Analysis

  • max time kernel
    95s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2024, 13:07

General

  • Target

    2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

  • Size

    758KB

  • MD5

    37576c3c5af9c1bad5ff73229a77d1f6

  • SHA1

    965256f9a4920e6ecd224a14cdae296f4f34f88b

  • SHA256

    2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312

  • SHA512

    c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9

  • SSDEEP

    12288:s1vm9KObJ8AUczIEHySmv+QaxwQPATjcM+OEAW7Z5S3gRmhLI4c7uQ+oqUfTMZ0p:NdJTcUW+QaxwQPATjcM+FAK/dRmh0h9v

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Pt7UH_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aeaBebACBB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ |
| 2. Install Tor browser |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
| 4. Follow the instructions on this page |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID removed]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

lVircTRrSWRBVlxuSHHIERq446Qp
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\Pt7UH_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .aeaBebACBB
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ |
| 2. Install Tor browser |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
| 4. Follow the instructions on this page |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID removed]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

7dKhxfDfo89ksh5S7oCPPcTbRH906hA
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon family
  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (183) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
    "C:\Users\Admin\AppData\Local\Temp\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4108
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4912
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3984
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3948
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2620
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:3020
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:4816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1876
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2976

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312.exe

    Filesize

    758KB

    MD5

    37576c3c5af9c1bad5ff73229a77d1f6

    SHA1

    965256f9a4920e6ecd224a14cdae296f4f34f88b

    SHA256

    2a2a770ed80f8101bcff73b791ccd14391d2df3a4e152cbcacbd7df24878e312

    SHA512

    c0ded35602d2bbed73c62f33951a9a317393e02f600d4e6c3c92f5a427ae0fc97175c5e14f0aabeb47d7cf3fca1f8b6cf92b9f61d29869a07db68d81885011b9

  • C:\Users\Admin\Documents\Pt7UH_readme_.txt

    Filesize

    3KB

    MD5

    357b66f39316dde427dc7695fafb6c23

    SHA1

    6f729180969335957b35754eb64a306cf22fbb23

    SHA256

    b4b36e32579eb112ff82585d8ef637da237219979c5d71152fc122ffc947af19

    SHA512

    4fbfd423ed4494dbbac7f860a53fe7cfa22ba328dd11b47de36e6c151666a866d460223c897b2a981af2049110b01f984cd129bf89581449e78b040e79272955

  • C:\Users\Admin\Music\Pt7UH_readme_.txt

    Filesize

    3KB

    MD5

    197e62d51476f7a4c1e03432309f37ca

    SHA1

    de8272e9773c1316f6449fc4adb27a17924eaa4b

    SHA256

    83a59b21ab5e9ce715233b40d695d12925a1d480af728841f003bc13a936bfdf

    SHA512

    871e6c3d564063fad384bf6032691fc1b1fcd6f50567bcba1516e5c883c02eca1401bc70e849a819441177f60b9e969505bcf040d074b07430dc7de4ed7c1b61