Analysis Overview
SHA256
6cc510a772d7718c95216eb56a84a96201241b264755f28875e685f06e95e1a2
Threat Level: Known bad
The file 01798199.bin was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Renames multiple (174) files with added filename extension
Renames multiple (166) files with added filename extension
Modifies extensions of user files
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-06-01 16:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 16:33
Reported
2023-06-01 16:36
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (174) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\WatchRename.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectSearch.png => C:\Users\Admin\Pictures\SelectSearch.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupOpen.tiff => C:\Users\Admin\Pictures\BackupOpen.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointShow.png => C:\Users\Admin\Pictures\CheckpointShow.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointRead.png => C:\Users\Admin\Pictures\CheckpointRead.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearRequest.raw => C:\Users\Admin\Pictures\ClearRequest.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExitImport.crw => C:\Users\Admin\Pictures\ExitImport.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisableRegister.crw => C:\Users\Admin\Pictures\DisableRegister.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupOpen.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WatchRename.tiff => C:\Users\Admin\Pictures\WatchRename.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01798199.exe
"C:\Users\Admin\AppData\Local\Temp\01798199.exe"
Network
Files
C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt
| MD5 | 651c844ad8ffea0473fc70cc13ff2e47 |
| SHA1 | f904db3a0e77df893d39cb41fe4297589db82459 |
| SHA256 | f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b |
| SHA512 | 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae |
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-01 16:33
Reported
2023-06-01 16:36
Platform
win10v2004-20230221-en
Max time kernel
136s
Max time network
147s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (166) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\ApproveRepair.tiff => C:\Users\Admin\Pictures\ApproveRepair.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishSelect.tif => C:\Users\Admin\Pictures\PublishSelect.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveMerge.crw => C:\Users\Admin\Pictures\RemoveMerge.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveOut.crw => C:\Users\Admin\Pictures\RemoveOut.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WriteFormat.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockRevoke.png => C:\Users\Admin\Pictures\BlockRevoke.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertSearch.raw => C:\Users\Admin\Pictures\AssertSearch.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallRequest.png => C:\Users\Admin\Pictures\InstallRequest.png.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoGrant.crw => C:\Users\Admin\Pictures\UndoGrant.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteFormat.tiff => C:\Users\Admin\Pictures\WriteFormat.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ApproveRepair.tiff | C:\Users\Admin\AppData\Local\Temp\01798199.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\01798199.exe
"C:\Users\Admin\AppData\Local\Temp\01798199.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 13.69.109.130:443 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
Files
C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt
| MD5 | 651c844ad8ffea0473fc70cc13ff2e47 |
| SHA1 | f904db3a0e77df893d39cb41fe4297589db82459 |
| SHA256 | f55ec710e56442344196f3612207118d89f877a79a6f8028db520631ace0fa0b |
| SHA512 | 91ca8247d673d8381ca5edc394e86956844218ae291e20480817a5a93ae6e4573af419e3d571815030a375de16e85fd5ec7693331aa6753fe07b88e15701fcae |