run.exe

General

Target: run.exe
Filesize: 921KB
Completed: 26-09-2021 12:50
Score: 10/10
MD5: b76d1d3d2d40366569da67620cf78a87
SHA1: ae23c0227afc973f11d6d08d898a6bb7516418e2
SHA256: 718810b8eeb682fc70df602d952c0c83e028c5a5bfa44c506756980caf2edebb

Malware Config

Extracted

Path: C:\GET_YOUR_FILES_BACK.txt

Ransom Note:
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: a77832c5ecdb671734d285a12860d02ef838e880641a7f9adcdeab6254212c04
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures 6

  • Modifies extensions of user files
    run.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\CompleteCompress.crw => C:\Users\Admin\Pictures\CompleteCompress.crw.avos2 | run.exe
    File renamed | C:\Users\Admin\Pictures\FormatPush.png => C:\Users\Admin\Pictures\FormatPush.png.avos2 | run.exe
    File opened for modification | C:\Users\Admin\Pictures\MountNew.tiff | run.exe
    File renamed | C:\Users\Admin\Pictures\MountNew.tiff => C:\Users\Admin\Pictures\MountNew.tiff.avos2 | run.exe
    File renamed | C:\Users\Admin\Pictures\UnprotectSave.raw => C:\Users\Admin\Pictures\UnprotectSave.raw.avos2 | run.exe
    File renamed | C:\Users\Admin\Pictures\TestSkip.raw => C:\Users\Admin\Pictures\TestSkip.raw.avos2 | run.exe
    File renamed | C:\Users\Admin\Pictures\StopMount.png => C:\Users\Admin\Pictures\StopMount.png.avos2 | run.exe
    File renamed | C:\Users\Admin\Pictures\UninstallBlock.tif => C:\Users\Admin\Pictures\UninstallBlock.tif.avos2 | run.exe
  • Sets desktop wallpaper using registry
    reg.exe

    TTPs: Defacement, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1230483534.png" | reg.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Reported IOCs

    pid | process
    2548 | NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    2304 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2304 | powershell.exe
  • Suspicious use of WriteProcessMemory
    run.exe, powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 840 wrote to memory of 2304 | 840 | run.exe | powershell.exe
    PID 840 wrote to memory of 2304 | 840 | run.exe | powershell.exe
    PID 840 wrote to memory of 2304 | 840 | run.exe | powershell.exe
    PID 840 wrote to memory of 2304 | 840 | run.exe | powershell.exe
    PID 2304 wrote to memory of 2436 | 2304 | powershell.exe | reg.exe
    PID 2304 wrote to memory of 2436 | 2304 | powershell.exe | reg.exe
    PID 2304 wrote to memory of 2436 | 2304 | powershell.exe | reg.exe
    PID 2304 wrote to memory of 2436 | 2304 | powershell.exe | reg.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
    PID 2304 wrote to memory of 2452 | 2304 | powershell.exe | rundll32.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\run.exe
    "C:\Users\Admin\AppData\Local\Temp\run.exe"
    Modifies extensions of user files
    Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1230483534.png /f
        Sets desktop wallpaper using registry
        PID:2436
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        PID:2452
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    Opens file in notepad (likely ransom note)
    PID:2548
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\GET_YOUR_FILES_BACK.txt
  • C:\Users\Admin\AppData\Local\Temp\1230483534.png
  • C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
  • memory/2304-53-0x0000000000000000-mapping.dmp
  • memory/2304-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
  • memory/2304-56-0x00000000004F1000-0x00000000004F2000-memory.dmp
  • memory/2304-55-0x00000000004F0000-0x00000000004F1000-memory.dmp
  • memory/2304-57-0x00000000004F2000-0x00000000004F4000-memory.dmp
  • memory/2436-59-0x0000000000000000-mapping.dmp
  • memory/2452-60-0x0000000000000000-mapping.dmp
  • memory/2548-63-0x000007FEFB891000-0x000007FEFB893000-memory.dmp