Overview

overview

10

Static

static

3

generated_script.exe

windows7-x64

7

generated_script.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    generated_script.exe

  • Size

    56.0MB

  • MD5

    0743d55a94100e93c80e9ad6201f7f60

  • SHA1

    2e8ad959c55b407bd67a8cb88e93f3cd670cc1af

  • SHA256

    44000c80effa84d7b149003e07b9c73ebfdb73f21672f6beee69f6a298c226fb

  • SHA512

    4b69c923f9ffca887c1dc4904864015ca1e3e8dd05b828b4830acf7b1e349cf3260b82db0c601658fe6732aed622614a3a1d2353555e42d906c49e97879afacc

  • SSDEEP

    196608:8mKu818v8SYdQmRm8Qnf2ODjMnGydS8GrNs:mu81olYdQdF3MnG38GrNs

Score
10/10
avoslockerdefense_evasiondiscoveryevasionexecutionimpactransomware

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Avoslocker family
    avoslocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (4142) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\generated_script.exe
    "C:\Users\Admin\AppData\Local\Temp\generated_script.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Users\Admin\AppData\Local\Temp\generated_script.exe
      "C:\Users\Admin\AppData\Local\Temp\generated_script.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\tmp9dquk0q2\hack.exe
        C:\Users\Admin\AppData\Local\Temp\tmp9dquk0q2\hack.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c wmic shadowcopy delete /nointeractive
          4⤵
            PID:232
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete /nointeractive
              5⤵
                PID:56936
            • C:\Windows\SYSTEM32\cmd.exe
              cmd /c vssadmin.exe Delete Shadows /All /Quiet
              4⤵
                PID:644
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /All /Quiet
                  5⤵
                  • Interacts with shadow copies
                  PID:30808
              • C:\Windows\SYSTEM32\cmd.exe
                cmd /c bcdedit /set {default} recoveryenabled No
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2372
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled No
                  5⤵
                  • Modifies boot configuration data using bcdedit
                  PID:38200
              • C:\Windows\SYSTEM32\cmd.exe
                cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                4⤵
                  PID:3340
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    5⤵
                    • Modifies boot configuration data using bcdedit
                    PID:56952
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
                  4⤵
                    PID:3972
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:56944
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:35908
                    • C:\Windows\system32\reg.exe
                      "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1391265282.png /f
                      5⤵
                        PID:17928
                      • C:\Windows\system32\rundll32.exe
                        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
                        5⤵
                          PID:20852
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                    PID:30708

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    6cf293cb4d80be23433eecf74ddb5503

                    SHA1

                    24fe4752df102c2ef492954d6b046cb5512ad408

                    SHA256

                    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                    SHA512

                    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    64B

                    MD5

                    d8b9a260789a22d72263ef3bb119108c

                    SHA1

                    376a9bd48726f422679f2cd65003442c0b6f6dd5

                    SHA256

                    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

                    SHA512

                    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\VCRUNTIME140.dll
                    Filesize

                    96KB

                    MD5

                    f12681a472b9dd04a812e16096514974

                    SHA1

                    6fd102eb3e0b0e6eef08118d71f28702d1a9067c

                    SHA256

                    d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

                    SHA512

                    7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\_bz2.pyd
                    Filesize

                    81KB

                    MD5

                    4101128e19134a4733028cfaafc2f3bb

                    SHA1

                    66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

                    SHA256

                    5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

                    SHA512

                    4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\_decimal.pyd
                    Filesize

                    245KB

                    MD5

                    d47e6acf09ead5774d5b471ab3ab96ff

                    SHA1

                    64ce9b5d5f07395935df95d4a0f06760319224a2

                    SHA256

                    d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

                    SHA512

                    52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\_hashlib.pyd
                    Filesize

                    62KB

                    MD5

                    de4d104ea13b70c093b07219d2eff6cb

                    SHA1

                    83daf591c049f977879e5114c5fea9bbbfa0ad7b

                    SHA256

                    39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

                    SHA512

                    567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\_lzma.pyd
                    Filesize

                    154KB

                    MD5

                    337b0e65a856568778e25660f77bc80a

                    SHA1

                    4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

                    SHA256

                    613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

                    SHA512

                    19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\_socket.pyd
                    Filesize

                    76KB

                    MD5

                    8140bdc5803a4893509f0e39b67158ce

                    SHA1

                    653cc1c82ba6240b0186623724aec3287e9bc232

                    SHA256

                    39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

                    SHA512

                    d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\base_library.zip
                    Filesize

                    1.4MB

                    MD5

                    9836732a064983e8215e2e26e5b66974

                    SHA1

                    02e9a46f5a82fa5de6663299512ca7cd03777d65

                    SHA256

                    3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

                    SHA512

                    1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\libcrypto-1_1.dll
                    Filesize

                    3.3MB

                    MD5

                    6f4b8eb45a965372156086201207c81f

                    SHA1

                    8278f9539463f0a45009287f0516098cb7a15406

                    SHA256

                    976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

                    SHA512

                    2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\python311.dll
                    Filesize

                    5.5MB

                    MD5

                    9a24c8c35e4ac4b1597124c1dcbebe0f

                    SHA1

                    f59782a4923a30118b97e01a7f8db69b92d8382a

                    SHA256

                    a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

                    SHA512

                    9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\select.pyd
                    Filesize

                    28KB

                    MD5

                    97ee623f1217a7b4b7de5769b7b665d6

                    SHA1

                    95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

                    SHA256

                    0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

                    SHA512

                    20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\_MEI32682\unicodedata.pyd
                    Filesize

                    1.1MB

                    MD5

                    bc58eb17a9c2e48e97a12174818d969d

                    SHA1

                    11949ebc05d24ab39d86193b6b6fcff3e4733cfd

                    SHA256

                    ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

                    SHA512

                    4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sx2tl5zj.inv.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmp9dquk0q2\hack.exe
                    Filesize

                    807KB

                    MD5

                    e27b5291c8fb2dfdeb7f16bb6851df5e

                    SHA1

                    40207f83b601cd60905c1f807ac0889c80dfe33f

                    SHA256

                    ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

                    SHA512

                    2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

                    Download Submit

                  • C:\Users\GET_YOUR_FILES_BACK.txt
                    Filesize

                    1011B

                    MD5

                    c92c2b70fb37f84aab38412ad9226aa8

                    SHA1

                    14f2e9a83285612d0a7b2c83b8f89bccfde6c154

                    SHA256

                    d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

                    SHA512

                    04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

                    Download Submit

                  • memory/56944-16139-0x000001CFB86A0000-0x000001CFB86C2000-memory.dmp

                    Filesize

                    136KB

                    Download