run.exe

General

Target:    run.exe
Filesize:  921KB
Completed: 26-09-2021 12:50
Score:     10/10
MD5:       b76d1d3d2d40366569da67620cf78a87
SHA1:      ae23c0227afc973f11d6d08d898a6bb7516418e2
SHA256:    718810b8eeb682fc70df602d952c0c83e028c5a5bfa44c506756980caf2edebb

Malware Config

Extracted

Path: C:\GET_YOUR_FILES_BACK.txt

Ransom Note:
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: a77832c5ecdb671734d285a12860d02ef838e880641a7f9adcdeab6254212c04
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures 7

  • Modifies extensions of user files
    run.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    Description  | IOC                                                                                      | Process
    File renamed | C:\Users\Admin\Pictures\WaitGet.crw => C:\Users\Admin\Pictures\WaitGet.crw.avos2           | run.exe
    File renamed | C:\Users\Admin\Pictures\OutReset.raw => C:\Users\Admin\Pictures\OutReset.raw.avos2         | run.exe
    File renamed | C:\Users\Admin\Pictures\RedoWatch.png => C:\Users\Admin\Pictures\RedoWatch.png.avos2       | run.exe
    File renamed | C:\Users\Admin\Pictures\SelectRename.crw => C:\Users\Admin\Pictures\SelectRename.crw.avos2 | run.exe
  • Sets desktop wallpaper using registry
    reg.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    Description     | IOC                                                                                                                                                                  | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1808539772.png" | reg.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Reported IOCs

    PID  | Process
    4708 | NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    PID  | Process
    4160 | powershell.exe
    4160 | powershell.exe
    4160 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    Description             | PID  | Process
    Token: SeDebugPrivilege | 4160 | powershell.exe
  • Suspicious use of FindShellTrayWindow
    NOTEPAD.EXE

    Reported IOCs

    PID  | Process
    4708 | NOTEPAD.EXE
  • Suspicious use of WriteProcessMemory
    run.exe, powershell.exe

    Reported IOCs

    Description                      | PID  | Process        | Target process
    PID 628 wrote to memory of 4160  | 628  | run.exe        | powershell.exe
    PID 628 wrote to memory of 4160  | 628  | run.exe        | powershell.exe
    PID 628 wrote to memory of 4160  | 628  | run.exe        | powershell.exe
    PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
    PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
    PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
    PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
    PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
    PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\run.exe
    "C:\Users\Admin\AppData\Local\Temp\run.exe"
    Modifies extensions of user files
    Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1808539772.png /f
        Sets desktop wallpaper using registry
        PID:4376
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        PID:4580
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    Opens file in notepad (likely ransom note)
    Suspicious use of FindShellTrayWindow
    PID:4708
Network
Downloads
  • C:\GET_YOUR_FILES_BACK.txt
    MD5:    d90d05a5fea9c28b3bf2b55f808c3a45
    SHA1:   7774c79c85b4401acfc56002f9e8a3e10e8a7b60
    SHA256: 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
    SHA512: 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

  • C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    MD5:    d90d05a5fea9c28b3bf2b55f808c3a45
    SHA1:   7774c79c85b4401acfc56002f9e8a3e10e8a7b60
    SHA256: 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
    SHA512: 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a
