General
-
Target
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike
-
Size
775KB
-
Sample
240921-zym9gstemb
-
MD5
2ceaaae95cdd7c53b2285289c2c8219c
-
SHA1
dad6ab33bdfc9ee19611e22addce66169b6fc3ab
-
SHA256
8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990
-
SHA512
8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e
-
SSDEEP
24576:+Csw9+OXLpMePfI8TgmBTCDqEbOpPtpFaFxfq:YnOXLpMePfzVTCD7gPtLaHfq
Behavioral task
behavioral1
Sample
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
C:\Users\Admin\jRKyo_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Desktop\jRKyo_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\9wFO9_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Downloads\9wFO9_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike
-
Size
775KB
-
MD5
2ceaaae95cdd7c53b2285289c2c8219c
-
SHA1
dad6ab33bdfc9ee19611e22addce66169b6fc3ab
-
SHA256
8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990
-
SHA512
8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e
-
SSDEEP
24576:+Csw9+OXLpMePfI8TgmBTCDqEbOpPtpFaFxfq:YnOXLpMePfzVTCD7gPtLaHfq
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2