Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 13:35

General

  • Target

    0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

  • Size

    775KB

  • MD5

    2d2a5a22bc983829cfb4627a271fbd4e

  • SHA1

    c0fc01350ae774f3817d71710d9a6e9adaba441f

  • SHA256

    0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b

  • SHA512

    8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d

  • SSDEEP

    24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\bwg6Gi_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCdaCaeABd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1DOW01U2ZrUFQydDNwUHFNSEw4REppbXJYWXJ0T21HbldwRjhvSVVVZ2crbWZvZ2MrRytlSi9sRWFCKzZuT3FhZEZnSFpzVk5JRVJRa1pPZkdLckF5UUtMd1RtUDhhRzFma2FReUZ6Nm1wM3FBOVZGTkdDYk9jbWordk8vOWZRc1pwbEFNcitGYmdSVlZWVkwxWUxWYktQaDEvZWdldXZzWnNkeTZDbDJRNnJETzM2Y0QxVjI3K1NhdDNSL0Z5M2NvSGM3cUVWb2pPS3V4NlFWZ09xVUpIVitrTFRaMnEzYW1obDJKT1RYMXF2S0pkdlVoV0F5WXdLQnoxUWRPSGkySyttUFhON2NoQWVsR1JFbi9zTllnWFdBK1Y5MTRuWlYxQU5hNHhuLy96R2JWQS9Vek90cGRuMmpISm1mZTRkTlpyMlRRWVZvVm5MbUEvTXZEVHRFWTViaC8zbkZ2T1NNSUpOVWNKdi9YUFNodGZhaVBIUTZ1TUhiSkpVeVJNMG8yWGs0cDB6QVpFaGhtZTk4U3lwcFQ3UHdzOFZwT0g2SDNFSDhmV3RHeThCWVE5MlNHcHdXdWpMMyttQ0VYbDFMT21mRGJHSVBMVHVJeXRhS1RpRThvZTRzOG1meWorbVBUNlhZSzY1bzBYVTNSWmtBOGZTSzFwb21GbWtyWDAzQndLUm0zSExsR1o2cDdNTUZEVk1lcFBoQmFvTEswMkxpU0QrN09ZLzZ4Q0w2M1RJcWhaVU9UaXBuNGFERjZRSnp5V281d3hVTE5vS0YxYUJNNzRoakZDdmxxeDRLN3RDQmNGRWdPRTl6OWxnWmlTeFZpaVNTVlA2Mytaa0hZNWdnMFh0N0tNZFZSTWttdmFFWGZuZjZ5U2R2NnBzVlMrNGR2U3h3ZXExRFVoeHZvdktnQ2pRME9ralZ1cnVrczVybjFmdGRIbmVuL1ljYWVldmNhVTE5UHlha1NIc240Yy95ZzlCR2xqZU53VzhtNUNjN1E5WFdIVDZHeGI5Y0VaMlNlV05GMlpVNnVmK05meXh4ZThxM1dOblBrUzBDRS80Sy96S2JwSThKL3lYT0V3WkhNbWhCeXVGeGQxREVyNi9KTlpLQ1FiNDQ2cEJ5MmIvenM3aGxnYmFYbmw1UkxUOVRtS2tuN1d2Ym94RGpQRkNzd1RQTTE5NXJHU1A1TEpUWmd5QVBPbXJFUGdhc1Ywdm5wcVB2Z0JBSnZDT2hER2N3RHMvRFZkd1hqOEpIMUdkR3FmSkwvUnZKOTcyTlVUM09VUTZUY2tsU1RWMVJtRFpuRXdvSVpKdWMxWGphejcwclpQVVZlc2hwMUQrQXR5Slh2b1pkTFl4VndPTjNEalEzdGx1d3lzNi9jSWdKak9kMWlhajgrL1ZUYkh6RXdYMVNRN2NXS0w5YmszZWo3V0RZNE5WdENHc2JpNUdHNHpIVWx0UFRHRDlDUGQzcnVxUmFTN0trcDBFcWdrV3k4WHBNMkFFUkVuNkMvSDQ5VngwNmVKcDFMYVFZUUI3MmdYM21FUk5pRy9HZnJiZ2pBcWF1aWtqR2t0bUZNb0hZeXR6QkJ1UG9PWkVDVmcwSjgxT1FxOEhWOENYTVkzYkI2eDhMNXNRb2I2YnlaNk9tUytBM2N0Q3N1WmtnSEVrMEJnaVdTcUNNWWhuTEs5TGNCWStXZXFtK3Z1TFhZUnB6K3FCNHlIY0tUb3pERkQ0d2tVTXEvTDNSdld0ZEpFLzVaNkcwdjY2ZWZJUG9rUk13OHcvL1JoUjd1T0ZhZFIyWDh3TVNGWVRmYmN1bi85cy9UZ21yOHV6QnB1NWVoczJVUmJGUjBoOGF2YkQxRWFYRHUxOFBIbzgySFVEejRjdWovODQ1M3J6S3lob1V6Uzg2Mmg1aHV1NnhiMnNIY2FPMDlZUFpKNnM4UExwMjlpU1RhajNkV2o4MS9keFZBN0x1c3NDaUVlWVd3ZWtvcmx6bjA0Wm14YXgyN3lsUnBlZFA1aWhGYjZycG42SXlMNndHVmo0WHIzMDl2WDVnM0FWaXFPSEw0aDE0cWhSRFRPcStiVExkM2ZLaXpCWUNYOXpTZFlXdGF4Ny9vSU9naWZkN2NGTVZ3ckE0ZGIwaHNtZVNnUEVUVHlqZ3RMM2FSbzNkc3pqUEZ2RDBXQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * x4Ixbvn5bfV4DXvFxkKzu9ZNY
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\bwg6Gi_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCdaCaeABd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1DOW01U2ZrUFQydDNwUHFNSEw4REppbXJYWXJ0T21HbldwRjhvSVVVZ2crbWZvZ2MrRytlSi9sRWFCKzZuT3FhZEZnSFpzVk5JRVJRa1pPZkdLckF5UUtMd1RtUDhhRzFma2FReUZ6Nm1wM3FBOVZGTkdDYk9jbWordk8vOWZRc1pwbEFNcitGYmdSVlZWVkwxWUxWYktQaDEvZWdldXZzWnNkeTZDbDJRNnJETzM2Y0QxVjI3K1NhdDNSL0Z5M2NvSGM3cUVWb2pPS3V4NlFWZ09xVUpIVitrTFRaMnEzYW1obDJKT1RYMXF2S0pkdlVoV0F5WXdLQnoxUWRPSGkySyttUFhON2NoQWVsR1JFbi9zTllnWFdBK1Y5MTRuWlYxQU5hNHhuLy96R2JWQS9Vek90cGRuMmpISm1mZTRkTlpyMlRRWVZvVm5MbUEvTXZEVHRFWTViaC8zbkZ2T1NNSUpOVWNKdi9YUFNodGZhaVBIUTZ1TUhiSkpVeVJNMG8yWGs0cDB6QVpFaGhtZTk4U3lwcFQ3UHdzOFZwT0g2SDNFSDhmV3RHeThCWVE5MlNHcHdXdWpMMyttQ0VYbDFMT21mRGJHSVBMVHVJeXRhS1RpRThvZTRzOG1meWorbVBUNlhZSzY1bzBYVTNSWmtBOGZTSzFwb21GbWtyWDAzQndLUm0zSExsR1o2cDdNTUZEVk1lcFBoQmFvTEswMkxpU0QrN09ZLzZ4Q0w2M1RJcWhaVU9UaXBuNGFERjZRSnp5V281d3hVTE5vS0YxYUJNNzRoakZDdmxxeDRLN3RDQmNGRWdPRTl6OWxnWmlTeFZpaVNTVlA2Mytaa0hZNWdnMFh0N0tNZFZSTWttdmFFWGZuZjZ5U2R2NnBzVlMrNGR2U3h3ZXExRFVoeHZvdktnQ2pRME9ralZ1cnVrczVybjFmdGRIbmVuL1ljYWVldmNhVTE5UHlha1NIc240Yy95ZzlCR2xqZU53VzhtNUNjN1E5WFdIVDZHeGI5Y0VaMlNlV05GMlpVNnVmK05meXh4ZThxM1dOblBrUzBDRS80Sy96S2JwSThKL3lYT0V3WkhNbWhCeXVGeGQxREVyNi9KTlpLQ1FiNDQ2cEJ5MmIvenM3aGxnYmFYbmw1UkxUOVRtS2tuN1d2Ym94RGpQRkNzd1RQTTE5NXJHU1A1TEpUWmd5QVBPbXJFUGdhc1Ywdm5wcVB2Z0JBSnZDT2hER2N3RHMvRFZkd1hqOEpIMUdkR3FmSkwvUnZKOTcyTlVUM09VUTZUY2tsU1RWMVJtRFpuRXdvSVpKdWMxWGphejcwclpQVVZlc2hwMUQrQXR5Slh2b1pkTFl4VndPTjNEalEzdGx1d3lzNi9jSWdKak9kMWlhajgrL1ZUYkh6RXdYMVNRN2NXS0w5YmszZWo3V0RZNE5WdENHc2JpNUdHNHpIVWx0UFRHRDlDUGQzcnVxUmFTN0trcDBFcWdrV3k4WHBNMkFFUkVuNkMvSDQ5VngwNmVKcDFMYVFZUUI3MmdYM21FUk5pRy9HZnJiZ2pBcWF1aWtqR2t0bUZNb0hZeXR6QkJ1UG9PWkVDVmcwSjgxT1FxOEhWOENYTVkzYkI2eDhMNXNRb2I2YnlaNk9tUytBM2N0Q3N1WmtnSEVrMEJnaVdTcUNNWWhuTEs5TGNCWStXZXFtK3Z1TFhZUnB6K3FCNHlIY0tUb3pERkQ0d2tVTXEvTDNSdld0ZEpFLzVaNkcwdjY2ZWZJUG9rUk13OHcvL1JoUjd1T0ZhZFIyWDh3TVNGWVRmYmN1bi85cy9UZ21yOHV6QnB1NWVoczJVUmJGUjBoOGF2YkQxRWFYRHUxOFBIbzgySFVEejRjdWovODQ1M3J6S3lob1V6Uzg2Mmg1aHV1NnhiMnNIY2FPMDlZUFpKNnM4UExwMjlpU1RhajNkV2o4MS9keFZBN0x1c3NDaUVlWVd3ZWtvcmx6bjA0Wm14YXgyN3lsUnBlZFA1aWhGYjZycG42SXlMNndHVmo0WHIzMDl2WDVnM0FWaXFPSEw0aDE0cWhSRFRPcStiVExkM2ZLaXpCWUNYOXpTZFlXdGF4Ny9vSU9naWZkN2NGTVZ3ckE0ZGIwaHNtZVNnUEVUVHlqZ3RMM2FSbzNkc3pqUEZ2RDBXQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ogPJP7aPRHD9ZxaHdHFa5KhuPXuZ
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (158) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
    "C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2976
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:5064
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:3304
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\system32\wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:3196
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:5024
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
          1⤵
          • Executes dropped EXE
          PID:640

