General
-
Target
5060f50f1dd6b594221964188cf86d1462f683dfd6720ac78f2ff51d2a1adc7d
-
Size
382KB
-
Sample
240417-qcgedagf34
-
MD5
3c2ba59f0b322e87602fc1beebb4b7d5
-
SHA1
a5850a57cb5e4c6ad92178edfa06f2bea91f0cdf
-
SHA256
5060f50f1dd6b594221964188cf86d1462f683dfd6720ac78f2ff51d2a1adc7d
-
SHA512
e61f48b85c4ee5821cb24c79a4f5341fbb04cbc08f7e1453e0256ee735f8bdf154ed58c979e3731831161446c00f270c531ed5477a890ceee583ed3fe37c11d7
-
SSDEEP
6144:gNP3Cw1oFSxtzXMcvVcB8vPc1OgvJZF+ABs90/rdwPQKkVrXQEzrUHbkCs7rZl67:g53Ca73vQfTs9qJVKorg+ObkCs7NlK
Static task
static1
Behavioral task
behavioral1
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
C:\Users\Admin\Downloads\O7IQ9_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\xleUz_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\xleUz_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb.exe
-
Size
441KB
-
MD5
b1758767d10c75d1589c16763fca6fd3
-
SHA1
2722f21a31859ea735e908a1c705d07b139e3b12
-
SHA256
d841d0a10e8b6885f1b8e1282c70e88d4f74471fbbe1b4b6f29b4ca238b1e8cb
-
SHA512
93bdfaf8a7b35e3c0110e931a35c5a901c8acf06b36dd9e8cba9b770be642525ba0350ae94d68556961b06b0d802cd2e1997fc73849c643f76eba721215abf5e
-
SSDEEP
12288:5I7bv0KUN/9MISQBqz9xbwL5A++dMncx4wjSvh:K7QzuyErzrSwjMh
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2