Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 00:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe
-
Size
6.8MB
-
MD5
c6a564d1a6468eeb3f1eacce7b198f8c
-
SHA1
161313eac66315988be594f4b9ceac478a2084e4
-
SHA256
de66704f068bc75bc984abc0ee78b79c663c907154f0621593b1e7e4e5b45360
-
SHA512
88f11209eb32ce1808908fb52884772c79ad7d3ac9d17972b294653b8684b47967fd686652d915252ff6bdcd922de5d8ae5088ec2bd70d5c8c91c23260c21af1
-
SSDEEP
98304:B9rOvi3HzBvnKFn0MeYttysOx6VamqSJ5a4fYWb/LY:frOvijBGnBeYtAX+q05aWYEk
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 836 548 WerFault.exe 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 2004 548 WerFault.exe 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe -
Processes:
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe = "11001" 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exepid process 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exedescription pid process Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe Token: SeIncreaseQuotaPrivilege 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exepid process 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe 548 2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-23_c6a564d1a6468eeb3f1eacce7b198f8c_avoslocker.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 24082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 22922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 548 -ip 5481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 548 -ip 5481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\{167A318E-7A3F-436C-B658-7A4E4E6DC068}\CCDInstaller.jsFilesize
1.2MB
MD5698687ac9e653b2c7a1b0d2a2ec40505
SHA1ad6959510eff569cff355f2ac4c5988a6d6a433e
SHA256142db397e43384d0af407ad59ed5b64371cf054b7645913592ca72d2d848c1c9
SHA51229c5971005bac00173c96bc3b7ffc4fd5701d2f7ff5a29fc05bd8832ff2b1c850903ebed72baa6e4bbcaa0c6b14670ba1e59d900f3087c0fdb0453bea5d150eb
-
C:\Users\Admin\AppData\Local\Temp\{167A318E-7A3F-436C-B658-7A4E4E6DC068}\index.htmlFilesize
426B
MD5a28ab17b18ff254173dfeef03245efd0
SHA1c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA5129371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6
-
memory/548-23-0x0000000006AA0000-0x0000000006AC0000-memory.dmpFilesize
128KB
-
memory/548-32-0x0000000006AA0000-0x0000000006AC0000-memory.dmpFilesize
128KB