Analysis Overview
SHA256
c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
Threat Level: Known bad
The file c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Modifies extensions of user files
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-11-22 14:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-22 14:59
Reported
2021-11-22 15:02
Platform
win7-en-20211104
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.avos2 | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PopReceive.tiff | C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
Network
Files
memory/2488-55-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp
C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
| Hash | Value |
|---|---|
| MD5 | c416bf3911487d819c45a4001a77b35f |
| SHA1 | dc19ce5f2f104f710edf83f7efa617f0bc749f67 |
| SHA256 | 76bbf445e90dffd6d609e98faad6f84f7dc99c5412026cfb1a6e224b1cb2e6e2 |
| SHA512 | b6ace2a4c58ec68a60b1e1640e5adc1abbc58c669bc0d24f1cc5e1a778d595b5c255c4cc0314f7b3e4a413759658c6c281dafaa59e1110d05119b17d00555e5d |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-22 14:59
Reported
2021-11-22 15:02
Platform
win10-en-20211014
Max time kernel
62s
Max time network
130s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
Processes
C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.sample.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| SE | 23.52.27.27:80 | | tcp |
| US | 8.253.208.120:80 | | tcp |
| SE | 23.52.27.27:80 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |