Analysis
-
max time kernel
160s
-
max time network
135s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Resource
win10v2004-20231215-en
General
-
Target
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
-
Size
483KB
-
MD5
53717dc73f61b0f9551cb62d6fca2e4a
-
SHA1
1ca9304e86632b147852767c85c57e08bdfc8855
-
SHA256
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028
-
SHA512
ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552
-
SSDEEP
12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy
Malware Config
Extracted
C:\Users\Admin\Desktop\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Pictures\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\2xfHG_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\Z: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\G: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\H: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\J: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\N: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\O: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\P: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\X: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\I: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\L: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\T: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\M: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\S: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\U: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\V: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\Y: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\F: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\A: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\B: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\E: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\K: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\Q: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\R: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
| File opened (read-only) | \??\W: | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, vssadmin.exe, vssadmin.exe

| pid | process |
| --- | --- |
| 2564 | vssadmin.exe |
| 2744 | vssadmin.exe |
| 308 | vssadmin.exe |
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

| pid | process |
| --- | --- |
| 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe |

(The report lists this same pid/process pair 27 times, once per IoC.)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
wmic.exe, vssvc.exe, wmic.exe

| pid | process | tokens enabled (in report order) |
| --- | --- | --- |
| 2712 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this 20-token sequence is recorded twice, 40 IoCs) |
| 2444 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 IoCs) |
| 1920 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege (21 IoCs) |
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

| description | pid | process | target pid | target process | occurrences |
| --- | --- | --- | --- | --- | --- |
| PID 2136 wrote to memory of 2712 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 2712 | wmic.exe | 4 |
| PID 2136 wrote to memory of 2564 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 2564 | vssadmin.exe | 4 |
| PID 2136 wrote to memory of 1920 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 1920 | wmic.exe | 4 |
| PID 2136 wrote to memory of 2744 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 2744 | vssadmin.exe | 4 |
| PID 2136 wrote to memory of 2752 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 2752 | wmic.exe | 4 |
| PID 2136 wrote to memory of 308 | 2136 | c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe | 308 | vssadmin.exe | 4 |
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Child processes:
  -
  C:\Windows\SysWOW64\Wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\vssadmin.exe
  Command line: vssadmin Delete Shadows /All /Quiet
  - Interacts with shadow copies
  -
  C:\Windows\SysWOW64\Wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\vssadmin.exe
  Command line: vssadmin Delete Shadows /All /Quiet
  - Interacts with shadow copies
  -
  C:\Windows\SysWOW64\Wbem\wmic.exe
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  -
  C:\Windows\SysWOW64\vssadmin.exe
  Command line: vssadmin Delete Shadows /All /Quiet
  - Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\2xfHG_readme_.txt
Filesize
3KB
MD5
efa3058f9e6e54dd10dafd638d972e9e
SHA1
3c873088ac99d7673f9d7f919e0bf55c208414be
SHA256
00ae09506e5c41e5e135aedb94cc4906ebf399755494493867666b3c46e4e992
SHA512
2318afd886dd42d22acf275eb70d8495c58103c5cf3c833b8ae356f8ff70e3576e46314b0d67fb5ec72cb5539fb4168f48023c1fedfa3ad23780c1057d576621
-
C:\2xfHG_readme_.txt
Filesize
3KB
MD5
81e8968224c2a99d356ab90db951371e
SHA1
a8539e9b8ec7ada394601541e233aac6b2326339
SHA256
96156ffd03af56cd73c6fea0decf0cb10e4cf5fac91c87bad828c89f805560cd
SHA512
5929992507e2d7a585ca455dd1d544c27f298733ea873380b7d2f02904d1db5e252aeebfa549580e5c7a7e5cbe202d67b10cf958b20f7299d1b02e130a5c7006
-
C:\Users\Admin\Desktop\2xfHG_readme_.txt
Filesize
3KB
MD5
cccf3549898cd32702360562ae79d786
SHA1
728e18e09981b0fedf42f6ecf684845a4adccc4c
SHA256
c6f075d04c7969d2a1299bff09c6da0418d2851bde01dc14f58e91c37aacc46e
SHA512
3ed81ae6f9e3aa83598d5b916a92447827d831e1a140794940c6927d18474b50923b807d232d1ec53561c7b90447113e5ffb84f1fdb251db02159aac57127d8c
-
C:\Users\Admin\Documents\2xfHG_readme_.txt
Filesize
3KB
MD5
794fa779ac381f8ff7154b37cb56fc1e
SHA1
d0a8a93eb9261d5ea15a4f46e0b2607a48afdff3
SHA256
5b1041155cfdbfed998692eef333eccbcf7065364757f076c932d4e9bc0dc730
SHA512
5f4e0f3cb9b38a325346800430837014161a9432ab36f9bb44e8c3ed2ecaf355cb0d23968564520e6bb1820cee1ae0b1340427ab5c724f2fee14cebc00b2560b
-
C:\Users\Admin\Downloads\2xfHG_readme_.txt
Filesize
3KB
MD5
95cc089b7d51c47aae4a9be176e770d0
SHA1
ceede015badcd0fe0f98c8daf6d3814859b991c2
SHA256
425bce31bcf9ed1883aa1f4d8e0e9e341c50eb349d2b23d0291e313e1fd30028
SHA512
0a7d573a937f9baa8376c10da912833953a023f3afa3e1755b7b5152a26334603304acbe6c99a8967742e329bb7da61ae923fd5e029388f2220b92fd2223ec46
-
C:\Users\Admin\Pictures\2xfHG_readme_.txt
Filesize
3KB
MD5
3b871a23d33141da6cd4a23480b67e88
SHA1
89bb45e9eadb87019807959090ebdd9f8c816902
SHA256
9107796cc12ad90b594d6397f56365e1f872f756d342629def96a0e412f5e91f
SHA512
cc17d36a0b33cac71b36241611a7ce24f900be798dd2d71caeeb826b96825a781334eb073596f3cce713ea3a5167bd4af632f4a8172b253a7c2eb08964002faa