avoslocker | 29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
23-11-2021 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
Size

402KB
MD5

f646ee1e7765458e1ac0d3b9b413a4f4
SHA1

732dee57ca723a008c00bdfae338a9cca4767cd2
SHA256

29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08
SHA512

79d6b8c56a80ce3b8a0621050e051160902168620a2b125cd6af2f9a5ec249264af31e7f636c045e3055340cf13e76eb743eb5cb27dc9843b63c852640a6cfc3

Score

10^/10

avoslocker ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Message from agent: We have exfiltrated confidential documents, passports scans, social security numbers and financial documents. All data will be leaked if you do not cooperate! Your ID: 168e11dcf2c8e477a570a445a82dec00ed1ae418a6722075b2986ccfd661f2d6

URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SkipStep.tiff => C:\Users\Admin\Pictures\SkipStep.tiff.avos	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UpdateReceive.png => C:\Users\Admin\Pictures\UpdateReceive.png.avos	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InstallConvert.png => C:\Users\Admin\Pictures\InstallConvert.png.avos	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RegisterDisable.png => C:\Users\Admin\Pictures\RegisterDisable.png.avos	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SkipStep.tiff	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1940	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
768	29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\29910ea42c8e2abb22d5a88053e1725c93a104e61560a2f8d88716d619bcaa08.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-55-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download