Analysis Overview
SHA256: 373a791f058539d72983e38ebe68e98132fcf996d04e9a181145f22a96689386
Threat Level: Known bad
The file offline.exe was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Modifies extensions of user files
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2021-09-28 18:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-09-28 18:44
Reported: 2021-09-28 18:46
Platform: win7-en-20210920
Max time kernel: 146s
Max time network: 140s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\UnprotectReceive.tiff => C:\Users\Admin\Pictures\UnprotectReceive.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EditRevoke.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EditRevoke.tiff => C:\Users\Admin\Pictures\EditRevoke.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectReceive.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowGroup.tiff => C:\Users\Admin\Pictures\ShowGroup.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectMount.tif => C:\Users\Admin\Pictures\UnprotectMount.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ShowGroup.tiff | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingDismount.raw => C:\Users\Admin\Pictures\PingDismount.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitClose.tif => C:\Users\Admin\Pictures\SplitClose.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\offline.exe
"C:\Users\Admin\AppData\Local\Temp\offline.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2021-09-28 18:44
Reported: 2021-09-28 18:46
Platform: win10v20210408
Max time kernel: 101s
Max time network: 103s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\ImportInvoke.tif => C:\Users\Admin\Pictures\ImportInvoke.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WritePush.crw => C:\Users\Admin\Pictures\WritePush.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountMount.tif => C:\Users\Admin\Pictures\DismountMount.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchUnpublish.raw => C:\Users\Admin\Pictures\SearchUnpublish.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LimitReceive.raw => C:\Users\Admin\Pictures\LimitReceive.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\offline.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\offline.exe
"C:\Users\Admin\AppData\Local\Temp\offline.exe"