Malware Analysis Report

2024-10-16 03:28

Sample ID 220119-1h113sdeb2
Target 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.7z
SHA256 df480deb191b335dcbc3d4fc5d59594cb38caee2aaef8d877fbbc573de741301
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df480deb191b335dcbc3d4fc5d59594cb38caee2aaef8d877fbbc573de741301

Threat Level: Known bad

The file 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.7z was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Modifies extensions of user files

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-19 21:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-19 21:39

Reported

2022-01-19 21:40

Platform

win7-en-20211208

Max time kernel

42s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\WaitJoin.crw => C:\Users\Admin\Pictures\WaitJoin.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

Network

N/A

Files

memory/2408-55-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

MD5 651c844ad8ffea0473fc70cc13ff2e47
SHA1 f904db3a0e77df893d39cb41fe4297589db82459
SHA256 f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
SHA512 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-19 21:39

Reported

2022-01-19 21:40

Platform

win10v2004-en-20220113

Max time kernel

49s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\BlockSave.png => C:\Users\Admin\Pictures\BlockSave.png.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\BackupEnable.tif => C:\Users\Admin\Pictures\BackupEnable.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\EditDisconnect.tif => C:\Users\Admin\Pictures\EditDisconnect.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectDisable.raw => C:\Users\Admin\Pictures\SelectDisable.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectCompare.raw => C:\Users\Admin\Pictures\UnprotectCompare.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConnectOptimize.png => C:\Users\Admin\Pictures\ConnectOptimize.png.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertBackup.crw => C:\Users\Admin\Pictures\ConvertBackup.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromRead.tif => C:\Users\Admin\Pictures\ConvertFromRead.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

Network

Country | Destination | Domain | Proto
US | 204.79.197.203:443 | | tcp
US | 8.8.8.8:53 | api.msn.com | udp
US | 204.79.197.203:443 | api.msn.com | tcp

Files

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

MD5 651c844ad8ffea0473fc70cc13ff2e47
SHA1 f904db3a0e77df893d39cb41fe4297589db82459
SHA256 f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
SHA512 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae