Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 08:54

General

  • Target

    2024-05-29_c7c9fe889c30cbc1d332d472e0fd880a_avoslocker_metamorfo.exe

  • Size

    18.9MB

  • MD5

    c7c9fe889c30cbc1d332d472e0fd880a

  • SHA1

    84ec7993934aaff118f50d92b9261657925ce345

  • SHA256

    38c7bc44a39130905042535a588d79c5a09ce22b1fba0fc04bca404b5c6ba153

  • SHA512

    5ce815b0b4fa7b7830c0383c9bee9d4771a8f629a82e81cd21df5dc107c5905e4aeddc0d7ab720209e015b8ed0061b702b55107b176cc7fc41befe01d8c6c297

  • SSDEEP

    393216:X/MLHhGY3yT1Z0RMSwj2DYqbD8jv2EYBalANPCm1Yff:vsmZ0+Swj2EqbD8jvFYB41iM

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_c7c9fe889c30cbc1d332d472e0fd880a_avoslocker_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_c7c9fe889c30cbc1d332d472e0fd880a_avoslocker_metamorfo.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT /RELANCE
        3⤵
        • Executes dropped EXE
        PID:1328

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\wd280ggl.dll

          Filesize

          1.2MB

          MD5

          83575f55bc7ac9d0c781d0a09ec60f1d

          SHA1

          89c199c81fbc84b7e1eb8224580f8cd421f0d1af

          SHA256

          41bc027601bf15efd4611af3fed50a9dcb8fd7cc5aa3acaaddd5b26ac49f25f8

          SHA512

          2b09850738aea6aaf097ff9b32e989e857d33873850fe0c6cf62b5e16dde883d53867bf7734a73be0a853aabdffa61f2bcff8cd530208f8d2fad3e771c7e8c10

        • C:\Users\Admin\AppData\Local\Temp\wd280hf.dll

          Filesize

          4.5MB

          MD5

          6dcf5ef3140a6e23d840d951747092e2

          SHA1

          19fd9adf8ce28495f29fb38b5fb8d27084ad9e87

          SHA256

          540d9d09a52845b0c61c090b541d8e0f83ea6a795bf7597e6725b9cdd1b692e3

          SHA512

          03afe8001c8f78b546d8da7738caf1d83bf3d4eb5b00977e6782e0d64bd1a4cc2b1765b67e34fd2f8c941073884993de5161211856eba51d47cc742944003ff5

        • C:\Users\Admin\AppData\Local\Temp\wd280mdl.dll

          Filesize

          3.9MB

          MD5

          5312e14efdc499e7544a87abcd456add

          SHA1

          d5e44a7882a9bd006906e1fb1ac1c1379c6e28d5

          SHA256

          59a366773d5a460666307f6a47121af485ee27f4ef839d539bd5185705ce8835

          SHA512

          718a87d30c06c4459fc0c5416ddc6fc453151238b7f8eea044b467c8ec8efb2234428238708924791bb854139fa537ba10fa258a6ba8206decb473b7aedbf8bc

        • C:\Users\Admin\AppData\Local\Temp\wd280pnt.dll

          Filesize

          2.1MB

          MD5

          70ed1962686f6513c224603cbb0e0d09

          SHA1

          6ab5c13ce048ee902b8020367bb9af35eea91f43

          SHA256

          7037eefae2a7bf56a30fe1bb42a490c8dc9e48188a902aff892e59975905ed50

          SHA512

          383a62519e2a79802a824d8d1e333810b833e695b24e105aa7b66afbf28b044f7b107d048623b200713e0924fb848f5a49fcb15e0076c75a4199d75adbd838bf

        • C:\Users\Admin\AppData\Local\Temp\wd280std.dll

          Filesize

          3.0MB

          MD5

          995bcbd23b29d412124b9d487ad1b17b

          SHA1

          900b7b76d1a9732d5f626105da770962d9a8cd67

          SHA256

          23a5d057b6469cc4d9638370fb9a4871ba78cbad487029b7ec8b9d67d989bb70

          SHA512

          f63283b6565187e720d324ecdeeda88c0a73095a0911975c338efd66e4eee21bf90844414447a89621802d55c124f9134138f27b90b4bcf5aabf4644473bb008

        • C:\Users\Admin\AppData\Local\Temp\wd280vm.dll

          Filesize

          5.1MB

          MD5

          43751783acf22373ff40fc6e5aa4e762

          SHA1

          8056f50812f22e48a1ac6aa8b2e968eea07294e6

          SHA256

          aa991d9c14bbe567cdc47a6bd843f4f2e9de1b5ead0aff1ee4a8fa7cd40e0cdd

          SHA512

          b25809e48cc7e334ed108234ff2d810a457bf1ba4028cc7bebe8ac665741f96adc9c88d56bc6ea7ff1f82fda71c1d9b1d868928806a52709177ac64aab16f96c

        • C:\Users\Admin\AppData\Local\Temp\wd280xls.dll

          Filesize

          1.7MB

          MD5

          cbe21c3f485a70a1a60c0221b2750391

          SHA1

          6edf84318a2873b5e6d09916c5d3f5e6b2c7a50c

          SHA256

          794f5e933317a6cba7d795cee4be09d476857c187ab2e6ad9f72978d58bc6444

          SHA512

          3ada2111d39edaf1debf644a111f7c7c4f846917421452e74c70e70039c64546de3617d5870a329c913ec4b2230a9f2626d14ac8823335c5f45c2a92832d270d

        • \Users\Admin\AppData\Local\Temp\wd280com.dll

          Filesize

          5.3MB

          MD5

          48b04fb18896386ed4d1b2d2bbc3a64d

          SHA1

          ccf266e14e400467216cd719e48d09c0a046787f

          SHA256

          fbcedbcc8492470533843cf847447af7161368c458f5d1de1643dd6cd642040a

          SHA512

          800a8c2e76f2caa47d18f10d20d1d0230c69fada398b7e754bdbfe0e1ddd9f52a3ff54ecd231f58e5e4f180b1daca8268a8518629de2b0c6e6842433d9f91ee7

        • \Users\Admin\AppData\Local\Temp\wd280obj.dll

          Filesize

          17.9MB

          MD5

          1d57d0d2c9231c8930490cbbcfa74f59

          SHA1

          794eac5c72f650a5dcbab81470b7d5d77dbdd132

          SHA256

          aa186693330a3f5cd70ca70c17012deb9017f33abdf09312b6a7c08c50148da3

          SHA512

          0d60eb5c4259a0e154459e76ba5d314046f9400afb77a23ea58d0a977d03bd30b7e9f30547f26812b711ba12b7496f64c58df86586e27e0bf1fac4a68bfcf121

        • \Users\Admin\AppData\Local\Temp\wd280pdf.dll

          Filesize

          5.1MB

          MD5

          84c31c4226ae970cb7efbc3c13471d34

          SHA1

          27c16fb82e517f4e444f918ef83f8004193feacb

          SHA256

          e5ac69da6749377fe85b11df0ecaf27cbc6510c9100752c2fe04e444ce712d4f

          SHA512

          10e6f07c1d5d36c25ba7950f994560f5783f6e42af8aa21169941d40902851655d8b4c80315862b12cc2f681444038eee9b6e8b6e8f068757d7d430273bcd121

        • \Users\Admin\AppData\Local\Temp\wd280rpl.dll

          Filesize

          634KB

          MD5

          474c9c09fe9c5f3486fabb9f362e93b2

          SHA1

          c5527f5d8129a7787497496d295a05f500d3873b

          SHA256

          6763813ea27a7ea786494c14e80796b3b45757d5edf67776000e9f957e9f69d5

          SHA512

          e94571c4d03f18b51353add9c3d44a6003b218eaad5aa122de10b1cc571f1c31d358fd2a45b7b706339cb48ca2f0029d54b6d6c328f14cb75740263cd67e8860

        • \Users\Admin\AppData\Local\Temp\wd280xml.dll

          Filesize

          1.8MB

          MD5

          dd14562a1a2ef2fc885cb58e7839eceb

          SHA1

          ebb4b222323890d2d13c46cfcb5ea8b32515880a

          SHA256

          c871a454bc6883c9fae2d72af6bb0b565bef497b6f9c3260e6b7465ac86d176d

          SHA512

          fd7abc290e3283980a566fc9099d355307f3868738156fe2e6f793dc56588c0b24307aa2fb5c7815086dd478d8a2a4e09cd50fce8bd91cff0857ddfb2f36ec0b

        • memory/1856-1-0x00000000007C0000-0x00000000008C0000-memory.dmp

          Filesize

          1024KB

        • memory/1856-17-0x00000000007C0000-0x00000000008C0000-memory.dmp

          Filesize

          1024KB

        • memory/1856-305-0x0000000003B10000-0x0000000003B20000-memory.dmp

          Filesize

          64KB

        • memory/1856-320-0x0000000007580000-0x0000000008550000-memory.dmp

          Filesize

          15.8MB