avoslocker | fe23d4b7a9db3c937523afecdbe14969987c27f35b9bb9c90f656bcd897bcb87

Resubmissions

09-10-2022 17:06

221009-vmk8jahcg4 10

09-10-2022 17:05

221009-vlwymshdgq 10

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2022 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
Size

919KB
MD5

40f2238875fcbd2a92cfefc4846a15a8
SHA1

06dce6a5df6ee0099602863a47e2cdeea4e34764
SHA256

6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2
SHA512

8ab1a2124a67e91a4e1842b5f600f977d3d72d398b64ee690c297a04b733e60e01fe4383a1fdf25bb412bc1294d69c5402bd60159c3125bdfb709d024c8e04b8
SSDEEP

24576:ID7x8JDwepWTu/g6YvOkAT5OdAP6tfKf2J9lb:Ifx8JDwepWaOvOkANOdS6BT9V

Score

10^/10

avoslocker ransomware

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 08604a3c44a32c3c2a51182916c1de99605478319605c31f1215e6109c01f9db

URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InstallResume.png => C:\Users\Admin\Pictures\InstallResume.png.avos2	6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
File renamed	C:\Users\Admin\Pictures\OptimizeExpand.png => C:\Users\Admin\Pictures\OptimizeExpand.png.avos2	6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
File renamed	C:\Users\Admin\Pictures\UninstallUse.tif => C:\Users\Admin\Pictures\UninstallUse.tif.avos2	6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2184 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid process

1940 chrome.exe
1940 chrome.exe
1056 chrome.exe
1056 chrome.exe
1056 chrome.exe
4248 chrome.exe
4248 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

1056 chrome.exe
1056 chrome.exe
1056 chrome.exe
1056 chrome.exe
1056 chrome.exe
1056 chrome.exe

pid	process
2184	NOTEPAD.EXE

pid	process
1940	chrome.exe
1940	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1056 wrote to memory of 4028	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 4028	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1640	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1940	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 1940	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe
PID 1056 wrote to memory of 228	1056	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"
1⤵
- Modifies extensions of user files
PID:5036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ccb24f50,0x7ff8ccb24f60,0x7ff8ccb24f70
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\GET_YOUR_FILES_BACK.txt

Filesize
1KB

MD5
651c844ad8ffea0473fc70cc13ff2e47

SHA1
f904db3a0e77df893d39cb41fe4297589db82459

SHA256
f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b

SHA512
91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae

Download Submit
\??\pipe\crashpad_1056_OQTTOLFYBDQPXGGW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit