General
Target: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.zip
Size: 2.6MB
Sample: 240402-mn9crafc7y
MD5: d2bca08c406beffd4b3b93d3770db14d
SHA1: acd8aee93079b6422ae199226106a05d51d7cfad
SHA256: 86d1f8ea214669608ee26c1ab7e90db6441fb931d058e192593744216b64edce
SHA512: 1b9789e30d24803f4fc357b166e8743aa65706d1fa8d188ca420027d6e62a1e2b518fcc3acee5b546f83855a19bf0f7f4dd32a44e4e9cacbb4e10c8ca9cd0e42
SSDEEP: 49152:+gcSC+6FHK/5UIqM1/k/9D2RiGLu7OaFkIU6lZdJVdDf3kDonJ:zZkVy18D2RvyOaq+lZdj5MY
Behavioral task: behavioral1
Sample: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted from C:\Users\Admin\Desktop\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Music\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Pictures\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Public\Libraries\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Public\Pictures\Sample Pictures\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\vqabiUl_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Desktop\XQwPoZ_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Documents\XQwPoZ_readme.txt: avaddon, http://avaddonbotrxmuyl.onion
Targets
Target: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259.exe
Size: 4.8MB
MD5: affa6575a3ff529c583fab38ff9f59e5
SHA1: a4d2dde718cc10d6ac12e4ec1f602a1050746aa5
SHA256: c7c9f8f68348fbd26aae20c9ccb1aefd1cfce63897efa4c64abe7ac480253259
SHA512: c7ea550c214c3d4cf0686f50e2644b6fe569397bc1d4b0363da173e9a9889ce290f33f6a4e9215aba6cf1deef0be73abdf4b44a8070204d75868d845b34a8767
SSDEEP: 98304:bw3OKBzMFxybbbbpNGWeEi4DtrRKm40djW1mGaHBad6s:bw3y6bbbbpNYwDdjW1zqEn
Score: 10/10

- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Renames multiple (171) files with added filename extension
  This suggests ransomware activity: the files on the system are being encrypted and renamed.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Indicator Removal (2)
    File Deletion (2)
  Virtualization/Sandbox Evasion (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)