Malware Analysis Report

2024-10-16 03:26

Sample ID: 230601-tljgwafb96
Target: 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.bin
SHA256: 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2
Tags: avoslocker, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2

Threat Level: Known bad

The file 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.bin was found to be: Known bad.

Malicious Activity Summary

Tags: avoslocker, ransomware

Avoslocker Ransomware

Renames multiple (150) files with added filename extension

Modifies extensions of user files

Unsigned PE

Opens file in notepad (likely ransom note)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-06-01 16:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-01 16:08
Reported: 2023-06-01 16:09
Platform: win10v2004-20230220-en
Max time kernel: 19s
Max time network: 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

Signatures

Avoslocker Ransomware

Tags: ransomware, avoslocker

Renames multiple (150) files with added filename extension

Tags: ransomware

Modifies extensions of user files

Tags: ransomware

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\GrantPush.tiff | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenPop.tiff => C:\Users\Admin\Pictures\OpenPop.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\GrantPush.tiff => C:\Users\Admin\Pictures\GrantPush.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompressRestore.crw => C:\Users\Admin\Pictures\CompressRestore.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OpenPop.tiff | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\DismountMount.tif => C:\Users\Admin\Pictures\DismountMount.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenSync.tif => C:\Users\Admin\Pictures\OpenSync.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\JoinMove.crw => C:\Users\Admin\Pictures\JoinMove.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ConvertFromPublish.tiff | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromPublish.tiff => C:\Users\Admin\Pictures\ConvertFromPublish.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A

Opens file in notepad (likely ransom note)

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"

C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

Network

Country | Destination | Domain | Proto
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.242:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 242.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.167.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp

Files

C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt
    MD5: 651c844ad8ffea0473fc70cc13ff2e47
    SHA1: f904db3a0e77df893d39cb41fe4297589db82459
    SHA256: f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
    SHA512: 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    MD5: 651c844ad8ffea0473fc70cc13ff2e47
    SHA1: f904db3a0e77df893d39cb41fe4297589db82459
    SHA256: f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b
    SHA512: 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae