Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 09:46
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
Resource
win7-20240221-en
General
-
Target
2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
-
Size
1.3MB
-
MD5
90d3b933178f3c6cf42bfe4b1ccffd6c
-
SHA1
1b1414ec8bde029cca5e4e0a43cdaf242167d99f
-
SHA256
c026e8ba2c12b97d31946dbe49ce661003543d5347c2022d5577149fb92206c1
-
SHA512
27db95533b4ebb46369815bc370b3e28a41e99d111ba9ae049f617b868e11617138b6a44a5c46115ec01a1f6539bb8ec76303604247ea0c08a11124ed383373d
-
SSDEEP
24576:32zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgeddF3B7zPkcowwtdwKzDXkDNJ4N:3PtjtQiIhUyQd1SkFdd19zPkAwtdwKz7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
alg.exepid process 480 2964 alg.exe -
Drops file in System32 directory 1 IoCs
Processes:
2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exedescription ioc process File opened for modification C:\Windows\System32\alg.exe 2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe -
Drops file in Program Files directory 3 IoCs
Processes:
2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exedescription ioc process File opened for modification C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db 2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db 2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal 2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exedescription pid process Token: SeTakeOwnershipPrivilege 2032 2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Windows\System32\alg.exeFilesize
644KB
MD5b049b7c18f53d1557cd09153da1cf6dd
SHA1794b6adaf4d56be05bf3d3dcb29f63806a869010
SHA2568c5e4fa4af5e401b2c140dde4d7e7f28e24cec1da54038974113c02da2472769
SHA51235012b30f28b5d00332070fe55a8e89f46c8d40269ac61a1c99488be97f10c96a5d3f3e47fcf3f93e8da3ec59a42bad08231585899831e3d44c9741cf55b1a66
-
memory/2032-0-0x0000000000230000-0x0000000000297000-memory.dmpFilesize
412KB
-
memory/2032-7-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/2032-8-0x0000000000230000-0x0000000000297000-memory.dmpFilesize
412KB
-
memory/2032-17-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/2964-20-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB
-
memory/2964-21-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB