Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
-
Size
1.0MB
-
MD5
c9ec0d9ff44f445ce5614cc87398b38d
-
SHA1
591ffe54bac2c50af61737a28749ff8435168182
-
SHA256
05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
-
SHA512
c340baeb66fc46830b6b77b2583033ade6e10b3de04d82ece7e241107afe741442585bf2ea9d6496af93143c37e9676d4f1e1d301d55632b88b12daadadd43f0
-
SSDEEP
24576:Cs6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccf:Cs6JY5KLOCyWcDUfRAA3mFbbbbpc4
Malware Config
Extracted
C:\Users\Admin\Desktop\824656-readme.html
avaddon
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Avaddon_09_06_2020_1054KB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Avaddon_09_06_2020_1054KB.exe -
Renames multiple (169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" Avaddon_09_06_2020_1054KB.exe Set value (str) \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" Avaddon_09_06_2020_1054KB.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Avaddon_09_06_2020_1054KB.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini Avaddon_09_06_2020_1054KB.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\Z: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\B: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\J: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\L: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\M: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\P: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\V: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\F: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\A: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\K: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\Q: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\T: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\U: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\Y: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\H: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\I: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\N: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\O: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\X: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\E: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\G: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\R: Avaddon_09_06_2020_1054KB.exe File opened (read-only) \??\S: Avaddon_09_06_2020_1054KB.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 api.myip.com 20 api.myip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Avaddon_09_06_2020_1054KB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe 2496 Avaddon_09_06_2020_1054KB.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1108 wmic.exe Token: SeSecurityPrivilege 1108 wmic.exe Token: SeTakeOwnershipPrivilege 1108 wmic.exe Token: SeLoadDriverPrivilege 1108 wmic.exe Token: SeSystemProfilePrivilege 1108 wmic.exe Token: SeSystemtimePrivilege 1108 wmic.exe Token: SeProfSingleProcessPrivilege 1108 wmic.exe Token: SeIncBasePriorityPrivilege 1108 wmic.exe Token: SeCreatePagefilePrivilege 1108 wmic.exe Token: SeBackupPrivilege 1108 wmic.exe Token: SeRestorePrivilege 1108 wmic.exe Token: SeShutdownPrivilege 1108 wmic.exe Token: SeDebugPrivilege 1108 wmic.exe Token: SeSystemEnvironmentPrivilege 1108 wmic.exe Token: SeRemoteShutdownPrivilege 1108 wmic.exe Token: SeUndockPrivilege 1108 wmic.exe Token: SeManageVolumePrivilege 1108 wmic.exe Token: 33 1108 wmic.exe Token: 34 1108 wmic.exe Token: 35 1108 wmic.exe Token: 36 1108 wmic.exe Token: SeIncreaseQuotaPrivilege 4984 wmic.exe Token: SeSecurityPrivilege 4984 wmic.exe Token: SeTakeOwnershipPrivilege 4984 wmic.exe Token: SeLoadDriverPrivilege 4984 wmic.exe Token: SeSystemProfilePrivilege 4984 wmic.exe Token: SeSystemtimePrivilege 4984 wmic.exe Token: SeProfSingleProcessPrivilege 4984 wmic.exe Token: SeIncBasePriorityPrivilege 4984 wmic.exe Token: SeCreatePagefilePrivilege 4984 wmic.exe Token: SeBackupPrivilege 4984 wmic.exe Token: SeRestorePrivilege 4984 wmic.exe Token: SeShutdownPrivilege 4984 wmic.exe Token: SeDebugPrivilege 4984 wmic.exe Token: SeSystemEnvironmentPrivilege 4984 wmic.exe Token: SeRemoteShutdownPrivilege 4984 wmic.exe Token: SeUndockPrivilege 4984 wmic.exe Token: SeManageVolumePrivilege 4984 wmic.exe Token: 33 4984 wmic.exe Token: 34 4984 wmic.exe Token: 35 4984 wmic.exe Token: 36 4984 wmic.exe Token: SeIncreaseQuotaPrivilege 4516 wmic.exe Token: SeSecurityPrivilege 4516 wmic.exe Token: SeTakeOwnershipPrivilege 4516 wmic.exe Token: SeLoadDriverPrivilege 4516 wmic.exe Token: SeSystemProfilePrivilege 4516 wmic.exe Token: SeSystemtimePrivilege 4516 wmic.exe Token: SeProfSingleProcessPrivilege 4516 wmic.exe Token: SeIncBasePriorityPrivilege 4516 wmic.exe Token: SeCreatePagefilePrivilege 4516 wmic.exe Token: SeBackupPrivilege 4516 wmic.exe Token: SeRestorePrivilege 4516 wmic.exe Token: SeShutdownPrivilege 4516 wmic.exe Token: SeDebugPrivilege 4516 wmic.exe Token: SeSystemEnvironmentPrivilege 4516 wmic.exe Token: SeRemoteShutdownPrivilege 4516 wmic.exe Token: SeUndockPrivilege 4516 wmic.exe Token: SeManageVolumePrivilege 4516 wmic.exe Token: 33 4516 wmic.exe Token: 34 4516 wmic.exe Token: 35 4516 wmic.exe Token: 36 4516 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2496 wrote to memory of 1108 2496 Avaddon_09_06_2020_1054KB.exe 88 PID 2496 wrote to memory of 1108 2496 Avaddon_09_06_2020_1054KB.exe 88 PID 2496 wrote to memory of 1108 2496 Avaddon_09_06_2020_1054KB.exe 88 PID 2496 wrote to memory of 4984 2496 Avaddon_09_06_2020_1054KB.exe 90 PID 2496 wrote to memory of 4984 2496 Avaddon_09_06_2020_1054KB.exe 90 PID 2496 wrote to memory of 4984 2496 Avaddon_09_06_2020_1054KB.exe 90 PID 2496 wrote to memory of 4516 2496 Avaddon_09_06_2020_1054KB.exe 92 PID 2496 wrote to memory of 4516 2496 Avaddon_09_06_2020_1054KB.exe 92 PID 2496 wrote to memory of 4516 2496 Avaddon_09_06_2020_1054KB.exe 92 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Avaddon_09_06_2020_1054KB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Avaddon_09_06_2020_1054KB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Avaddon_09_06_2020_1054KB.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49KB
MD5715d19e9efd5d8de2c5a675267effd80
SHA1fad8c3aa6cfce316a80aff7897f27d544a2ff258
SHA256bc62b2f8428f32999b84129990e1d9536b8d52123e0510792f7bff397f73f068
SHA5122848575fb3ebc73eb42c2e0bbd108bd7e752850bc98fe44a05dad92c72633c35481e37c27e8567ba75f96c4c5e094110f87657318bc13c32e2abf20d704cef07