Overview

overview

10

Static

static

10

1228d0f04f...a2.exe

windows7-x64

10

1228d0f04f...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

  • Size

    775KB

  • MD5

    0b486fe0503524cfe4726a4022fa6a68

  • SHA1

    297dea71d489768ce45d23b0f8a45424b469ab00

  • SHA256

    1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

  • SHA512

    f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

  • SSDEEP

    24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Documents\RwNRD_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * oi0
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\RwNRD_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Bqbo06
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\RwNRD_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * XTjBLIJ1PP
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\RwNRD_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BbbABBeeEb You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC02SGhlUDEybVQ3Yzd5d25aMzF2SlRPVnRQZFcrSGJEOStoZEx5RXVIL21JWlE5c1pmWS81TGNGQkowY0RkUzloQ0dqV1FLL1pUMzhHZWhEMmIwQjhEUUlyYUJKNk5IYnlHT1A5Z1d5OG9YQzZxZGVYa3RYQVRNbldvTGdmUHVBQTBLdzNLQW85SE1Hck1qMFBISEtPZHB3c2hlQmphb1l2UFhtNG5HVlVGZFVIb0w3THdObUhlZVBLREtUUWlJTXJiN0hGQnd6ejh4TFJka0cwZ01iRjh1MVBGeWNBZWtyMFdJREkvT3VnY0RzUVhLckVucnl2b1hha2E5NElZN0ovaVJOVEQrSVN3WEwxUXJKdWkraW1LZ0J6bTVQUHBQT1dTUjZ3V3RERmtQQ2gxaXlkNFJGNE0rMTlqbGNkS1lWUVY3dzNSVnp3RDNJOW1YMUxRaU5OdXRYdUROTkVtRXVTRVhjZEdOV0o1ME5rY0pPWjJTWnRsQ0F5Q3FtdUY2VEU1VTQ5NUZKZzBVaWYxOGNiTXBackFLVFVLYkM0dTN4amJNUGwyTlNmTE9JaGZDVlJsYnpRWG90VndkZjNYVThPaWZGZXNiQ09mOU5odU5JVnp5NUN1UEgyaXFmRjBBMWZGdzh6djlBK2dSSXo1WGI3V2kvMkZWUDI3aXBscjMvNzR2eGNCNURqcEdNZHRHNyt0bFlQSDJLRlFwa3I1c1dnWHhVdnhjL1JoNkI0R0loK01TZXVjaittZCtDejJFVmRhVHhqZlJ1Y3JvN1lOZ3YyZDF2VEgrK0p5b2tLc1VCeXlhQXVvbXFkQUR6a0lKQTRycGtsblFpamZLQTYwMFl1Y3VPQ1JFMVZJeVR3TUNJNTJ1ZTFLU3JMTm5uUVNiQjRmUlA1UDZSaDV4VGdLdjA5L1RFbnpaMUtMcGtFRE1XM0hReXNhQnFjTm5iTmNidVNRZ3dabDh2SUpxaFlqZjVkWFN1eGw2eVdBRlBud2tmMmsvUXczT2plaWR6MEpQUEdKV2MyQllRNXRVcHpPaWk3ektNbDVDYWExa015dnNEM2k1Tk5jdVFqUEN1VTFDcy83bmxUVEgyL1NZczl5a0xSZGwyWHhYZVlHdzZsWC9YZ2wvRmNoZCtqYmNqL3pLSVVsRFRINmNpNS93Uk55SkozSjlvZVRLME83NkZGMWtqYzRuOWZWR3JvZjZvKzRhU1dGRHpoYlhVU2hTeFBtb0diWkdZNVlqRDZpWVFCclgrY3N4VG5WbXU0WVZsenRFQklFWVhZUWQ1SERjZWFoYnppZHM5Zk45VGJEeXE5NitlVTRKN3dvRjNBQ0QwcXIyNEg2VWkwS0w1UnJYRVJ5ckpQdHR3S2RwUVJpVVhFY2pCRGQ0QnBsdGdjWG1lMFlXSEZQZlZpL0JwSTVMemFGZnptT3hmSHA1OTB3bnlPMUZtR3ZNVnhDbTNLY2t3RG4rUTNaYTZkM0JYUnVYUnpLMjFpSlRHWWJMcnBCTDRqbWE5Ui95NWhpcHpObTJsOWxiTE1TT0dnNHlCY1poY1BzbFNid2tQaU94cjBoLzduRHltc1BBOGpLbTR3WGNGbVBSU1JZcmRFNmhnNll3SmFiY2NrS3plTG95SUY5cUlIQWVlY0Rnd0cvcWRvMjdqNmNaemludTdKNmZsb0UwSFpJR2krTCtJTytFdVV4TkxWN2xuQklFNWEySFBwTHZxOU8ySEpxRWF1Z1VzcVVCK3R1WDJsSGo0YnA2THpTSkRKRXJDcnIwYm94WVZMRWhaNWRzanptMkJrbWpqeU5nMWlMQ1dGSmFxQjBMQU53VTNFM1VHN0JOaWFOd1F1a1dLSVRsNG5yd3VoNHdYQTlNRVVMTzJFUDZoVUkwaTBEZjcyd0ZiTzRXeENFMGJSNFE3V090ZStBWFVQSWN1SnI5U1hyOERYc3NlSTZiS2hVTm1DeFBRSUQ4OVRLRWkzd1VCaXNhZG94L09zOFdSaGQ4VHRGSTVLaFdUY1o1UFFIRTdlRGd6ZjE1eXNQOXdvTGlJSTB2aEVUaUJxOTVOaGhjTXl4VTNPMlc1RXFWT2hmUzVQTjVhUGNLTUFKaEQ0Mkd6bzB6WUErNmxGSUc1Tko5RERnVWlQUzhLeFljeHF2aWJiWENRazBEU05Cdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ObK1fU6pF1tb9
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (164) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
    "C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5072
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:1572
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:556
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:4328
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:3372
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:4476
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:4044
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1344
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
              1⤵
              • Executes dropped EXE
              PID:1656

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\RwNRD_readme_.txt
              Filesize

              3KB

              MD5

              cb6626527334d70f7cca7442c57b6b92

              SHA1

              b34ad00c7d6cf1cc313b2be7caee3c4200e9cfce

              SHA256

              ecf7b733dc2550d817df45f046a7c2673ea66f5dd07f81a53ef829d6354a6d93

              SHA512

              094adc32e74614c7890baad95ba832e0aa186f1fd574b09d291564bed31f00405dbc3e8349bd82acb22da6fdbbd488d25c890248d726b6a036730ddd22e01a62

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
              Filesize

              775KB

              MD5

              0b486fe0503524cfe4726a4022fa6a68

              SHA1

              297dea71d489768ce45d23b0f8a45424b469ab00

              SHA256

              1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

              SHA512

              f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

              Download Submit

            • C:\Users\Admin\Desktop\RwNRD_readme_.txt
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit

            • C:\Users\Admin\Documents\RwNRD_readme_.txt
              Filesize

              3KB

              MD5

              a8a13766814c462430b8751463116eab

              SHA1

              9059a0c939985b24bc9708b46ddc11adc909c0fc

              SHA256

              c24a9a16e6f898d0ad391eb00517eb0749ffb0de041af0721ce86a7f0122f5c8

              SHA512

              372dcf14f652f5364404b4a7bcb85c2f930b3b72f14598ee94d2576fb7b877e9b3fb9a5a088c521c6081e8e6003d8e0fd5fd05dc64c87fb0786931c4fa1f4ef9

              Download Submit

            • C:\Users\Admin\Documents\RwNRD_readme_.txt
              Filesize

              3KB

              MD5

              75d5443f78b030b471ce6ef91d8e5aaf

              SHA1

              7faa27616a28130ceb5408d2f8090d53324d80dc

              SHA256

              a1ee4b40cfcc15e92c1a56df6bb64f0cd9aaba3276e8a74fbd716d2b79a37fbd

              SHA512

              b933bd66402669cf64f64c3212a21404b9716df17e494fa36cfb300912766e751c9ad4fd771d5b0dd185b1621fc82c7868963e38aa3e8001e85f67a3af18e153

              Download Submit

            • C:\Users\Admin\Downloads\RwNRD_readme_.txt
              Filesize

              3KB

              MD5

              eb646c3935780bd9c62871b6bb0241fd

              SHA1

              b2d2595d99e1c3b8fb23b1427e72e322573a36f9

              SHA256

              5ff8e2e9a865d765c9b38f9cf6eb50fc38661dba8728d8a17ceb7041ae62a70d

              SHA512

              0db9bc89f6f3ef72bf3c69ec7c5b0af0634872a3b9c60ae5703a2928ca9e9a2c0eff9570ed6b1eddba345daddfda04c857e245ef107e6014cc7fddac2ab23dc1

              Download Submit