a0b908b44fd45f5ead19a7fc6dcea3edd48a863e9932c6158baf4aff205375d2

Analysis

max time kernel
55s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
Size

1.3MB
MD5

4f0d8329e049803106900191a779db87
SHA1

d5b634e6807204def506f3a23fa07954240247d9
SHA256

a0b908b44fd45f5ead19a7fc6dcea3edd48a863e9932c6158baf4aff205375d2
SHA512

c92de1ea9e2f597b7e747ef12716029d4469d4f167c3b1c8ad70de60e7afd5954dfff3101ab41dbfc8f3e37b6dab97f570f7b232cdc6d9caba79d368102b05e4
SSDEEP

24576:j2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedv65gcTVjUCs2Vo2:jPtjtQiIhUyQd1SkFdv65RjUV2Vo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3968	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	744	2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_4f0d8329e049803106900191a779db87_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e55eccfdb0dd95bd673cff7e416be949

SHA1
82f73a40d1930558aa355d6c4841e172cb53d4da

SHA256
cf4f73f2c2fd7a68e8d046bd091166d979a885adcb81c08167da36c77caa61e5

SHA512
cb18b2d487d1d1deeadb50317a35802bbedb559c156d66cd9e6b99a6b646a78f2cfb3bfc202de63a6a1f32a920b6b9a78a0fbc8cce6fb000ef2e0afc7a3480e4

Download Submit
memory/744-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/744-1-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/744-6-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/744-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3968-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3968-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download