avoslocker | d3470cbf411c34cb8fd2b21b7ab70ece9aff8b28e7b50722013ebfcfb26c954b

General

Target

f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe
Size

921KB
MD5

27fc2796210dc3bfdede6a69ac8fa3dd
SHA1

b86ece05d5adbd421b0e50709ce95d25a79ea46e
SHA256

f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f
SHA512

983ba7f22cf07abc2348e22b40dc27d0e94f58d5f30d9a7b3e3930f84605f1993b7239c3ed514f0a8d0718f9eb0e66220856b1259d23ed9934e5efc81143528d
SSDEEP

24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl13GHlI:SkXEg1ZlIzZtCpGE5j5oSHOlxmlI

Score

10^/10

avoslocker ransomware

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Ransom Note

AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Additional notes from attackers responsible: We have dumped 120GB from your networks which is contain your sensitive data such as : -Personal Infos -Customers Infos (Their Contacts) -Financial -HR -Pictures (Signatures, ID, Passports,...) -Documents(Personal,Contracts,...) in order to prevent of leaking these data and also prevent of more attacks you're gonna have to contact us using below information.you have only 8 days before any incidents happens. Your ID: 7fea6ca54ef9ca028caf1e750b1c5510e65e315450898444eb8e8c1ec2d57426

URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Renames multiple (198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\496767467.png"	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1540	2232	f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe	29
PID 2232 wrote to memory of 1540	2232	f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe	29
PID 2232 wrote to memory of 1540	2232	f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe	29
PID 2232 wrote to memory of 1540	2232	f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe	29
PID 1540 wrote to memory of 2404	1540	powershell.exe	31
PID 1540 wrote to memory of 2404	1540	powershell.exe	31
PID 1540 wrote to memory of 2404	1540	powershell.exe	31
PID 1540 wrote to memory of 2404	1540	powershell.exe	31
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32
PID 1540 wrote to memory of 884	1540	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe
"C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\496767467.png /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2404
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1KB

MD5
ee4b9494cf5b7402768b8db4a0f233c9

SHA1
9b5ea1e4fe997a6e9a6981d6f1d651557ad9c213

SHA256
f2161f906bed19f6a79f0bbe7919e3526baa5cf0080055e5aa84b50094a1278c

SHA512
29ef4199f16348262e3828991eca8608b340849e7c480ae469f36c7e1ed8995f5d63d0c66d7316dc9690148322b56164a707731122212b1669b7764c93e5f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\496767467.png

Filesize
16KB

MD5
52ebab915b3b7a577375a83f5a112e35

SHA1
9b77c770b7c02c2720a5f57068f19d654ad80ca2

SHA256
70d9b340bff370de621141e814f78994f6d757ce17178b28e8c9d5f478d5d3a5

SHA512
b93e40508078eaac3c5d6d78ca04cf029f0fd83cb93aa8919c27b999e231b511201bfb2f8c2f4faa9f8b253b187f5415bb9e03f7db5d425ff2df11ffd4da98fe

Download Submit
memory/1540-477-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/1540-479-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/1540-478-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-476-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-483-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing