AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	1
AvosLocker - S1053 (0945a1a5-a79a-47c8-9079-10c16cdfcb5d)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2