Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    175s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 21:03

General

  • Target

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

  • Size

    483KB

  • MD5

    53717dc73f61b0f9551cb62d6fca2e4a

  • SHA1

    1ca9304e86632b147852767c85c57e08bdfc8855

  • SHA256

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028

  • SHA512

    ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552

  • SSDEEP

    12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\IGnZg_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .adBaAededA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTgwNS0wYmh1aDRyTjdYR24zQmp6ZVlGMmowUi81TkRWUUJOeERzcVpvN1ppcHFFZWNWQmNMbEdLRXRkUGZydTgvNnVsYjNJVW5FUXYrTEVDOEtYSkI2Z09sTUw2VnZRamc2RmhBY282a2UyRmJHd3JlN3ZqbXl0aktJemtuQy92ZHZtZWpFNFBGQVNGT3NmelFTL1Z2K1hEeXE3WUJYMHVIMi9uRU5WMVdxKzRvV1NWTmp6NTlENVhmZE16NUEwWFc1WTZESjNGRFB2QnF5eGI4USsvOUo5YTRXemdJL2JMR3krV1ZML3JhUzZLMUJVQlo2bGdmZG53cHV4OVJSSElsSmZSQ0g1TENyeSszN3YvVEJZVStNWmtzWUpSUmNWbEpjc2xmOTRoTTF1bGczdi9GWGNDSGp2TWphTzFwT3VLMlEyZ2V3VXgvTE9xb2lJQVByREpjckxvSzc4U01FRWZkank4RnlLSldoUGptSDJUdnVaMW9CaWhQb3U5WElMSlp3TXdkMFlQUzlra2k5Y3hHOTcvZStvb3JGVFdUeEpldDB6YW53bm1iQzJIMm90dTkwdzV3MFFFQU9XcDlLbkk1aGkxSUUzU1oza2tuWVBTMzlEcHpsT25IQVF3VUI1cWs1ZXBXdnJQb09FM0xvT00wMEU1UjY4L0M5VFgrYzdsVVBQV1JRd0cyMjd2K201MGlxeEYrMDBmcHdwQTI3bmRsYkt2dlNnWHFXT2ZlMHJyS3RiaUZteGU3TlFlcnpSQ1hidW8xenpRKzVtczBNYWl2eHMwcDJxOUh0N204L2xUbjRhQkxDajJCL3dRUFdBbnJyWm5MM0huaWp0dmJWekRmejJEaXFNZFdNa2ZxWHJqcnZla3ZQbmI1cGUvOEpCVWtPcFYwT0RSc2hMVzZxdEV6SVh4RnA2VEh3THRnOXYwbUtuOFNua3Z1dVB2ajRZWFRUY2k1NVB3aFdCbEljV1JiVGVyZGFud1pPQWhLallkK2pGbDJTM3NpS2c4c1hZK2hPNWk0SkdJbnpQN1BtaXAzZ2VhV0VVZDlTUkdZcHpUZDJ3RFh5c3o1UHJ3VW8xMlZGZnYvanFnZFQyTjU4a0dpeGhQV28vYkdicEpBaXpRdjRSRmFwcFpYQXRoWDVPdEtYWE5PNmpqYUd4NVFHZXhITEgzVE82ZFdMak1kcjRLcVJsYzIrcXNtV0RoUElwYVFpcWZCMmN4cjJIZnZyK1QvZGgzeldQb3RDRmxaTm1iRVU1S280NWJMVkV3ZnJRdVRkUUhlMW1KcUllUU5rZlQraUVBdEdGNS9GbmZJOHpNVWFaNVF2TXg3S3htS3lZaGpEYUw1WnZsRXFIMEtJTlRNMWZ5ZERFbWt0eXZKTFdFSkJNY1pqWW8xNXBTczRUQWN1b2VzZThPUDhqRm9uNWtQVFQ0YkNQUWtwUjFieW1kdDdMTTlNcmkwTVF6Z3lkRWVXWlY1cFRuR3psRklxN0JFTklNbCtZdUVIRU95Q09UMXJpQ1U0U1B1MnBINk9GODRxZWNEVEduZ2g4ZmhPNGtsQWVnTUhLQ0VEcFVyeWRLRGJISG8reW80RHNzM09GaklFRXllaExMcWFCWW4yVXRDWWdIUEJNT3R4K2lscEJlYmJJNmJYR2xhVkRsMWVjNFFOY3lmK1dGckIvOFdNSzlUZWpObFUveHRLRlRMSlZmb3BpMm5veFI5NTB2bmNYZGFhSFJFS1lqV2kwWUhLVGF1WEQzU3U0M2l4OUI5czRBWG9LdzJDYjh6RTVQNTIwNGwrbWNMOGRFV3VOWVY4RVZXdHE5WG11TW95WjN1bC8xQXZPMUVZSDgzMmpteVl5ZXFNdFhYVEhiNmhWNGkyRERZOGZ4czNFSXUvV285eTlnOFV5cVhTbkVTQWhUa3gvdEVMODJ0a0pJTHJqSDFrQlRXMzFrYzc2QTAra0FtRmJpWk5vNzBVbVFkbzNNM2UrSmxRRC9uUnNqMXlURnEwTXRFN01rbkxyTmRqakNqMWxOSGxtWjJGZkowOWRabmJHVnBDb2pKdk94OFBVWDRQM3VuNTdWYW9JOU8vakZ1MWVlYkdGK3NwU3NPM2FDOTB6UTJ4YmRtd014RlRoa000dnFGZE90bDY0OXdXeXlEVzlUYkhNM1BXcEZTQT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * ftOw1gZ6J21cddbH8AICmd
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (155) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
    "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4680
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CloseUndo.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:624
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockRestore.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4496
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IGnZg_readme_.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\IGnZg_readme_.txt

    Filesize

    3KB

    MD5

    552913e7950146258b72008ddf4230c8

    SHA1

    02a18da8cf1d25b7906ba4ac9663d991ae27bd34

    SHA256

    b9b5c31d5b02abd41acd7dfa72fcca4cd4d3d72200580cb85b80eba31454debb

    SHA512

    65b532a891a60534e2d613a9f413916886f5b769ae5bf1603deb8fa570bffeb21dd47a2eca4902cdfa8083f985c3ad37e41097c670d54dfb4336074f15390d58