5c746e2287dd35282f1b5cb04088758b622e4e22e29930bee9f2ef6387ee016a

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe
Size

1.3MB
MD5

fc2a441f03c998290ac7d24e764195ff
SHA1

34a940f8c4cb87fd6d14e83bf6c3b28393237f2d
SHA256

5c746e2287dd35282f1b5cb04088758b622e4e22e29930bee9f2ef6387ee016a
SHA512

2d9a2f66d4cabd178e8c7a857a95bf5d113217d5ee48b3b2f1fe3ecac745a7d023f0f5ad8b187e8fab3c85468ce9e79c61e6dfdabc417b98962daaaa36006956
SSDEEP

24576:y2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedygPvod50p/TXM2s0espsODZjV:yPtjtQiIhUyQd1SkFdy0vo05s0eusONx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	alg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal	2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3872	2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_fc2a441f03c998290ac7d24e764195ff_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d8af4ccc01ed75d6055bcf07dc175eb0

SHA1
7ed9713c4a08849f7579baf577e5ed4a9cbe7e23

SHA256
cc1dd2fff190cda34ce0f11aaf0882e3ea9049c0895c6d25b6959e98e7c72d12

SHA512
ff9cc86685dd8f5a1366bc56a3a482bff077813c98cfa505719b59a04fe7d985c8b51137069af5ca28a0d660b5cf17ddc9713a288b167d05a89f5d0663fc8dd2

Download Submit
memory/3872-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3872-2-0x00000000022D0000-0x0000000002336000-memory.dmp

Filesize
408KB

Download
memory/3872-6-0x00000000022D0000-0x0000000002336000-memory.dmp

Filesize
408KB

Download
memory/3872-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-18-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4824-19-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download