Analysis Overview
SHA256
e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f
Threat Level: Known bad
The file be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.7z was found to be: Known bad.
Malicious Activity Summary
Avoslocker family
Avoslocker Ransomware
Renames multiple (129) files with added filename extension
Renames multiple (171) files with added filename extension
Downloads MZ/PE file
Sets desktop wallpaper using registry
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-13 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-13 10:41
Reported
2025-02-13 10:44
Platform
win7-20241010-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Avoslocker Ransomware
Avoslocker family
Renames multiple (171) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2012356288.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2012356288.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
Network
Files
C:\GET_YOUR_FILES_BACK.txt
| MD5 | d90d05a5fea9c28b3bf2b55f808c3a45 |
| SHA1 | 7774c79c85b4401acfc56002f9e8a3e10e8a7b60 |
| SHA256 | 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec |
| SHA512 | 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a |
memory/2164-422-0x0000000074581000-0x0000000074582000-memory.dmp
memory/2164-423-0x0000000074580000-0x0000000074B2B000-memory.dmp
memory/2164-424-0x0000000074580000-0x0000000074B2B000-memory.dmp
memory/2164-425-0x0000000074580000-0x0000000074B2B000-memory.dmp
memory/2164-426-0x0000000074580000-0x0000000074B2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2012356288.png
| MD5 | 5ca6d4ad7570cf8bfbdeadfe55e09471 |
| SHA1 | be3de1209ffbf8553865e6ae02d0f2a2de8cd6b5 |
| SHA256 | 11f5386c7328d46c59a26a5d11aa17fb64fa0e3e283e0da98afdedbefac27666 |
| SHA512 | 81241b00403a894f765451c3ba2db9b7967fd1b12d042ac67b9f9ee8872d7ca3642613ba81d3370a870c369e27dc68a66e875ff5589dc208743d10ad6a4eb915 |
memory/2164-430-0x0000000074580000-0x0000000074B2B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-13 10:41
Reported
2025-02-13 10:43
Platform
win10v2004-20250207-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Avoslocker Ransomware
Avoslocker family
Renames multiple (129) files with added filename extension
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Note: this signature carries no process attribution. The only network activity recorded in this run is MicrosoftEdgeUpdate.exe reaching Microsoft and Bing endpoints (the Internet Connection Discovery signature below is likewise attributed only to MicrosoftEdgeUpdate.exe), and the sole plaintext HTTP connection is to msedge.b.tlu.dl.delivery.mp.microsoft.com, the Edge update delivery host. The download is more plausibly background updater traffic on the Win10 image than a second-stage payload fetched by the sample; do not read it as a downloader stage without further evidence.
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\62469180.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62469180.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTZGMzFEMDctNTQ3Qy00MDhBLUFDQjYtRTVFRDk5NTQ3QTdFfSIgdXNlcmlkPSJ7RkJBNDEwNTYtMzJGRC00OUZELTk3M0ItRDI1NDQ4NzcxNkQ2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjA1OTVCNjYtMEIyRi00OTE0LTgzMUEtNDgzNjY5REFGNUI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc2MTE0MDk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| GB | 2.16.153.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.151.228.221:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 96.17.178.188:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt
| MD5 | d90d05a5fea9c28b3bf2b55f808c3a45 |
| SHA1 | 7774c79c85b4401acfc56002f9e8a3e10e8a7b60 |
| SHA256 | 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec |
| SHA512 | 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a |
memory/5764-372-0x000000007472E000-0x000000007472F000-memory.dmp
memory/5764-373-0x0000000004B80000-0x0000000004BB6000-memory.dmp
memory/5764-374-0x00000000052C0000-0x00000000058E8000-memory.dmp
memory/5764-376-0x0000000074720000-0x0000000074ED0000-memory.dmp
memory/5764-375-0x0000000074720000-0x0000000074ED0000-memory.dmp
memory/5764-377-0x0000000005190000-0x00000000051B2000-memory.dmp
memory/5764-378-0x0000000005960000-0x00000000059C6000-memory.dmp
memory/5764-379-0x00000000059D0000-0x0000000005A36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qyb412u.dsj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5764-389-0x0000000005BC0000-0x0000000005F14000-memory.dmp
memory/5764-390-0x00000000061E0000-0x00000000061FE000-memory.dmp
memory/5764-391-0x0000000006270000-0x00000000062BC000-memory.dmp
memory/5764-393-0x0000000007820000-0x0000000007E9A000-memory.dmp
memory/5764-394-0x0000000006720000-0x000000000673A000-memory.dmp
memory/5764-395-0x0000000007630000-0x00000000076C2000-memory.dmp
memory/5764-396-0x0000000074720000-0x0000000074ED0000-memory.dmp
memory/5764-400-0x0000000074720000-0x0000000074ED0000-memory.dmp