Malware Analysis Report

2024-10-16 03:27

Sample ID 230601-t212vsff4w
Target 01798199.bin
SHA256 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2

Threat Level: Known bad

The file 01798199.bin was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Renames multiple (174) files with added filename extension

Renames multiple (166) files with added filename extension

Modifies extensions of user files

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-01 16:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 16:33

Reported

2023-06-01 16:36

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01798199.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (174) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\WatchRename.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectSearch.png => C:\Users\Admin\Pictures\SelectSearch.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\BackupOpen.tiff => C:\Users\Admin\Pictures\BackupOpen.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointShow.png => C:\Users\Admin\Pictures\CheckpointShow.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointRead.png => C:\Users\Admin\Pictures\CheckpointRead.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\ClearRequest.raw => C:\Users\Admin\Pictures\ClearRequest.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExitImport.crw => C:\Users\Admin\Pictures\ExitImport.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\DisableRegister.crw => C:\Users\Admin\Pictures\DisableRegister.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\BackupOpen.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\WatchRename.tiff => C:\Users\Admin\Pictures\WatchRename.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01798199.exe

"C:\Users\Admin\AppData\Local\Temp\01798199.exe"

Network

N/A

Files

C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt

MD5 651c844ad8ffea0473fc70cc13ff2e47
SHA1 f904db3a0e77df893d39cb41fe4297589db82459
SHA256 f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
SHA512 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 16:33

Reported

2023-06-01 16:36

Platform

win10v2004-20230221-en

Max time kernel

136s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01798199.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (166) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ApproveRepair.tiff => C:\Users\Admin\Pictures\ApproveRepair.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\PublishSelect.tif => C:\Users\Admin\Pictures\PublishSelect.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\RemoveMerge.crw => C:\Users\Admin\Pictures\RemoveMerge.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\RemoveOut.crw => C:\Users\Admin\Pictures\RemoveOut.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\WriteFormat.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockRevoke.png => C:\Users\Admin\Pictures\BlockRevoke.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\AssertSearch.raw => C:\Users\Admin\Pictures\AssertSearch.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\InstallRequest.png => C:\Users\Admin\Pictures\InstallRequest.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\UndoGrant.crw => C:\Users\Admin\Pictures\UndoGrant.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File renamed | C:\Users\Admin\Pictures\WriteFormat.tiff => C:\Users\Admin\Pictures\WriteFormat.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ApproveRepair.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01798199.exe

"C:\Users\Admin\AppData\Local\Temp\01798199.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.146.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 52.242.101.226:443 | N/A | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
NL | 13.69.109.130:443 | N/A | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp
US | 52.242.101.226:443 | N/A | tcp

Files

C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt

MD5 651c844ad8ffea0473fc70cc13ff2e47
SHA1 f904db3a0e77df893d39cb41fe4297589db82459
SHA256 f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
SHA512 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae