Resubmissions

26-09-2021 12:47

210926-p1dsqaegem 10

26-09-2021 12:40

210926-pwcd4aehb8 10

Analysis

  • max time kernel
    252s
  • max time network
    254s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 12:40

General

  • Target

    run.exe

  • Size

    921KB

  • MD5

    b76d1d3d2d40366569da67620cf78a87

  • SHA1

    ae23c0227afc973f11d6d08d898a6bb7516418e2

  • SHA256

    718810b8eeb682fc70df602d952c0c83e028c5a5bfa44c506756980caf2edebb

  • SHA512

    85991cd78c13546e3fcb9da0574000eb1ff118c05f77d603c19941f3eaab908ab65b57f82dbd20d4c7784d0892ff5ea8ab8c160338d78b5fc76f71e09cec20b5

Score
10/10

Malware Config

Extracted

Path

C:\GET_YOUR_FILES_BACK.txt

Ransom Note
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: a77832c5ecdb671734d285a12860d02ef838e880641a7f9adcdeab6254212c04
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\run.exe
    "C:\Users\Admin\AppData\Local\Temp\run.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\156937082.png /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:4396
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        3⤵
        PID:4416

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Defense Evasion
      Modify Registry (T1112): 1

    • Impact
      Defacement (T1491): 1

    Downloads

    • C:\GET_YOUR_FILES_BACK.txt
      MD5

      d90d05a5fea9c28b3bf2b55f808c3a45

      SHA1

      7774c79c85b4401acfc56002f9e8a3e10e8a7b60

      SHA256

      8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec

      SHA512

      783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

    • memory/4184-126-0x00000000086C0000-0x00000000086C1000-memory.dmp
      Filesize

      4KB

    • memory/4184-134-0x0000000009220000-0x0000000009221000-memory.dmp
      Filesize

      4KB

    • memory/4184-125-0x0000000007790000-0x0000000007791000-memory.dmp
      Filesize

      4KB

    • memory/4184-120-0x0000000007182000-0x0000000007183000-memory.dmp
      Filesize

      4KB

    • memory/4184-121-0x0000000007330000-0x0000000007331000-memory.dmp
      Filesize

      4KB

    • memory/4184-122-0x00000000074D0000-0x00000000074D1000-memory.dmp
      Filesize

      4KB

    • memory/4184-123-0x0000000007540000-0x0000000007541000-memory.dmp
      Filesize

      4KB

    • memory/4184-124-0x0000000007DF0000-0x0000000007DF1000-memory.dmp
      Filesize

      4KB

    • memory/4184-119-0x0000000007180000-0x0000000007181000-memory.dmp
      Filesize

      4KB

    • memory/4184-114-0x0000000000000000-mapping.dmp
    • memory/4184-117-0x0000000004D20000-0x0000000004D21000-memory.dmp
      Filesize

      4KB

    • memory/4184-127-0x00000000084D0000-0x00000000084D1000-memory.dmp
      Filesize

      4KB

    • memory/4184-133-0x0000000009C80000-0x0000000009C81000-memory.dmp
      Filesize

      4KB

    • memory/4184-118-0x00000000077C0000-0x00000000077C1000-memory.dmp
      Filesize

      4KB

    • memory/4184-143-0x00000000096F0000-0x00000000096F1000-memory.dmp
      Filesize

      4KB

    • memory/4184-145-0x0000000007184000-0x0000000007186000-memory.dmp
      Filesize

      8KB

    • memory/4184-144-0x0000000007183000-0x0000000007184000-memory.dmp
      Filesize

      4KB

    • memory/4396-146-0x0000000000000000-mapping.dmp
    • memory/4416-147-0x0000000000000000-mapping.dmp