avaddon | b6f83cc09345f058e475a34658a3a37a9ed5ee9227082c5726ad44570b83aa0f

General

Target

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Size

775KB
MD5

2d2a5a22bc983829cfb4627a271fbd4e
SHA1

c0fc01350ae774f3817d71710d9a6e9adaba441f
SHA256

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
SHA512

8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
SSDEEP

24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * T1f3rVQdje8PxchPwFoD1cQyxey

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * q9HPCiDRZHqyJYLR7miKinZVKoCtpzO

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * Cl

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\MSN Websites\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 3tzdL

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\42k7W_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .cbBDadeEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjAwNC1qamdJM29mVkNIQkNvNWR3VUdnZk1WQ0NONnhCdTRheXF6YW8wY3c4KzgwNk53ZjEzVnVZb1JDM1JINzJUUHpyZE1ueWlCQjlyWktabWQxQUxIQTVNcmNtNXE2MlJNTHM5VGJtc0lQSUZUSzJONUV3TXIxalhDNEI1N2F6bUlkOEZyYTgzQTc5M0hxZXdiODhXN1dXT294VWZKM0FzTnF0Sk4zYi9FQXpCWlV4bFVMWkk0UjdyN0xlNXk5STJhV0JRaFNiNy9CcVJvbkNGVzMxK2d3OTBjUzcxMWRZbk5nalNvNjgzWWYvZDR5QzlWdGdrSDlxWFkzbHdEeEU2VkZNajQ4WWZTZTNnTm1RWWpGK1dBc3cwY3BqWmt1Zk1LQk1CbDdWZnhFblhndzdlR0RWU2tNZHRVQzJQTzZ3WU9KV2NjWm9IQW1SSkNTN3dlR3BWTENTRXNWTnhYTkZNdGxsZEZwK2RiRGxHTWd3OHIyMzdycmo0MzlwMERSNDJDTG5pdjFuSDlkRkR6QUZWc011OVY5aVpqeTdaM05QOGxnVFFRQ0R2ZTJjWDQvR1ZaNGpsWjZSOHRUcnVPaXRQSnR4VTBvTndwZHhucDlmZDVHOGhzbEkxNDZXa3A2aWtBNnYxR3Q3ck1LNTl3emFLeElERkFneDl0VjUvY0xxUlFFNXVqcERqR1pUUnlwYldWenNUT3g3M0xYWHkvWHpnWks3ZGk0Ti8zdENZZUkzaUNraWtlcUY3Y3MrbWhyUGRNZDRRQXgzNW82TUlzWHpzRG42MHhVWS9heU1JWlF2elBrbzFsRDFPZVRhUXJjdUJBM0V4ZGh1UXRiRW56OHRrZjJFSFBKS0kvRysyWGhpSkcwb2JoOEF2N2lQRmNrZ2hsNUlRaGt5andsWUR1OVplZCtBSkpDK0FKV2oxTWdkamtvN0d6ZXVPdVFUaVQzL3ZIQ0VORUJKVEFvMWJPYVFEb0VBNFYzS2RqUzNaTko2U0dYMVFQbjg3VHZ6aFRVWVRwKzh4WTBuWmRMSlVwUFd3eWpyK3p6VWJiMXB2QkJ0VFlndWJ5WkN4UWVLeUs4eVVnM0pORkZ3a0lYOHBFOW53RU8vRm9lVHh2OTF2VFBLUzFHUU9sNHFERjBYWk8yb1ZmdlIvRlFBc0xmdDQ3ekFUcE1TUHFmZXdON21Ibmh5ajl3bzJialpZT3EyUkF5eEwyYkM0TWdJUVgwMlF3U2srTDIwL2k3ek5FNVAwbFhWV1Vta0J3QVN2Wmo1ZWxKS2h1cmduaXhLSXk3UnlpQy9sUk0xbDZENFE5aGxhS1YrR256azRpVmd5cFA2aHBrdC84VGU4SG1EWjMxWEZLWUhjdno4S25OU0g4NTY2aldyMTh5a3owWmxSWk42ZW1jZWdzQ3dzSVNzaFRsSXRZclZTOTJGK0w2bzRZYVR1ZzBUbHdTU0pHOFpKQW5EMUUwZXBUdGpBY1RxTjF1R0xXOGtBbnF4bDRFcG5Tandqdlg0UVptSTZHUWxxclUvb1piakRQTklSYXY1MXlWaSthR1NLS2VkMlhpNWZJcC9HQ3lCOGYzbXFYY25udkZlWm9YOEUrYXl2b2dYMDk1UGd0WGpycXRTR05ySG13NDE0TkpZL2Qrd3hEbmpMVUFodDlmdU5wUnBzWTJJL1dmQ1hOaHd5RVo1WEY0SitNMEFYNUR4K3BrNkljeS9tNWdOQmpkREJlcDZzbzJWN0pLVExidWNCTmxUeDRzWWlwRFZ1MkcwMFRkTW01SFFPdmlNV1ZGZTdaOU10ODJURHFMZzA4TzhUakhlejRxUy9Qb0ZBRHBpYzdleUd3aDZSZmxFL1ZRY3ZxR2Zicy93bVFtYXVQSGdnaDdwbzdvNWhJTE9aZmlXMGlPZllrVDR1TmxXYU1VWGYySStRdTRoNytZbWVIK2k4WkQ5MTZzb3I1T3hiS0VPSXJuSjJNNmp3UnNObGF3eHZsVzZRc2p5RkVlQkFZbC9RZXYvMUpiWUtLckh5K0NTVkdHYmNaVTZnRGdrd3pmaE1jcUxVbUlrc3FKaGYzTU5RQk9XakVDbFM4YjhQYm03L1NzckcyUXhPM3NFdmlUQlViNE1JM0RZdGk0bm9Ga3BTd28yU3FrVFZ2WjF3Yjh5ckFoeE9YdEkvZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * PVbzgJZs

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wmic.exewmic.exewmic.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1956	wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1956	wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1956	wmic.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (208) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

pid process

2412 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

pid	process
2412	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	process
File opened (read-only)	\??\H:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Z:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\A:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\E:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\G:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\N:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\R:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\B:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\J:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\K:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\S:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\T:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\U:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\W:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Y:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\I:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\L:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\M:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\V:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\X:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\F:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\O:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\P:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
File opened (read-only)	\??\Q:	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1332 vssadmin.exe
2648 vssadmin.exe
1816 vssadmin.exe

pid	process
1332	vssadmin.exe
2648	vssadmin.exe
1816	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

pid	process
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1236	wmic.exe
Token: SeSecurityPrivilege	1236	wmic.exe
Token: SeTakeOwnershipPrivilege	1236	wmic.exe
Token: SeLoadDriverPrivilege	1236	wmic.exe
Token: SeSystemProfilePrivilege	1236	wmic.exe
Token: SeSystemtimePrivilege	1236	wmic.exe
Token: SeProfSingleProcessPrivilege	1236	wmic.exe
Token: SeIncBasePriorityPrivilege	1236	wmic.exe
Token: SeCreatePagefilePrivilege	1236	wmic.exe
Token: SeBackupPrivilege	1236	wmic.exe
Token: SeRestorePrivilege	1236	wmic.exe
Token: SeShutdownPrivilege	1236	wmic.exe
Token: SeDebugPrivilege	1236	wmic.exe
Token: SeSystemEnvironmentPrivilege	1236	wmic.exe
Token: SeRemoteShutdownPrivilege	1236	wmic.exe
Token: SeUndockPrivilege	1236	wmic.exe
Token: SeManageVolumePrivilege	1236	wmic.exe
Token: 33	1236	wmic.exe
Token: 34	1236	wmic.exe
Token: 35	1236	wmic.exe
Token: SeIncreaseQuotaPrivilege	2028	wmic.exe
Token: SeSecurityPrivilege	2028	wmic.exe
Token: SeTakeOwnershipPrivilege	2028	wmic.exe
Token: SeLoadDriverPrivilege	2028	wmic.exe
Token: SeSystemProfilePrivilege	2028	wmic.exe
Token: SeSystemtimePrivilege	2028	wmic.exe
Token: SeProfSingleProcessPrivilege	2028	wmic.exe
Token: SeIncBasePriorityPrivilege	2028	wmic.exe
Token: SeCreatePagefilePrivilege	2028	wmic.exe
Token: SeBackupPrivilege	2028	wmic.exe
Token: SeRestorePrivilege	2028	wmic.exe
Token: SeShutdownPrivilege	2028	wmic.exe
Token: SeDebugPrivilege	2028	wmic.exe
Token: SeSystemEnvironmentPrivilege	2028	wmic.exe
Token: SeRemoteShutdownPrivilege	2028	wmic.exe
Token: SeUndockPrivilege	2028	wmic.exe
Token: SeManageVolumePrivilege	2028	wmic.exe
Token: 33	2028	wmic.exe
Token: 34	2028	wmic.exe
Token: 35	2028	wmic.exe
Token: SeIncreaseQuotaPrivilege	1264	wmic.exe
Token: SeSecurityPrivilege	1264	wmic.exe
Token: SeTakeOwnershipPrivilege	1264	wmic.exe
Token: SeLoadDriverPrivilege	1264	wmic.exe
Token: SeSystemProfilePrivilege	1264	wmic.exe
Token: SeSystemtimePrivilege	1264	wmic.exe
Token: SeProfSingleProcessPrivilege	1264	wmic.exe
Token: SeIncBasePriorityPrivilege	1264	wmic.exe
Token: SeCreatePagefilePrivilege	1264	wmic.exe
Token: SeBackupPrivilege	1264	wmic.exe
Token: SeRestorePrivilege	1264	wmic.exe
Token: SeShutdownPrivilege	1264	wmic.exe
Token: SeDebugPrivilege	1264	wmic.exe
Token: SeSystemEnvironmentPrivilege	1264	wmic.exe
Token: SeRemoteShutdownPrivilege	1264	wmic.exe
Token: SeUndockPrivilege	1264	wmic.exe
Token: SeManageVolumePrivilege	1264	wmic.exe
Token: 33	1264	wmic.exe
Token: 34	1264	wmic.exe
Token: 35	1264	wmic.exe
Token: SeIncreaseQuotaPrivilege	1436	wmic.exe
Token: SeSecurityPrivilege	1436	wmic.exe
Token: SeTakeOwnershipPrivilege	1436	wmic.exe
Token: SeLoadDriverPrivilege	1436	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exetaskeng.exe

