEVFV284V2FFeFQ0UFpTVW5YOXdUZFoxY1lmektRY3VGWU5WZGdmWlhJN2xoNjh6RmhlOC91S2ZrbFgrQ09ZSG44U0JFakwzREs5UGRmakRKN2NOYWVlbWNwQkMwRXRpZWNxcXhoa08vN1RyVTlDWXlnOXl4R0ZLU1U5TFFId0E0b3NSY3pyMzczSVlublhSWnNGZU9LcWx1bjRSdXdhMkxzcTJKR29jV2hkalgvbVJpalg4aEFISWZJcXlkTVpOVEFmQWtObzdiZTRlMjlSS2Q2Z3RNQ05CanB0YWx1ajRMaEQ3bUJSNFR3aThGVzV1T2tDWmVFNjNoMXcrQjRIVEZJU3BEc3hNN2pEQjZjYXhrcnp6N2hSbjAySnI1S084c00wK1hsSHl4T3p5T0ZaRmJuYURlTzE1MEIyQnYzemJvaHl5YjVEU2JrZWovdkRKeFBUOXhGc0VKNEY2UzVHQzFCL0VtSHRFaFlWSGNDZGpuZk5MVG8vVUdOa2hFaDNoWHIrYUllM1EvQmMxTkxCck9KcFFZQXJGQ1B1YlhKbElFcVFXV3EwVUt5cTFJbitETWlBNERrQXZnSWRyN0FnVjd2YU1lRHd0bUplZnRBQTg3NDJVOHRReVkxWFh0MHF2NkRYSnhNUFRBLytvUko1R1ZJaWFua1RwNi9nQWorMkxJNHY1T3BHRnRnYjEwcU5QbTVnemQxWWE1M3NDa0JYNmNYZkoyOFUxQlZ2ZWlucVh2ODRscFJIUFhCY0ZaR0VDazBCRGFaY1BOMms2NWR6cWxxK1U1TW9BZnZmaEI1TEhyaHZBL1ZoT0djY3I2dlhjdlVDOENYb0UzNlpuUktXQmE1cVRGV0tKRkZRM0xOQ2MvRlcyZm9xWXMvYVk2bS9LVHZSOHJNNWlEWStkRUNQM3prTVIrSnh6WXZ5NjY2RHpLWU85bzBHTXU1a1dqVFhGNmZULzV5VGhhdlA3UEVrT2R6NFh4SFhKTkZrdWk5V1ZFQjdISFVMV3A1QXVEc3VxVXhSWUlLL295M3JwSzhEL1FqaWFDd2w3MVpwVWovc0NoT1MrOGNpSXk3MkZiV3J5Vk40WTFnQVV4ZjNUK3FvNnFLR3daV3A3Yi96ZzZMWkx1OGNNbXFtSmwwQVRlKzVaZlFvN1JhaXFVRkVSdU5jd2FucjFJNVc1dlRhZmlBamk2UDlESXNuNGlOWGNMdTA2SFdYOEQwUy92R3hWQzZjNlFYQ1ZHMWVGZmk4UWNybnExWnMvT3pHNmpjSG0zOExjVDJQemg4UUI5bkxwbWJ4azNVZ01uNkQ3OUxTYldiN29CVXRydFc0QmZtUVJtN2R0Y0VISE1JcGxpSGJ4U05yZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * kZ7WkIP2HjXK7o6Amve2IAu9sdH
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (150) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
    "C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1520
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:1132
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:2776
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:3192
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:4896
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:2956
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
            1⤵
            • Executes dropped EXE
            PID:4524

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          2
          T1112

          Indicator Removal

          1
          T1070

          File Deletion

          1
          T1070.004

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Impact

          Inhibit System Recovery

          1
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
            Filesize

            775KB

            MD5

            c19084114c85192dacfed89a92da6837

            SHA1

            a1d6461e833813ccfb77a6929de43ab5383dbb98

            SHA256

            46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

            SHA512

            cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

          • C:\Users\Admin\Desktop\BCJwk_readme_.txt
            Filesize

            3KB

            MD5

            2a7e91ea0b6a11f933d764582691ad5b

            SHA1

            991036746189ef3926225b6cebce0584ba026b15

            SHA256

            96e8e6cd27b62fb247159ead4c22b1b9a7ddec43d4145975f1fcabca7b402aff

            SHA512

            341e84e45e4ae4ea8797642fa5f31e3fdd144234d750699388c625a7a42885ebaf62a5afc2ea1351f110d51473694430f9a8328fd7d9f115cad8672aff1107e5

          • C:\Users\Admin\Downloads\BCJwk_readme_.txt
            Filesize

            3KB

            MD5

            229d31f6cec29ae41bd13f1e618d9408

            SHA1

            51618e8067d8a66073252fc07cab6d956bb68c8e

            SHA256

            b6e6b3d190833ad9ef992ced89dc8e8c4d997f8e00ce19deb698f9bf51ed4d3e

            SHA512

            57dac91d63c0bddb6b4ef1205a655f0a911e7aa0493ce80b3f15750d6150cb3945b10ad45ac67efd6de2257063f331698160e456c89d74685e87936ecd6b1365

          • memory/4524-434-0x0000000075640000-0x000000007564B000-memory.dmp
            Filesize

            44KB

          • memory/4524-433-0x0000000075650000-0x000000007566D000-memory.dmp
            Filesize

            116KB

          • memory/4524-432-0x00000000758F0000-0x0000000075909000-memory.dmp
            Filesize

            100KB