Analysis
max time kernel: 99s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 08:23
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
  Resource: win10v2004-20240426-en
General
Target: 2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
Size: 22.0MB
MD5: 7131a4436ababe2b301a45d0aff5edb6
SHA1: bd1d4546b62b66af709b890751a3d0b685bf345f
SHA256: 0fcd20e67d949985a679dda15204a47c04aeeb260494834de5872fe02687e8be
SHA512: 7c6d282f5ff38eddbe7c12985456a64c3c33e6534eecfecce37f798a48f4f36a5c0d57dc80acc74cf470e532a9e8b1ed64ca787a323fc1df838faadab35ff158
SSDEEP: 393216:FrzQYmSVJy9hi4AkT1Z0R5Dfw51YiNk+0D8jfJMhZep2ebPagI8K2bpteVvmY:pQYTvyxZ0zDfw5eiNk3D8jfJMhZeppbY
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                                   Process
  Key value queried    \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation    2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
  Key value queried    \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation    InstallFramework.exe
- Executes dropped EXE (2 IoCs)
  pid    Process
  3980   InstallFramework.exe
  1700   InstallFramework.exe
- Loads dropped DLL (10 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (26 IoCs)
- Suspicious use of SendNotifyMessage (16 IoCs)
- Suspicious use of SetWindowsHookEx (64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid    Process                                                                procid_target
  PID 2796 wrote to memory of 3980    2796   2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe   96
  PID 2796 wrote to memory of 3980    2796   2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe   96
  PID 2796 wrote to memory of 3980    2796   2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe   96
  PID 3980 wrote to memory of 1700    3980   InstallFramework.exe                                                   97
  PID 3980 wrote to memory of 1700    3980   InstallFramework.exe                                                   97
  PID 3980 wrote to memory of 1700    3980   InstallFramework.exe                                                   97
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2796
  Child: C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3980
    Child: C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT /RELANCE
      - Executes dropped EXE
      PID: 1700
Network
MITRE ATT&CK Enterprise v15
Downloads