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        2
        T1112

        Indicator Removal

        1
        T1070

        File Deletion

        1
        T1070.004

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
          Filesize

          775KB

          MD5

          2d2a5a22bc983829cfb4627a271fbd4e

          SHA1

          c0fc01350ae774f3817d71710d9a6e9adaba441f

          SHA256

          0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b

          SHA512

          8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d

        • C:\Users\Admin\Desktop\bwg6Gi_readme_.txt
          Filesize

          3KB

          MD5

          16c45922bd0f9dbcc7b48a756f6dac27

          SHA1

          ec919968b337d4f580015c9fc821a381fa243386

          SHA256

          051bb99ce9ad21e5b1a399c7852fec9f1e84896dba1750876325e9b9781d5740

          SHA512

          5f77a63487a97e3145c498d43ec9d691e839fdeed78a42b07de05f5bf129413f55773f6f4427f74052dadefdfa2ac0c7c66699deecb08afe07b5afad9994e588

        • C:\Users\Admin\Documents\bwg6Gi_readme_.txt
          Filesize

          3KB

          MD5

          0cfe52656f515b1cd3868ad3d4670f91

          SHA1

          8803dd8971c1b33f5b9b713bba36453d722ff7cf

          SHA256

          0bdb2501184e1f32a4c65143a5f6b161e57875bd3d16a752ca59977c22606683

          SHA512

          5d5bf72eea2bff1a208229705695b0649a4326dab4dd01bdd91aba3bf3391e1187c2d6fa605ce1b2322bd13e94e9f51d2e2b35a5b81379ad73779d48b3c7df66