Overview

overview

10

Static

static

27cd3e759e...le.exe

windows7_x64

10

27cd3e759e...le.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    23-11-2021 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe

  • Size

    402KB

  • MD5

    b46dcf39b56fe9f129fd78bb70f39b2f

  • SHA1

    ffb271557d40717c39b71c99b9d53c9eaea760c1

  • SHA256

    27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4

  • SHA512

    e3e8d41f32e9dac4f2fce7ebcb7ce0d5cb382b773c14a07724f4a1d95c49cc0728423f0221b77b49e0f073cfe4bea5b1f453cd0967c0d2699b2a942c30e1f19e

Score
10/10
avoslockerransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note
Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Message from agent: wqe Your ID: f185fddd42a4b6b71d450e4cd7f961fc0d0359b66942fd95833cde18d44c5a2d
URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in System32 directory 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\27cd3e759ec4858adaea63050ad1fc22e4850c1e157d88c0943c2589fa39b5a4.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    PID:2716
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads