Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

26/02/2025, 16:43

250226-t8l7aawtcw 10

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 21:24

General

  • Target

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

  • Size

    483KB

  • MD5

    53717dc73f61b0f9551cb62d6fca2e4a

  • SHA1

    1ca9304e86632b147852767c85c57e08bdfc8855

  • SHA256

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028

  • SHA512

    ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552

  • SSDEEP

    12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\1o1tj_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .CaCADbeaEd You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS1ZMm1FaTFqcjVFQW02S0pHbU1nYytTNjVYcnA0ZEdCTldTQUI3VUNIOTRpTlVocytRZmdodlpWN1diZDZrOXZaQjdRQWdDUHIrK042YXRNOFJ1N1JiczB6NTNKOXhJZ045bTgxcVdLTkR5WEVsaEFGSWY1TjB3Njk1bi90aWY5U1BaZXM3Z0FWeCt5OUxzRjhEYi92Uml3aHdFS0ZNVmZCbGlGWE12a2RGeUNGWUdkSGVJM3RhbWxhdnJGSnhrVEtEbkZXSGlqQWwyUk95d1loZGZSTldSaEM5Nm1kZUJUT1ljc2w3SU1obGNTeDcrRkE1Yk1tT1ROTUwrcTh1WUF5T2tOajVzUmEwSmxmejlYbEFuWVhZd0p6Tjg2SlRzdDJ1dm1XWTdBaGg4MnV6WklHMkV4cUhRekJNemxkVFgySWdLMXNpZzl1RjNlQ256QkdvY3l4T1RYVDFxR25SRHRRZ3NDUzdvRTFieDNFY0FQeEtxK3FVVzNUU0dKdndGZnYyTGFUdk1ySUdNNlZzYzRuQ3RlMFdKU0g4dWNjdnhMZER1L1JkOW94UUF2N3cxbmlwSi9sUEJZZVlMbDVhdFZpZlNXTzhFYmorWkpNUjVvYUNrU2g4TEo1cFFqdkl4c2pHSlRSem1lWVBubWlPRmljMXNhdDNHRjNWam10Sk5Ya296L2k4SktZYnMrZlJVZWpmbG5YT2dMM0NjNEU5NWNQWVlSaTBOV0F1WUtENUltY3p4R285YkZPZm96aU93Si9kc2xKNkRjN3Eyc09VVlZDeXFPeXdTWWZJZy80NUROWFZnVEtlZnpoQ0VYTXlScVRYeEpqS1d2SkhnRnJXSVJFbzlqak5mWHBCOUwzeCtQZnh6ZVl1eUlNS2RwS2dnUzdSS0x1TXlNc3kvZEhwVkM1Vi9CaUVieWxBWDRuMFZuVHVkcmVaZkxyQ2luWnpiQTJ4Y3lIVllDdTdzU09kd2NmNkpCdEVkd0hMZ2g5ZUZ6Y01hRzRnU24vRXh3aU1UdklYa2xuSE40UDdWeURVYkQybWhqSXlxNEIvZTc3VzhSNjgybHRwOFRiMFNtUjJWS1BoYUdibWxtMmJabmVEMXd2SWl4OXlCYVpmR2hwdXRjNW9vWWFvYW9qM3dCQWxyWEdvTitJb3ROaFdNZkFPSDRDNUtidG90OCtiVnMwbzVUVTVLaTcwQkE1akF4b2hJM0dlRGJuYWQ3aksxbktibFpnc2VjYm45dWtucXJZYmhBMmdEbzBUajJxR0FUMXJ4aHVONWJxLzErL0RYazJDM3dtblp4REUrOVJiUWtxS3h4UEE0T3IzcFp0eEpUVWJENFVDZXJBYXkxTjNXaExnRlJSQkgxUWlLa0YvYXl5eTJjTFFxTE1LcUFQZ2JyaGtWejRRanN5MjUrNW1UY1Ztcno4Q3ZmUUYwcU9nMW5Bb2kxZi9od1l6dmFJVHM1cnBmNFJIWTZmajVhUWw4OHd6aEFmb0JHSkNiWm1vOVF5aUpFUG5IRVNGcWVWUDhKcUVmVDRqZTBsUjVpajZUMUMvVm5ZT0xPQTRHNnJURHVHNkpKblpMWDJtUkdLbExISm95ZnhNdkdhRGN1eUZJeTVkQi9LRnczWTVQL0NtazFsRHJPeUZORnhGOTZLVG9ySWJLckhHOUJXWmNQN3BlV2V0b2ZFaE5zbEtnMm12ZHhTVS8xSmVYSld3N1pyVUIyUHBzdC9uZnpOT1RuQWZtT1VkVU1CcUFGSHlyc3dKOVBPVVROVDNhZ1FhclMwL2lZTFIxYUpGdERzWUF4U2l4bllhSjRuMC9xZU5naFQ5WEU5bFA3N3RnaGVTVnp4OHVSOE1LMnl3aVFRdWY5TExZeVFpR3FzSTJMcFZ4ZzBGQVVPT01GNnNrRDhmd05hNStFN3FNMWlxa3krOEl4VjhLUDRzcEY5N0JvTWhQZ0JBMmx4b1pBRTlXOTNvNEF2MEJQMGlhVk5TckpaaHFYT2MyK3g3K3d4by9yVFd5S25UTTd5cGpLUDRrcWNYdCszTU80RTNGN1h0VEU1dmNaRlBIV2ZQMlF0bVJ6dlFYdG5ReXZGamJweUcrZ3psb2liVkxmTHNtVzVvRWpYbmVpMjNoS0d3NnZDdnNMbzVud055MVViVWpXTUczMkNjZz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NwdG4iYrU5E5b
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (148) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
    "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3928
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\1o1tj_readme_.txt

    Filesize

    3KB

    MD5

    5ec2d75665199b57b61effe24c30b4b2

    SHA1

    ba442f9163ce647a3b2beeae170bfea5e283c780

    SHA256

    c7d291dd9d829ab2d49deedc6095be4235f646bb4d4dcd405e58ee1ba8f81c27

    SHA512

    d2165557d701238bb8a7aba24e47b426d4a44ebfc03560bec0fa2ca4d796f583bd87eb7f31730fcf5a8820d6c37448bc1bacf751eea82a947ad62de787aea0f1