Analysis
-
max time kernel
86s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2022 17:06
Static task
static1
Behavioral task
behavioral1
Sample
6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
Resource
win10v2004-20220812-en
General
-
Target
6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
-
Size
919KB
-
MD5
40f2238875fcbd2a92cfefc4846a15a8
-
SHA1
06dce6a5df6ee0099602863a47e2cdeea4e34764
-
SHA256
6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2
-
SHA512
8ab1a2124a67e91a4e1842b5f600f977d3d72d398b64ee690c297a04b733e60e01fe4383a1fdf25bb412bc1294d69c5402bd60159c3125bdfb709d024c8e04b8
-
SSDEEP
24576:ID7x8JDwepWTu/g6YvOkAT5OdAP6tfKf2J9lb:Ifx8JDwepWaOvOkANOdS6BT9V
Malware Config
Extracted
C:\GET_YOUR_FILES_BACK.txt
avoslocker
http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
Signatures
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exedescription ioc Process File renamed C:\Users\Admin\Pictures\UninstallUse.tif => C:\Users\Admin\Pictures\UninstallUse.tif.avos2 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe File renamed C:\Users\Admin\Pictures\InstallResume.png => C:\Users\Admin\Pictures\InstallResume.png.avos2 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe File renamed C:\Users\Admin\Pictures\OptimizeExpand.png => C:\Users\Admin\Pictures\OptimizeExpand.png.avos2 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid Process 956 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exepid Process 216 chrome.exe 216 chrome.exe 3424 chrome.exe 3424 chrome.exe 4948 chrome.exe 4948 chrome.exe 2544 chrome.exe 2544 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
chrome.exepid Process 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
chrome.exepid Process 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid Process 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe 3424 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid Process procid_target PID 3424 wrote to memory of 1776 3424 chrome.exe 98 PID 3424 wrote to memory of 1776 3424 chrome.exe 98 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 320 3424 chrome.exe 99 PID 3424 wrote to memory of 216 3424 chrome.exe 100 PID 3424 wrote to memory of 216 3424 chrome.exe 100 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101 PID 3424 wrote to memory of 1828 3424 chrome.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"1⤵
- Modifies extensions of user files
PID:1428
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3880
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GET_YOUR_FILES_BACK.txt1⤵
- Opens file in notepad (likely ransom note)
PID:956
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8ccb24f50,0x7ff8ccb24f60,0x7ff8ccb24f702⤵PID:1776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:22⤵PID:320
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵PID:1828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:12⤵PID:3592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:12⤵PID:1812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:12⤵PID:1664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:12⤵PID:900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵PID:4424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:82⤵PID:620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵PID:3000
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff79236a890,0x7ff79236a8a0,0x7ff79236a8b03⤵PID:1920
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:12⤵PID:4492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=980 /prefetch:82⤵PID:3436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5048 /prefetch:82⤵PID:764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=976 /prefetch:82⤵PID:4512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5004 /prefetch:82⤵PID:4436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,5575940208151370968,14207706530152647959,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:12⤵PID:4988
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4384
-
C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe"C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" -Embedding1⤵PID:1928
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5651c844ad8ffea0473fc70cc13ff2e47
SHA1f904db3a0e77df893d39cb41fe4297589db82459
SHA256f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
SHA51291ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e