description	pid	process	target process
PID 2044 wrote to memory of 1436	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 1436	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 1436	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 1436	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 1332	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1332	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1332	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1332	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 2600	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2600	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2600	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2600	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2648	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 2648	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 2648	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 2648	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 2852	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2852	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2852	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 2852	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	wmic.exe
PID 2044 wrote to memory of 1816	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1816	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1816	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2044 wrote to memory of 1816	2044	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe	vssadmin.exe
PID 2124 wrote to memory of 2412	2124	taskeng.exe	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
PID 2124 wrote to memory of 2412	2124	taskeng.exe	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
PID 2124 wrote to memory of 2412	2124	taskeng.exe	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
PID 2124 wrote to memory of 2412	2124	taskeng.exe	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
"C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1332
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2600
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2648
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2852
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1816

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1880

C:\Windows\system32\taskeng.exe
taskeng.exe {AE51339F-7BC6-418F-95DF-D3AAD4D9018E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
  2⤵
  - Executes dropped EXE
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe

Filesize
775KB

MD5
2d2a5a22bc983829cfb4627a271fbd4e

SHA1
c0fc01350ae774f3817d71710d9a6e9adaba441f

SHA256
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b

SHA512
8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d

Download Submit
C:\Users\Admin\Desktop\42k7W_readme_.txt

Filesize
3KB

MD5
b8e11ad4be2d2bfcbd4fcc55a65200a5

SHA1
da0d4a82e6fc5461ecb52c9863b415165b1a70b8

SHA256
4054e5be623ee8ca57b776a1ac2584f3603fec7ea998a1415f6093566e574075

SHA512
3e736042cee1f1361dbf475934e6a203b135161cf821b74026438eae7688954dae5e6d958074a395e596f977c7927c056dea0ccda8d3b6dffecd95e0e1d82a6f

Download Submit
C:\Users\Admin\Desktop\42k7W_readme_.txt

Filesize
3KB

MD5
246d434ff204cfdde5103e7e569f062e

SHA1
524b4f87a6f94c9a9f9b118c6b34d113aec0e096

SHA256
9ad8fa32b42a98747e022934c2a1f9d9bc895892e64b6a3849851e5e6d67405a

SHA512
128a75ed5e9f22c332c0054c9b466b606b769c6649dc8326defa7d74653e31358bec1121f73f201316fd368453e6228ec9e29715b6ce2d80a70e412830253eef

Download Submit
C:\Users\Admin\Downloads\42k7W_readme_.txt

Filesize
3KB

MD5
123eac0f0a79c03ef3c3ee26b7b71122

SHA1
a0b0679c518f8f850a214f3796b8622241d462cd

SHA256
6739dc1c507230810bfb643da10d7937c01e95cf05759945a751f3705137ea28

SHA512
682530f0a0c04ee648138f36aa07dac07d09794e79d030fc221971faedb4d64bff231c76b7eed96c675c429b05e68b625dc99cee679cf9625706866afb6798e6

Download Submit
C:\Users\Admin\Favorites\MSN Websites\42k7W_readme_.txt

Filesize
3KB

MD5
cfef06fda7f91dc8c743f9a0bd6d3053

SHA1
7c606dae19adf4890d010c48af13868fc5e05c0c

SHA256
5d1ebdcbba3b7d2f305b9eccbc166b43bca7973aa52a62338745955e18e70669

SHA512
c4943b53b2af025dc919ea11919473367c572d7fa7c653418ff26510c77fb869eb48f25a6e9f2bfb9cfda841831fdb6449857c4f852901d17a4a163d4a0491fb

Download Submit
C:\Users\Public\Pictures\Sample Pictures\42k7W_readme_.txt

Filesize
3KB

MD5
66c3828e1de22aa8682fbcfb074131f6

SHA1
815ffb70d77d1db03d5657f7c7f143280461848b

SHA256
b0a4f6b2ec444588144023dee039b5c6e62954de105c117fa8dcbced9eafb167

SHA512
80d9965dddcd6e3064c4440a70a55fffc2728f311643bd127e69f3756e610719ec1fc168d8d2aae231c99a40e95d3e3c2db688c377371f1774b247930ce30409

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads