avoslocker | f5880e3ce512f648351291a3728b13adb6c87954f9a88c3070dce9f4c5c5b1f4

Analysis

max time kernel
5s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

1.1MB
MD5

04dbd49522ee24448a45aebf69e88850
SHA1

67b8315214cb31fa4b5e013f24884b663768f2cf
SHA256

f5880e3ce512f648351291a3728b13adb6c87954f9a88c3070dce9f4c5c5b1f4
SHA512

9e30f7160dfe6fed3c4700ba13fffc7f69ae0cba530585bf3ece644b56572cc929652693d51da9a8067435fbc5b675dff12cedf0ad976c5d60d909bbe1e249a7
SSDEEP

24576:u4s+oT+NXBLi0rjFXvyHBlbmCZa8pXawp90sQvX:uioT+NXVFjxvMBlbmya8pKU9nQvX

Score

10^/10

avoslocker defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
34896	bcdedit.exe
34912	bcdedit.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	test.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
34904	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
244	test.exe
244	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	244	test.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3880	244	test.exe	84
PID 244 wrote to memory of 3880	244	test.exe	84
PID 244 wrote to memory of 3152	244	test.exe	85
PID 244 wrote to memory of 3152	244	test.exe	85
PID 244 wrote to memory of 4120	244	test.exe	86
PID 244 wrote to memory of 4120	244	test.exe	86
PID 244 wrote to memory of 4796	244	test.exe	87
PID 244 wrote to memory of 4796	244	test.exe	87
PID 244 wrote to memory of 1948	244	test.exe	88
PID 244 wrote to memory of 1948	244	test.exe	88

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c wmic shadowcopy delete /nointeractive
  2⤵
  PID:3880
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:3152
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:34904
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:4120
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:34896
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4796
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:34912
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
c92c2b70fb37f84aab38412ad9226aa8

SHA1
14f2e9a83285612d0a7b2c83b8f89bccfde6c154

SHA256
d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

SHA512
04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

Download Submit