Analysis Overview
SHA256
df480deb191b335dcbc3d4fc5d59594cb38caee2aaef8d877fbbc573de741301
Threat Level: Known bad
The file 6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.7z was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Modifies extensions of user files
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-01-19 21:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 21:39
Reported
2022-01-19 21:40
Platform
win7-en-20211208
Max time kernel
42s
Max time network
20s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\WaitJoin.crw => C:\Users\Admin\Pictures\WaitJoin.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
Network
Files
memory/2408-55-0x000007FEFC261000-0x000007FEFC263000-memory.dmp
C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
| MD5 | 651c844ad8ffea0473fc70cc13ff2e47 |
| SHA1 | f904db3a0e77df893d39cb41fe4297589db82459 |
| SHA256 | f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b |
| SHA512 | 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-19 21:39
Reported
2022-01-19 21:40
Platform
win10v2004-en-20220113
Max time kernel
49s
Max time network
44s
Command Line
Signatures
Avoslocker Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\BlockSave.png => C:\Users\Admin\Pictures\BlockSave.png.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupEnable.tif => C:\Users\Admin\Pictures\BackupEnable.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EditDisconnect.tif => C:\Users\Admin\Pictures\EditDisconnect.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectDisable.raw => C:\Users\Admin\Pictures\SelectDisable.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectCompare.raw => C:\Users\Admin\Pictures\UnprotectCompare.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectOptimize.png => C:\Users\Admin\Pictures\ConnectOptimize.png.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertBackup.crw => C:\Users\Admin\Pictures\ConvertBackup.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromRead.tif => C:\Users\Admin\Pictures\ConvertFromRead.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe
"C:\Users\Admin\AppData\Local\Temp\6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 204.79.197.203:443 | | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
Files
C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
| MD5 | 651c844ad8ffea0473fc70cc13ff2e47 |
| SHA1 | f904db3a0e77df893d39cb41fe4297589db82459 |
| SHA256 | f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b |
| SHA512 | 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae |