Analysis

  • max time kernel
    128s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 13:20

General

  • Target

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

  • Size

    483KB

  • MD5

    53717dc73f61b0f9551cb62d6fca2e4a

  • SHA1

    1ca9304e86632b147852767c85c57e08bdfc8855

  • SHA256

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028

  • SHA512

    ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552

  • SSDEEP

    12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

npUIN2Iu1EoNPJZrHSkGTbsF6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

AS58iE5hrqWwmjDtSyArAG1GSYpEN
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MTgwNS1qQ0NjSENRVlVCWWREajFaL3ZTL2dmMnR3MVVMWUJ2UzRxeTNGdHFoZWZZa2owWFd6VlJYSFdkbS9pQm4zMmtrZmJwK29idnY0N0t4S1lublNmWnU4blIrU1BVQXB1cE9TekUrN1AzUGJEQ2E2c3YrenlyRFdnVFN6MEV0MXEzQkhlYmdjWHJZcnJZV3QyaUVyZEZHN3Bub1B1Mk5LSzJXdFJacks4OEM2VjFRdjhENldRY2gyTXlMd2hhVngwYTBRQy9lZGJ3MmJCcW02UmVwdll4ZW5DbzlLNTdOYWNqYnRvbnhsN2YvQjd4VlBneWU3blc1U25NbUxxYjNLN0lSNGRTYXVBam1VTWJlaVByK2Z5WFFvZS9jbE5pNURjRnBZM1N1K2FLNUllVVIrakhHdFZwcXpWdWNzOUgvZ1hIVDNTZjdHdDNDRmZMamtjUGpzb1FjMlY0ZFROSVRqU2VIVHB3RFZYWnZVV1ZxaTlWL3M5ZmpWNVMrUm5QeTJpc2gzcWRPbWVneXV4dTRTKzdnalFOZjVzVFUzcy9vNlBQTm9YbmFyUzcvNEI0NTJPNW9KYzQ5KzY4WHJtTVpIVkJDRFRNWFRvcXpuaUpjSEVVTGZXVWR0RWVmT3FFdWpCQXAyZXpBaWtHNlZFb3RiQndZZFZIWktmbU9YM2g2UkJCZ2w5b1k3ZnM0RFFiMTNOZUUwOGNROWVoR3IyRDRPYlozb3dCeGxRbXV2TUhzdVdob2pINzBMZGpnMW5HZ0NxL0tlMnFUU3RNVmxLc3ZMYWlLM2xBd2h5R2Q1bVVZdjhZcHQreitDZkh4RU1Sa1lkbi9URGg5KzlNTWhTcFY3WWpMMWZ0NjV6RDlETUlKQnNkTVhuMVcwelZSMWhsSXJVbE0veFFHbUgvdlN4bTVGVFhHMXhOa0V3Z25qdGMyNjVKMWRBemNSbUhnWlN2S1AxaTdiN2s2WmoramNKSmg4ZitpdGwya1hCNGhRK244K01MR1dLcWx4ODZJelF5Q1VFR3VVSG5VazF6eDRkdjBSdG5nZGZoL0lDdU8zeU1HaGZNMUJ1VHdJd0E5Q055Z1VyNnU1MmZRRytEY09jZUxvcmdLUjgwVUt5aDFCU1p3OXpaMzZCVTlOZUh5ZVVYK3N6d20zWUkrZEdiSWNJQ0FpQUZrZ05GZnZOa29ob3F1di9QK2JCdVFCTUROUVpRVis2THlRRHRZaksrQUViNEFycVByVG9SVzJnR3Y4R2RWNDQ2NnlyWG53eGkwK0Rwb3FIeHF2eDlhQjRxdFhOWE9oL3FqenFWK1BPMnBnRmt0eU5ieFBMN1BZRENCYnVaS3Z3MmtCeHF1ek5CS3hObi82c2RYbkQ3OVEraVQwRDVHY010eDBXWjJHRFdmcDFvVGJJUk5qZktOREpxT1NLbC9rRkJHYVVRRVB6aG5HOG1xQXRoRFZZby9MQWh4cjlPYkhnZC9OQ0pBcks0UURHRDlPZGRYNWIzcytGRTluejBmMm9BOGZ2UVVFWTV5SEFWSlhFOVFHQnZGVzdUSVloTElzSGZjZGF1RnltSmJTelhMR2k3bHZBOWdITnhnTlZCd2FGTXJjd1NiUENza3ZKcTZrbnJwTHZ5NGhLSkU2U1daNFBFNnNWTW1saTBTNTFUMkw4RnhBY3l2YmtWTWN1RnJENjlLaGhxVm9hN0lYN0VmZ1ZUMmdhUktzOXFESG9mdkZqQ2UxV0VLN1B4RjRDaDJ0Vi9YelNhTnIvR3BFeEdKbWpWTThMaXA0cXRkU3RhbkJjSDFZeVRhQWp0Y20xU1hCUzVabnEya3FYdnJlZWtBWW1UL01RV2p5Y3dlRitGSUZjQTBEVnVvWWNTTUFzV3NObjlhYU9mSU5ZUEJ5OVJTRTRGSVhSNUozeElMaTk1dStRK25WMUUvTVZrWWtFQVhsQXdWSGoyVy82MDR1RWRvckwrZHRBN05iVUhqcXM1T2ozRFRlL0UyYXlvVm5DVmo1dHlPa1dPSzZ2UTMvdlNnRUpDNXE0Mlo0ODBWM0xYZDlnTEFpTHZTVTdIUS9QcjUzamhRaFBuTHJRS1ZlQ0g2aytzYVl6SkhkUFYzWFhEeWpWUi9jbHdPZnhsLzJybDZON0pKZFJIbDllQkN3WTk5ZGR3dVdOZGdkdz09
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

W
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\a5HYE_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEecADEACA

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 2. Install Tor browser
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
| 4. Follow the instructions on this page
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

MCo
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion
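The four extracted copies of a5HYE_readme_.txt above carry the same text but, as the Downloads list further down shows, four different MD5/SHA1/SHA256 values, so the note's hash is a poor indicator; the useful IOCs are inside the note. The following is an added example, not code from the sandbox or from Avaddon, that pulls the appended extension, the .onion hosts and the victim ID out of a note and decodes the ID. On this page the full ID in the Music copy base64-decodes to the ASCII string 1805- followed by a second base64 blob; the example checks for that shape and reports only the numeric prefix and the inner blob's length, since the page does not say what the blob contains. The embedded note is constructed from the page's text with a short made-up ID (the real one is about 1.5 KB); the regular expressions and function names are mine.

```python
import base64
import re

# Constructed sample: the note text seen on this page with a short made-up
# victim ID of the same shape ("NNNN-" + base64 blob, then base64 again).
_FAKE_INNER = base64.b64encode(bytes(range(24))).decode()
SAMPLE_ID = base64.b64encode(("1805-" + _FAKE_INNER).encode()).decode()

SAMPLE_NOTE = f"""-------=== Your network has been infected! ===-------
All your documents, photos, databases and other important files have been
encrypted and have the extension: .BEecADEACA
If you do not contact as in a 3 days we will post information about your
breach on our public news website (avaddongun7rngel.onion) and after 7 days
the whole downloaded info.
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
Your ID:
--------------------------------------------------------------------------------
{SAMPLE_ID}
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
"""

EXT_RE = re.compile(r"extension:\s*(\.[A-Za-z0-9]+)")
# v2 (16 char) and v3 (56 char) onion names both use the base32 alphabet.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
ID_RE = re.compile(r"Your ID:\s*-{10,}\s*([A-Za-z0-9+/=]+)\s*-{10,}")


def parse_note(text):
    """Pull the appended extension, onion hosts and raw victim ID out of a note."""
    ext = EXT_RE.search(text)
    vid = ID_RE.search(text)
    return {
        "extension": ext.group(1) if ext else None,
        "onions": sorted(set(ONION_RE.findall(text))),
        "victim_id": vid.group(1) if vid else None,
    }


def decode_victim_id(victim_id):
    """Base64-decode the ID; if it is 'digits-' + base64, decode that layer too.

    Returns the numeric prefix and the inner blob length, or None for both when
    the ID does not have that shape. Nothing is guessed about the blob's meaning.
    """
    try:
        raw = base64.b64decode(victim_id, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return {"prefix": None, "inner_len": None}
    m = re.fullmatch(rb"(\d+)-([A-Za-z0-9+/]+={0,2})", raw)
    if not m:
        return {"prefix": None, "inner_len": None}
    inner = base64.b64decode(m.group(2), validate=True)
    return {"prefix": m.group(1).decode(), "inner_len": len(inner)}


def iocs_from_note(text):
    """One-call summary suitable for a blocklist entry or an incident ticket."""
    info = parse_note(text)
    info.update(decode_victim_id(info["victim_id"] or ""))
    return info


if __name__ == "__main__":
    print(iocs_from_note(SAMPLE_NOTE))
```

Run it against a real note by reading the file with `errors="replace"` (the drops are plain text, but a partially overwritten file can contain stray bytes) and passing the contents to `iocs_from_note`. The extension string is the one to add to file-rename monitoring; the onion hosts belong in DNS and proxy blocklists even though Tor traffic should not resolve them through the corporate resolver.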

Signatures

  • Avaddon

    Ransomware-as-a-service first observed in June 2020. The operation shut down in June 2021 and published its decryption keys, from which a free decryptor was built; the binary still runs and still deletes shadow copies when executed, as the process tree below shows.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (207) files with added filename extension

    Consistent with ransomware encrypting files in place and appending an extension (the ransom note names it as .BEecADEACA).

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies (2 TTPs, 3 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (27 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The vssvc.exe process in the tree below is that service being started to serve the deletion requests; it is a separate top-level process, not a child of the sample.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
    "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2672
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2540
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2756
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2536
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
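Every child of the sample in the tree above is one of two shadow-copy deletion commands, each run three times. A detection engineer would match these on the command line rather than on the image path: the binaries are legitimate Windows tools and the sample's own path changes per submission. The following is an added example, not part of this report and not a published rule: a small rule set run over constructed Sysmon-style process-creation events that mirror the tree, plus two invented events (a benign `vssadmin list shadows`, which must not fire, and a `wbadmin delete catalog`, which should). It goes beyond this sample by also covering the wbadmin and bcdedit variants; all of them map to ATT&CK T1490, Inhibit System Recovery. It needs command-line logging, i.e. Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; a bare 4688 gives you only the image name. The field names, the sample's parent PID 1234 and the PIDs 900, 3100 and 3101 are assumptions.

```python
import re
from collections import Counter

# Constructed Sysmon-style process-creation events. PIDs 2348..2536, images and
# command lines mirror the tree in this report; the sample's parent PID and the
# last two events are made up.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
EVENTS = [
    {"pid": 2348, "ppid": 1234, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2368, "ppid": 2348, "image": WMIC, "cmd": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"pid": 2672, "ppid": 2348, "image": VSSADMIN, "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"pid": 2856, "ppid": 2348, "image": WMIC, "cmd": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"pid": 2540, "ppid": 2348, "image": VSSADMIN, "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"pid": 2756, "ppid": 2348, "image": WMIC, "cmd": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"pid": 2536, "ppid": 2348, "image": VSSADMIN, "cmd": "vssadmin Delete Shadows /All /Quiet"},
    # Constructed: an administrator listing snapshots (must not fire) ...
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
    # ... and a variant this sample does not use (should fire).
    {"pid": 3101, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "wbadmin delete catalog -quiet"'},
]

# Command-line patterns for ATT&CK T1490. Case-insensitive because the sample
# itself mixes case ("SHADOWCOPY DELETE", "Delete Shadows").
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def detect(events):
    """Return one hit per event whose command line matches a T1490 rule."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": name, "technique": "T1490"})
                break  # one hit per event is enough for triage
    return hits


def parents_by_hits(hits, threshold=2):
    """Parent PIDs that spawned at least `threshold` recovery-inhibiting children.

    A single deletion can be an admin cleaning up; six in a row from one
    non-system parent, as on this page, is the pattern worth paging on.
    """
    counts = Counter(h["ppid"] for h in hits)
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(h)
    print("repeat offenders:", parents_by_hits(found))
```

Treat this as one layer only: a process can delete snapshots through the WMI or VSS COM interfaces without spawning either binary, which is what the "Uses Volume Shadow Copy service COM API" signature above is about, so pair the command-line rule with the VSS service's own event log entries and with file-rename volume monitoring for the appended extension.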

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\Desktop\a5HYE_readme_.txt

      Filesize

      3KB

      MD5

      d4eeb2448b4e04490c28029d497f53d1

      SHA1

      b792fadeb9db456b0e82529d542e4718654fe540

      SHA256

      159a8efbeec629078a2896da1ef373280e735c35bb6f527b96794537db5de532

      SHA512

      5798637b393c7534d32cdb375e11ead67209c82dca5b3e4b735645f70c1092a3aeda0b2fa359c50982d3bfba61bed6e27ecafbec64c4e46048fd634d8be02575

    • C:\Users\Admin\Downloads\a5HYE_readme_.txt

      Filesize

      3KB

      MD5

      03d18faa74918401fd48b8aad457b089

      SHA1

      5bdd3601d36020ac953e88d249ed10ad8569ea25

      SHA256

      5e6c1a7c2f703745a3ad7555c5ba458d01d5c71692df0d1b8b792ad0e6e71760

      SHA512

      127d9e930184090d5102ef287c2a6d8315ed0a4b96e5bb6e6679060a5e1bb8439cecfdd73916edc8765e9bc649ab0ec53b983cbe518351df1f4ff3854d77b7d4

    • C:\Users\Admin\Music\a5HYE_readme_.txt

      Filesize

      3KB

      MD5

      cf65cf04567bd6e2accbdfa726e2ed6f

      SHA1

      2936d74c4950eea026e6047eac86e7ffcc2571ca

      SHA256

      1cbb70162f0f3e6ea0618dea8de27887c4d97b2c5380dc023f686f14b2801193

      SHA512

      0a05d05ab432095cc000e64fea2b974ec2753462af21bdcfa422da7815119efef8081221f02790483b685c24c104b915cccfda22f304b3b42f23436fadc2596d

    • C:\a5HYE_readme_.txt

      Filesize

      3KB

      MD5

      f7b5d787f4c09124718b0d73a6c50a43

      SHA1

      c25f5807edc10769f092539c8010b4276f0941d5

      SHA256

      1504575d196ed371875e67d28a0979477eca422517c44b1e503762634ca3821b

      SHA512

      e2770a85253497e37ea9ac1370d10589b50bc265e5de37e58fd8e0ca90752fee458aaeb1688d3d2f78faecd2ab3ec6af2c862a4c69542aa512bbf7af198e56a4