General

  • Target

    0d094770db65ec637489116e1510ee787a48d6d130aad26ae40f7dbca6fe7182.zip

  • Size

    359KB

  • Sample

    220521-jfe76adhgm

  • MD5

    c8e24c4c02bb7d342fe4123aea42eebd

  • SHA1

    31684a3d37c889e4d502b688237da8ab2518e363

  • SHA256

    7350798ef19a86e5abd526d6cacacc97091daededf5a934b310d68ef03613b4a

  • SHA512

    66aa4c929ba09f19ae56c4e38195b1fbb635c87c65624da4bc9ca001e995bd107c14618c76e9d4ac83d43b8dc2165afaa1f5d88c5fa775f8cb3663fc0ff08ad3

Score
10/10

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Ransom Note
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 4f0c437975864c3037db7eed5dedd296dffc308be7bd28a7a86b34b110a3a887
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Targets

    • Target

      0d094770db65ec637489116e1510ee787a48d6d130aad26ae40f7dbca6fe7182.exe

    • Size

      807KB

    • MD5

      2163c068a10608bbc6d721dba25b0c47

    • SHA1

      1ade2676a39dbf268929aafbd3f576fc4ab6a7e6

    • SHA256

      0d094770db65ec637489116e1510ee787a48d6d130aad26ae40f7dbca6fe7182

    • SHA512

      75b2a0650bec7e98470e2a0f14caa6b164d3d4dd2c70c68860e019f2ff9b23695f7a6a27eae4f794915fb624c96dc12902f642eb1acb32041b3d2a296899139b

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6), listed as tactic, then technique ID, technique name, and the number of matched behaviours:

  • Defense Evasion

    T1107 File Deletion: 2
    T1112 Modify Registry: 1

  • Discovery

    T1012 Query Registry: 1
    T1120 Peripheral Device Discovery: 1
    T1082 System Information Discovery: 1

  • Impact

    T1490 Inhibit System Recovery: 3
    T1491 Defacement: 1

Tasks