Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-04-2024 10:08

General

  • Target

    e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe

  • Size

    2.1MB

  • MD5

    ccede1200a6e8eff54a358fa1e6d119a

  • SHA1

    e62fbe82dc5c1efbdecfd94791e023002d3c178b

  • SHA256

    e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf

  • SHA512

    d4c7e45c2f509e43b521bfbcd67474ef271fa12088f7a57794ba866cdd41ddd3e9ee8fc776b31dd0a0811e62542b813e97c0f3404f4e416066c1338193f7f6c7

  • SSDEEP

    49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aun:QDB8XQqDXf+D9FG1dp9m5fb37zsf+yn

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\solfF_readme.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------
    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
    All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbDdEDaDE
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    You can get more information on our page, which is located in a Tor hidden network.
    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/
    | 2. Install Tor browser
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion
    | 4. Follow the instructions on this page
    --------------------------------------------------------------------------------
    Your ID:
    --------------------------------------------------------------------------------
    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
    --------------------------------------------------------------------------------
    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
    IIgbammcgsdVIZSV0gKBdLGO0P4B
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\solfF_readme.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------
    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
    All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbDdEDaDE
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    You can get more information on our page, which is located in a Tor hidden network.
    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/
    | 2. Install Tor browser
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion
    | 4. Follow the instructions on this page
    --------------------------------------------------------------------------------
    Your ID:
    --------------------------------------------------------------------------------
    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
    --------------------------------------------------------------------------------
    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
    evISuzZvWUL4eW7XgDFJoWOvNZIMOd2
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\solfF_readme.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------
    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
    All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbDdEDaDE
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    You can get more information on our page, which is located in a Tor hidden network.
    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/
    | 2. Install Tor browser
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion
    | 4. Follow the instructions on this page
    --------------------------------------------------------------------------------
    Your ID:
    --------------------------------------------------------------------------------
    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
    --------------------------------------------------------------------------------
    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
    1X
URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\solfF_readme.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------
    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
    All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbDdEDaDE
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    You can get more information on our page, which is located in a Tor hidden network.
    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/
    | 2. Install Tor browser
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion
    | 4. Follow the instructions on this page
    --------------------------------------------------------------------------------
    Your ID:
    --------------------------------------------------------------------------------
    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
    --------------------------------------------------------------------------------
    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
    rf0B4
URLs

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 16 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Renames multiple (159) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1764
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3628

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Privilege Escalation
    • Abuse Elevation Control Mechanism (1) T1548
    • Bypass User Account Control (1) T1548.002
  • Defense Evasion
    • Abuse Elevation Control Mechanism (1) T1548
    • Bypass User Account Control (1) T1548.002
    • Impair Defenses (1) T1562
    • Disable or Modify Tools (1) T1562.001
    • Modify Registry (2) T1112
  • Discovery
    • System Information Discovery (3) T1082
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120

Downloads

  • C:\Users\Admin\Desktop\solfF_readme.txt
    Filesize

    3KB

    MD5

    2856a86eb4b7ac80b267e882439b2e32

    SHA1

    be6a7479d961cd04f8456a512a474b889ff7923f

    SHA256

    8307400e90d6d047cceb1023d26a4af07677f92d88e027ac239ad95484ceec90

    SHA512

    671ba8a38cea45c035ddb7914662c08defab27135251cdd6caed86ec8cfdd73ca9d0f4ea930878a8a86cab88d6c103b342adb7f0e4c1a55beae8dbaa1f05e919

  • C:\Users\Admin\Documents\solfF_readme.txt
    Filesize

    3KB

    MD5

    e86a1ee8f401a61a5c9ea92713dc208c

    SHA1

    c841adbfd46c645bb4bc1d66e18e0a6a8d1a9786

    SHA256

    1fa8d0809b94be4da487c9ae2d2832d578e177ce0d56e8dac5ec2349d890d453

    SHA512

    3dfa11ad5e96e30c8d1c0223fb15986da91d2fd82c219c63923ca87584abdad4776fa2424ceb16a3927567483064817927128c32d44fe63729468207b15cdfbc

  • C:\Users\Admin\Music\solfF_readme.txt
    Filesize

    3KB

    MD5

    073ffcea51e2136e20f244a982bafe7d

    SHA1

    fa8daa1f7c8df534348404897c9667216cb86576

    SHA256

    8c9b0228c9f544cb272ee30cb7ee5be6e32ac9c3f88b614c37a5542b829c8b07

    SHA512

    73c38b78cd838855ac2371549e77bd19f1661b149d37c018426dfb080a379ccf211ae5519a3b11d9c3e660d8306645cdb4c8613ce827324a8361855cac1c61ca

  • C:\solfF_readme.txt
    Filesize

    3KB

    MD5

    27a4a1216ce4e9934360f623ee16e00d

    SHA1

    0697332c015123a1316c6fd070da97d78f0a4de4

    SHA256

    56431d861beeeda03c9493a727a46ee5609094fb8d57e0be827d90ed71a87573

    SHA512

    97f545c3eed26231e7287e95ef719155abf052144417c36464e2feb9b0aeadf85e2fe2676b2ebe5537c1aa60bc0b746f5acd3f81a8e0e7e988e2ccae98a6b480

  • memory/1764-499-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-502-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-1-0x00000000030F0000-0x0000000003216000-memory.dmp
    Filesize

    1.1MB

  • memory/1764-496-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-497-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-498-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-0-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-500-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-501-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-2-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-503-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-504-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-505-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-506-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-507-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-508-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-509-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

  • memory/1764-510-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB