Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 10, 2024, 10:31 a.m.	Sept. 10, 2024, 10:34 a.m.

Size	807.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`8da384b2427b8397a5934182c159c257`
SHA256	`f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78`
CRC32	`63CEF296`
ssdeep	`12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAu:u4s+oT+NXBLi0rjFXvyHBlb6CZa8`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

AvosLocker.exe "C:\Users\test22\AppData\Local\Temp\AvosLocker.exe"
2544
- cmd.exe cmd /c wmic shadowcopy delete /nointeractive
  2628
- cmd.exe cmd /c vssadmin.exe Delete Shadows /All /Quiet
  2664
- cmd.exe cmd /c bcdedit /set {default} recoveryenabled No
  2704
- cmd.exe cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2744
- cmd.exe cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: Build: SonicBoom console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: b_bruteforce_smb_enable: 0 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: b_logical_disable: 0 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: b_network_disable: 1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: b_mutex_disable: 0 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: concurrent_threads_num_max: 200 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: drive: C: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: drive: D: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: drive: Z: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: drive D: took 0.003000 seconds console_handle: 0x00000007	1	1
WriteConsoleA Sept. 10, 2024, 10:31 a.m.	buffer: drive Z: took 0.177000 seconds console_handle: 0x00000007	1	1

Encryption keys have been identified in this analysis

Creates (office) documents on the filesystem (17 events)

file	C:\Users\test22\Documents\lLFuFezmExEmf.docm
file	C:\Users\test22\Documents\axTZwDBeUngqBG.ppt
file	C:\Users\test22\Documents\readme.xls
file	C:\Users\test22\Documents\WmXfDlmbAt.doc
file	C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm
file	C:\Users\test22\Documents\readme.doc
file	C:\Users\test22\Documents\ONyeiyAHXnG.docx
file	C:\Users\test22\Documents\vSjjFAKhemtn.doc
file	C:\Users\test22\Documents\sGUIEmQWRjHTi.docx
file	C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
file	C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm
file	C:\Users\test22\Documents\sByekmDWYN.docm
file	C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
file	C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
file	C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc
file	C:\Users\test22\Documents\KIprYLexEf.doc
file	C:\Users\test22\Documents\FOwRatdvSt.docm

Creates executable files on the filesystem (1 event)

file	C:\util\vm_setting.reg

Creates a suspicious process (4 events)

cmdline	cmd /c wmic shadowcopy delete /nointeractive
cmdline	cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmdline	cmd /c bcdedit /set {default} recoveryenabled No
cmdline	cmd /c powershell -command "Get-EventLog -LogName * \| ForEach { Clear-EventLog $_.Log }"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 10, 2024, 10:31 a.m.	snapshot_handle: 0x00000118 process_name: wsqmcons.exe process_identifier: 2308	1	1	0
Process32NextW Sept. 10, 2024, 10:31 a.m.	snapshot_handle: 0x00000118 process_name: conhost.exe process_identifier: 2596	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 10, 2024, 10:31 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd /c wmic shadowcopy delete /nointeractive

Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)

file	C:\tmpuvzci8\analyzer.py

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	Z:\Boot\BOOTSTAT.DAT

Modifies boot configuration settings (2 events)

command	cmd /c bcdedit /set {default} recoveryenabled no
command	cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

Writes a potential ransom message to disk (2 events)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile Sept. 10, 2024, 10:31 a.m.	buffer: AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 569005170014ec31d13e91e189207bb036c8a72478d1e5a2f51ea3bade53e837 offset: 0 file_handle: 0x00000468 filepath: C:\GET_YOUR_FILES_BACK.txt	1	0	0
NtWriteFile Sept. 10, 2024, 10:31 a.m.	buffer: AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 569005170014ec31d13e91e189207bb036c8a72478d1e5a2f51ea3bade53e837 offset: 0 file_handle: 0x00000474 filepath: \Device\HarddiskVolume1\GET_YOUR_FILES_BACK.txt	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

cmd /c vssadmin.exe Delete Shadows /All /Quiet

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.AvosLocker.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Avoslocker.S27130740
Skyhigh	BehavesLike.Win32.Infected.ch
ALYac	Trojan.Ransom.AvosLocker
Cylance	Unsafe
VIPRE	Dump:Generic.Ransom.AmnesiaE.FC97BF15
Sangfor	Ransom.Win32.Avoslocker.V6ok
K7AntiVirus	Trojan ( 0058241e1 )
BitDefender	Dump:Generic.Ransom.AmnesiaE.FC97BF15
K7GW	Trojan ( 0058241e1 )
Cybereason	malicious.2427b8
Arcabit	Dump:Generic.Ransom.AmnesiaE.FC97BF15
VirIT	Trojan.Win32.Genus.LXS
Symantec	Ransom.AvosLocker
ESET-NOD32	a variant of Win32/Filecoder.AvosLocker.A
Avast	Win32:RansomX-gen [Ransom]
ClamAV	Win.Ransomware.Deepscan-9938939-0
Kaspersky	HEUR:Trojan.Win32.DelShad.gen
Alibaba	Ransom:Win32/AvosLocker.76642e7b
NANO-Antivirus	Trojan.Win32.DelShad.jpyrxd
MicroWorld-eScan	Dump:Generic.Ransom.AmnesiaE.FC97BF15
Rising	Trojan.Filecoder!8.68 (TFE:5:pZJ1k8KCxxO)
Emsisoft	Dump:Generic.Ransom.AmnesiaE.FC97BF15 (B)
F-Secure	Heuristic.HEUR/AGEN.1318629
DrWeb	Trojan.Encoder.34626
Zillya	Trojan.Filecoder.Win32.20880
TrendMicro	Ransom.Win32.AVOSLOCKER.SMYXBLNT
McAfeeD	ti!F8E99BBACC62
FireEye	Generic.mg.8da384b2427b8397
Sophos	Troj/Ransom-GTK
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.DelShad.buh
Webroot	W32.Ransom.Gen
Google	Detected
Avira	HEUR/AGEN.1318629
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.DelShad
Kingsoft	Win32.Troj.Generic.jm
Gridinsoft	Ransom.Win32.AvosLocker.tr
Xcitium	Malware@#2502rf9mx1khm
Microsoft	Ransom:Win32/AvosLocker.MBK!MTB
ViRobot	Trojan.Win32.Z.Avoslocker.826880.E
ZoneAlarm	HEUR:Trojan.Win32.DelShad.gen
GData	Dump:Generic.Ransom.AmnesiaE.FC97BF15
Varist	W32/Trojan.ICF.gen!Eldorado
AhnLab-V3	Ransomware/Win.AvosLocker.R452361
McAfee	GenericRXRK-AV!8DA384B2427B

AvosLocker.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All