{
  "description": "Enterprise techniques used by AvosLocker, ATT&CK software S1053 (v1.0)",
  "name": "AvosLocker (S1053)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has been executed via the `RunOnce` Registry key to run itself on safe mode.(Citation: Trend Micro AvosLocker Apr 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has encrypted files and network resources using AES-256 and added an `.avos`, `.avos2`, or `.AvosLinux` extension to filenames.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Cisco Talos Avos Jun 2022)(Citation: Joint CSA AvosLocker Mar 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has deobfuscated XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has searched for files and directories on a compromised network.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has hidden its console window by using the `ShowWindow` API function.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.009", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) can restart a compromised machine in safe mode.(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Costa AvosLocker May 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has been disguised as a .jpg file.(Citation: Trend Micro AvosLocker Apr 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has enumerated shared drives on a compromised network.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Joint CSA AvosLocker Mar 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has used XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.007", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has used obfuscated API calls that are retrieved by their checksums.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has discovered system processes by calling `RmGetList`.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has terminated specific processes before encryption.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1529", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053)\u2019s Linux variant has terminated ESXi virtual machines.(Citation: Trend Micro AvosLocker Apr 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[AvosLocker](https://attack.mitre.org/software/S1053) has checked the system time before and after encryption.(Citation: Malwarebytes AvosLocker Jul 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by AvosLocker", "color": "#66b1ff"}]
}