Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe

  • Size

    441KB

  • MD5

    b1758767d10c75d1589c16763fca6fd3

  • SHA1

    2722f21a31859ea735e908a1c705d07b139e3b12

  • SHA256

    d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb

  • SHA512

    93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e

  • SSDEEP

    12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\P9o5m_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .abAcedbeAC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1KTHNjcTN6QzhRTThwN1VmUWl3Q2dUek5xY2xoZEd1eFdsUkhEcTJTa1pCcHdGYUxEcGVXMmh3NWZ1dWd1MUc5S1ZROERKdzN1ajhLRXFxNXlqNmhjOWdzcWdaNGlYTHpuN3BOdDh2NjBQNE9ITEJMeTdUU3VZSlVBSnVtNWlScGtkVFhkYnlRc01MN1hsRFBSZmZkdmFLa0xZWlI0S2lsV2JUMUZOZTJidmJieXhMaStwWnhIUGFJSjVCWHNVZDQwVWZQekRZVUZtR0VhanJUV3pIUWczSVJZb1ZMeUJoT0xBV0RENmxWMVZYZmZOOGQyTW91OFdYdEQ2bUdreTc1NWFGbzFtQjN4Y1VEZnl2aDVIdUdVUjNWQmhick1iQWFycHBpN1hQZXVqSmxCbEhDOGFib1MrNGQvaHlPL2I4c2NWeWJlZlBHc2s2Q3lLVnhzd3NhVzlvZ0NSYm93a1FGTmFraWVUd1Z4YTNFb2I5MmxMU0k5SE9wNUhsRmJyTyszWkUxenJqREJ3UU9qV29HMm9KUXBLSUEyR3NIenYvb2Z6QkNyV2NWUGtyN0dicXpMTjVXNTR4THdtOWN5OGZzRnFTZzk2MjRyTjZveU1pUmthemNZQXJxVWc1bmtmRXJhck03eG1VY0x6eVRnQkV6U0ZNbHlZcDkzdGYxRzJsK2FrWEl2VEJQTVhMUkc2bTVsNWpaZlFGYUtKazArM3h0bmpySTJ5VkdPUXJCb1h1TWR5dmpMUEhtUmw4dHM3WWhzWlpIV3RhNTBuUEtVQzVEK2FXSWxwVGY3UlkvOWNESXN4dUVGSDdyNlJNS0NRVzllcFJKYmFNRkcranBlcXJHd2dxRW1yNWRiY3lreEhxZXZZdWlEU3lYck10cUZoMWpjaE16U1duWkxnN2gxd243REV2Q3ZZQnhJMjRiWGNiK1pjNGtKT1haNEc1MCtLSWVhQzhHYjJRSldYMlk1NS9ncHFqaUlYSk9adTRmTFdGV2ltNTRnN1BGYndlaWo4ak9HSk5ja3lrWkRHd0ZQSEpLUWJsWUFtQWJ5WW9lcW1CU3ZOd2N4bHZsQXplY2lrMWNNMStDQXNVdnFFTG9mUXFKc2dUYzBGS1lCSWl2RFVKNEZBankydEhaR0xnYlF1OWpJR05VMDFScEJhYmhTcXBWVU04WDJEZnBUSXdtZnhhV2RMWWFncEtqN2NRSXY0cW96UzhncFNUZk00eitBcGZYWGpZVG0wUVNPRU9McENtL1JVejN0cGJWYk1ZdzVkQzduRTBKRk1ncEpTYndnUnNTUjhlQkJMOXFpUURNUWd4OVIxQTJHY3dWT2cxV25Cdk1WREhZZlJwTkFYVFY1Q1R3Mi94THdEaGdnY2ZDRkhMbnBHYmNPOGNzZndVZGdFOFgzZGNjVFNERW5tV2VXeHBBMXdONW0wNlpmYUVhQXhyaXFwT1kwSnY2a2FOc2xxRGpKeWNvTUQ4WjdkUFZucm9vdXRPbnZBV0VRSVJ6am5nQ25UVGVLMVNvVkpCNjdma2lvNForNXQ0YzhDVVY4Q25PdmVWNkdyT2J0ZDhkUDN5WndvMEp3Tlg1V0pBR1Zla2doTlphWXVXZENWUmJtVm1TZEJERDUvdWdkWjQ3UlBYZW1abFBGaXBtQ2pBNUpjQ0xwVE4vaXA2Z3hsdlU5WVUwaXRuaGhDbHdmS1MxZ0VDNGpmSjdNdnRiQzdIanlRZVZNdkZSWDR1VGNkU2gzaUVML2daTi9HV0FuWkhwNFBkcjR4cW5tYUdkQUlHY2FqWlVWVEE5OElkWUdVVnhsR092bFUwYkFVZDl1NVlnYmpFbWNFZElVUGxTYjZBODVvYW5yL1NxOC9KcDVvaWpJV3lEYlRWRTRkaFNYMkxNelNpSzcrWDdtRUZ0alpIVEZPYkh5QlVQVzVOenN3cEpHS2JXUGRQUDR4MEpVSXNZamhzSzVKTnloYWRyS0VEVDcwdnNjR3hzUnY1RWs0VDZEZnZKMXA4ZHp1VmFkbXJ4T0Yyc29mRXdtUUZFeHg5K2tUdHRaczJteE54Q281a202NmsrRDdHT3Z3dFZzNS9ZZ0JKZXc1SldpdzZwcnNRTTdQUTJOaCtyK1V2U0xka0ZoN3JUVE5aeXhZS1FjV0JUZzZnT3BQTWdXQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * mlPS7oMGr
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\P9o5m_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .abAcedbeAC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1KTHNjcTN6QzhRTThwN1VmUWl3Q2dUek5xY2xoZEd1eFdsUkhEcTJTa1pCcHdGYUxEcGVXMmh3NWZ1dWd1MUc5S1ZROERKdzN1ajhLRXFxNXlqNmhjOWdzcWdaNGlYTHpuN3BOdDh2NjBQNE9ITEJMeTdUU3VZSlVBSnVtNWlScGtkVFhkYnlRc01MN1hsRFBSZmZkdmFLa0xZWlI0S2lsV2JUMUZOZTJidmJieXhMaStwWnhIUGFJSjVCWHNVZDQwVWZQekRZVUZtR0VhanJUV3pIUWczSVJZb1ZMeUJoT0xBV0RENmxWMVZYZmZOOGQyTW91OFdYdEQ2bUdreTc1NWFGbzFtQjN4Y1VEZnl2aDVIdUdVUjNWQmhick1iQWFycHBpN1hQZXVqSmxCbEhDOGFib1MrNGQvaHlPL2I4c2NWeWJlZlBHc2s2Q3lLVnhzd3NhVzlvZ0NSYm93a1FGTmFraWVUd1Z4YTNFb2I5MmxMU0k5SE9wNUhsRmJyTyszWkUxenJqREJ3UU9qV29HMm9KUXBLSUEyR3NIenYvb2Z6QkNyV2NWUGtyN0dicXpMTjVXNTR4THdtOWN5OGZzRnFTZzk2MjRyTjZveU1pUmthemNZQXJxVWc1bmtmRXJhck03eG1VY0x6eVRnQkV6U0ZNbHlZcDkzdGYxRzJsK2FrWEl2VEJQTVhMUkc2bTVsNWpaZlFGYUtKazArM3h0bmpySTJ5VkdPUXJCb1h1TWR5dmpMUEhtUmw4dHM3WWhzWlpIV3RhNTBuUEtVQzVEK2FXSWxwVGY3UlkvOWNESXN4dUVGSDdyNlJNS0NRVzllcFJKYmFNRkcranBlcXJHd2dxRW1yNWRiY3lreEhxZXZZdWlEU3lYck10cUZoMWpjaE16U1duWkxnN2gxd243REV2Q3ZZQnhJMjRiWGNiK1pjNGtKT1haNEc1MCtLSWVhQzhHYjJRSldYMlk1NS9ncHFqaUlYSk9adTRmTFdGV2ltNTRnN1BGYndlaWo4ak9HSk5ja3lrWkRHd0ZQSEpLUWJsWUFtQWJ5WW9lcW1CU3ZOd2N4bHZsQXplY2lrMWNNMStDQXNVdnFFTG9mUXFKc2dUYzBGS1lCSWl2RFVKNEZBankydEhaR0xnYlF1OWpJR05VMDFScEJhYmhTcXBWVU04WDJEZnBUSXdtZnhhV2RMWWFncEtqN2NRSXY0cW96UzhncFNUZk00eitBcGZYWGpZVG0wUVNPRU9McENtL1JVejN0cGJWYk1ZdzVkQzduRTBKRk1ncEpTYndnUnNTUjhlQkJMOXFpUURNUWd4OVIxQTJHY3dWT2cxV25Cdk1WREhZZlJwTkFYVFY1Q1R3Mi94THdEaGdnY2ZDRkhMbnBHYmNPOGNzZndVZGdFOFgzZGNjVFNERW5tV2VXeHBBMXdONW0wNlpmYUVhQXhyaXFwT1kwSnY2a2FOc2xxRGpKeWNvTUQ4WjdkUFZucm9vdXRPbnZBV0VRSVJ6am5nQ25UVGVLMVNvVkpCNjdma2lvNForNXQ0YzhDVVY4Q25PdmVWNkdyT2J0ZDhkUDN5WndvMEp3Tlg1V0pBR1Zla2doTlphWXVXZENWUmJtVm1TZEJERDUvdWdkWjQ3UlBYZW1abFBGaXBtQ2pBNUpjQ0xwVE4vaXA2Z3hsdlU5WVUwaXRuaGhDbHdmS1MxZ0VDNGpmSjdNdnRiQzdIanlRZVZNdkZSWDR1VGNkU2gzaUVML2daTi9HV0FuWkhwNFBkcjR4cW5tYUdkQUlHY2FqWlVWVEE5OElkWUdVVnhsR092bFUwYkFVZDl1NVlnYmpFbWNFZElVUGxTYjZBODVvYW5yL1NxOC9KcDVvaWpJV3lEYlRWRTRkaFNYMkxNelNpSzcrWDdtRUZ0alpIVEZPYkh5QlVQVzVOenN3cEpHS2JXUGRQUDR4MEpVSXNZamhzSzVKTnloYWRyS0VEVDcwdnNjR3hzUnY1RWs0VDZEZnZKMXA4ZHp1VmFkbXJ4T0Yyc29mRXdtUUZFeHg5K2tUdHRaczJteE54Q281a202NmsrRDdHT3Z3dFZzNS9ZZ0JKZXc1SldpdzZwcnNRTTdQUTJOaCtyK1V2U0xka0ZoN3JUVE5aeXhZS1FjV0JUZzZnT3BQTWdXQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 8N1IR184hqNW
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (217) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
    "C:\Users\Admin\AppData\Local\Temp\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1040
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:2372
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2144
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:1584
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All /Quiet
          2⤵
          • Interacts with shadow copies
          PID:540
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:2044
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin Delete Shadows /All /Quiet
            2⤵
            • Interacts with shadow copies
            PID:2024
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2836
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2536
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:2276
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:2328
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {B7B9A52D-E10C-4DF7-928D-7016AA4C7631} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
              2⤵
              • Executes dropped EXE
              PID:1692

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          2
          T1112

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
            Filesize

            441KB

            MD5

            b1758767d10c75d1589c16763fca6fd3

            SHA1

            2722f21a31859ea735e908a1c705d07b139e3b12

            SHA256

            d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb

            SHA512

            93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e

          • C:\Users\Admin\Desktop\P9o5m_readme_.txt
            Filesize

            3KB

            MD5

            6d26784c7489316e27fca6b6883c4943

            SHA1

            8f76c403d4a4795410e93666712cffe14b226ad7

            SHA256

            d583290e713b5e40b1255f23859ed5678cf737f3e60952f9acc506f42f8750a8

            SHA512

            c4c39be079c63b05ed22802dda8099083ea1d0494b739efec180f915e1c8c749d2943ae99a7a30f4ba95b1e3ce2a7882267c27e87a0761620dc2d5a31f3dc0f2

          • C:\Users\Admin\Documents\P9o5m_readme_.txt
            Filesize

            3KB

            MD5

            b920e81a64026cdfab25774148d37a3b

            SHA1

            b1d50e120b89ebc981010de3005397885499b6dd

            SHA256

            73788fdce7bbdd6dd03ec9e591f262daa1b3f206a58c192e487e4c903cd39e79

            SHA512

            5129c419790ca17d7b77276f5b4815dfae9119610e6b7a8a26fec5fad2ceb239cc5ff91a759a30f5317d1e079277f583e6f6196dbc0eec82bf6164dc6d8e9e04

          • memory/1040-0-0x0000000000400000-0x00000000005E3204-memory.dmp
            Filesize

            1.9MB

          • memory/1692-646-0x0000000000400000-0x00000000005E3204-memory.dmp
            Filesize

            1.9MB