Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:08

General

  • Target

    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe

  • Size

    775KB

  • MD5

    117da2dd6fa24616f63eb43d5a15e5d3

  • SHA1

    b4d70eecdef52ceef15f04a025d1ab08f193fb97

  • SHA256

    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

  • SHA512

    de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

  • SSDEEP

    24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\93YwZa4_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bcAaEeCeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS1ReGo0aTd2OHc3UjJLM2dCR2t4aW5wYVJITTJTZE1kOEFiTUhwREhoUEVScXM4Zm1rSzlmbHIzQjRKc3dMR01FOVd5Um41WHE2eXNqd0MzZlI4dTBPNHl5S2x2eXFzSU9NbVM3UVcrKzQraTB3ZFU3OWxWbUhVNEdvN3lyR3FNeFpqSnpQa0gwSXJ2OTRPMTdXb2hZZW55ci9mdzFOY2dxZDRSekFnSzhIZDFQRTRaaC83a1ozb0hNSE1zQk9jMkVGNzEvYXVZWEdLbG1WOXNJZGVIZ1hCcStyQ1VjOHpmdU1ReHNoTCtKbGJzQzVWWHRJM3llVVNraHF0WFVsSDF6K2ZXd3ZSd3YwckdZTC9hcVIxSnhsNWk3M2VxWmhZdFVxZTZFZGZpeStKekI4RmlxR3lDcDVBVjNoL2RYeDVLUmF6Q2ZKSW5oK0xJU2daNk16WVB0d3lTYjlzMFZ6TEFiUjJuZjhXTmUxUldpT0N1R1ZhekJKK0xtbU1xTG5jNTUyNmlmMFlyYUl0UmJNck15b2Zwd0xvZGFLTk0rS01iM2dMVDZiaG4zNUdWbG1SdVphR1A1K3N3YWZBNmIzT0xzeGRZbWdpblV5WDU4dUdDc2ZCdFUrM2JrZGFqclBMUnBJZUMvRkp0ZEpFb3IwbXZxQmRJalh6aWtVbWYyVmNLdFkzdG5pNjJQZTdPbVFmQ0FWTVgzckdJOGZpMGUyem0wMFo2aU0vWFdVcmowZFFQUUg2MDZmYmZyaGtxeFE3SWVOclRFSjJFYm9YOFg4N1VkZjgwMlhVcmlvM0xmZFh4c0g1T0pLc1RuSzV2K1RvRnY1VTduNE5KMkd6UWIzL3hjUFdlVlI3ajFEcXYxQ2l4NXZXSlpKZ0tleFpJd3FuUW14Zmw2d0EwbDVGNkhkU1BJQ2dCQlVoNjVLVFhCUlgvNUFNazBPVGZyQVdyZGZlZ0ZpQ2o2TmVueWxFSmZSaCs4TFA1WlhQU1YvS2R2T2FrclJNbi9rMHE5SlBSMDl4eFlkU2lvbFpQVlFITFFqQ3BvblJPdXRyRFhueC9YbzBnSWFMcDNZeTA4Tmp3K2tFLzZlS1F0MVVUVFh0S3EvYXRyY0dYeHNCeHFHdkpTczRVUTB2VWljV0p6bkRwc0dmdUY2NDlnQ1ZTNEhzSmg1Wkt1OUh3UmJlVnJtUzkvaG5FQ2hCZmYxQ3dDSWROZnllY0QwK3RBMnF4MWNFaUhhQ1NBRFhzSC9xUjlHZ3NsMTJRdFl6MXphK2I4TVNaY3ZlQ3Izc2s0YS9CWm1FaUFFREx0STBzRHlDOW5uSDFCZ3o0ays5a0IzZkxHY0VmUWE3MU5uSUZNN2l1aU1Nakl5aUpTTFdXekt2WG9ITWdMN0picmNOTjM5NWlDZkN2bEFjR0RoRWVvV2ZwRXBFRGl1NlNyVTAxMTltYUJmWENyYUlhcXdYTU9vd0g0c2syT0pPb05uRjMwUGtZY1AwME9HUHhpU054MUIwTE9MdnBNVDlRSUJralRNQ1dweXN0QnE2WnA1WENXd2M5Uy9EZHorQnNVRDFtcnJ5QUo0N05ndW5XczdlZUlWMVQzZGJ3b05PeFhBR2lHaFBjM3VrbHNDM2FoMFlHS3NJczVyVllmUXR2S3hIOUxqOVVXMUNlWDZiVjhQb1hRNTBVL0E5SlFZZDF1LzNzcDdmRlEzOURCVnU4eU8vQkdOR3FIWGJkU3FXQ2k5bEhIL0lkMmhhSDNoMm92bWt0eTlaY29nZ0FSNFlUUDdBdEpBMVBxN0dPSmR4Z015NkZoTGhmT3J4ZTZBMzcvN3pZbi9udWRMVWNURm9pcnRqQS8wZ0tMbllIcnBjR1RDbmlsSEh0d3VickQxblZaa3FSQTJTLy9xYzZtZC9DRjQ2NEVZUGQrSVFocXZIMjhJZVNUSEpMeFRRdEgwa3NaZWlrZ1RCSm01MS8vMlhLRjJYRXlleXBMR01EM2kzSVBXdTVqWENBSkErR1IwOVdBbEVDUVZsZlRvTE1aSmk5VS80TWc3dXNLVzRkNnVlLzh2YlpxdHlUWFQwYmIxYWxGbW9qSkNDU05XZjdYYy9LMHRKNXRNc25jUHVwS20yakppaDZmQlJKQzBKa1ZPVXpLendsaEZSUVF4UXJLaUhYTmphaVUzdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * WgAJumrayn5
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\93YwZa4_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bcAaEeCeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjcwMS1ReGo0aTd2OHc3UjJLM2dCR2t4aW5wYVJITTJTZE1kOEFiTUhwREhoUEVScXM4Zm1rSzlmbHIzQjRKc3dMR01FOVd5Um41WHE2eXNqd0MzZlI4dTBPNHl5S2x2eXFzSU9NbVM3UVcrKzQraTB3ZFU3OWxWbUhVNEdvN3lyR3FNeFpqSnpQa0gwSXJ2OTRPMTdXb2hZZW55ci9mdzFOY2dxZDRSekFnSzhIZDFQRTRaaC83a1ozb0hNSE1zQk9jMkVGNzEvYXVZWEdLbG1WOXNJZGVIZ1hCcStyQ1VjOHpmdU1ReHNoTCtKbGJzQzVWWHRJM3llVVNraHF0WFVsSDF6K2ZXd3ZSd3YwckdZTC9hcVIxSnhsNWk3M2VxWmhZdFVxZTZFZGZpeStKekI4RmlxR3lDcDVBVjNoL2RYeDVLUmF6Q2ZKSW5oK0xJU2daNk16WVB0d3lTYjlzMFZ6TEFiUjJuZjhXTmUxUldpT0N1R1ZhekJKK0xtbU1xTG5jNTUyNmlmMFlyYUl0UmJNck15b2Zwd0xvZGFLTk0rS01iM2dMVDZiaG4zNUdWbG1SdVphR1A1K3N3YWZBNmIzT0xzeGRZbWdpblV5WDU4dUdDc2ZCdFUrM2JrZGFqclBMUnBJZUMvRkp0ZEpFb3IwbXZxQmRJalh6aWtVbWYyVmNLdFkzdG5pNjJQZTdPbVFmQ0FWTVgzckdJOGZpMGUyem0wMFo2aU0vWFdVcmowZFFQUUg2MDZmYmZyaGtxeFE3SWVOclRFSjJFYm9YOFg4N1VkZjgwMlhVcmlvM0xmZFh4c0g1T0pLc1RuSzV2K1RvRnY1VTduNE5KMkd6UWIzL3hjUFdlVlI3ajFEcXYxQ2l4NXZXSlpKZ0tleFpJd3FuUW14Zmw2d0EwbDVGNkhkU1BJQ2dCQlVoNjVLVFhCUlgvNUFNazBPVGZyQVdyZGZlZ0ZpQ2o2TmVueWxFSmZSaCs4TFA1WlhQU1YvS2R2T2FrclJNbi9rMHE5SlBSMDl4eFlkU2lvbFpQVlFITFFqQ3BvblJPdXRyRFhueC9YbzBnSWFMcDNZeTA4Tmp3K2tFLzZlS1F0MVVUVFh0S3EvYXRyY0dYeHNCeHFHdkpTczRVUTB2VWljV0p6bkRwc0dmdUY2NDlnQ1ZTNEhzSmg1Wkt1OUh3UmJlVnJtUzkvaG5FQ2hCZmYxQ3dDSWROZnllY0QwK3RBMnF4MWNFaUhhQ1NBRFhzSC9xUjlHZ3NsMTJRdFl6MXphK2I4TVNaY3ZlQ3Izc2s0YS9CWm1FaUFFREx0STBzRHlDOW5uSDFCZ3o0ays5a0IzZkxHY0VmUWE3MU5uSUZNN2l1aU1Nakl5aUpTTFdXekt2WG9ITWdMN0picmNOTjM5NWlDZkN2bEFjR0RoRWVvV2ZwRXBFRGl1NlNyVTAxMTltYUJmWENyYUlhcXdYTU9vd0g0c2syT0pPb05uRjMwUGtZY1AwME9HUHhpU054MUIwTE9MdnBNVDlRSUJralRNQ1dweXN0QnE2WnA1WENXd2M5Uy9EZHorQnNVRDFtcnJ5QUo0N05ndW5XczdlZUlWMVQzZGJ3b05PeFhBR2lHaFBjM3VrbHNDM2FoMFlHS3NJczVyVllmUXR2S3hIOUxqOVVXMUNlWDZiVjhQb1hRNTBVL0E5SlFZZDF1LzNzcDdmRlEzOURCVnU4eU8vQkdOR3FIWGJkU3FXQ2k5bEhIL0lkMmhhSDNoMm92bWt0eTlaY29nZ0FSNFlUUDdBdEpBMVBxN0dPSmR4Z015NkZoTGhmT3J4ZTZBMzcvN3pZbi9udWRMVWNURm9pcnRqQS8wZ0tMbllIcnBjR1RDbmlsSEh0d3VickQxblZaa3FSQTJTLy9xYzZtZC9DRjQ2NEVZUGQrSVFocXZIMjhJZVNUSEpMeFRRdEgwa3NaZWlrZ1RCSm01MS8vMlhLRjJYRXlleXBMR01EM2kzSVBXdTVqWENBSkErR1IwOVdBbEVDUVZsZlRvTE1aSmk5VS80TWc3dXNLVzRkNnVlLzh2YlpxdHlUWFQwYmIxYWxGbW9qSkNDU05XZjdYYy9LMHRKNXRNc25jUHVwS20yakppaDZmQlJKQzBKa1ZPVXpLendsaEZSUVF4UXJLaUhYTmphaVUzdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * solfFzdNoPnjoN
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (170) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    "C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2228
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1748
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:1768
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:1568
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:2704
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin Delete Shadows /All /Quiet
          2⤵
          • Interacts with shadow copies
          PID:2248
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:2488
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:1956
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {2931EFE9-2912-43D9-BEE4-E3073D8318D3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
            2⤵
            • Executes dropped EXE
            PID:2068

