avoslocker | c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-en-20211104
submitted
22-11-2021 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
Size

919KB
MD5

825d6049ba8600ee5fefd817ac5444b4
SHA1

31c4dfbf7029c5ca8334042faaf906477be1ec17
SHA256

c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
SHA512

43f30546ae519a902556412f5d0233a70c90181686e38dfe3c3751e462db91b0d189de1429f44805ba7bc188f5c5ff521eb26288f694f07f5868296f75d61bfa

Score

10^/10

avoslocker ransomware

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 3276b4d5d73dc9de228691c8193c374f5c83ba83341cf9405130e0095f60437b

URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.avos2	c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.avos2	c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.avos2	c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PopReceive.tiff	c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2488	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"
1⤵
- Modifies extensions of user files
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-55-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download