a0b908b44fd45f5ead19a7fc6dcea3edd48a863e9932c6158baf4aff205375d2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
Size

1.3MB
MD5

4f0d8329e049803106900191a779db87
SHA1

d5b634e6807204def506f3a23fa07954240247d9
SHA256

a0b908b44fd45f5ead19a7fc6dcea3edd48a863e9932c6158baf4aff205375d2
SHA512

c92de1ea9e2f597b7e747ef12716029d4469d4f167c3b1c8ad70de60e7afd5954dfff3101ab41dbfc8f3e37b6dab97f570f7b232cdc6d9caba79d368102b05e4
SSDEEP

24576:j2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedv65gcTVjUCs2Vo2:jPtjtQiIhUyQd1SkFdv65RjUV2Vo

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2084	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2084-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2084-7-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2084-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2084-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download