Malware Analysis Report

2025-03-15 08:29

Sample ID 250213-mranlawqek
Target be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.7z
SHA256 e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f
Tags
avoslocker discovery execution ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f

Threat Level: Known bad

The file be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.7z was found to be: Known bad.

Malicious Activity Summary

avoslocker discovery execution ransomware

Avoslocker family

Avoslocker Ransomware

Renames multiple (129) files with added filename extension

Renames multiple (171) files with added filename extension

Downloads MZ/PE file

Sets desktop wallpaper using registry

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-13 10:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 10:41

Reported

2025-02-13 10:44

Platform

win7-20241010-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Avoslocker family

avoslocker

Renames multiple (171) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2012356288.png" C:\Windows\SysWOW64\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe

"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2012356288.png /f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 d90d05a5fea9c28b3bf2b55f808c3a45
SHA1 7774c79c85b4401acfc56002f9e8a3e10e8a7b60
SHA256 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
SHA512 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

memory/2164-422-0x0000000074581000-0x0000000074582000-memory.dmp

memory/2164-423-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2164-424-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2164-425-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2164-426-0x0000000074580000-0x0000000074B2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2012356288.png

MD5 5ca6d4ad7570cf8bfbdeadfe55e09471
SHA1 be3de1209ffbf8553865e6ae02d0f2a2de8cd6b5
SHA256 11f5386c7328d46c59a26a5d11aa17fb64fa0e3e283e0da98afdedbefac27666
SHA512 81241b00403a894f765451c3ba2db9b7967fd1b12d042ac67b9f9ee8872d7ca3642613ba81d3370a870c369e27dc68a66e875ff5589dc208743d10ad6a4eb915

memory/2164-430-0x0000000074580000-0x0000000074B2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-13 10:41

Reported

2025-02-13 10:43

Platform

win10v2004-20250207-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Avoslocker family

avoslocker

Renames multiple (129) files with added filename extension

ransomware

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\62469180.png" C:\Windows\SysWOW64\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe

"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62469180.png /f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTZGMzFEMDctNTQ3Qy00MDhBLUFDQjYtRTVFRDk5NTQ3QTdFfSIgdXNlcmlkPSJ7RkJBNDEwNTYtMzJGRC00OUZELTk3M0ItRDI1NDQ4NzcxNkQ2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjA1OTVCNjYtMEIyRi00OTE0LTgzMUEtNDgzNjY5REFGNUI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc2MTE0MDk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Network

Country Destination Domain Proto
GB 2.16.153.203:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.151.228.221:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 96.17.178.188:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

MD5 d90d05a5fea9c28b3bf2b55f808c3a45
SHA1 7774c79c85b4401acfc56002f9e8a3e10e8a7b60
SHA256 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
SHA512 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

memory/5764-372-0x000000007472E000-0x000000007472F000-memory.dmp

memory/5764-373-0x0000000004B80000-0x0000000004BB6000-memory.dmp

memory/5764-374-0x00000000052C0000-0x00000000058E8000-memory.dmp

memory/5764-376-0x0000000074720000-0x0000000074ED0000-memory.dmp

memory/5764-375-0x0000000074720000-0x0000000074ED0000-memory.dmp

memory/5764-377-0x0000000005190000-0x00000000051B2000-memory.dmp

memory/5764-378-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/5764-379-0x00000000059D0000-0x0000000005A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qyb412u.dsj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5764-389-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/5764-390-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/5764-391-0x0000000006270000-0x00000000062BC000-memory.dmp

memory/5764-393-0x0000000007820000-0x0000000007E9A000-memory.dmp

memory/5764-394-0x0000000006720000-0x000000000673A000-memory.dmp

memory/5764-395-0x0000000007630000-0x00000000076C2000-memory.dmp

memory/5764-396-0x0000000074720000-0x0000000074ED0000-memory.dmp

memory/5764-400-0x0000000074720000-0x0000000074ED0000-memory.dmp