avaddon | 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

Analysis

max time kernel
103s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab.exe
Size

775KB
MD5

0b486fe0503524cfe4726a4022fa6a68
SHA1

297dea71d489768ce45d23b0f8a45424b469ab00
SHA256

1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512

f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
SSDEEP

24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Score

10^/10

avaddon defense_evasion discovery execution impact ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\dUBoP_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .aDACebEbbA You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MjY2NC1EYjJROXEyN0svaVBlN29UKzE1S0pXM1QyKzFpcHZtYWl4REtiZlEzcGdsRElmaktLTXpDbTRBVStuRHdkT1lFYlo2bzhvQ1hjcDArN2FrSWRTbU9pUzVnQUs5WHA4WE5welpvR2E0Uk5wMXQ1UDFUd2tsYTFpMlJKRkQ0U1I3OGRnOHRXWmNmSkhHY3FycVNmWDJVZzFldWxuMDZEM3NkeUlVUFRIOFhYam4zWXBhVzNiQ1hRTHhkVy9yWXNxN0E2UXNDWExQNHB4U3gzdUhsY0xoMmoyTVk5dXYxb0NsRzhqVXZ1TkVPUFJDM2RTNVY3Zi9FSjdEaWh3amhnUHAwUk54ZTBONS9aa2JZNW1vSXFBV1JDZktNN1ZjZnpWbWE1dlJ6eCtubmlVYStvY3RYcng0cWVwNnIxa2tjUEx6MjBJWW9kaURLVUxhVWQyZjR2d0dwdEpHQmdsWUZtUXhlZ2NpZFR2Z01CT0tMUUFxQ3BTWjhUR0pJeTBUNksvdFRmdmNxaGt1TzFpdzJlVmorUkpCOWZ4ZTVuN3NNeDJxdjN5VnFOTkM1WlQvWlZ4clBRNy9iQm8vQ1hqL1BQbExGcWFCaHBrdFV4eXhUUHExQnhCYy9sc3o1V0g1c2VmQ0VLeGg1ODJNSGEzQVhzWjIyMmhCV3R4NTVxQUxKcTBFMWszMk80RWI1SkZJYUhhSzlWSElMbVJncjFKWlNUZDBCTzV0SFR0NHg3UVZyek90YjBka3U4Slc1M3MvYUlWd2l5S2NDT0xkb2FDN1ZDengxa2VabDJPOXVOQkVNancwbFFqdjRiNkdNd2krSGNRVENCTW1memxVV3pONjk3WmtydjVjRVMzSGlydUxDeGg2SEMvOS9nMVQ2OGZ0Z3FyU2l1TXFzcDQ5Mis2MUVDU1VtMEhranBEbmduQzl4N1hKSERZLzVzeVNXbkFIU09uNFhuby9TZDlZbVpFYVZySG0wSjUxQTMrS3diN0Q2amFzeFNKRlRvMXBwU3RqQnlNd293VVRWMUI3NUFEMkpEanBxZmlsaDdadU5ON0Q2UVd6eXp5aCtDTW85RWNUM1VEUGtITktHR3lWT2VlQ0J4d01QNkN5YXZDM284amdpMkVPb0NCejhDUCtSa2JkQ0xMTHdtQWJxRkZtVEVTWXd5QzdUT091eklLZFZVUURFckFvN3ByN3NSaiswT1Roa3pzZElBamlncHd4MytNZHhBdFpmRjJvbWpPUmp6OUp1TWg0eWZKQXR5OGhuYzl3MGZPU1RFd2dKeEZ5d0hwalRFWW5vQk9qUnNCWXZqWTMzdWVZUTJTWEJIS2RHcnRNWFR3RkdHeUNCTW9WMHNvVU5DSnBrNkxZNkl3V2phUllXOThlUG5IRXRhZ2tqTUdRK3FlUmZLWisxSkw4UnZrditvSVhCb1ZRQmhpdXd2S0tRYitDS2svSjF1RjdTVjNBcGlrTENwaUJac2hrQnBxcnFSMFlIckhDbkZWWkdkaXNydjljV0h4NXNNeWpubGF1OTR5a2tlaEMyNm5Xb0w1ODVldFVoWVRHSE5OZEVPUXhFakU3c0EzZTRUdEZ1b1RPbkMwS3FNZHlNRDRxeDZMUEpkeFBSVERhZWo1ZDNxd2RmdHFGckJVeExIN2FtY2ZSOWlmaUJJRGgwcGd6QTVWQnl0TGljckpPUi93SldQbUhvcGJITnNsdXFVZjBtNGZZeDdpcTNCZG4yQm9jc0tCTzJQRnpHSWpySVpMbmdKZXkzaGptUjhacEN1dGFHVk92cGdEdC8xVytQTUhzYk5LN05pdUROV0xuSkc3R0ZmckdaNmFOMERrNGEzQjhGbjlyRWRpa2xFU2phS2lLZzN1OVFCT204Z0ZxY0RTNzA0L2tsTStXTzF3TktKVjEvbExCc25MZ2Zya1lYckJtSi9nMTNuWXIvYWJORStQbTBUcW1vWS9UTDBHQ2p0ek9CNTErT2xtTytYeUNBcDFNZ1JvZ1h6MjdxSnRaZURtYlRtNlRpUlVzT3VwQnQ4aVh5bTcwdGo0TSs4UTd6MGFEdlRxNEdIZGluQUtTd3hodHlXUnlzZ1ZtbUZaU09QZ0paQ2ZPNVMxcmRXaXp0eERxUVJhSnZBY2dWVCtSbTliNjFuL05tVW0yOXZDSEM4UT09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * qEN

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
Avaddon family
avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00040000000227b2-468.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	764	wmic.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	764	wmic.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	764	wmic.exe	87

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
6124	ab.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-446031748-3036493239-2009529691-1000\desktop.ini	ab.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	ab.exe
File opened (read-only)	\??\W:	ab.exe
File opened (read-only)	\??\F:	ab.exe
File opened (read-only)	\??\I:	ab.exe
File opened (read-only)	\??\M:	ab.exe
File opened (read-only)	\??\S:	ab.exe
File opened (read-only)	\??\V:	ab.exe
File opened (read-only)	\??\Z:	ab.exe
File opened (read-only)	\??\A:	ab.exe
File opened (read-only)	\??\B:	ab.exe
File opened (read-only)	\??\G:	ab.exe
File opened (read-only)	\??\K:	ab.exe
File opened (read-only)	\??\U:	ab.exe
File opened (read-only)	\??\X:	ab.exe
File opened (read-only)	\??\E:	ab.exe
File opened (read-only)	\??\L:	ab.exe
File opened (read-only)	\??\N:	ab.exe
File opened (read-only)	\??\O:	ab.exe
File opened (read-only)	\??\Q:	ab.exe
File opened (read-only)	\??\R:	ab.exe
File opened (read-only)	\??\Y:	ab.exe
File opened (read-only)	\??\H:	ab.exe
File opened (read-only)	\??\J:	ab.exe
File opened (read-only)	\??\P:	ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe
1176	ab.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2152	wmic.exe
Token: SeSecurityPrivilege	2152	wmic.exe
Token: SeTakeOwnershipPrivilege	2152	wmic.exe
Token: SeLoadDriverPrivilege	2152	wmic.exe
Token: SeSystemProfilePrivilege	2152	wmic.exe
Token: SeSystemtimePrivilege	2152	wmic.exe
Token: SeProfSingleProcessPrivilege	2152	wmic.exe
Token: SeIncBasePriorityPrivilege	2152	wmic.exe
Token: SeCreatePagefilePrivilege	2152	wmic.exe
Token: SeBackupPrivilege	2152	wmic.exe
Token: SeRestorePrivilege	2152	wmic.exe
Token: SeShutdownPrivilege	2152	wmic.exe
Token: SeDebugPrivilege	2152	wmic.exe
Token: SeSystemEnvironmentPrivilege	2152	wmic.exe
Token: SeRemoteShutdownPrivilege	2152	wmic.exe
Token: SeUndockPrivilege	2152	wmic.exe
Token: SeManageVolumePrivilege	2152	wmic.exe
Token: 33	2152	wmic.exe
Token: 34	2152	wmic.exe
Token: 35	2152	wmic.exe
Token: 36	2152	wmic.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe
Token: 35	2372	wmic.exe
Token: 36	2372	wmic.exe
Token: SeIncreaseQuotaPrivilege	2836	wmic.exe
Token: SeSecurityPrivilege	2836	wmic.exe
Token: SeTakeOwnershipPrivilege	2836	wmic.exe
Token: SeLoadDriverPrivilege	2836	wmic.exe
Token: SeSystemProfilePrivilege	2836	wmic.exe
Token: SeSystemtimePrivilege	2836	wmic.exe
Token: SeProfSingleProcessPrivilege	2836	wmic.exe
Token: SeIncBasePriorityPrivilege	2836	wmic.exe
Token: SeCreatePagefilePrivilege	2836	wmic.exe
Token: SeBackupPrivilege	2836	wmic.exe
Token: SeRestorePrivilege	2836	wmic.exe
Token: SeShutdownPrivilege	2836	wmic.exe
Token: SeDebugPrivilege	2836	wmic.exe
Token: SeSystemEnvironmentPrivilege	2836	wmic.exe
Token: SeRemoteShutdownPrivilege	2836	wmic.exe
Token: SeUndockPrivilege	2836	wmic.exe
Token: SeManageVolumePrivilege	2836	wmic.exe
Token: 33	2836	wmic.exe
Token: 34	2836	wmic.exe
Token: 35	2836	wmic.exe
Token: 36	2836	wmic.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2836	1176	ab.exe	93
PID 1176 wrote to memory of 2836	1176	ab.exe	93
PID 1176 wrote to memory of 2836	1176	ab.exe	93
PID 1176 wrote to memory of 400	1176	ab.exe	99
PID 1176 wrote to memory of 400	1176	ab.exe	99
PID 1176 wrote to memory of 400	1176	ab.exe	99
PID 1176 wrote to memory of 4916	1176	ab.exe	101
PID 1176 wrote to memory of 4916	1176	ab.exe	101
PID 1176 wrote to memory of 4916	1176	ab.exe	101

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ab.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab.exe
"C:\Users\Admin\AppData\Local\Temp\ab.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1176
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  PID:400
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6124

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Filesize
775KB

MD5
0b486fe0503524cfe4726a4022fa6a68

SHA1
297dea71d489768ce45d23b0f8a45424b469ab00

SHA256
1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

SHA512
f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

Download Submit
C:\Users\Admin\Desktop\dUBoP_readme_.txt

Filesize
3KB

MD5
b8aabfadd826d2b68688ef604c28102a

SHA1
a7833996f70390c2addce1cd12b97284fa3de58a

SHA256
667a3fb1b08af6c8cf93a7a7e60a03ddb67c5db9312bc129276a9fd22fa0ba75

SHA512
849eee5375ef9f4b0517d6c104a3b7141df701b301dc743269a13aaee5953e1905a6bbb037c75ec6d81591cb34a697e4f336d7085dd9163018d26dda9bb3e005

Download Submit