Analysis

  • max time kernel
    160s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-04-2024 10:08

General

  • Target
    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
  • Size
    483KB
  • MD5
    53717dc73f61b0f9551cb62d6fca2e4a
  • SHA1
    1ca9304e86632b147852767c85c57e08bdfc8855
  • SHA256
    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028
  • SHA512
    ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552
  • SSDEEP
    12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Score
10/10

Malware Config

Extracted

Path
C:\Users\Admin\Desktop\2xfHG_readme_.txt

Family
avaddon

Ransom Note

-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .bDaaeBCbCc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted

Path
C:\Users\Admin\Documents\2xfHG_readme_.txt

Family
avaddon

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\2xfHG_readme_.txt above.

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted

Path
C:\Users\Admin\Downloads\2xfHG_readme_.txt

Family
avaddon

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\2xfHG_readme_.txt above.

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted

Path
C:\Users\Admin\Pictures\2xfHG_readme_.txt

Family
avaddon

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\2xfHG_readme_.txt above.

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted

Path
C:\2xfHG_readme_.txt

Family
avaddon

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\2xfHG_readme_.txt above.

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Extracted

Path
C:\2xfHG_readme_.txt

Family
avaddon

Ransom Note
Identical to the note extracted from C:\Users\Admin\Desktop\2xfHG_readme_.txt above.

URLs
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (192) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
    "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2564
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2744
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2752
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:308
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion
  • Indicator Removal (2) T1070
  • File Deletion (2) T1070.004

Discovery
  • Query Registry (1) T1012
  • Peripheral Device Discovery (1) T1120
  • System Information Discovery (2) T1082

Impact
  • Inhibit System Recovery (2) T1490


Downloads

  • C:\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    efa3058f9e6e54dd10dafd638d972e9e
    SHA1
    3c873088ac99d7673f9d7f919e0bf55c208414be
    SHA256
    00ae09506e5c41e5e135aedb94cc4906ebf399755494493867666b3c46e4e992
    SHA512
    2318afd886dd42d22acf275eb70d8495c58103c5cf3c833b8ae356f8ff70e3576e46314b0d67fb5ec72cb5539fb4168f48023c1fedfa3ad23780c1057d576621

  • C:\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    81e8968224c2a99d356ab90db951371e
    SHA1
    a8539e9b8ec7ada394601541e233aac6b2326339
    SHA256
    96156ffd03af56cd73c6fea0decf0cb10e4cf5fac91c87bad828c89f805560cd
    SHA512
    5929992507e2d7a585ca455dd1d544c27f298733ea873380b7d2f02904d1db5e252aeebfa549580e5c7a7e5cbe202d67b10cf958b20f7299d1b02e130a5c7006

  • C:\Users\Admin\Desktop\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    cccf3549898cd32702360562ae79d786
    SHA1
    728e18e09981b0fedf42f6ecf684845a4adccc4c
    SHA256
    c6f075d04c7969d2a1299bff09c6da0418d2851bde01dc14f58e91c37aacc46e
    SHA512
    3ed81ae6f9e3aa83598d5b916a92447827d831e1a140794940c6927d18474b50923b807d232d1ec53561c7b90447113e5ffb84f1fdb251db02159aac57127d8c

  • C:\Users\Admin\Documents\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    794fa779ac381f8ff7154b37cb56fc1e
    SHA1
    d0a8a93eb9261d5ea15a4f46e0b2607a48afdff3
    SHA256
    5b1041155cfdbfed998692eef333eccbcf7065364757f076c932d4e9bc0dc730
    SHA512
    5f4e0f3cb9b38a325346800430837014161a9432ab36f9bb44e8c3ed2ecaf355cb0d23968564520e6bb1820cee1ae0b1340427ab5c724f2fee14cebc00b2560b

  • C:\Users\Admin\Downloads\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    95cc089b7d51c47aae4a9be176e770d0
    SHA1
    ceede015badcd0fe0f98c8daf6d3814859b991c2
    SHA256
    425bce31bcf9ed1883aa1f4d8e0e9e341c50eb349d2b23d0291e313e1fd30028
    SHA512
    0a7d573a937f9baa8376c10da912833953a023f3afa3e1755b7b5152a26334603304acbe6c99a8967742e329bb7da61ae923fd5e029388f2220b92fd2223ec46

  • C:\Users\Admin\Pictures\2xfHG_readme_.txt
    Filesize
    3KB
    MD5
    3b871a23d33141da6cd4a23480b67e88
    SHA1
    89bb45e9eadb87019807959090ebdd9f8c816902
    SHA256
    9107796cc12ad90b594d6397f56365e1f872f756d342629def96a0e412f5e91f
    SHA512
    cc17d36a0b33cac71b36241611a7ce24f900be798dd2d71caeeb826b96825a781334eb073596f3cce713ea3a5167bd4af632f4a8172b253a7c2eb08964002faa