Malware Analysis Report

2024-10-16 03:27

Sample ID 240407-lgg49aac55
Target c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
SHA256 c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
Tags
avoslocker ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02

Threat Level: Known bad

The file c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02 was found to be: Known bad.

Malicious Activity Summary

avoslocker ransomware

Avoslocker Ransomware

Renames multiple (172) files with added filename extension

Renames multiple (165) files with added filename extension

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-07 09:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 09:30

Reported

2024-04-07 09:31

Platform

win7-20240319-en

Max time kernel

76s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (172) files with added filename extension

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" F:\GET_YOUR_FILES_BACK.txt

Network

N/A

Files

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

MD5 c416bf3911487d819c45a4001a77b35f
SHA1 dc19ce5f2f104f710edf83f7efa617f0bc749f67
SHA256 76bbf445e90dffd6d609e98faad6f84f7dc99c5412026cfb1a6e224b1cb2e6e2
SHA512 b6ace2a4c58ec68a60b1e1640e5adc1abbc58c669bc0d24f1cc5e1a778d595b5c255c4cc0314f7b3e4a413759658c6c281dafaa59e1110d05119b17d00555e5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 09:30

Reported

2024-04-07 09:32

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (165) files with added filename extension

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe

"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\GET_YOUR_FILES_BACK.txt

MD5 c416bf3911487d819c45a4001a77b35f
SHA1 dc19ce5f2f104f710edf83f7efa617f0bc749f67
SHA256 76bbf445e90dffd6d609e98faad6f84f7dc99c5412026cfb1a6e224b1cb2e6e2
SHA512 b6ace2a4c58ec68a60b1e1640e5adc1abbc58c669bc0d24f1cc5e1a778d595b5c255c4cc0314f7b3e4a413759658c6c281dafaa59e1110d05119b17d00555e5d