Resubmissions

  • 21-06-2024 10:33 — 240621-mlsxzswdpb — 10

  • 21-06-2024 10:33 — 240621-mlme7swdnf — 3

General

  • Target

    wordpad.exe

  • Size

    2.7MB

  • Sample

    240621-mlsxzswdpb

  • MD5

    61173ff6abb1c40e3d3b580126fc5f66

  • SHA1

    c017e91a526dfbb37293cd79d86a1d7261ed0141

  • SHA256

    09f10e7344ca61b53a080e4d54c7cb6ecd4e3308254b350906437e29e7a7d9b2

  • SHA512

    c5c8d5ad867987d18f88ef7d88e86e9a8de13185f17f2e722409816d83147152adb87eab4a88e6327cbb1bd60d0223bbfe8689d54f747438bc66dd93c76cd9da

  • SSDEEP

    24576:pxHn7MgYE6WM73vT62FxvNEYr8oSUGeP9PDkjjqX+l:pxH7MgYE67BxvWCXSZeP9PDk37l

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Extracted

  • Path

    C:\Recovery\GET_YOUR_FILES_BACK.txt

  • Family

    avoslocker

  • Ransom Note

    Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: c5c5cc75754e1763b14a0651e339cb3ebf64f8a6567aeb1146c5aa7ffa2d19c0

  • URLs

    http://avos2fuj6olp6x36.onion

    http://avos53nnmi4u6amh.onion/

Targets

    • Target

      wordpad.exe (2.7MB; hashes as listed under General above)

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware family that was first observed in late June and early July 2021.

    • Nirsoft

    • Renames multiple (69) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes, which usually indicates an unsuccessful attempt to compromise the parent process.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks