General
-
Target
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.7z
-
Size
238KB
-
Sample
240724-vqqbna1and
-
MD5
b207eb6d8587ac013b9dea64d8486988
-
SHA1
23c0d172dfa2b1d776d155426bdc27717a451441
-
SHA256
98736243426e6edb1b4aff08edce38d22069e387c26f1a25e43ac8270fd2964c
-
SHA512
545f281dd1cd9db4142a7a1b7938b10e10ccd952161d4c22bdac53c04f15c996c9d558cf4c3dae33bd784232d84781a1626be6d9068328c2e7cfb8a5751961cd
-
SSDEEP
6144:VkCGp74Gb5AFh+B6ZbNIYWoaOQDbZ/28nP9K/lJKWWvT5z8CsIl2:ynkGdAiBsbN30nd2qKdJSLbg
Behavioral task
behavioral1
Sample
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Resource
win10-20240404-en
Malware Config
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\sURPGzk_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\sURPGzk_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
-
Size
775KB
-
MD5
0b486fe0503524cfe4726a4022fa6a68
-
SHA1
297dea71d489768ce45d23b0f8a45424b469ab00
-
SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
-
SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
-
SSDEEP
24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2