Analysis

  • max time kernel
    170s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-01-2024 02:20

General

  • Target

    f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe

  • Size

    921KB

  • MD5

    27fc2796210dc3bfdede6a69ac8fa3dd

  • SHA1

    b86ece05d5adbd421b0e50709ce95d25a79ea46e

  • SHA256

    f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f

  • SHA512

    983ba7f22cf07abc2348e22b40dc27d0e94f58d5f30d9a7b3e3930f84605f1993b7239c3ed514f0a8d0718f9eb0e66220856b1259d23ed9934e5efc81143528d

  • SSDEEP

    24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl13GHlI:SkXEg1ZlIzZtCpGE5j5oSHOlxmlI

Score
10/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

Ransom Note
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Additional notes from attackers responsible: We have dumped 120GB from your networks which is contain your sensitive data such as : -Personal Infos -Customers Infos (Their Contacts) -Financial -HR -Pictures (Signatures, ID, Passports,...) -Documents(Personal,Contracts,...) in order to prevent of leaking these data and also prevent of more attacks you're gonna have to contact us using below information.you have only 8 days before any incidents happens. Your ID: 7fea6ca54ef9ca028caf1e750b1c5510e65e315450898444eb8e8c1ec2d57426
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

  • Renames multiple (136) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe
    "C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6112
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:5836

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wao2lhd5.czh.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

    Filesize

    1KB

    MD5

    ee4b9494cf5b7402768b8db4a0f233c9

    SHA1

    9b5ea1e4fe997a6e9a6981d6f1d651557ad9c213

    SHA256

    f2161f906bed19f6a79f0bbe7919e3526baa5cf0080055e5aa84b50094a1278c

    SHA512

    29ef4199f16348262e3828991eca8608b340849e7c480ae469f36c7e1ed8995f5d63d0c66d7316dc9690148322b56164a707731122212b1669b7764c93e5f356

  • memory/6112-392-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

  • memory/6112-397-0x00000000050A0000-0x0000000005106000-memory.dmp

    Filesize

    408KB

  • memory/6112-390-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

  • memory/6112-393-0x0000000005190000-0x00000000057B8000-memory.dmp

    Filesize

    6.2MB

  • memory/6112-394-0x0000000074B40000-0x00000000752F0000-memory.dmp

    Filesize

    7.7MB

  • memory/6112-395-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

  • memory/6112-396-0x0000000004F00000-0x0000000004F22000-memory.dmp

    Filesize

    136KB

  • memory/6112-391-0x00000000029E0000-0x0000000002A16000-memory.dmp

    Filesize

    216KB

  • memory/6112-398-0x0000000005830000-0x0000000005896000-memory.dmp

    Filesize

    408KB

  • memory/6112-399-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

  • memory/6112-389-0x0000000074B40000-0x00000000752F0000-memory.dmp

    Filesize

    7.7MB

  • memory/6112-405-0x0000000005A20000-0x0000000005D74000-memory.dmp

    Filesize

    3.3MB

  • memory/6112-411-0x0000000005FF0000-0x000000000600E000-memory.dmp

    Filesize

    120KB

  • memory/6112-412-0x00000000060C0000-0x000000000610C000-memory.dmp

    Filesize

    304KB

  • memory/6112-414-0x0000000004B50000-0x0000000004B60000-memory.dmp

    Filesize

    64KB

  • memory/6112-415-0x0000000007670000-0x0000000007CEA000-memory.dmp

    Filesize

    6.5MB