avoslocker | e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f

General

Target

be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
Size

921KB
MD5

075cb88f83fbe4ad2ae0f553697e7bdf
SHA1

773dce7c01a42e8371cf49ceda07f26cba0907b9
SHA256

be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70
SHA512

3f0a503acbfffc79eed37597d59e313c31f6b5451fdad79eacd611119ec17a4a245928079993689811a5695ad310951a282b1c493d08bdb31aa2b5fdbf63bf67
SSDEEP

24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl135HlIp:SkXEg1ZlIzZtCpGE5j5oSHOlxdlIp

Score

10^/10

avoslocker discovery execution ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Renames multiple (191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1340577695.png"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2036	2324	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	32
PID 2324 wrote to memory of 2036	2324	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	32
PID 2324 wrote to memory of 2036	2324	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	32
PID 2324 wrote to memory of 2036	2324	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	32
PID 2036 wrote to memory of 792	2036	powershell.exe	34
PID 2036 wrote to memory of 792	2036	powershell.exe	34
PID 2036 wrote to memory of 792	2036	powershell.exe	34
PID 2036 wrote to memory of 792	2036	powershell.exe	34
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35
PID 2036 wrote to memory of 2124	2036	powershell.exe	35

C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1340577695.png /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:792
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
d90d05a5fea9c28b3bf2b55f808c3a45

SHA1
7774c79c85b4401acfc56002f9e8a3e10e8a7b60

SHA256
8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec

SHA512
783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

Download Submit
memory/2036-461-0x0000000073EE1000-0x0000000073EE2000-memory.dmp

Filesize
4KB

Download
memory/2036-462-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-463-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-464-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-467-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing