Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-12-2021 17:52

Static task: static1
Behavioral task: behavioral1
  Sample: c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.exe
  Resource: win10-en-20211208
General
Target: c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.exe
Size: 919KB
MD5: 825d6049ba8600ee5fefd817ac5444b4
SHA1: 31c4dfbf7029c5ca8334042faaf906477be1ec17
SHA256: c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02
SHA512: 43f30546ae519a902556412f5d0233a70c90181686e38dfe3c3751e462db91b0d189de1429f44805ba7bc188f5c5ff521eb26288f694f07f5868296f75d61bfa
Malware Config
Extracted from: C:\GET_YOUR_FILES_BACK.txt
Family: avoslocker
URLs:
  http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
  http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
Signatures
Avoslocker Ransomware
Avoslocker is a relatively new ransomware family, first observed in late June and early July 2021.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Process (all rows): c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02.bin.exe
File renamed: C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.avos2
File opened for modification: C:\Users\Admin\Pictures\RepairEdit.tiff
File renamed: C:\Users\Admin\Pictures\RestoreSwitch.png => C:\Users\Admin\Pictures\RestoreSwitch.png.avos2
File renamed: C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.avos2
File renamed: C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.avos2
File opened for modification: C:\Users\Admin\Pictures\TestPing.tiff
File renamed: C:\Users\Admin\Pictures\TestPing.tiff => C:\Users\Admin\Pictures\TestPing.tiff.avos2
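The signature above fires because every rename keeps the original file name intact and appends a new suffix (here .avos2), which is the pattern ransomware produces and a normal Save-As (old extension swapped for a new one) does not. The following is an added example, not code from the sandbox report or from any AvosLocker tooling, that reproduces this check over events in the shape of the IoC rows above and combines it with the ransom-note drop seen in the Malware Config section. The sample events, the process name sample.exe, the benign WINWORD.EXE row, the ransom-note name hints and the threshold of three renames are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the shape of the sandbox's file-event rows
# (description, IoC, process). Illustrative only, not a real log export.
SAMPLE_EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.avos2", "sample.exe"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\RepairEdit.tiff", "sample.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.avos2", "sample.exe"),
    ("File renamed", r"C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.avos2", "sample.exe"),
    ("File created", r"C:\GET_YOUR_FILES_BACK.txt", "sample.exe"),
    # Benign rename: a Save-As swaps the extension instead of appending one.
    ("File renamed", r"C:\Users\Admin\Documents\report.tmp => C:\Users\Admin\Documents\report.docx", "WINWORD.EXE"),
]

# The sandbox prints renames as "<source> => <destination>".
RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")

# Heuristic ransom-note name fragments and extensions (assumption for this example).
NOTE_HINTS = ("get_your_files_back", "readme", "restore", "recover", "decrypt", "how_to")
NOTE_EXTS = (".txt", ".hta", ".html")


def parse_rename(ioc: str):
    """Split a rename IoC into (source, destination), or None if it is not a rename."""
    m = RENAME_RE.match(ioc)
    return (m["src"], m["dst"]) if m else None


def appended_extension(src: str, dst: str):
    """Return the suffix when dst is exactly src plus '.<suffix>', else None.

    A rename that replaces the extension (report.tmp -> report.docx) returns None;
    only a rename that keeps the full original name and appends to it counts.
    """
    s, d = src.lower(), dst.lower()
    if not d.startswith(s + "."):
        return None
    ext = d[len(s) + 1:]
    if not ext or "\\" in ext or "/" in ext:
        return None
    return ext


def looks_like_ransom_note(path: str) -> bool:
    """Cheap name-based check for a dropped ransom note such as GET_YOUR_FILES_BACK.txt."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(NOTE_EXTS) and any(h in name for h in NOTE_HINTS)


def score_process(events, min_renames: int = 3):
    """Group file events per process and flag ransomware-like behaviour.

    A process is flagged when it appends a new extension to at least
    min_renames files, or to at least one file while also dropping a note.
    """
    per = defaultdict(lambda: {"appended_exts": Counter(), "ransom_note": False, "flag": False})
    for desc, ioc, proc in events:
        rec = per[proc]
        if desc == "File renamed":
            parsed = parse_rename(ioc)
            if parsed:
                ext = appended_extension(*parsed)
                if ext:
                    rec["appended_exts"][ext] += 1
        elif desc in ("File created", "File opened for modification"):
            if looks_like_ransom_note(ioc):
                rec["ransom_note"] = True
    for rec in per.values():
        n = sum(rec["appended_exts"].values())
        rec["flag"] = n >= min_renames or (n >= 1 and rec["ransom_note"])
    return dict(per)


if __name__ == "__main__":
    for proc, rec in score_process(SAMPLE_EVENTS).items():
        status = "FLAGGED" if rec["flag"] else "ok"
        print(f"{proc}: {status} appended={dict(rec['appended_exts'])} note={rec['ransom_note']}")
```

The same logic ports directly to EDR file-event telemetry: keying on "destination == source + new suffix" rather than on a known extension string keeps the rule useful when the family changes its suffix, while the note-drop signal lowers the rename threshold for a process that is clearly already in the encryption phase.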