Malware Analysis Report

2024-10-16 03:28

Sample ID 211122-scyprsfgfj
Target c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample
SHA256 c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02

Threat Level: Known bad

The file c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Modifies extensions of user files

Opens file in notepad (likely ransom note)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-22 14:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-22 14:59

Reported

2021-11-22 15:02

Platform

win7-en-20211104

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\PopReceive.tiff | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

Network

N/A

Files

memory/2488-55-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

MD5 c416bf3911487d819c45a4001a77b35f
SHA1 dc19ce5f2f104f710edf83f7efa617f0bc749f67
SHA256 76bbf445e90dffd6d609e98faad6f84f7dc99c5412026cfb1a6e224b1cb2e6e2
SHA512 b6ace2a4c58ec68a60b1e1640e5adc1abbc58c669bc0d24f1cc5e1a778d595b5c255c4cc0314f7b3e4a413759658c6c281dafaa59e1110d05119b17d00555e5d

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-22 14:59

Reported

2021-11-22 15:02

Platform

win10-en-20211014

Max time kernel

62s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\OutSwitch.tiff => C:\Users\Admin\Pictures\OutSwitch.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\PingOpen.png => C:\Users\Admin\Pictures\PingOpen.png.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareComplete.png => C:\Users\Admin\Pictures\CompareComplete.png.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\StartResize.crw => C:\Users\Admin\Pictures\StartResize.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\RenameWrite.tiff => C:\Users\Admin\Pictures\RenameWrite.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OutSwitch.tiff | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeSync.crw => C:\Users\Admin\Pictures\MergeSync.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeDebug.tif => C:\Users\Admin\Pictures\ResumeDebug.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\RedoDisconnect.raw => C:\Users\Admin\Pictures\RedoDisconnect.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RenameWrite.tiff | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"

Network

Country | Destination | Domain | Proto
SE | 23.52.27.27:80 | | tcp
US | 8.253.208.120:80 | | tcp
SE | 23.52.27.27:80 | | tcp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp

Files

N/A