ScreenShot
| Created | 2024.09.10 10:34 | Machine | s1_win7_x6401 |
| Filename | AvosLocker.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 64 detected (AIDetectMalware, AvosLocker, malicious, high confidence, score, S27130740, Infected, Unsafe, Dump, AmnesiaE, V6ok, Genus, Filecoder, RansomX, Ransomware, Deepscan, DelShad, jpyrxd, pZJ1k8KCxxO, AGEN, SMYXBLNT, Static AI, Suspicious PE, Detected, ai score=100, Malware@#2502rf9mx1khm, Eldorado, R452361, GenericRXRK, FileCrypter, Genetic, Gencirc, Lockfile, susgen, confidence, 100%) | ||
| md5 | 8da384b2427b8397a5934182c159c257 | ||
| sha256 | f8e99bbacc62b0f72aa12f5f92e35607fa0382a881fe4a4b9476fc6b87a03c78 | ||
| ssdeep | 12288:0Z4s3rg9u/2/oT+NXtHLlP/O+OeO+OeNhBBhhBBAtHg9rjI+LXJ0ivlzkHBDsYAu:u4s+oT+NXBLi0rjFXvyHBlb6CZa8 | ||
| imphash | 6384241afa3b18e8b84aff69eaa01910 | ||
| impfuzzy | 96:NZKgkX1ttrS1wWJcpH+Kh+gN/prBPRseIm:NYgkFBWOMeIm | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 64 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
| watch | Creates known Hupigon files |
| watch | Modifies boot configuration settings |
| watch | Uses suspicious command line tools or Windows utilities |
| watch | Writes a potential ransom message to disk |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates (office) documents on the filesystem |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Encryption keys have been identified in this analysis |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Command line console output was observed |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49d04c FormatMessageA
0x49d050 FindNextVolumeW
0x49d054 CreateIoCompletionPort
0x49d058 GetDriveTypeW
0x49d05c GetVolumePathNamesForVolumeNameW
0x49d060 ResetEvent
0x49d064 GetConsoleWindow
0x49d068 CopyFileW
0x49d06c FindVolumeClose
0x49d070 ExitProcess
0x49d074 LocalFree
0x49d078 SetVolumeMountPointW
0x49d07c CloseHandle
0x49d080 Process32Next
0x49d084 GlobalAlloc
0x49d088 GetLastError
0x49d08c Sleep
0x49d090 CreateToolhelp32Snapshot
0x49d094 SetFileAttributesW
0x49d098 PostQueuedCompletionStatus
0x49d09c GetFileAttributesW
0x49d0a0 CreateMutexA
0x49d0a4 GetQueuedCompletionStatus
0x49d0a8 SetThreadPriority
0x49d0ac SetEvent
0x49d0b0 WriteConsoleW
0x49d0b4 CreateFileW
0x49d0b8 Wow64DisableWow64FsRedirection
0x49d0bc lstrlenW
0x49d0c0 GetCurrentProcess
0x49d0c4 FindFirstVolumeW
0x49d0c8 Process32First
0x49d0cc GetFileSizeEx
0x49d0d0 HeapSize
0x49d0d4 GetTimeZoneInformation
0x49d0d8 ReadConsoleW
0x49d0dc SetFilePointerEx
0x49d0e0 ReadFile
0x49d0e4 GetConsoleMode
0x49d0e8 GetConsoleOutputCP
0x49d0ec FlushFileBuffers
0x49d0f0 SetStdHandle
0x49d0f4 InitializeSListHead
0x49d0f8 UnhandledExceptionFilter
0x49d0fc SetUnhandledExceptionFilter
0x49d100 TerminateProcess
0x49d104 IsProcessorFeaturePresent
0x49d108 IsDebuggerPresent
0x49d10c GetStartupInfoW
0x49d110 GetModuleHandleW
0x49d114 QueryPerformanceCounter
0x49d118 GetCurrentProcessId
0x49d11c GetCurrentThreadId
0x49d120 GetSystemTimeAsFileTime
0x49d124 MultiByteToWideChar
0x49d128 InitializeSRWLock
0x49d12c ReleaseSRWLockExclusive
0x49d130 AcquireSRWLockExclusive
0x49d134 EnterCriticalSection
0x49d138 LeaveCriticalSection
0x49d13c InitializeCriticalSectionEx
0x49d140 TryEnterCriticalSection
0x49d144 DeleteCriticalSection
0x49d148 WideCharToMultiByte
0x49d14c WaitForSingleObjectEx
0x49d150 GetExitCodeThread
0x49d154 LCMapStringEx
0x49d158 EncodePointer
0x49d15c DecodePointer
0x49d160 QueryPerformanceFrequency
0x49d164 GetProcAddress
0x49d168 CompareStringEx
0x49d16c GetCPInfo
0x49d170 GetLocaleInfoEx
0x49d174 GetStringTypeW
0x49d178 SetLastError
0x49d17c RtlUnwind
0x49d180 InterlockedPushEntrySList
0x49d184 RaiseException
0x49d188 InitializeCriticalSectionAndSpinCount
0x49d18c TlsAlloc
0x49d190 TlsGetValue
0x49d194 TlsSetValue
0x49d198 TlsFree
0x49d19c FreeLibrary
0x49d1a0 LoadLibraryExW
0x49d1a4 GetModuleHandleExW
0x49d1a8 CreateThread
0x49d1ac ExitThread
0x49d1b0 FreeLibraryAndExitThread
0x49d1b4 GetModuleFileNameW
0x49d1b8 GetStdHandle
0x49d1bc WriteFile
0x49d1c0 GetCommandLineA
0x49d1c4 GetCommandLineW
0x49d1c8 HeapFree
0x49d1cc HeapAlloc
0x49d1d0 GetDateFormatW
0x49d1d4 GetTimeFormatW
0x49d1d8 CompareStringW
0x49d1dc LCMapStringW
0x49d1e0 GetLocaleInfoW
0x49d1e4 IsValidLocale
0x49d1e8 GetUserDefaultLCID
0x49d1ec EnumSystemLocalesW
0x49d1f0 GetFileType
0x49d1f4 HeapReAlloc
0x49d1f8 FindClose
0x49d1fc FindFirstFileExW
0x49d200 FindNextFileW
0x49d204 IsValidCodePage
0x49d208 GetACP
0x49d20c GetOEMCP
0x49d210 GetEnvironmentStringsW
0x49d214 FreeEnvironmentStringsW
0x49d218 SetEnvironmentVariableW
0x49d21c GetProcessHeap
0x49d220 CreateEventW
ADVAPI32.dll
0x49d000 CryptDestroyKey
0x49d004 CryptImportKey
0x49d008 FreeSid
0x49d00c OpenProcessToken
0x49d010 SetNamedSecurityInfoW
0x49d014 LookupPrivilegeValueA
0x49d018 AllocateAndInitializeSid
0x49d01c CryptEncrypt
0x49d020 CryptReleaseContext
0x49d024 SetEntriesInAclA
0x49d028 AdjustTokenPrivileges
0x49d02c CryptAcquireContextA
0x49d030 CryptGenRandom
USER32.dll
0x49d250 ShutdownBlockReasonCreate
0x49d254 ShowWindow
CRYPT32.dll
0x49d038 CryptStringToBinaryA
0x49d03c CryptBinaryToStringA
0x49d040 CryptDecodeObjectEx
0x49d044 CryptImportPublicKeyInfo
RstrtMgr.DLL
0x49d23c RmGetList
0x49d240 RmRegisterResources
0x49d244 RmStartSession
0x49d248 RmEndSession
MPR.dll
0x49d228 WNetOpenEnumA
0x49d22c WNetCloseEnum
0x49d230 WNetAddConnection2A
0x49d234 WNetEnumResourceA
EAT(Export Address Table) is none
KERNEL32.dll
0x49d04c FormatMessageA
0x49d050 FindNextVolumeW
0x49d054 CreateIoCompletionPort
0x49d058 GetDriveTypeW
0x49d05c GetVolumePathNamesForVolumeNameW
0x49d060 ResetEvent
0x49d064 GetConsoleWindow
0x49d068 CopyFileW
0x49d06c FindVolumeClose
0x49d070 ExitProcess
0x49d074 LocalFree
0x49d078 SetVolumeMountPointW
0x49d07c CloseHandle
0x49d080 Process32Next
0x49d084 GlobalAlloc
0x49d088 GetLastError
0x49d08c Sleep
0x49d090 CreateToolhelp32Snapshot
0x49d094 SetFileAttributesW
0x49d098 PostQueuedCompletionStatus
0x49d09c GetFileAttributesW
0x49d0a0 CreateMutexA
0x49d0a4 GetQueuedCompletionStatus
0x49d0a8 SetThreadPriority
0x49d0ac SetEvent
0x49d0b0 WriteConsoleW
0x49d0b4 CreateFileW
0x49d0b8 Wow64DisableWow64FsRedirection
0x49d0bc lstrlenW
0x49d0c0 GetCurrentProcess
0x49d0c4 FindFirstVolumeW
0x49d0c8 Process32First
0x49d0cc GetFileSizeEx
0x49d0d0 HeapSize
0x49d0d4 GetTimeZoneInformation
0x49d0d8 ReadConsoleW
0x49d0dc SetFilePointerEx
0x49d0e0 ReadFile
0x49d0e4 GetConsoleMode
0x49d0e8 GetConsoleOutputCP
0x49d0ec FlushFileBuffers
0x49d0f0 SetStdHandle
0x49d0f4 InitializeSListHead
0x49d0f8 UnhandledExceptionFilter
0x49d0fc SetUnhandledExceptionFilter
0x49d100 TerminateProcess
0x49d104 IsProcessorFeaturePresent
0x49d108 IsDebuggerPresent
0x49d10c GetStartupInfoW
0x49d110 GetModuleHandleW
0x49d114 QueryPerformanceCounter
0x49d118 GetCurrentProcessId
0x49d11c GetCurrentThreadId
0x49d120 GetSystemTimeAsFileTime
0x49d124 MultiByteToWideChar
0x49d128 InitializeSRWLock
0x49d12c ReleaseSRWLockExclusive
0x49d130 AcquireSRWLockExclusive
0x49d134 EnterCriticalSection
0x49d138 LeaveCriticalSection
0x49d13c InitializeCriticalSectionEx
0x49d140 TryEnterCriticalSection
0x49d144 DeleteCriticalSection
0x49d148 WideCharToMultiByte
0x49d14c WaitForSingleObjectEx
0x49d150 GetExitCodeThread
0x49d154 LCMapStringEx
0x49d158 EncodePointer
0x49d15c DecodePointer
0x49d160 QueryPerformanceFrequency
0x49d164 GetProcAddress
0x49d168 CompareStringEx
0x49d16c GetCPInfo
0x49d170 GetLocaleInfoEx
0x49d174 GetStringTypeW
0x49d178 SetLastError
0x49d17c RtlUnwind
0x49d180 InterlockedPushEntrySList
0x49d184 RaiseException
0x49d188 InitializeCriticalSectionAndSpinCount
0x49d18c TlsAlloc
0x49d190 TlsGetValue
0x49d194 TlsSetValue
0x49d198 TlsFree
0x49d19c FreeLibrary
0x49d1a0 LoadLibraryExW
0x49d1a4 GetModuleHandleExW
0x49d1a8 CreateThread
0x49d1ac ExitThread
0x49d1b0 FreeLibraryAndExitThread
0x49d1b4 GetModuleFileNameW
0x49d1b8 GetStdHandle
0x49d1bc WriteFile
0x49d1c0 GetCommandLineA
0x49d1c4 GetCommandLineW
0x49d1c8 HeapFree
0x49d1cc HeapAlloc
0x49d1d0 GetDateFormatW
0x49d1d4 GetTimeFormatW
0x49d1d8 CompareStringW
0x49d1dc LCMapStringW
0x49d1e0 GetLocaleInfoW
0x49d1e4 IsValidLocale
0x49d1e8 GetUserDefaultLCID
0x49d1ec EnumSystemLocalesW
0x49d1f0 GetFileType
0x49d1f4 HeapReAlloc
0x49d1f8 FindClose
0x49d1fc FindFirstFileExW
0x49d200 FindNextFileW
0x49d204 IsValidCodePage
0x49d208 GetACP
0x49d20c GetOEMCP
0x49d210 GetEnvironmentStringsW
0x49d214 FreeEnvironmentStringsW
0x49d218 SetEnvironmentVariableW
0x49d21c GetProcessHeap
0x49d220 CreateEventW
ADVAPI32.dll
0x49d000 CryptDestroyKey
0x49d004 CryptImportKey
0x49d008 FreeSid
0x49d00c OpenProcessToken
0x49d010 SetNamedSecurityInfoW
0x49d014 LookupPrivilegeValueA
0x49d018 AllocateAndInitializeSid
0x49d01c CryptEncrypt
0x49d020 CryptReleaseContext
0x49d024 SetEntriesInAclA
0x49d028 AdjustTokenPrivileges
0x49d02c CryptAcquireContextA
0x49d030 CryptGenRandom
USER32.dll
0x49d250 ShutdownBlockReasonCreate
0x49d254 ShowWindow
CRYPT32.dll
0x49d038 CryptStringToBinaryA
0x49d03c CryptBinaryToStringA
0x49d040 CryptDecodeObjectEx
0x49d044 CryptImportPublicKeyInfo
RstrtMgr.DLL
0x49d23c RmGetList
0x49d240 RmRegisterResources
0x49d244 RmStartSession
0x49d248 RmEndSession
MPR.dll
0x49d228 WNetOpenEnumA
0x49d22c WNetCloseEnum
0x49d230 WNetAddConnection2A
0x49d234 WNetEnumResourceA
EAT(Export Address Table) is none