Analysis Overview
SHA256
43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856
Threat Level: Known bad
The file 43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856 was found to be: Known bad.
Malicious Activity Summary
Avoslocker Ransomware
Renames multiple (70) files with added filename extension
Renames multiple (71) files with added filename extension
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 18:26
Reported
2024-06-09 18:29
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (70) files with added filename extension
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856.exe
"C:\Users\Admin\AppData\Local\Temp\43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856.exe"
Network
Files
C:\PerfLogs\GET_YOUR_FILES_BACK.txt
| Hash | Value |
|---|---|
| MD5 | 3806d7ac74d031d2bb681ab5270f2186 |
| SHA1 | 79ee44aa978b1a501458df1d90c5597cb9b3e04e |
| SHA256 | b284dafd0ba47b74f86324c39cbc69f2ac9e158e319ccce61b9800dbf47a1e00 |
| SHA512 | 2181728b3c17a7978f9f7c71970cda6a0e112de755a283de67054aeeb32720114f7cb064ebd9096c4c8abe9bf847e3ba6bc2cdb02b1e48b6fb56aa52f7e09fb4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 18:26
Reported
2024-06-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (71) files with added filename extension
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856.exe
"C:\Users\Admin\AppData\Local\Temp\43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\GET_YOUR_FILES_BACK.txt
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Recovery\GET_YOUR_FILES_BACK.txt
| Hash | Value |
|---|---|
| MD5 | 3806d7ac74d031d2bb681ab5270f2186 |
| SHA1 | 79ee44aa978b1a501458df1d90c5597cb9b3e04e |
| SHA256 | b284dafd0ba47b74f86324c39cbc69f2ac9e158e319ccce61b9800dbf47a1e00 |
| SHA512 | 2181728b3c17a7978f9f7c71970cda6a0e112de755a283de67054aeeb32720114f7cb064ebd9096c4c8abe9bf847e3ba6bc2cdb02b1e48b6fb56aa52f7e09fb4 |