Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 16:05

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
Resource: win7-20240508-en
General

Target: 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
Size: 1.3MB
MD5: 04b5bbc97808c93abac75c0042e6b505
SHA1: e455578720860020aecee363e1812204bf1740fa
SHA256: 3d032b379725d11000a30ade2fefbe0881516cccfe6e6ce5a5978436f5b2632e
SHA512: 4c50c8d9b92951a2325e2e1a8a9ce7dddcc78ab3e90ae844757f412e60b6d319a6c644b580bbfcd5b9a45cb447f23534066b29a14be19a8f62ff5ca3d39bf3cd
SSDEEP: 24576:92zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedWe1g6p7HF/w/ftDsBUiScD7Wb:9PtjtQiIhUyQd1SkFdWmgiTd8DsMcDKb
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  476  | alg.exe
  3016 | alg.exe

Drops file in System32 directory (1 IoCs)
Processes:
  description                  | ioc                         | process
  File opened for modification | C:\Windows\System32\alg.exe | 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe

Drops file in Program Files directory (3 IoCs)
Processes:
  description                  | ioc                                                            | process
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db     | 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db        | 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal | 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                     | pid  | process
  Token: SeTakeOwnershipPrivilege | 1872 | 2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Windows\System32\alg.exe
  Filesize: 644KB
  MD5: 5723f278f5e6a674c646ec71ef32d25e
  SHA1: 148f5a28059ed10a0772b7aa2a5448c89f20c100
  SHA256: e7febf861d326aa720a247bac9e4f0a0a6e93b4e7744275f1c6e08aff8203904
  SHA512: 3970765ce87aa232ea48fd4682ad3c24a4058d69d2f8734cd71382126a729e9e2711e9ed82bae6479bdb109ed6bdfbeb93a1f3afbc0c9d49a625256c4097823b

memory/1872-8-0x0000000000560000-0x00000000005C7000-memory.dmp
  Filesize: 412KB

memory/1872-0-0x0000000000560000-0x00000000005C7000-memory.dmp
  Filesize: 412KB

memory/1872-7-0x0000000000400000-0x0000000000554000-memory.dmp
  Filesize: 1.3MB

memory/1872-18-0x0000000000400000-0x0000000000554000-memory.dmp
  Filesize: 1.3MB

memory/3016-20-0x0000000100000000-0x00000001000A4000-memory.dmp
  Filesize: 656KB

memory/3016-21-0x0000000100000000-0x00000001000A4000-memory.dmp
  Filesize: 656KB
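Added example, not part of the Triage report above and not code from the sandbox or the sample's authors: a small Python sweep that hashes files and matches them against the indicators this report lists, i.e. the submitted sample's MD5/SHA1/SHA256 from the General section and the digests of the dropped C:\Windows\System32\alg.exe from Downloads. The report's hash values are copied verbatim into INDICATORS; the file names, file contents and the "constructed test indicator" in demo_sweep() are made up for the demo so the script runs offline.

```python
"""Sweep files against the hash indicators of a sandbox report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# Indicators copied from the report: the analysed sample and the dropped alg.exe.
INDICATORS: Dict[str, Dict[str, str]] = {
    "2024-05-24_04b5bbc97808c93abac75c0042e6b505_avoslocker.exe": {
        "md5": "04b5bbc97808c93abac75c0042e6b505",
        "sha1": "e455578720860020aecee363e1812204bf1740fa",
        "sha256": "3d032b379725d11000a30ade2fefbe0881516cccfe6e6ce5a5978436f5b2632e",
    },
    "dropped C:\\Windows\\System32\\alg.exe": {
        "md5": "5723f278f5e6a674c646ec71ef32d25e",
        "sha1": "148f5a28059ed10a0772b7aa2a5448c89f20c100",
        "sha256": "e7febf861d326aa720a247bac9e4f0a0a6e93b4e7744275f1c6e08aff8203904",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob, one per algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all three hashes in one pass (one read, three digests)."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def build_lookup(indicators: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flatten {label: {alg: digest}} into {digest: label}.
    Digests of different lengths cannot collide, so one map serves all algorithms."""
    lookup: Dict[str, str] = {}
    for label, digests in indicators.items():
        for digest in digests.values():
            lookup[digest.lower()] = label
    return lookup


def match_digests(digests: Dict[str, str], lookup: Dict[str, str]) -> Optional[str]:
    """Return the indicator label if any digest is known, else None.
    Strongest algorithm is checked first so a SHA-256 hit is reported over an MD5 one."""
    for alg in reversed(ALGORITHMS):
        label = lookup.get(digests.get(alg, "").lower())
        if label is not None:
            return label
    return None


def iter_files(root: Path) -> Iterable[Path]:
    """Yield a single file, or every file below a directory."""
    if root.is_file():
        yield root
        return
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield Path(dirpath) / name


def sweep(roots: Iterable[Path], indicators: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return {path: label} for every file under roots whose hash is an indicator.
    Files that cannot be read (locked, access denied) are skipped, not fatal."""
    lookup = build_lookup(indicators)
    hits: Dict[str, str] = {}
    for root in roots:
        for candidate in iter_files(root):
            try:
                label = match_digests(hash_file(candidate), lookup)
            except OSError:
                continue
            if label is not None:
                hits[str(candidate)] = label
    return hits


def demo_sweep() -> Dict[str, str]:
    """Constructed demo: plant a benign file and a file whose SHA-256 is a made-up
    indicator, sweep the directory, and return the hits keyed by file name."""
    demo_indicators = dict(INDICATORS)
    # Constructed indicator for the demo only: SHA-256 of the bytes b"abc".
    demo_indicators["constructed test indicator"] = {
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"nothing to see here")  # constructed, benign
        (root / "planted.bin").write_bytes(b"abc")                 # constructed, "malicious"
        hits = sweep([root], demo_indicators)
    return {Path(p).name: label for p, label in hits.items()}


if __name__ == "__main__":
    for name, label in demo_sweep().items():
        print(f"{name}: {label}")
```

On a suspected host the first path to feed into sweep() is the one the report names, C:\Windows\System32\alg.exe, since the sample opened that file for modification and the 3016 process ran from it. The stock binary at that path is Microsoft-signed, so a signature check (for example Get-AuthenticodeSignature in PowerShell) complements the hash lookup for builds this report does not cover; a hash match only proves this exact sample's drop.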