Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f2fab3c856...5c.exe

windows7-x64

10

f2fab3c856...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2024, 18:21 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2fab3c8562f852d00847aad5ebde069084758be998255b55c0b61b9b3be7c5c.exe

  • Size

    1.1MB

  • MD5

    414577c56ed5184ea260a89fb0d6a878

  • SHA1

    b2d8465417fab504a02f0407af9526d0cf3c8ebd

  • SHA256

    f2fab3c8562f852d00847aad5ebde069084758be998255b55c0b61b9b3be7c5c

  • SHA512

    6a8d0089934dfe27d4ff9cb15b4455ce408c297a490d330067d733b9b0708e1ded9e73a86c0c8efd41b734e9e709e21957b4506608f9b295d132fec1c13e39f3

  • SSDEEP

    24576:aImw98okVgela0as5CqLVO7XJCjkD3N0HRAn:EL5ljasaUW

Score
10/10
avoslockerdefense_evasiondiscoveryevasionexecutionimpactransomware

Malware Config

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Avoslocker family
    avoslocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (8503) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2fab3c8562f852d00847aad5ebde069084758be998255b55c0b61b9b3be7c5c.exe
    "C:\Users\Admin\AppData\Local\Temp\f2fab3c8562f852d00847aad5ebde069084758be998255b55c0b61b9b3be7c5c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
      "C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr" /S
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:3832
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2888
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4780
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:28468
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\56388273.png /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:28628
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
          4⤵
            PID:28680
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:15860

    Network

    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88deploystaticakamaitechnologiescom
    • flag-us
      DNS
      138.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      138.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      138.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      138.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      21.49.80.91.in-addr.arpa
      dns
      70 B
       145 B
       1
      1

      DNS Request

      21.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\GET_YOUR_FILES_BACK.txt
      Filesize

      1011B

      MD5

      c92c2b70fb37f84aab38412ad9226aa8

      SHA1

      14f2e9a83285612d0a7b2c83b8f89bccfde6c154

      SHA256

      d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f

      SHA512

      04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      79d3a960f51997915b243fbef8084741

      SHA1

      fe0e1081dd63119b4c03e528c28a3656902a3637

      SHA256

      0ba700c8d857fec0a2692a150be5991bcc83a129c45d395267eaee9205e6de50

      SHA512

      6ec9bb7dfebd8b0697996f66c29c728f0cdca1a7d0dc616d84d38c26567a3b0fbda6bb4ce29d656da35e5b10361315828f46e1438eac22ea0d9009aa6dd1ff2e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
      Filesize

      807KB

      MD5

      e27b5291c8fb2dfdeb7f16bb6851df5e

      SHA1

      40207f83b601cd60905c1f807ac0889c80dfe33f

      SHA256

      ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f

      SHA512

      2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xx0m5ktp.z0v.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2644-4-0x00007FF64CCE0000-0x00007FF64CDFE000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3972-17524-0x00000293C4660000-0x00000293C4682000-memory.dmp

      Filesize

      136KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.