General
Target: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.zip
Size: 2.0MB
Sample: 240402-mn9zaafg74
MD5: 5ca7517a95cd5124bd07a883f0aef3db
SHA1: bd2a4e773949c11ca98a4c00bea43d805f9db930
SHA256: e86da4f9fcfcee747b03ed15d6b091911e34c2477472b38cd33b95735da179f8
SHA512: a36b58aa2d195ace0154c39257dbb402a046a76925437a4012339476eba5cca21ab1804b55afe49e5153d7215efc7a3cac46caf136cd4bc46bc4e237b66fa077
SSDEEP: 49152:TPfXQ8e7k+mh2fQNLcg5moXD2rf4+WwffS/MFcYb7h7n0KNO:TXXJN+QpcgH2jgwf+9Y/tnK
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted from ransom notes (family: avaddon; contact URL: http://avaddonbotrxmuyl.onion). Two distinct note-name prefixes (a1lUSTTD and 9OZaS) appear across the runs; notes were found at:
  C:\Users\Admin\Desktop\a1lUSTTD_readme.txt
  C:\Users\Admin\Favorites\Links\a1lUSTTD_readme.txt
  C:\Users\Public\Pictures\Sample Pictures\a1lUSTTD_readme.txt
  C:\Users\Admin\Desktop\9OZaS_readme.txt
  C:\Users\Admin\Downloads\9OZaS_readme.txt
  C:\Users\Admin\Pictures\9OZaS_readme.txt
Targets
Target: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf.exe
Size: 2.1MB
MD5: ccede1200a6e8eff54a358fa1e6d119a
SHA1: e62fbe82dc5c1efbdecfd94791e023002d3c178b
SHA256: e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf
SHA512: d4c7e45c2f509e43b521bfbcd67474ef271fa12088f7a57794ba866cdd41ddd3e9ee8fc776b31dd0a0811e62542b813e97c0f3404f4e416066c1338193f7f6c7
SSDEEP: 49152:Q6otv8NVQqr7XXpwM+DbhzFG13Dyz6fRG+A+85fbhl7zsPS0mc+8aun:QDB8XQqDXf+D9FG1dp9m5fb37zsf+yn
Score: 10/10
Family: Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Signatures
- Avaddon payload
- Renames multiple (204) files with added filename extension
  Appending an extension to many files in a short time is the pattern of a ransomware encryptor working through the file system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger information class, an anti-debugging technique that stops the thread from delivering debug events to an attached debugger.
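The two strongest behavioral signals above are the burst of appended-extension renames and the same ransom-note filename landing in many directories. The following added example (not the sandbox's own signature code) shows detection logic for both over a constructed, Sysmon-like stream of file events; the extension `.aBcDeF`, the PIDs and the event timestamps are all hypothetical, while the note filename and drop directories mirror the paths reported above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since process start (constructed clock)
    pid: int
    kind: str            # "rename" or "create"
    path: str            # new path (rename) or created path (create)
    old_path: str = ""   # previous path, rename events only


# <random>_readme.txt, the naming style of the notes extracted in the report
NOTE_RE = re.compile(r"^(.*)[\\/]([A-Za-z0-9]{4,10}_readme\.txt)$")


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the extension appended to `old` to form `new`, or None.

    `file.docx` -> `file.docx.XyZ` qualifies; `file.tmp` -> `file.docx` does not,
    because the sandbox signature is about appending, not replacing, extensions.
    """
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    if not ext or any(c in ext for c in ".\\/"):
        return None
    return ext


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_process(events: Iterable[FileEvent], rename_threshold=50,
                  window=60.0, note_dirs=3):
    """Per-PID verdict: mass appended-extension renames and/or one note name in many dirs."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    report = {}
    for pid, evs in by_pid.items():
        renames = defaultdict(list)   # appended extension -> timestamps
        notes = defaultdict(set)      # note filename -> parent directories
        for e in evs:
            if e.kind == "rename":
                ext = appended_extension(e.old_path, e.path)
                if ext:
                    renames[ext].append(e.ts)
            elif e.kind == "create":
                m = NOTE_RE.match(e.path)
                if m:
                    notes[m.group(2)].add(m.group(1))
        mass = None
        for ext, stamps in renames.items():
            n = max_in_window(stamps, window)
            if n >= rename_threshold and (mass is None or n > mass["count"]):
                mass = {"ext": ext, "count": n}
        note = None
        for name, dirs in notes.items():
            if len(dirs) >= note_dirs and (note is None or len(dirs) > note["dirs"]):
                note = {"name": name, "dirs": len(dirs)}
        report[pid] = {"mass_rename": mass, "ransom_note": note,
                       "ransomware": mass is not None and note is not None}
    return report


def constructed_events():
    """Constructed sample: PID 4242 behaves like the report, PID 1000 is a benign editor."""
    evs = []
    for i in range(204):   # 204 renames, the count in the signature above
        p = f"C:\\Users\\Admin\\Documents\\doc{i}.docx"
        evs.append(FileEvent(0.1 * i, 4242, "rename", p + ".aBcDeF", p))  # hypothetical extension
    for d in ["C:\\Users\\Admin\\Desktop", "C:\\Users\\Admin\\Downloads",
              "C:\\Users\\Admin\\Pictures", "C:\\Users\\Public\\Pictures\\Sample Pictures"]:
        evs.append(FileEvent(25.0, 4242, "create", d + "\\9OZaS_readme.txt"))
    # benign: one extension swap, one .bak, one ordinary readme.txt
    evs.append(FileEvent(1.0, 1000, "rename", "C:\\Users\\Admin\\report.docx", "C:\\Users\\Admin\\report.tmp"))
    evs.append(FileEvent(2.0, 1000, "rename", "C:\\Users\\Admin\\notes.txt.bak", "C:\\Users\\Admin\\notes.txt"))
    evs.append(FileEvent(3.0, 1000, "create", "C:\\Users\\Admin\\Desktop\\readme.txt"))
    return evs


if __name__ == "__main__":
    for pid, r in score_process(constructed_events()).items():
        print(pid, r)
```

The rename heuristic keys on a single appended extension rather than on rename volume alone, which keeps backup tools and editors that rewrite temp files from tripping it; the note heuristic requires the identical filename in several directories, which is what separates a ransom note from a user's own readme.txt. Thresholds are starting points to tune against your own telemetry.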
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 1
    Disable or Modify Tools (T1562.001): 1
  Modify Registry (T1112): 3
  Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1