General

  • Target

    HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.7z

  • Size

    2.2MB

  • Sample

    250402-tmvxassmy5

  • MD5

    02ab46ad0f72ebf04bfc987b1c6cfd93

  • SHA1

    1d319b9ecda6f4860bca276e00ed33c1e572f151

  • SHA256

    1640dbb1202916848fa226c543ee4abf6a3c24f357548f4cfcb41319b153803e

  • SHA512

    0949a55aca5d9d39061b219eb8e863e7c99abdc822747072d8b55d1ad9a3570f69419bde0bb957d414af1ff462fc6853b78a684f8fe2aa4eb142ffc27b5f5cbb

  • SSDEEP

    49152:VS4oWqzZEwotFlMO+feUOqW2MjUp7d6wCuxfQzT:lBqzZEwoXli2z296

Targets

    • Target

      HEUR-Trojan-Ransom.Win32.Avaddon.vho-7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365.7z

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its user base among criminal actors.

    • Avaddon family

    • Avaddon payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (149) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
