ee2d68974e8c3c1a8bb20488477fde19048b997cd81ba22f1cf7879ba5677add

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:33

Target

2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe
Size

1.3MB
MD5

ee24766f32b85978aa6e5ff85851cf48
SHA1

c09dae31f4c5698b34d27b834de34270e8fbbe83
SHA256

ee2d68974e8c3c1a8bb20488477fde19048b997cd81ba22f1cf7879ba5677add
SHA512

c5a007ba1d7596f33d9dd9adb456ec52cc80d42744fd31cfe2264360d5d0d2824c1b1c32268c6c77b7bda9502263b5c02280f79160b5c1fe38cb9e21fc77d5ed
SSDEEP

24576:J2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedGW+vxWJq0Q7QqtWLjXTqM:JPtjtQiIhUyQd1SkFdf+pWAV7QqejX

Score

7^/10

Executes dropped EXE 2 IoCs

Processes:

alg.exe

pid process

480
2616 alg.exe
Drops file in System32 directory 1 IoCs

Processes:

2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

description ioc process

File opened for modification C:\Windows\System32\alg.exe 2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

pid	process
480
2616	alg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

Drops file in Program Files directory 3 IoCs

Processes:

2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

description pid process

Token: SeTakeOwnershipPrivilege 2480 2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2480	2024-05-22_ee24766f32b85978aa6e5ff85851cf48_avoslocker.exe

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2616

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\System32\alg.exe

Filesize
644KB

MD5
7127446a8446e35b29b912f80b670ced

SHA1
3b4c1c02b9f3e1022a53730f9035bf146ec6ed35

SHA256
cd5ef14ad204354c07bf2a2b7f797cb70662b7246d5dfb399d57450b7193e2c4

SHA512
9978fe03bfa0b7c91dd0ef2af782d2f539e68df6f4056be58fc489c4bae7436276884e6264f6e310c6b0643cb9b21748ea3dad57652b1a48bafe021b64b0a1ed

Download Submit
memory/2480-8-0x0000000001E30000-0x0000000001E97000-memory.dmp

Filesize
412KB

Download
memory/2480-7-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2480-1-0x0000000001E30000-0x0000000001E97000-memory.dmp

Filesize
412KB

Download
memory/2480-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2616-20-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2616-21-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download