Analysis

  • max time kernel
    33s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-07-2021 23:46

General

  • Target

    fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f.bin.exe

  • Size

    402KB

  • MD5

    76e177a94834b3f7c63257bc8011f60f

  • SHA1

    e2bdef45d8dd4b1811396781b0bc94092d268a88

  • SHA256

    fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f

  • SHA512

    d5bd1f1854f2b7a589c0d9a4f57df30a03c92250f400bb3868facdeca5dcee6f9ee3a72653640a2f2bdafebce3e4db0fe322bfad5045741c43784bc94ef39418

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: c5c5cc75754e1763b14a0651e339cb3ebf64f8a6567aeb1146c5aa7ffa2d19c0
URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/
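
The "Extracted" block above is what a sandbox config extractor pulls out of the dropped note: the two .onion contact URLs and the 64-hex victim ID. The following is an added example (not the sandbox's own extractor) that does the same over the note text quoted in this report; the regexes, the `claimed_cipher` field and the file-name/host-prefix attribution heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ransom note text copied from the "Malware Config" section of this report
# (dropped as C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt).
RANSOM_NOTE = (
    "Attention! Your files have been encrypted using AES-256. We highly suggest "
    "not shutting down your computer in case encryption process is not finished, "
    "as your files may get corrupted. In order to decrypt your files, you must pay "
    "for the decryption key & application. You may do so by visiting us at "
    "http://avos2fuj6olp6x36.onion. This is an onion address that you may access "
    "using Tor Browser which you may download at https://www.torproject.org/download/ "
    "Details such as pricing, how long before the price increases and such will be "
    "available to you once you enter your ID presented to you below in this note in "
    "our website. Hurry up, as the price may increase in the following days. If you "
    "fail to respond in a swift manner, we will leak your files in our press "
    "release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: "
    "c5c5cc75754e1763b14a0651e339cb3ebf64f8a6567aeb1146c5aa7ffa2d19c0"
)

# v2 onion names are 16 base32 characters, v3 names are 56. The optional
# trailing slash is kept so output matches the URL exactly as the note prints it.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/?")
VICTIM_ID_RE = re.compile(r"Your ID:\s*([0-9a-f]{64})", re.IGNORECASE)
CIPHER_RE = re.compile(r"encrypted using ([A-Z0-9-]+)")


@dataclass
class NoteConfig:
    onion_urls: List[str] = field(default_factory=list)
    victim_id: Optional[str] = None
    claimed_cipher: Optional[str] = None  # what the note claims, not verified


def extract_note_config(text: str) -> NoteConfig:
    """Pull the contact URLs, victim ID and claimed cipher out of a ransom note."""
    cfg = NoteConfig()
    seen = set()
    for url in ONION_RE.findall(text):  # preserves order, drops duplicates
        if url not in seen:
            seen.add(url)
            cfg.onion_urls.append(url)
    m = VICTIM_ID_RE.search(text)
    if m:
        cfg.victim_id = m.group(1).lower()
    m = CIPHER_RE.search(text)
    if m:
        cfg.claimed_cipher = m.group(1)
    return cfg


def looks_like_avoslocker_note(path: str, cfg: NoteConfig) -> bool:
    """Heuristic attribution (an assumption of this example, not the sandbox's
    rule): the note file name seen in this report plus at least one onion host
    whose name starts with 'avos'."""
    name_ok = path.rsplit("\\", 1)[-1].upper() == "GET_YOUR_FILES_BACK.TXT"
    host_ok = any(u.split("//", 1)[1].startswith("avos") for u in cfg.onion_urls)
    return name_ok and host_ok


if __name__ == "__main__":
    cfg = extract_note_config(RANSOM_NOTE)
    print(cfg)
    print(looks_like_avoslocker_note(r"C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt", cfg))
```

The clearnet Tor download link in the note is deliberately not captured: it is not an attacker-controlled indicator, and treating it as one would pollute a blocklist.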

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware family, first observed in late June and early July 2021.

  • Modifies extensions of user files (1 IoC)

    Ransomware generally changes the extension on encrypted files.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
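
The "Modifies extensions of user files" signature is a rename-count heuristic: one process changing the extension of many files under user directories. The following is an added example of that detection logic, not the sandbox's own rule. The rename events are constructed for the example (PID 1832 is the sample's PID from the process tree below; ".locked" is a placeholder because this report does not record the extension the family appends), and the threshold of 5 is an assumption.

```python
import ntpath
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple


class RenameEvent(NamedTuple):
    pid: int
    old_path: str
    new_path: str


# Only files under these roots count as "user files" (assumption of this example).
USER_ROOTS = ("C:\\Users\\",)

# Constructed sample events, not sandbox output.
SAMPLE_EVENTS = [
    RenameEvent(1832, r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.locked"),
    RenameEvent(1832, r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report.docx.locked"),
    RenameEvent(1832, r"C:\Users\Admin\Pictures\holiday.jpg", r"C:\Users\Admin\Pictures\holiday.jpg.locked"),
    RenameEvent(1832, r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.locked"),
    RenameEvent(1832, r"C:\Users\Admin\Music\track.mp3", r"C:\Users\Admin\Music\track.mp3.locked"),
    RenameEvent(1832, r"C:\Users\Admin\Videos\clip.mp4", r"C:\Users\Admin\Videos\clip.mp4.locked"),
    # An editor finishing a save: a single extension change, benign.
    RenameEvent(4100, r"C:\Users\Admin\Documents\~WRD0001.tmp", r"C:\Users\Admin\Documents\report2.docx"),
    # Renames outside the user roots are not counted at all.
    RenameEvent(1832, r"C:\Windows\Temp\x.log", r"C:\Windows\Temp\x.log.locked"),
]


def _ext(path: str) -> str:
    # ntpath so Windows paths split correctly even when this runs on Linux.
    return ntpath.splitext(path)[1].lower()


def is_user_file_extension_change(ev: RenameEvent) -> bool:
    """True when a file under a user root was renamed to a different extension."""
    if not ev.old_path.startswith(USER_ROOTS):
        return False
    return _ext(ev.old_path) != _ext(ev.new_path)


def flag_extension_changers(events: Iterable[RenameEvent], threshold: int = 5) -> List[Tuple[int, str, int]]:
    """Return (pid, new_extension, count) for each process that changed at least
    `threshold` user files to the same new extension, most active first."""
    per_pid_ext: Counter = Counter()
    for ev in events:
        if is_user_file_extension_change(ev):
            per_pid_ext[(ev.pid, _ext(ev.new_path))] += 1
    hits = [(pid, ext, n) for (pid, ext), n in per_pid_ext.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


if __name__ == "__main__":
    for pid, ext, n in flag_extension_changers(SAMPLE_EVENTS):
        print(f"PID {pid} renamed {n} user files to {ext}")
```

Grouping by (pid, new extension) rather than by pid alone is what keeps an editor's temp-file renames from accumulating into a false positive, while a ransomware process that appends one fixed suffix crosses the threshold quickly.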

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f.bin.exe"
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    PID:1832

Network

MITRE ATT&CK Matrix
