23700e7066c55249c7c2ed27432797b48fba3e303493e4ac35c669211b14e77b

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe
Size

1.9MB
MD5

55c53e24b86c8dd7f6db40d2b6644b2a
SHA1

c7b3c727c03431637fb9fea9bb250ecaf75d9891
SHA256

23700e7066c55249c7c2ed27432797b48fba3e303493e4ac35c669211b14e77b
SHA512

9e0e3b32e2f5accb6da06d4454021e997cbb267847957f9de2d711e64a4e933df1217c6fae564dc885a2513a8a7ba315333abd3a1d7750bb1d80cdca37967b7e
SSDEEP

49152:R+k5kQcFdaU/r9tsb9z0KpGJbF7QgKQB6yPkHKa:kk5ktJ/r9tsbdLpGJbF7QgKQB7M

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2708	powershell.exe
2712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2964	powershell.exe
2964	powershell.exe
2708	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2944	2180	2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe	29
PID 2180 wrote to memory of 2944	2180	2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe	29
PID 2180 wrote to memory of 2944	2180	2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe	29
PID 2180 wrote to memory of 2944	2180	2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe	29
PID 2944 wrote to memory of 2964	2944	cmd.exe	31
PID 2944 wrote to memory of 2964	2944	cmd.exe	31
PID 2944 wrote to memory of 2964	2944	cmd.exe	31
PID 2944 wrote to memory of 2964	2944	cmd.exe	31
PID 2944 wrote to memory of 2708	2944	cmd.exe	32
PID 2944 wrote to memory of 2708	2944	cmd.exe	32
PID 2944 wrote to memory of 2708	2944	cmd.exe	32
PID 2944 wrote to memory of 2708	2944	cmd.exe	32
PID 2944 wrote to memory of 2712	2944	cmd.exe	33
PID 2944 wrote to memory of 2712	2944	cmd.exe	33
PID 2944 wrote to memory of 2712	2944	cmd.exe	33
PID 2944 wrote to memory of 2712	2944	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_55c53e24b86c8dd7f6db40d2b6644b2a_avoslocker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\D5612F60-B192-4bd8-A066-FEDFB06C00B2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command Set-executionpolicy "bypass"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command get-executionpolicy
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command ".\Add-AppDevPackage.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5612F60-B192-4bd8-A066-FEDFB06C00B2.bat

Filesize
312B

MD5
f1a0d1514a09ec75efac29cc514dd279

SHA1
c926a8eac4b23344840048541dbe835318c144e8

SHA256
3accc371d1b19cda5415632d74ceb720427433d3112ff0436f6bd678c969a139

SHA512
ca1b40c61c8979bd9cd96c3494a27be4b61e1c6574443b69f274a55717d434e5d4e150cebc705b9a033ba7b7b0079b50eb6b451b87868efc858d9bf5e1a6c7b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
99de71eece3eb45bfe3cc61df4992961

SHA1
3de94203cb0a0b5212f1d3a682f74028283bca00

SHA256
4f1804e0f50260baf9fcaf305ad4c35d09d0b7c8a3d3a1898c85a5623b7a414b

SHA512
92575030a1d0e92a2c351c847515e84c8f8fedcf87b585fe2536a54695d46d7ae7ab102bee6563be6f033fb45bffa3bb52e3c5cebd5ec65daf2a2e411133fe03

Download Submit
memory/2964-17-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download