Malware Analysis Report

2024-10-16 03:28

Sample ID 220927-trxxfsdhc8
Target 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.7z
SHA256 df480deb191b335dcbc3d4fc5d59594cb38caee2aaef8d877fbbc573de741301
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df480deb191b335dcbc3d4fc5d59594cb38caee2aaef8d877fbbc573de741301

Threat Level: Known bad

The file 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.7z was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Modifies extensions of user files (appends .avos2 to files under C:\Users\Admin\Pictures in both detonations)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-27 16:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-27 16:18

Reported

2022-09-27 16:21

Platform

win7-20220812-en

Max time kernel

42s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Signatures

Avoslocker Ransomware  [ransomware, avoslocker]

Modifies extensions of user files  [ransomware]

Every row below was produced by the process C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe; the Target column is N/A for every row.

Description   Indicator
File renamed  C:\Users\Admin\Pictures\ExportUnblock.png => C:\Users\Admin\Pictures\ExportUnblock.png.avos2
File renamed  C:\Users\Admin\Pictures\MergeReset.crw => C:\Users\Admin\Pictures\MergeReset.crw.avos2
File renamed  C:\Users\Admin\Pictures\SetMove.png => C:\Users\Admin\Pictures\SetMove.png.avos2
File renamed  C:\Users\Admin\Pictures\SkipBackup.tif => C:\Users\Admin\Pictures\SkipBackup.tif.avos2
File renamed  C:\Users\Admin\Pictures\ProtectEnable.png => C:\Users\Admin\Pictures\ProtectEnable.png.avos2
File renamed  C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\Users\Admin\Pictures\CopyCheckpoint.raw.avos2
File renamed  C:\Users\Admin\Pictures\DenyAssert.crw => C:\Users\Admin\Pictures\DenyAssert.crw.avos2
File renamed  C:\Users\Admin\Pictures\ExpandImport.crw => C:\Users\Admin\Pictures\ExpandImport.crw.avos2

Processes

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-27 16:18

Reported

2022-09-27 16:20

Platform

win10v2004-20220812-en

Max time kernel

91s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Signatures

Avoslocker Ransomware  [ransomware, avoslocker]

Modifies extensions of user files  [ransomware]

Every row below was produced by the process C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe; the Target column is N/A for every row.

Description   Indicator
File renamed  C:\Users\Admin\Pictures\EnableApprove.raw => C:\Users\Admin\Pictures\EnableApprove.raw.avos2
File renamed  C:\Users\Admin\Pictures\RequestEnable.crw => C:\Users\Admin\Pictures\RequestEnable.crw.avos2
File renamed  C:\Users\Admin\Pictures\SendResume.png => C:\Users\Admin\Pictures\SendResume.png.avos2
File renamed  C:\Users\Admin\Pictures\ResumeWait.raw => C:\Users\Admin\Pictures\ResumeWait.raw.avos2
File renamed  C:\Users\Admin\Pictures\DebugPush.png => C:\Users\Admin\Pictures\DebugPush.png.avos2
File renamed  C:\Users\Admin\Pictures\SubmitRemove.tif => C:\Users\Admin\Pictures\SubmitRemove.tif.avos2
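The two "Modifies extensions of user files" tables (behavioral1 on Windows 7 and behavioral2 on Windows 10) show the same behaviour: a single process stamping the new suffix .avos2 onto one user file after another. As an added example that is not part of the sandbox report, the Python below parses rename lines in the report's own layout and raises an alert when one process appends the same extra suffix to several files. The five-file threshold, the two explorer.exe rows used as benign controls, and the suffix-to-family mapping are assumptions for the example; the eight .avos2 rows are taken from the behavioral1 table.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the report's "File renamed <old> => <new> <process> <target>"
# layout. The eight .avos2 rows are copied from the behavioral1 table; the last two
# rows are made-up benign renames by explorer.exe, so the rule can be shown not to
# fire on an ordinary extension swap or a base-name change.
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\ExportUnblock.png => C:\Users\Admin\Pictures\ExportUnblock.png.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\MergeReset.crw => C:\Users\Admin\Pictures\MergeReset.crw.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\SetMove.png => C:\Users\Admin\Pictures\SetMove.png.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\SkipBackup.tif => C:\Users\Admin\Pictures\SkipBackup.tif.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectEnable.png => C:\Users\Admin\Pictures\ProtectEnable.png.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\Users\Admin\Pictures\CopyCheckpoint.raw.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\DenyAssert.crw => C:\Users\Admin\Pictures\DenyAssert.crw.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandImport.crw => C:\Users\Admin\Pictures\ExpandImport.crw.avos2 C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe N/A
File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report-final.docx C:\Windows\explorer.exe N/A
File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.md C:\Windows\explorer.exe N/A
"""

# Suffix -> family label. "avos2" is the suffix seen in this report; "avos" is the
# suffix of the earlier AvosLocker variant. Assumed mapping; extend from your own intel.
KNOWN_RANSOM_EXTENSIONS = {"avos2": "AvosLocker", "avos": "AvosLocker"}

EVENT_RE = re.compile(
    r"^File renamed (?P<old>.+?) => (?P<new>.+?) (?P<process>\S+) (?P<target>\S+)$"
)


class RenameEvent(NamedTuple):
    old: str
    new: str
    process: str


def parse_rename_events(text: str) -> List[RenameEvent]:
    """Parse report-style 'File renamed' lines; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(RenameEvent(m["old"], m["new"], m["process"]))
    return events


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix when `new` is exactly `old` plus one more '.suffix', else None.

    Swapping the extension (notes.txt -> notes.md) or changing the base name
    (report.docx -> report-final.docx) is not an append and returns None.
    """
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old) + 1:]
    if not suffix or "." in suffix or "\\" in suffix or "/" in suffix:
        return None
    return suffix.lower()


def find_mass_rename(events: List[RenameEvent], min_files: int = 5) -> Dict[Tuple[str, str], List[str]]:
    """Group appended-suffix renames by (process, suffix); keep groups of >= min_files.

    One process stamping the same new suffix onto many user files is the behaviour
    behind the report's 'Modifies extensions of user files' signature.
    """
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ev in events:
        suffix = appended_extension(ev.old, ev.new)
        if suffix is not None:
            groups[(ev.process, suffix)].append(ev.old)
    return {key: files for key, files in groups.items() if len(files) >= min_files}


def family_for(suffix: str) -> str:
    return KNOWN_RANSOM_EXTENSIONS.get(suffix.lower(), "unknown")


def report(text: str, min_files: int = 5) -> List[str]:
    """One alert line per flagged (process, suffix) group."""
    alerts = []
    hits = find_mass_rename(parse_rename_events(text), min_files)
    for (process, suffix), files in hits.items():
        alerts.append(f"{process} appended .{suffix} to {len(files)} files "
                      f"(family: {family_for(suffix)})")
    return alerts


if __name__ == "__main__":
    for alert in report(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the append pattern rather than on the string "avos2", so a renamed variant with a new suffix still trips it; the family lookup is only a label on the alert. Benign double extensions (archive.tar => archive.tar.gz) are a single file and stay under the threshold; in production the grouping should also be bounded by a time window, which the report tables do not carry.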

Processes

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Network

Country  Destination          Domain  Proto
NL       104.110.191.133:80   (none)  tcp
NL       104.110.191.133:80   (none)  tcp

No domain was resolved for either connection, the report records no URL or payload, and the Windows 7 run (behavioral1) produced no network traffic at all. Treat these two plain-HTTP connections as unconfirmed until they are correlated with other telemetry rather than as established command-and-control for the sample.

Files

N/A