f59d32ab7fa90ccadd961903a136f2f64ce3dbe642062fc397b63b31f8e03c16

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 08:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe
Size

6.5MB
MD5

28e83d675d40afd18e3159b0f82130c4
SHA1

902b1fb1d946e6aa2bcca27b4746c0fc59f82662
SHA256

f59d32ab7fa90ccadd961903a136f2f64ce3dbe642062fc397b63b31f8e03c16
SHA512

0c6e724969627796dd5aa291f4123f8ddd4a10e3b1d54ea223680d4e260f5bab155306955f735fbfb270a6d61c3d0b7c7522fa5ce584276b057c3d74f2f581a9
SSDEEP

98304:3I9tiSH6a6gfFCZ8th/yp3qvZ4ypOKRxoBBTxBQk6dtQ:3AH6aff4+4p84yjRyBNxqQ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	dde6d07c6bbb43e7afc55c214685f772.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2924	2180	2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe	29
PID 2180 wrote to memory of 2924	2180	2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe	29
PID 2180 wrote to memory of 2924	2180	2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe	29
PID 2180 wrote to memory of 2924	2180	2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_28e83d675d40afd18e3159b0f82130c4_avoslocker_revil.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\dde6d07c6bbb43e7afc55c214685f772.exe
  "C:\Users\Admin\AppData\Local\Temp\dde6d07c6bbb43e7afc55c214685f772.exe" --01
  2⤵
  - Executes dropped EXE
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dde6d07c6bbb43e7afc55c214685f772.exe

Filesize
6.0MB

MD5
02e6bf47f5315e8da515ccae63f58a6e

SHA1
3469eec2964080610b188eceabc216a5f0244d2b

SHA256
aad9c5c01c5c87d33da0695c53eb0bdae432d41452a2f54ddc1f23eb14928517

SHA512
949bf7ff8eaa37a0c036af580f6bde633aec5336312f1c96d879aaf2398ee05f82a9d84ce002937b95382bedf2e7143e894b8d0feec478d074a1a3e1baf1d031

Download Submit
memory/2180-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-2-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-3-0x0000000002810000-0x000000000283E000-memory.dmp

Filesize
184KB

Download
memory/2180-4-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2180-11-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/2180-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download