Analysis
max time kernel: 157s
max time network: 69s
platform: windows10_x64
resource: win10v20210408
submitted: 26-09-2021 12:47
Static task: static1
Behavioral task: behavioral1 (Sample: run.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: run.exe, Resource: win10v20210408)
General
Target: run.exe
Size: 921KB
MD5: b76d1d3d2d40366569da67620cf78a87
SHA1: ae23c0227afc973f11d6d08d898a6bb7516418e2
SHA256: 718810b8eeb682fc70df602d952c0c83e028c5a5bfa44c506756980caf2edebb
SHA512: 85991cd78c13546e3fcb9da0574000eb1ff118c05f77d603c19941f3eaab908ab65b57f82dbd20d4c7784d0892ff5ea8ab8c160338d78b5fc76f71e09cec20b5
Malware Config
Extracted
Path: C:\GET_YOUR_FILES_BACK.txt
URLs:
http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
Signatures

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: run.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\WaitGet.crw => C:\Users\Admin\Pictures\WaitGet.crw.avos2 | run.exe
File renamed | C:\Users\Admin\Pictures\OutReset.raw => C:\Users\Admin\Pictures\OutReset.raw.avos2 | run.exe
File renamed | C:\Users\Admin\Pictures\RedoWatch.png => C:\Users\Admin\Pictures\RedoWatch.png.avos2 | run.exe
File renamed | C:\Users\Admin\Pictures\SelectRename.crw => C:\Users\Admin\Pictures\SelectRename.crw.avos2 | run.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1808539772.png" | reg.exe

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
4708 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe
pid | process
4160 | powershell.exe
4160 | powershell.exe
4160 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4160 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
4708 | NOTEPAD.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: run.exe, powershell.exe
description | pid | process | target process
PID 628 wrote to memory of 4160 | 628 | run.exe | powershell.exe
PID 628 wrote to memory of 4160 | 628 | run.exe | powershell.exe
PID 628 wrote to memory of 4160 | 628 | run.exe | powershell.exe
PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
PID 4160 wrote to memory of 4376 | 4160 | powershell.exe | reg.exe
PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
PID 4160 wrote to memory of 4580 | 4160 | powershell.exe | rundll32.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\run.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\run.exe"
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1808539772.png /f
            - Sets desktop wallpaper using registry

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\GET_YOUR_FILES_BACK.txt
MD5: d90d05a5fea9c28b3bf2b55f808c3a45
SHA1: 7774c79c85b4401acfc56002f9e8a3e10e8a7b60
SHA256: 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
SHA512: 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
MD5: d90d05a5fea9c28b3bf2b55f808c3a45
SHA1: 7774c79c85b4401acfc56002f9e8a3e10e8a7b60
SHA256: 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec
SHA512: 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

Memory dumps
memory/4160-126-0x0000000008190000-0x0000000008191000-memory.dmp (Filesize: 4KB)
memory/4160-127-0x00000000089E0000-0x00000000089E1000-memory.dmp (Filesize: 4KB)
memory/4160-120-0x0000000007212000-0x0000000007213000-memory.dmp (Filesize: 4KB)
memory/4160-121-0x0000000007810000-0x0000000007811000-memory.dmp (Filesize: 4KB)
memory/4160-122-0x0000000007F30000-0x0000000007F31000-memory.dmp (Filesize: 4KB)
memory/4160-123-0x0000000008090000-0x0000000008091000-memory.dmp (Filesize: 4KB)
memory/4160-124-0x0000000008320000-0x0000000008321000-memory.dmp (Filesize: 4KB)
memory/4160-125-0x00000000074F0000-0x00000000074F1000-memory.dmp (Filesize: 4KB)
memory/4160-114-0x0000000000000000-mapping.dmp
memory/4160-119-0x0000000007210000-0x0000000007211000-memory.dmp (Filesize: 4KB)
memory/4160-118-0x0000000007890000-0x0000000007891000-memory.dmp (Filesize: 4KB)
memory/4160-133-0x0000000009D60000-0x0000000009D61000-memory.dmp (Filesize: 4KB)
memory/4160-134-0x0000000009700000-0x0000000009701000-memory.dmp (Filesize: 4KB)
memory/4160-143-0x0000000009930000-0x0000000009931000-memory.dmp (Filesize: 4KB)
memory/4160-144-0x0000000007213000-0x0000000007214000-memory.dmp (Filesize: 4KB)
memory/4160-117-0x0000000007220000-0x0000000007221000-memory.dmp (Filesize: 4KB)
memory/4160-146-0x0000000007214000-0x0000000007216000-memory.dmp (Filesize: 8KB)
memory/4376-145-0x0000000000000000-mapping.dmp
memory/4580-147-0x0000000000000000-mapping.dmp