Resubmissions

09-10-2022 17:06

221009-vmk8jahcg4 10

09-10-2022 17:05

221009-vlwymshdgq 10

Analysis

  • max time kernel
    57s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2022 17:05

General

  • Target

    6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe

  • Size

    919KB

  • MD5

    40f2238875fcbd2a92cfefc4846a15a8

  • SHA1

    06dce6a5df6ee0099602863a47e2cdeea4e34764

  • SHA256

    6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2

  • SHA512

    8ab1a2124a67e91a4e1842b5f600f977d3d72d398b64ee690c297a04b733e60e01fe4383a1fdf25bb412bc1294d69c5402bd60159c3125bdfb709d024c8e04b8

  • SSDEEP

    24576:ID7x8JDwepWTu/g6YvOkAT5OdAP6tfKf2J9lb:Ifx8JDwepWaOvOkANOdS6BT9V

Score
10/10

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 08604a3c44a32c3c2a51182916c1de99605478319605c31f1215e6109c01f9db
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
    "C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"
    1⤵
    • Modifies extensions of user files
    PID:5036
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3796
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GET_YOUR_FILES_BACK.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ccb24f50,0x7ff8ccb24f60,0x7ff8ccb24f70
        2⤵
          PID:4028
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
          2⤵
            PID:1640
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1940
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
            2⤵
              PID:228
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
              2⤵
                PID:3964
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                2⤵
                  PID:1828
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
                  2⤵
                    PID:1048
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
                    2⤵
                      PID:3916
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
                      2⤵
                        PID:3452
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
                        2⤵
                          PID:5012
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
                          2⤵
                            PID:3284
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
                            2⤵
                              PID:3608
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                              2⤵
                                PID:3808
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,14264180320768916357,17105268863712224604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4248
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3356

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\Downloads\GET_YOUR_FILES_BACK.txt

                                Filesize

                                1KB

                                MD5

                                651c844ad8ffea0473fc70cc13ff2e47

                                SHA1

                                f904db3a0e77df893d39cb41fe4297589db82459

                                SHA256

                                f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b

                                SHA512

                                91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae