AbbySec

My digital playground – where hacking meets learning.

19 March 2026

SOC145 – Ransomware Detected (Avaddon Ransomware Infection)


🧠 Summary

This investigation was triggered by a SOC145 – Ransomware Detected alert involving a suspicious executable named ab.exe.

Initial threat intelligence analysis using VirusTotal revealed a high detection rate (62/72), strongly indicating malicious activity.

Further dynamic analysis using AnyRun sandbox confirmed ransomware behavior, including execution of WMIC commands to delete shadow copies, a known technique used by ransomware to prevent recovery.

Additional validation using Joe Sandbox identified the malware as part of the Avaddon ransomware family, associated with the RIDDLE SPIDER threat group.

The affected host was immediately contained, and the alert was classified as a True Positive ransomware infection.


🚨 Alert Overview

🖥️ Endpoint Information

🔍 Initial Findings

⚠️ Immediate deep-dive investigation required due to ransomware risk.

🧪 Threat Intelligence – File Analysis

🔎 VirusTotal (File Hash)

VT Result

Result           Value
Detection Ratio  62 / 72
Verdict          Malicious

🧬 Threat Classification

🧠 Interpretation

🧬 Dynamic Analysis (AnyRun Sandbox)

AnyRun Analysis

🔎 Observations

🚨 Critical Behavior Detected

WMIC.exe SHADOWCOPY DELETE /nointeractive
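As an added example (not part of the original investigation), the following Python detection flags the shadow-copy deletion command shown above in process-creation telemetry and correlates it with the VirusTotal detection ratio the way the triage did. The sample events, the Downloads path and the vssadmin variant are constructed assumptions; only ab.exe, the WMIC command and the 62/72 ratio come from the report.

```python
"""Flag shadow-copy deletion in process-creation events and correlate it
with VirusTotal results. Added example with constructed sample data; not
part of the original SOC145 investigation."""
import re
from dataclasses import dataclass

# Commands that remove Volume Shadow Copies: the WMIC form observed in the
# sandbox run, plus the equivalent vssadmin form (assumed, for coverage).
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
)

@dataclass
class ProcessEvent:
    parent_image: str   # Sysmon Event ID 1 style fields
    image: str
    command_line: str

def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when the command line deletes Volume Shadow Copies."""
    normalized = " ".join(command_line.replace('"', "").split())
    return any(p.search(normalized) for p in SHADOW_DELETE_PATTERNS)

def find_shadow_copy_deletions(events):
    """Return (parent image, command line) for every deletion seen."""
    return [(e.parent_image, e.command_line)
            for e in events if is_shadow_copy_deletion(e.command_line)]

def classify(vt_detections: int, vt_engines: int, events, min_ratio=0.5) -> str:
    """Combine the VT ratio with observed behaviour as the report does:
    a high ratio plus shadow-copy deletion is treated as a True Positive."""
    high_vt = vt_engines > 0 and vt_detections / vt_engines >= min_ratio
    destructive = bool(find_shadow_copy_deletions(events))
    if high_vt and destructive:
        return "True Positive"
    if high_vt or destructive:
        return "Suspicious - escalate"
    return "Benign"

# Constructed sample telemetry (paths are placeholders, not from the report).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\Downloads\ab.exe",
                 r'"C:\Users\user\Downloads\ab.exe"'),
    ProcessEvent(r"C:\Users\user\Downloads\ab.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "WMIC.exe  SHADOWCOPY DELETE /nointeractive"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c vssadmin list shadows"),   # benign: list only
]

if __name__ == "__main__":
    for parent, cmd in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"shadow-copy deletion spawned by {parent}: {cmd}")
    print(classify(62, 72, SAMPLE_EVENTS))  # True Positive
```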

🧠 Analysis


📊 Process Behavior Analysis

Process Tree

🔎 Key Findings

🧠 Interpretation


🧪 Threat Intelligence – Malware Family

JoeSandbox

🔎 Joe Sandbox Findings

Attribute       Value
Malware Family  Avaddon
Threat Type     Ransomware
Attribution     RIDDLE SPIDER

🧠 Intelligence Insight

📊 Behavioral Indicators

Indicator                   Status
Malicious File Execution    ✅ Confirmed
Shadow Copy Deletion        ✅ Confirmed
Ransomware Behavior         ✅ Confirmed
Known Malicious Hash        ✅ Confirmed
Sandbox Malicious Activity  ✅ Confirmed

🧾 Investigation Steps

  1. Reviewed alert metadata and file details
  2. Analyzed file hash in VirusTotal
  3. Observed high detection ratio (62/72)
  4. Executed file in AnyRun sandbox
  5. Identified ransomware behavior (shadow copy deletion)
  6. Analyzed process tree and system activity
  7. Verified malware family using Joe Sandbox
  8. Correlated all threat intelligence data
  9. Confirmed ransomware infection
  10. Contained affected endpoint

🚨 Incident Response Actions

🧬 MITRE ATT&CK Mapping

Tactic             Technique                             Description
Execution          T1204.002 – User Execution            User executed malicious file
Defense Evasion    T1070.004 – File Deletion             Shadow copies deleted
Impact             T1486 – Data Encrypted for Impact     Ransomware encryption
Discovery          T1082 – System Information Discovery  System info gathering
Command & Control  T1071.001 – Web Protocols             Potential C2 communication

📌 Final Verdict

Category              Result
Malware Presence      Confirmed
Threat Type           Avaddon Ransomware
Initial Vector        Malicious File Execution
Host Compromise       Confirmed
Alert Classification  True Positive
Incident Severity     Critical

๐Ÿ Conclusion

This alert represents a confirmed ransomware infection involving Avaddon malware.

Key evidence includes:

  - VirusTotal detection ratio of 62 / 72 for the ab.exe file hash
  - Shadow copy deletion via WMIC observed in the AnyRun sandbox
  - Joe Sandbox attribution to the Avaddon family and the RIDDLE SPIDER group

The malware demonstrated classic ransomware techniques, including:

  - Deleting Volume Shadow Copies to prevent recovery
  - Encrypting data for impact (T1486)

Immediate containment was required to prevent: