Malware Analysis Report

2024-10-16 03:28

Sample ID 210928-xdmq4sceg6
Target offline.exe
SHA256 373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386
Tags
avoslocker ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386

Threat Level: Known bad

The file offline.exe was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Modifies extensions of user files

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-09-28 18:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-28 18:44

Reported

2021-09-28 18:46

Platform

win7-en-20210920

Max time kernel

146s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\offline.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\UnprotectReceive.tiff => C:\Users\Admin\Pictures\UnprotectReceive.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\EditRevoke.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\EditRevoke.tiff => C:\Users\Admin\Pictures\EditRevoke.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnprotectReceive.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\ShowGroup.tiff => C:\Users\Admin\Pictures\ShowGroup.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectMount.tif => C:\Users\Admin\Pictures\UnprotectMount.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ShowGroup.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\PingDismount.raw => C:\Users\Admin\Pictures\PingDismount.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\SplitClose.tif => C:\Users\Admin\Pictures\SplitClose.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\offline.exe

"C:\Users\Admin\AppData\Local\Temp\offline.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-28 18:44

Reported

2021-09-28 18:46

Platform

win10v20210408

Max time kernel

101s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\offline.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ImportInvoke.tif => C:\Users\Admin\Pictures\ImportInvoke.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\WritePush.crw => C:\Users\Admin\Pictures\WritePush.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\DismountMount.tif => C:\Users\Admin\Pictures\DismountMount.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchUnpublish.raw => C:\Users\Admin\Pictures\SearchUnpublish.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A
File renamed | C:\Users\Admin\Pictures\LimitReceive.raw => C:\Users\Admin\Pictures\LimitReceive.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\offline.exe

"C:\Users\Admin\AppData\Local\Temp\offline.exe"

Network

Files

N/A