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        2
        T1112

        Indicator Removal

        2
        T1070

        File Deletion

        2
        T1070.004

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
          Filesize

          775KB

          MD5

          117da2dd6fa24616f63eb43d5a15e5d3

          SHA1

          b4d70eecdef52ceef15f04a025d1ab08f193fb97

          SHA256

          48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275

          SHA512

          de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375

        • C:\Users\Admin\Desktop\93YwZa4_readme_.txt
          Filesize

          3KB

          MD5

          f185351620ebbecb1ba64d46c3cfa970

          SHA1

          c175c7e6c85fe819d4bd02b8ea415ed33f185b2d

          SHA256

          1ea6a3e11b115f3b3a74954ef4f3f2b9d46b6c03098c23b208e7a0aa32f2e41d

          SHA512

          5ca0a1b4c3cf763114fdf83290a1e385910023320577a1d86b7db0c6f2e14fa4dd3d6ca3889681e2c858e7d0cb01eee8476390872e474b2e2abc62c631441894

        • C:\Users\Admin\Favorites\Microsoft Websites\93YwZa4_readme_.txt
          Filesize

          3KB

          MD5

          cad1e533c84b32fb309a391bde398ddf

          SHA1

          b631f448786fbf4a781763ff33ba173d8aabc794

          SHA256

          747620912e24fbfb2ea5da44e22dd8adb3fa4a4f4cf6fbf5e2d7c1a258f11bb1

          SHA512

          ddb0508001859628a4b26b3a7b9b5f97e00e3877e155df3ffbe40734f41b2036911d82745a866be768fc8e36c22fe3a89512397da8470707f1f809fb74eeb9d4