Analysis

  • max time kernel
    99s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 08:23

General

  • Target

    2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe

  • Size

    22.0MB

  • MD5

    7131a4436ababe2b301a45d0aff5edb6

  • SHA1

    bd1d4546b62b66af709b890751a3d0b685bf345f

  • SHA256

    0fcd20e67d949985a679dda15204a47c04aeeb260494834de5872fe02687e8be

  • SHA512

    7c6d282f5ff38eddbe7c12985456a64c3c33e6534eecfecce37f798a48f4f36a5c0d57dc80acc74cf470e532a9e8b1ed64ca787a323fc1df838faadab35ff158

  • SSDEEP

    393216:FrzQYmSVJy9hi4AkT1Z0R5Dfw51YiNk+0D8jfJMhZep2ebPagI8K2bpteVvmY:pQYTvyxZ0zDfw5eiNk3D8jfJMhZeppbY

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_7131a4436ababe2b301a45d0aff5edb6_avoslocker_metamorfo.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT /RELANCE
        3⤵
        • Executes dropped EXE
        PID:1700

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\wd280hf.dll

          Filesize

          4.5MB

          MD5

          6dcf5ef3140a6e23d840d951747092e2

          SHA1

          19fd9adf8ce28495f29fb38b5fb8d27084ad9e87

          SHA256

          540d9d09a52845b0c61c090b541d8e0f83ea6a795bf7597e6725b9cdd1b692e3

          SHA512

          03afe8001c8f78b546d8da7738caf1d83bf3d4eb5b00977e6782e0d64bd1a4cc2b1765b67e34fd2f8c941073884993de5161211856eba51d47cc742944003ff5

        • C:\Users\Admin\AppData\Local\Temp\wd280mdl.dll

          Filesize

          3.9MB

          MD5

          5312e14efdc499e7544a87abcd456add

          SHA1

          d5e44a7882a9bd006906e1fb1ac1c1379c6e28d5

          SHA256

          59a366773d5a460666307f6a47121af485ee27f4ef839d539bd5185705ce8835

          SHA512

          718a87d30c06c4459fc0c5416ddc6fc453151238b7f8eea044b467c8ec8efb2234428238708924791bb854139fa537ba10fa258a6ba8206decb473b7aedbf8bc

        • C:\Users\Admin\AppData\Local\Temp\wd280obj.dll

          Filesize

          17.9MB

          MD5

          1d57d0d2c9231c8930490cbbcfa74f59

          SHA1

          794eac5c72f650a5dcbab81470b7d5d77dbdd132

          SHA256

          aa186693330a3f5cd70ca70c17012deb9017f33abdf09312b6a7c08c50148da3

          SHA512

          0d60eb5c4259a0e154459e76ba5d314046f9400afb77a23ea58d0a977d03bd30b7e9f30547f26812b711ba12b7496f64c58df86586e27e0bf1fac4a68bfcf121

        • C:\Users\Admin\AppData\Local\Temp\wd280pdf.dll

          Filesize

          5.1MB

          MD5

          84c31c4226ae970cb7efbc3c13471d34

          SHA1

          27c16fb82e517f4e444f918ef83f8004193feacb

          SHA256

          e5ac69da6749377fe85b11df0ecaf27cbc6510c9100752c2fe04e444ce712d4f

          SHA512

          10e6f07c1d5d36c25ba7950f994560f5783f6e42af8aa21169941d40902851655d8b4c80315862b12cc2f681444038eee9b6e8b6e8f068757d7d430273bcd121

        • C:\Users\Admin\AppData\Local\Temp\wd280pnt.dll

          Filesize

          2.1MB

          MD5

          70ed1962686f6513c224603cbb0e0d09

          SHA1

          6ab5c13ce048ee902b8020367bb9af35eea91f43

          SHA256

          7037eefae2a7bf56a30fe1bb42a490c8dc9e48188a902aff892e59975905ed50

          SHA512

          383a62519e2a79802a824d8d1e333810b833e695b24e105aa7b66afbf28b044f7b107d048623b200713e0924fb848f5a49fcb15e0076c75a4199d75adbd838bf

        • C:\Users\Admin\AppData\Local\Temp\wd280rpl.dll

          Filesize

          634KB

          MD5

          474c9c09fe9c5f3486fabb9f362e93b2

          SHA1

          c5527f5d8129a7787497496d295a05f500d3873b

          SHA256

          6763813ea27a7ea786494c14e80796b3b45757d5edf67776000e9f957e9f69d5

          SHA512

          e94571c4d03f18b51353add9c3d44a6003b218eaad5aa122de10b1cc571f1c31d358fd2a45b7b706339cb48ca2f0029d54b6d6c328f14cb75740263cd67e8860

        • C:\Users\Admin\AppData\Local\Temp\wd280std.dll

          Filesize

          3.0MB

          MD5

          995bcbd23b29d412124b9d487ad1b17b

          SHA1

          900b7b76d1a9732d5f626105da770962d9a8cd67

          SHA256

          23a5d057b6469cc4d9638370fb9a4871ba78cbad487029b7ec8b9d67d989bb70

          SHA512

          f63283b6565187e720d324ecdeeda88c0a73095a0911975c338efd66e4eee21bf90844414447a89621802d55c124f9134138f27b90b4bcf5aabf4644473bb008

        • C:\Users\Admin\AppData\Local\Temp\wd280vm.dll

          Filesize

          5.1MB

          MD5

          43751783acf22373ff40fc6e5aa4e762

          SHA1

          8056f50812f22e48a1ac6aa8b2e968eea07294e6

          SHA256

          aa991d9c14bbe567cdc47a6bd843f4f2e9de1b5ead0aff1ee4a8fa7cd40e0cdd

          SHA512

          b25809e48cc7e334ed108234ff2d810a457bf1ba4028cc7bebe8ac665741f96adc9c88d56bc6ea7ff1f82fda71c1d9b1d868928806a52709177ac64aab16f96c

        • C:\Users\Admin\AppData\Local\Temp\wd280xls.dll

          Filesize

          1.7MB

          MD5

          cbe21c3f485a70a1a60c0221b2750391

          SHA1

          6edf84318a2873b5e6d09916c5d3f5e6b2c7a50c

          SHA256

          794f5e933317a6cba7d795cee4be09d476857c187ab2e6ad9f72978d58bc6444

          SHA512

          3ada2111d39edaf1debf644a111f7c7c4f846917421452e74c70e70039c64546de3617d5870a329c913ec4b2230a9f2626d14ac8823335c5f45c2a92832d270d

        • C:\Users\Admin\AppData\Local\Temp\wd280xml.dll

          Filesize

          1.8MB

          MD5

          dd14562a1a2ef2fc885cb58e7839eceb

          SHA1

          ebb4b222323890d2d13c46cfcb5ea8b32515880a

          SHA256

          c871a454bc6883c9fae2d72af6bb0b565bef497b6f9c3260e6b7465ac86d176d

          SHA512

          fd7abc290e3283980a566fc9099d355307f3868738156fe2e6f793dc56588c0b24307aa2fb5c7815086dd478d8a2a4e09cd50fce8bd91cff0857ddfb2f36ec0b