Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240704-en  locale:en-us  os:windows7-x64  system
  • submitted
    21/09/2024, 21:07

General

  • Target

    2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe

  • Size

    775KB

  • MD5

    2ceaaae95cdd7c53b2285289c2c8219c

  • SHA1

    dad6ab33bdfc9ee19611e22addce66169b6fc3ab

  • SHA256

    8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990

  • SHA512

    8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e

  • SSDEEP

    24576:+Csw9+OXLpMePfI8TgmBTCDqEbOpPtpFaFxfq:YnOXLpMePfzVTCD7gPtLaHfq

Malware Config

Extracted

Path

C:\Users\Admin\jRKyo_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEBbdCcCEc

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MTU5Mi15anpzUmRhRGQwQWhJMGg0WEJRSkllcUlJREtydElhaEI3Qlg4SStHemlZc0hVaWFRL1dCbjBSWXFMVDdtM09MTXdkK25oUkRLM0luNmNpRjdrSm1rZ0ZVNnVVSDdCdXpyaW1Gd0YwMTJBeFYvNGdVZ2JSTW1KZmZhT1B6dy9ZMXRjK1kwVGkxMUZYOWFzTk1CczlhSE9tdEhBYzhqZ0JXVHUrSFdKd0t0L2hmRGl1eWgzajI3aGVCcERQalRQWWltbDRndFMrV1oxb1l4SGNIN2tGaTh2UHhSdzhwcU5KRXByWlJDUmZlSHVycWFOcW1DazhQRHlSSS9FWG0xTTA1UWNRSzZMQlI0NHNDeis2NjFJczN3UmtFMEZ6OVhENEF1SjJENVU2dVBrN2hmM3NUY0RXVENVVUZ3eEdBbVJ0Mk54T0RZajJpN1ZTcldHVlN0RlZMNS9aZnJ3eW1LV0VUbEhwbGFEYnc0RTBzWnI4Zncvdk9KVkdaVjQ1VDYyVzFNdkVDS1FIU3dQMjI4YzRmRmxFelNJWC9yNENCRm5PYUZjZXU1SzgvTW1uT3EyM0thcTJxSFY1RGVQQ1pHdEw0b203RzhFc2VpU3JCTklTekVHRWEvRDBYbUhZSUJ6dFhJUEp1THUzTmVldHluTzlGZUhxSFV6MUhoNEJodXVpTUpTOGRQZ3JwODZRdTZJTjZ5N0hBN2FtTFlhRVA0V3lMSVZpVzZTWjFpM25SWG10d0xFMk1MVTl4THE5S2lOYVkydEJ4Y2FOR3BUdDl5TW5UY2lveUk5MFZ2TzVzZ3BZYnRJWUZSZUpUclRVVjBjRkhCTGF0dG1pS21PazdtNnBhbUs4YklsRUZsMXY0U0VycFpzQmpwS2hpUzNzV0tYRFhjSDNiM2paaEZjTDRuQXlGRnE1c1hTQzJab21rTTJ3a2xNK1h4ZmEvaVFGeUxmSmdxNko5M0wvWlFJck8yMWZJQXprbzFoZUpEd01uOGthS0NOam8xQUFabGZlVnRZMlA0YzRkWC9TWUlFb0I3QUFxWU05aG94SlBFMkQweUFoTXN1K01XZWJ5dzlFVkxZTUdhNWVCVmJSdVhqazJFdDN0SjNiWjFINFI0TCtwM2VRT1puUms5SW9lbXlLakVnSk5aWURjOE9DYjl5eGt4S0pEZWhmUk84b0RERzNsak5SaHAybmg3V3BSL1ZLUTJEcHdGbTdLalo3a3g3OEtBU3RhZU1WMUpnYUVlR2xnb3VSVEJPK0YrZEo1cVNpRDFKeHdtOW1qZHBPRVZtRFFvemNpTEtOa1lzdUppbS90MHdLN1Q3NTBVc2l4Smdpb1ZoSEpjeUs0VmhJUTBEU3NpUS9RMjlaa1BvaDlWV3o5dnlUQjl1ekZuUXFYdnZzQndSYXViZ05JNTViMWlhb2JkdXowSW5sY3V6RURBS21JUlpVaGdyUkRSVzBqZEIwSGI1MFk0cG03TWQ4OUxEMHAyYncrMjcxdVc3NjRKbXk1eUJHeVAzMUdrSE0vcUVPUEIvaTArZFFtY3h0Q2U4M2FqWEpydmVBNE5TRjhzZFpXMDNia3MraHA5MDRPSVI1WFpaS082alR2WW5qSDhhaEhITlZERUNEN2pjbkc5Z09XeWdFemxwTmlML3FzZmw5S1hKZVZobEJSUHp0SkVqQ3ZEVWZwNXNRQXJScVk4YVo4WGMrTXlZQnp2OXZkd0VlV3RpVU9yZVIrSHBLUTBqSlovVDRsVktEa0ZJT3phUklnV0t5R3R0ME42Tzd6VFQ3M0ZDcjRSZWZ0S05Uam9xcUcxVFdGUVMwNlZmRlNxdVMrSUlMdm9kUkZLb3h1cFQ4T2h6N1pHN25lL3RhamFZSjBDWmE0NGtYZ0lrbG9YTEVGczlQbFpOT2g0MWl1ZjhxaEwxQ05UUnh5UXhneDM2cERHZVBScDZwblVQR2hEUmRmZlZDVEdqeFg1a3dDQ1NsbG1obkk1OHZlRWtvT2JPUUJJUTA3N3FUcHd2ckJkWW9zRHhHZ2czQ3U5Q0dPK1hHQ0pWNElsN0JUSFUyZ1dSQ0grMkppY2VJOWtpV3NTNXV2V3VCTTlOcm53Tjc0RVpHaWJGR0dYQ3RlNXlDU3JZUmhjV204cW5TSGZuSmFwc0ltYkdqTFNOL3I5dz09
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

a3vp9CWcPQSzTilbQmKuDJ4TIhzRcv
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\jRKyo_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BEBbdCcCEc

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MTU5Mi15anpzUmRhRGQwQWhJMGg0WEJRSkllcUlJREtydElhaEI3Qlg4SStHemlZc0hVaWFRL1dCbjBSWXFMVDdtM09MTXdkK25oUkRLM0luNmNpRjdrSm1rZ0ZVNnVVSDdCdXpyaW1Gd0YwMTJBeFYvNGdVZ2JSTW1KZmZhT1B6dy9ZMXRjK1kwVGkxMUZYOWFzTk1CczlhSE9tdEhBYzhqZ0JXVHUrSFdKd0t0L2hmRGl1eWgzajI3aGVCcERQalRQWWltbDRndFMrV1oxb1l4SGNIN2tGaTh2UHhSdzhwcU5KRXByWlJDUmZlSHVycWFOcW1DazhQRHlSSS9FWG0xTTA1UWNRSzZMQlI0NHNDeis2NjFJczN3UmtFMEZ6OVhENEF1SjJENVU2dVBrN2hmM3NUY0RXVENVVUZ3eEdBbVJ0Mk54T0RZajJpN1ZTcldHVlN0RlZMNS9aZnJ3eW1LV0VUbEhwbGFEYnc0RTBzWnI4Zncvdk9KVkdaVjQ1VDYyVzFNdkVDS1FIU3dQMjI4YzRmRmxFelNJWC9yNENCRm5PYUZjZXU1SzgvTW1uT3EyM0thcTJxSFY1RGVQQ1pHdEw0b203RzhFc2VpU3JCTklTekVHRWEvRDBYbUhZSUJ6dFhJUEp1THUzTmVldHluTzlGZUhxSFV6MUhoNEJodXVpTUpTOGRQZ3JwODZRdTZJTjZ5N0hBN2FtTFlhRVA0V3lMSVZpVzZTWjFpM25SWG10d0xFMk1MVTl4THE5S2lOYVkydEJ4Y2FOR3BUdDl5TW5UY2lveUk5MFZ2TzVzZ3BZYnRJWUZSZUpUclRVVjBjRkhCTGF0dG1pS21PazdtNnBhbUs4YklsRUZsMXY0U0VycFpzQmpwS2hpUzNzV0tYRFhjSDNiM2paaEZjTDRuQXlGRnE1c1hTQzJab21rTTJ3a2xNK1h4ZmEvaVFGeUxmSmdxNko5M0wvWlFJck8yMWZJQXprbzFoZUpEd01uOGthS0NOam8xQUFabGZlVnRZMlA0YzRkWC9TWUlFb0I3QUFxWU05aG94SlBFMkQweUFoTXN1K01XZWJ5dzlFVkxZTUdhNWVCVmJSdVhqazJFdDN0SjNiWjFINFI0TCtwM2VRT1puUms5SW9lbXlLakVnSk5aWURjOE9DYjl5eGt4S0pEZWhmUk84b0RERzNsak5SaHAybmg3V3BSL1ZLUTJEcHdGbTdLalo3a3g3OEtBU3RhZU1WMUpnYUVlR2xnb3VSVEJPK0YrZEo1cVNpRDFKeHdtOW1qZHBPRVZtRFFvemNpTEtOa1lzdUppbS90MHdLN1Q3NTBVc2l4Smdpb1ZoSEpjeUs0VmhJUTBEU3NpUS9RMjlaa1BvaDlWV3o5dnlUQjl1ekZuUXFYdnZzQndSYXViZ05JNTViMWlhb2JkdXowSW5sY3V6RURBS21JUlpVaGdyUkRSVzBqZEIwSGI1MFk0cG03TWQ4OUxEMHAyYncrMjcxdVc3NjRKbXk1eUJHeVAzMUdrSE0vcUVPUEIvaTArZFFtY3h0Q2U4M2FqWEpydmVBNE5TRjhzZFpXMDNia3MraHA5MDRPSVI1WFpaS082alR2WW5qSDhhaEhITlZERUNEN2pjbkc5Z09XeWdFemxwTmlML3FzZmw5S1hKZVZobEJSUHp0SkVqQ3ZEVWZwNXNRQXJScVk4YVo4WGMrTXlZQnp2OXZkd0VlV3RpVU9yZVIrSHBLUTBqSlovVDRsVktEa0ZJT3phUklnV0t5R3R0ME42Tzd6VFQ3M0ZDcjRSZWZ0S05Uam9xcUcxVFdGUVMwNlZmRlNxdVMrSUlMdm9kUkZLb3h1cFQ4T2h6N1pHN25lL3RhamFZSjBDWmE0NGtYZ0lrbG9YTEVGczlQbFpOT2g0MWl1ZjhxaEwxQ05UUnh5UXhneDM2cERHZVBScDZwblVQR2hEUmRmZlZDVEdqeFg1a3dDQ1NsbG1obkk1OHZlRWtvT2JPUUJJUTA3N3FUcHd2ckJkWW9zRHhHZ2czQ3U5Q0dPK1hHQ0pWNElsN0JUSFUyZ1dSQ0grMkppY2VJOWtpV3NTNXV2V3VCTTlOcm53Tjc0RVpHaWJGR0dYQ3RlNXlDU3JZUmhjV204cW5TSGZuSmFwc0ltYkdqTFNOL3I5dz09
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

w
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion
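The two extracted configs above are the sandbox's parse of the dropped note. As an added example (not tria.ge output and not part of this report), the parser below pulls the same indicators out of the note text: the appended extension, the .onion hosts, the note filename from its path, and the "Your ID" value. The embedded sample is a constructed reflow of the note recovered here, with the ID cut to its first 72 characters. The ID decodes to ASCII of the form "<digits>-<second base64 blob>"; that layout is an observation on this value, and the report does not say what the fields mean, so only the numeric prefix is split out.

```python
import base64
import re

# Constructed sample: the note recovered in this report, reflowed into lines, with the
# "Your ID" value cut to its first 72 characters (the full value is in the report).
SAMPLE_NOTE = """-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .BEBbdCcCEc
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
MTU5Mi15anpzUmRhRGQwQWhJMGg0WEJRSkllcUlJREtydElhaEI3Qlg4SStHemlZc0hVaWFR
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
"""

EXTENSION_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")
# v2 (16 chars) or v3 (56 chars) onion hostnames, base32 alphabet.
ONION_RE = re.compile(r"\b([a-z2-7]{16}(?:[a-z2-7]{40})?\.onion)\b")
# "Your ID:" followed by a dashed rule, the base64 value, and a closing dashed rule.
ID_RE = re.compile(r"Your ID:\s*-+\s*([A-Za-z0-9+/=]+)\s*-+")


def decode_victim_id(raw_id):
    """Base64-decode the ID, tolerating stripped padding, and return it as text."""
    padded = raw_id + "=" * (-len(raw_id) % 4)
    return base64.b64decode(padded).decode("ascii", "replace")


def parse_avaddon_note(text, path=None):
    """Return the indicators an analyst would lift from one Avaddon note."""
    ext = EXTENSION_RE.search(text)
    vid = ID_RE.search(text)
    raw_id = vid.group(1) if vid else None
    decoded = decode_victim_id(raw_id) if raw_id else None
    return {
        "family": "avaddon",
        "extension": ext.group(1) if ext else None,
        "onion_hosts": sorted(set(ONION_RE.findall(text))),
        "note_filename": path.rsplit("\\", 1)[-1] if path else None,
        "victim_id": raw_id,
        "decoded_id": decoded,
        # Observed layout "<digits>-<base64 blob>"; meaning of the fields is not on the page.
        "id_prefix": decoded.split("-", 1)[0] if decoded and "-" in decoded else None,
    }


def to_indicators(parsed):
    """Flatten the parse into (type, value) pairs for an IoC feed."""
    out = []
    if parsed["extension"]:
        out.append(("file_extension", parsed["extension"]))
    if parsed["note_filename"]:
        out.append(("ransom_note_filename", parsed["note_filename"]))
    out.extend(("onion", host) for host in parsed["onion_hosts"])
    return out


if __name__ == "__main__":
    result = parse_avaddon_note(SAMPLE_NOTE, r"C:\Users\Admin\Desktop\jRKyo_readme_.txt")
    for key, value in result.items():
        print(f"{key:14} {value}")
    for kind, value in to_indicators(result):
        print(f"IOC {kind}: {value}")
```

Run it against the full note from the report to get the complete ID; the decoded prefix (1592-) is the only part of that value this example interprets.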

Signatures

  • Avaddon

    Ransomware-as-a-service first seen in June 2020. The operation announced its shutdown and released its decryption keys in June 2021, so a 2024 submission is a re-analysis of an old build rather than a live campaign, and the .onion addresses in the note should be treated as historical.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (173) files with added filename extension

    This is the encryption stage: files are rewritten with the extension named in the note above (.BEBbdCcCEc) appended.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2756
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1340
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2968
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2336
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1992
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2040
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1284
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2572
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2032
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {183436A0-58D1-4EFC-941C-795174D2677A} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1724
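As an added example (not tria.ge output and not part of this report), the detection logic a SOC would run over process-creation telemetry to catch what the tree above shows. The events are constructed in Sysmon Event ID 1 style from the report's own PIDs, images and command lines; the parent of PID 2756, the parent of taskeng.exe and the benign `vssadmin list shadows` event are assumptions added for contrast and are not on the page. Mapping shadow-copy deletion to ATT&CK T1490 is standard; reading the taskeng.exe launch of the %APPDATA%\Microsoft\Windows copy as scheduled-task persistence (T1053.005) is this example's interpretation, since the report shows the Task Scheduler engine starting the copy but does not name the task.

```python
import re
from collections import Counter

# Constructed process-creation events: (pid, ppid, image, command line, parent image).
# PIDs, images and command lines come from the report's process tree; the parent of
# PID 2756, the parent of taskeng.exe and the last event are assumptions for contrast.
SAMPLE = "2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows" + "\\" + SAMPLE
WMIC32 = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
VSSADMIN32 = r"C:\Windows\SysWOW64\vssadmin.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

EVENTS = [
    (2756, 1532, DROPPED, f'"{DROPPED}"', r"C:\Windows\explorer.exe"),  # parent assumed
    (1340, 2756, WMIC32, "wmic SHADOWCOPY DELETE /nointeractive", DROPPED),
    (2968, 2756, VSSADMIN32, "vssadmin Delete Shadows /All /Quiet", DROPPED),
    (2336, 2756, WMIC32, "wmic SHADOWCOPY DELETE /nointeractive", DROPPED),
    (1992, 2756, VSSADMIN32, "vssadmin Delete Shadows /All /Quiet", DROPPED),
    (2040, 2756, WMIC32, "wmic SHADOWCOPY DELETE /nointeractive", DROPPED),
    (1284, 2756, VSSADMIN32, "vssadmin Delete Shadows /All /Quiet", DROPPED),
    (2680, 600, TASKENG,  # parent assumed to be the Schedule service host
     r"taskeng.exe {183436A0-58D1-4EFC-941C-795174D2677A} "
     r"S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]",
     r"C:\Windows\system32\svchost.exe"),
    (1724, 2680, COPY, COPY, TASKENG),
    # Benign contrast (constructed): an administrator listing, not deleting, shadows.
    (4100, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
     r"C:\Windows\System32\cmd.exe"),
]

# Both command forms seen in the tree: "vssadmin Delete Shadows" and "wmic SHADOWCOPY DELETE".
SHADOW_DELETE = re.compile(r"\b(delete\s+shadows|shadowcopy\s+delete)\b", re.I)
# Paths a standard user can write to; a parent living here raises the severity.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event."""
    alerts = []
    for pid, ppid, image, cmdline, parent in events:
        exe, pexe = basename(image), basename(parent)
        if exe in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(cmdline):
            alerts.append({
                "rule": "shadow_copy_deletion", "attack": "T1490",
                "severity": "high" if USER_WRITABLE.match(parent) else "medium",
                "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline,
            })
        if pexe == "taskeng.exe" and USER_WRITABLE.match(image):
            alerts.append({
                "rule": "scheduled_task_runs_user_path_exe", "attack": "T1053.005",
                "severity": "high", "pid": pid, "ppid": ppid, "image": image,
                "cmdline": cmdline,
            })
    return alerts


def summarize(alerts):
    """Alert count per rule."""
    return dict(Counter(a["rule"] for a in alerts))


def repeated_deletion_parents(alerts, threshold=2):
    """Parents that launched `threshold` or more shadow-copy deletions (the tree shows six)."""
    counts = Counter(a["ppid"] for a in alerts if a["rule"] == "shadow_copy_deletion")
    return {ppid: n for ppid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'{a["severity"]:6} {a["rule"]:34} {a["attack"]:9} pid={a["pid"]} {a["cmdline"]}')
    print(summarize(found), repeated_deletion_parents(found))
```

The parent-path check is what separates this from a noisy "vssadmin ran" rule: a backup agent under Program Files deleting shadows is routine, the same command from a binary in a user's Temp directory is not. Note that the "cobalt-strike" in the sample's filename is the submitter's label; no signature on this page attributes Cobalt Strike behaviour to it.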

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2024-09-21_2ceaaae95cdd7c53b2285289c2c8219c_avaddon_cobalt-strike.exe

      Filesize

      775KB

      MD5

      2ceaaae95cdd7c53b2285289c2c8219c

      SHA1

      dad6ab33bdfc9ee19611e22addce66169b6fc3ab

      SHA256

      8b921d2333babce2c668096229f4fb6942bad3c7a1436b9d209ee05432ede990

      SHA512

      8613363d3a5e28d7db3ca535fca9281acbc952629f6bf6b665ff8e2fc48ba0c583019654a6987cee2f62022ff9311ac3a33f07c63b534f3fc54f0462a5d01b7e

    • C:\Users\Admin\Desktop\jRKyo_readme_.txt

      Filesize

      3KB

      MD5

      521c3580d16c8da52d610c37d3ed239b

      SHA1

      72cc5ced79174b1cf24a78b855dfe810331ee3d2

      SHA256

      0360f19265533b7b38b0b20a07904919900b8a168d2889c3dc5f2a70a5025c3f

      SHA512

      f6bfd7987cb5fb7757aaeffe97454b014002a491978bfba27bd0e2dc1cbcb00fe64738c5f9451430ca1c0b78d4eac4ea1be12953daca9766df1957d195bb083c

    • C:\Users\Admin\jRKyo_readme_.txt

      Filesize

      3KB

      MD5

      01a108c1f0ecb7f097b478b7a4f266bd

      SHA1

      7cad9c3aedfac22cc7b5ee3c3295354debc68f57

      SHA256

      8b3f5d418cae85db320a69dd2ed21553ebbe51853b4bdb7ac516a2a2f42dc862

      SHA512

      74af7acda0504cfa0b5d2086db01a720ced66c75ac0d7ecf33bf974366647d575a1351ba57b5fd322c96c06a4e5f17a8226b2b91032a8a63faae4a51058c982a