Malware Analysis Report

2024-10-16 03:27

Sample ID 210907-lpxjxaccd7
Target origin.exe
SHA256 bd88d415032eb24091c352fc0732b31116f44a78d9333037bd7608289608d3cd
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd88d415032eb24091c352fc0732b31116f44a78d9333037bd7608289608d3cd

Threat Level: Known bad

The file origin.exe was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Modifies extensions of user files

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-09-07 09:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-07 09:43

Reported

2021-09-07 09:45

Platform

win7-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\origin.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\AssertCopy.tiff C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\AssertCopy.tiff => C:\Users\Admin\Pictures\AssertCopy.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableDebug.tiff C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToUpdate.raw => C:\Users\Admin\Pictures\ConvertToUpdate.raw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\DisableDebug.tiff => C:\Users\Admin\Pictures\DisableDebug.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\RepairSet.crw => C:\Users\Admin\Pictures\RepairSet.crw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\origin.exe

"C:\Users\Admin\AppData\Local\Temp\origin.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-07 09:43

Reported

2021-09-07 09:45

Platform

win10v20210408

Max time kernel

22s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\origin.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File opened for modification C:\Users\Admin\Pictures\MergeCompare.tiff C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\ExitDebug.crw => C:\Users\Admin\Pictures\ExitDebug.crw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\MergeCompare.tiff => C:\Users\Admin\Pictures\MergeCompare.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveRegister.raw => C:\Users\Admin\Pictures\RemoveRegister.raw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToSend.crw => C:\Users\Admin\Pictures\ConvertToSend.crw.avos2 C:\Users\Admin\AppData\Local\Temp\origin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\origin.exe

"C:\Users\Admin\AppData\Local\Temp\origin.exe"

Network

Files

N/A