Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 13:20
General
-
Target
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe
-
Size
719KB
-
MD5
275e4a63fc63c995b3e0d464919f211b
-
SHA1
51d85210c2f621ca14d92a8375ee24d62f9d7f44
-
SHA256
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
-
SHA512
1723fb4a624859cb49f1d00100a44c5104a8a6ee4685b0e0988fa54f929dc7d70d171034577a17db2e6529d6c19b49d2ba023c4c98e9637f92981a3c1a5c9dac
-
SSDEEP
12288:OR8hjUV679Aa4Auw3gveB17cOT1WHWEQTe0udkuHgCNU7SY/qgjjmJ/:quK679Aa4Auw3gveB1TGWEQSzXY/tjq/
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\AS58i_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LVJzcnRCR1gvalNtaVFVeHlna3VmWE5DeUUvUHROOHp3SXhSbmtDT004YnNxRHZRamVyR3hjdGswejIvMHdNaUh6OTJzYitmTGx3cUJCRHNLZE5XNjI3MGlwa0oxa1VLK25tekVydkUyZThwVWh1MmFLTWhOYmtWOUJGVG4xb2tlQ2xuLyt6S0JvOVNJSVBVbHpudDhlbHRoR0NmcUVXKzVXOFIyY2NHdFJEaTlPL3grNXcwY3I2NUFFeWVkdVZmbXBPUHozdEZ5bHY3RDJ3Q3Fic0R1V2c4bW00V3o5Z1IxVGlPRTArYWM1RGc2b1FoU1dhejFURklDTkhHREkxV3EzY28va1FCV05UN0FXVGVNMlFGQXMrdUhaRzNmOGRuOW9XSGc3T3pFRStVLzBMN0h6OXduc2JWQithRXdjTnZTd0RsQzRrVmtZNUpZTU1FSE9rWUhsc0xjWWcrZmhTZzlsZXhWQ1c0bTlEQjZZSmxGZng5dk5kamRhaDV0NzlDTXNFZk5Dd2t0N0h3Zlp1NXIvbC9HVTJCK3R6SVFEUmZueW1yS0h1WnhnZmJGZmQxUlZjMGhRVUV3YU1RMzF4MGZSYkZOOTI0ekMxZEI2aXoxeVpzNXQveTJ1RXZuMUVUVGQ2THJKam5VQUhQMFBUOCs0N1YzTXNPUUFmcmlwUFRnMUE5RmJNUElDY3NET1VHdXZsOXczclpqOVhOWGczVS9qMk1KTmlZdDBEU3RrOVcvUUNySU1yMnlJRGRoRm9xQmx3ZFgxQUg2QThvRm1jVU9mUENSVTR1L1ZlUjVzUjQ4aXJwMkRQdU82TzNPc0NZa2wrZTN0eXVHeVIvTmR1em5mYXhHaWpuenR1WnRqSFBZUnNiOHVyQWxWaFdNYktxS0pBTzVWRGs5eVZ2Nld6Q1hneGxvM1JueEg3bmY5RTFjMG9waFZVWEV1ZW4wUXNXZ3FoVEFpQjUvdzU3SHZpS011UEFBVnlHMkNuVXJhS2JxSDFydjIyQ2NyUHlMZG9xdzlrMXdRclJ6Q2ZCRWlrdVU2eTVTdzd1RU1TeXBseC8zVng2cUlmeXVMWENTc1dCSU5GS213bVdrWTlTc3Z6dldQSzBUS002WEVJS0liRkttKzB4RVNVb0daTDV6UDhIUTVQZW5RZVZiRUVUdHhpVFZDbUdFYU41aUwwUzZNcTNscnBtOUNRM0tkeDNxaHoxNHVZWVpJZkNPcVl3Y3FxK1U2UmwzTkxsWU1hN1ZJKzlpd2NGV0FEL0ZNUGFvWkJLUm9iNWZmNjJGUW5yVHlRd3pxNTVyTENTT1NpM1l4a2FaeXhFMGIxaEc2azJhb3JNVXdBSkh0MGpqZlFKQ1UvQkdqS0tuMENrUTUrV3MwbERjMzVQMWhXenoybVgvN1BicWF6bnhKUy9aYm5EeHVrSjJtNXdDNG5tR3F4ODU4S2xBSjFiZjBGT2d3Sm9rODVVRjRpbmRiU1lwZ0JaMG0wZjhobCsvN1pDZlVTdFZqNlh4bTk5dW5yUW1zanZrTmdGbFpkV0FHVXQrUTk4UEU4L1NmR1FGblBrZTlFOG9BS0hidmNPMUVDVUY3TDZCNE8veDVRdjdqZlNzYTl0cjJVanFJZWRMNlZpdlNlUWliSlJVdnlxYUQrMW9ESnJHSUJFTGhqOGw5QmxGNjZreFJKenBna3c5VTgva1IxWUpJbHhQMGI1OU1aUGxXU2kyeFJEV3R0OHlTbURMbkN3OGVjVlpQMjdEbk9adUFZenREREkzTGFQbmwvT0ljRXpGTDFYdTlieXZtUlBZaFJONW5GMkJ3TXlyZzZJbFpJWHN4R2djdm1rOVh1ZzgzaGhoVEVVNjRRSXRQUDd0VE9rUUNoM2ZzbStYcnVWd2hXcWtvYnF5SWpNblBnWGs4L3ZDNHZaNGNiSno5TlUrZWJnSTJzbmg1NGErOVVUWEFEMXE1RDRnS1laVmIvaGZOcVB6MVM4aS9XanF4QzZWcFhObXZuT3psakhqdGFKOXRsQmF0aEJmVFkvbU5nQTE2emozRTY0NWUvY0s3dThjcGJtMDRFcUZOVkIwVHcxK3dnNUFXd1FPTHlzNWJiMUlBN3RhUHpyamphN081eUJyTkZWSXBFMHV6VUpJUHNuTW92NDdkVkNRUUl4UE9RPT0=
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
MCo
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\AS58i_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LVJzcnRCR1gvalNtaVFVeHlna3VmWE5DeUUvUHROOHp3SXhSbmtDT004YnNxRHZRamVyR3hjdGswejIvMHdNaUh6OTJzYitmTGx3cUJCRHNLZE5XNjI3MGlwa0oxa1VLK25tekVydkUyZThwVWh1MmFLTWhOYmtWOUJGVG4xb2tlQ2xuLyt6S0JvOVNJSVBVbHpudDhlbHRoR0NmcUVXKzVXOFIyY2NHdFJEaTlPL3grNXcwY3I2NUFFeWVkdVZmbXBPUHozdEZ5bHY3RDJ3Q3Fic0R1V2c4bW00V3o5Z1IxVGlPRTArYWM1RGc2b1FoU1dhejFURklDTkhHREkxV3EzY28va1FCV05UN0FXVGVNMlFGQXMrdUhaRzNmOGRuOW9XSGc3T3pFRStVLzBMN0h6OXduc2JWQithRXdjTnZTd0RsQzRrVmtZNUpZTU1FSE9rWUhsc0xjWWcrZmhTZzlsZXhWQ1c0bTlEQjZZSmxGZng5dk5kamRhaDV0NzlDTXNFZk5Dd2t0N0h3Zlp1NXIvbC9HVTJCK3R6SVFEUmZueW1yS0h1WnhnZmJGZmQxUlZjMGhRVUV3YU1RMzF4MGZSYkZOOTI0ekMxZEI2aXoxeVpzNXQveTJ1RXZuMUVUVGQ2THJKam5VQUhQMFBUOCs0N1YzTXNPUUFmcmlwUFRnMUE5RmJNUElDY3NET1VHdXZsOXczclpqOVhOWGczVS9qMk1KTmlZdDBEU3RrOVcvUUNySU1yMnlJRGRoRm9xQmx3ZFgxQUg2QThvRm1jVU9mUENSVTR1L1ZlUjVzUjQ4aXJwMkRQdU82TzNPc0NZa2wrZTN0eXVHeVIvTmR1em5mYXhHaWpuenR1WnRqSFBZUnNiOHVyQWxWaFdNYktxS0pBTzVWRGs5eVZ2Nld6Q1hneGxvM1JueEg3bmY5RTFjMG9waFZVWEV1ZW4wUXNXZ3FoVEFpQjUvdzU3SHZpS011UEFBVnlHMkNuVXJhS2JxSDFydjIyQ2NyUHlMZG9xdzlrMXdRclJ6Q2ZCRWlrdVU2eTVTdzd1RU1TeXBseC8zVng2cUlmeXVMWENTc1dCSU5GS213bVdrWTlTc3Z6dldQSzBUS002WEVJS0liRkttKzB4RVNVb0daTDV6UDhIUTVQZW5RZVZiRUVUdHhpVFZDbUdFYU41aUwwUzZNcTNscnBtOUNRM0tkeDNxaHoxNHVZWVpJZkNPcVl3Y3FxK1U2UmwzTkxsWU1hN1ZJKzlpd2NGV0FEL0ZNUGFvWkJLUm9iNWZmNjJGUW5yVHlRd3pxNTVyTENTT1NpM1l4a2FaeXhFMGIxaEc2azJhb3JNVXdBSkh0MGpqZlFKQ1UvQkdqS0tuMENrUTUrV3MwbERjMzVQMWhXenoybVgvN1BicWF6bnhKUy9aYm5EeHVrSjJtNXdDNG5tR3F4ODU4S2xBSjFiZjBGT2d3Sm9rODVVRjRpbmRiU1lwZ0JaMG0wZjhobCsvN1pDZlVTdFZqNlh4bTk5dW5yUW1zanZrTmdGbFpkV0FHVXQrUTk4UEU4L1NmR1FGblBrZTlFOG9BS0hidmNPMUVDVUY3TDZCNE8veDVRdjdqZlNzYTl0cjJVanFJZWRMNlZpdlNlUWliSlJVdnlxYUQrMW9ESnJHSUJFTGhqOGw5QmxGNjZreFJKenBna3c5VTgva1IxWUpJbHhQMGI1OU1aUGxXU2kyeFJEV3R0OHlTbURMbkN3OGVjVlpQMjdEbk9adUFZenREREkzTGFQbmwvT0ljRXpGTDFYdTlieXZtUlBZaFJONW5GMkJ3TXlyZzZJbFpJWHN4R2djdm1rOVh1ZzgzaGhoVEVVNjRRSXRQUDd0VE9rUUNoM2ZzbStYcnVWd2hXcWtvYnF5SWpNblBnWGs4L3ZDNHZaNGNiSno5TlUrZWJnSTJzbmg1NGErOVVUWEFEMXE1RDRnS1laVmIvaGZOcVB6MVM4aS9XanF4QzZWcFhObXZuT3psakhqdGFKOXRsQmF0aEJmVFkvbU5nQTE2emozRTY0NWUvY0s3dThjcGJtMDRFcUZOVkIwVHcxK3dnNUFXd1FPTHlzNWJiMUlBN3RhUHpyamphN081eUJyTkZWSXBFMHV6VUpJUHNuTW92NDdkVkNRUUl4UE9RPT0=
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
W
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Pictures\AS58i_readme_.txt
Family
avaddon
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .aBBcBDcBbB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NTc2LVJzcnRCR1gvalNtaVFVeHlna3VmWE5DeUUvUHROOHp3SXhSbmtDT004YnNxRHZRamVyR3hjdGswejIvMHdNaUh6OTJzYitmTGx3cUJCRHNLZE5XNjI3MGlwa0oxa1VLK25tekVydkUyZThwVWh1MmFLTWhOYmtWOUJGVG4xb2tlQ2xuLyt6S0JvOVNJSVBVbHpudDhlbHRoR0NmcUVXKzVXOFIyY2NHdFJEaTlPL3grNXcwY3I2NUFFeWVkdVZmbXBPUHozdEZ5bHY3RDJ3Q3Fic0R1V2c4bW00V3o5Z1IxVGlPRTArYWM1RGc2b1FoU1dhejFURklDTkhHREkxV3EzY28va1FCV05UN0FXVGVNMlFGQXMrdUhaRzNmOGRuOW9XSGc3T3pFRStVLzBMN0h6OXduc2JWQithRXdjTnZTd0RsQzRrVmtZNUpZTU1FSE9rWUhsc0xjWWcrZmhTZzlsZXhWQ1c0bTlEQjZZSmxGZng5dk5kamRhaDV0NzlDTXNFZk5Dd2t0N0h3Zlp1NXIvbC9HVTJCK3R6SVFEUmZueW1yS0h1WnhnZmJGZmQxUlZjMGhRVUV3YU1RMzF4MGZSYkZOOTI0ekMxZEI2aXoxeVpzNXQveTJ1RXZuMUVUVGQ2THJKam5VQUhQMFBUOCs0N1YzTXNPUUFmcmlwUFRnMUE5RmJNUElDY3NET1VHdXZsOXczclpqOVhOWGczVS9qMk1KTmlZdDBEU3RrOVcvUUNySU1yMnlJRGRoRm9xQmx3ZFgxQUg2QThvRm1jVU9mUENSVTR1L1ZlUjVzUjQ4aXJwMkRQdU82TzNPc0NZa2wrZTN0eXVHeVIvTmR1em5mYXhHaWpuenR1WnRqSFBZUnNiOHVyQWxWaFdNYktxS0pBTzVWRGs5eVZ2Nld6Q1hneGxvM1JueEg3bmY5RTFjMG9waFZVWEV1ZW4wUXNXZ3FoVEFpQjUvdzU3SHZpS011UEFBVnlHMkNuVXJhS2JxSDFydjIyQ2NyUHlMZG9xdzlrMXdRclJ6Q2ZCRWlrdVU2eTVTdzd1RU1TeXBseC8zVng2cUlmeXVMWENTc1dCSU5GS213bVdrWTlTc3Z6dldQSzBUS002WEVJS0liRkttKzB4RVNVb0daTDV6UDhIUTVQZW5RZVZiRUVUdHhpVFZDbUdFYU41aUwwUzZNcTNscnBtOUNRM0tkeDNxaHoxNHVZWVpJZkNPcVl3Y3FxK1U2UmwzTkxsWU1hN1ZJKzlpd2NGV0FEL0ZNUGFvWkJLUm9iNWZmNjJGUW5yVHlRd3pxNTVyTENTT1NpM1l4a2FaeXhFMGIxaEc2azJhb3JNVXdBSkh0MGpqZlFKQ1UvQkdqS0tuMENrUTUrV3MwbERjMzVQMWhXenoybVgvN1BicWF6bnhKUy9aYm5EeHVrSjJtNXdDNG5tR3F4ODU4S2xBSjFiZjBGT2d3Sm9rODVVRjRpbmRiU1lwZ0JaMG0wZjhobCsvN1pDZlVTdFZqNlh4bTk5dW5yUW1zanZrTmdGbFpkV0FHVXQrUTk4UEU4L1NmR1FGblBrZTlFOG9BS0hidmNPMUVDVUY3TDZCNE8veDVRdjdqZlNzYTl0cjJVanFJZWRMNlZpdlNlUWliSlJVdnlxYUQrMW9ESnJHSUJFTGhqOGw5QmxGNjZreFJKenBna3c5VTgva1IxWUpJbHhQMGI1OU1aUGxXU2kyeFJEV3R0OHlTbURMbkN3OGVjVlpQMjdEbk9adUFZenREREkzTGFQbmwvT0ljRXpGTDFYdTlieXZtUlBZaFJONW5GMkJ3TXlyZzZJbFpJWHN4R2djdm1rOVh1ZzgzaGhoVEVVNjRRSXRQUDd0VE9rUUNoM2ZzbStYcnVWd2hXcWtvYnF5SWpNblBnWGs4L3ZDNHZaNGNiSno5TlUrZWJnSTJzbmg1NGErOVVUWEFEMXE1RDRnS1laVmIvaGZOcVB6MVM4aS9XanF4QzZWcFhObXZuT3psakhqdGFKOXRsQmF0aEJmVFkvbU5nQTE2emozRTY0NWUvY0s3dThjcGJtMDRFcUZOVkIwVHcxK3dnNUFXd1FPTHlzNWJiMUlBN3RhUHpyamphN081eUJyTkZWSXBFMHV6VUpJUHNuTW92NDdkVkNRUUl4UE9RPT0=
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
5wW43WkvjI
URLs
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
UAC bypass 3 TTPs 2 IoCs
-
Renames multiple (134) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe"C:\Users\Admin\AppData\Local\Temp\cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD525720caaf73446e1caf9af60f65271d0
SHA17af93514daf3827b56a7f5996e8f0a969a008736
SHA2562784ab2e9e9f99025ffb2a530502f8093132274de0eab4c07414e1a0e00d3083
SHA512d18c3a27c97999b254ea7578c6d1a4890d7018373842bdda2a0f5637d3a86506be32eb2f2909ebfc23b982689f432f566d69916189bf14a790d1c751063d8afc
-
Filesize
3KB
MD5f6a22b9b3036c15577d2ac9936090bbb
SHA1e4b99a4e3fcaeb9e2e41d71d4c6c6ee63fc31744
SHA256049569b54213b18c409cd28439afd3f34feff5e458883a1ae74ba32e19830f75
SHA512561713a908fdbb8ed3085013284b64ef75ea9cf14e416ddd7ec61bead3c8c0316909255fe91672da605eb7dfca024bb3915ffa09bc1b19c8ede76900f27fc4c1
-
Filesize
3KB
MD5e3ff2e6ceeeac9ed56f4cebb55a829a6
SHA1932bd9a74a82c2abc1a4d19faafd549e2b762e47
SHA2561c6be970969de4644946cdb7b03a146d9eb88381302df727c1ccf4098aa4b115
SHA51295d33e83cfdfb9593e7dbef65b9e36f84f6772f4ad32bd21f6033a17c8719484099bbe9fc56f9c88f3f2678ba6401381767534a84182aab7e33f56c0ec687f77