Analysis Overview
SHA256
d3470cbf411c34cb8fd2b21b7ab70ece9aff8b28e7b50722013ebfcfb26c954b
Threat Level: Known bad
The file f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.zip was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Renames multiple (198) files with added filename extension
Renames multiple (136) files with added filename extension
Sets desktop wallpaper using registry
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-05 02:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-05 02:20
Reported
2024-01-05 02:23
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (198) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\496767467.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe
"C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\496767467.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
Network
Files
C:\GET_YOUR_FILES_BACK.txt
| MD5 | ee4b9494cf5b7402768b8db4a0f233c9 |
| SHA1 | 9b5ea1e4fe997a6e9a6981d6f1d651557ad9c213 |
| SHA256 | f2161f906bed19f6a79f0bbe7919e3526baa5cf0080055e5aa84b50094a1278c |
| SHA512 | 29ef4199f16348262e3828991eca8608b340849e7c480ae469f36c7e1ed8995f5d63d0c66d7316dc9690148322b56164a707731122212b1669b7764c93e5f356 |
memory/1540-477-0x00000000028E0000-0x0000000002920000-memory.dmp
memory/1540-479-0x00000000028E0000-0x0000000002920000-memory.dmp
memory/1540-478-0x0000000073CC0000-0x000000007426B000-memory.dmp
memory/1540-476-0x0000000073CC0000-0x000000007426B000-memory.dmp
memory/1540-483-0x0000000073CC0000-0x000000007426B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\496767467.png
| MD5 | 52ebab915b3b7a577375a83f5a112e35 |
| SHA1 | 9b77c770b7c02c2720a5f57068f19d654ad80ca2 |
| SHA256 | 70d9b340bff370de621141e814f78994f6d757ce17178b28e8c9d5f478d5d3a5 |
| SHA512 | b93e40508078eaac3c5d6d78ca04cf029f0fd83cb93aa8919c27b999e231b511201bfb2f8c2f4faa9f8b253b187f5415bb9e03f7db5d425ff2df11ffd4da98fe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-05 02:20
Reported
2024-01-05 02:24
Platform
win10v2004-20231215-en
Max time kernel
170s
Max time network
180s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (136) files with added filename extension
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3480 wrote to memory of 6112 | N/A | C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3480 wrote to memory of 6112 | N/A | C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3480 wrote to memory of 6112 | N/A | C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe
"C:\Users\Admin\AppData\Local\Temp\f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt
| MD5 | ee4b9494cf5b7402768b8db4a0f233c9 |
| SHA1 | 9b5ea1e4fe997a6e9a6981d6f1d651557ad9c213 |
| SHA256 | f2161f906bed19f6a79f0bbe7919e3526baa5cf0080055e5aa84b50094a1278c |
| SHA512 | 29ef4199f16348262e3828991eca8608b340849e7c480ae469f36c7e1ed8995f5d63d0c66d7316dc9690148322b56164a707731122212b1669b7764c93e5f356 |
memory/6112-389-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/6112-390-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/6112-391-0x00000000029E0000-0x0000000002A16000-memory.dmp
memory/6112-392-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/6112-393-0x0000000005190000-0x00000000057B8000-memory.dmp
memory/6112-394-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/6112-395-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/6112-396-0x0000000004F00000-0x0000000004F22000-memory.dmp
memory/6112-397-0x00000000050A0000-0x0000000005106000-memory.dmp
memory/6112-398-0x0000000005830000-0x0000000005896000-memory.dmp
memory/6112-399-0x0000000004B50000-0x0000000004B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wao2lhd5.czh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6112-405-0x0000000005A20000-0x0000000005D74000-memory.dmp
memory/6112-411-0x0000000005FF0000-0x000000000600E000-memory.dmp
memory/6112-412-0x00000000060C0000-0x000000000610C000-memory.dmp
memory/6112-414-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/6112-415-0x0000000007670000-0x0000000007CEA000-memory.dmp