464da04b2082472d9faeb326e6ca71a09389a59e6fb1add847898250109f4e7b

General

Target

2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
Size

2.3MB
MD5

b747ee03230dd69e8fd8b7e3cc59c5ea
SHA1

4240cc3448f1c9b4c42b427d67423b05f912f087
SHA256

464da04b2082472d9faeb326e6ca71a09389a59e6fb1add847898250109f4e7b
SHA512

e344d7aff8f0ae43ca4a418a02e9069d4bfc2f7fb84664742e821cade06a7ac531908f1829c443f20587571bf22ddef02069e90cc803ab45184b6a69a9052318
SSDEEP

49152:Uf0fgV8ryyIarNnjmhtY4R96OZqcjjYsKaTHXHbpySwnPxl/:Uf0fOuNnKhtY4T6OZ58sKs396

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2556	InstallFramework.exe
2428	InstallFramework.exe

Loads dropped DLL 9 IoCs

pid	Process
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
2556	InstallFramework.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 1560 wrote to memory of 2556	1560	2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe	32
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33
PID 2556 wrote to memory of 2428	2556	InstallFramework.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_b747ee03230dd69e8fd8b7e3cc59c5ea_avoslocker_metamorfo.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallFramework.exe" /REP="C:\Users\Admin\AppData\Local\Temp\" /SILENT /WAIT /RELANCE
    3⤵
    - Executes dropped EXE
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wd280hf.dll

Filesize
4.5MB

MD5
14f357ea2cf1376683d3c9365798af54

SHA1
9c702e3f300541700ed0292ad37adaaf3f79be6c

SHA256
d2aeec00c7632e8c96444f8fd7ea3b5a05f6c0b76cae10bb29194a8db8b221b1

SHA512
14536bc2ba1e02062e10db9500ea54424af47c23636d849a886f70bad77656efc43ffcf527a7c4d393322afc95b8549465fa79b833ec91330148fca8ed672874

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280mdl.dll

Filesize
3.9MB

MD5
f5a55f9deddc964c7ce90cc6ee897b5e

SHA1
784b702262c32bfc92835adae49ced354040ed6d

SHA256
194137f74af6ed584fcadfea6b4f7c2e1dc713510d3d0b23aa60644c00cd3bf0

SHA512
cdeb6e55b13a8117d817612cf743520833a1af58e9507baf3f869fdd9dacc85a4b1cf403cf7be22a24aa69085e3d8a19640f857b0d8133952627dbf766e9a207

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280obj.dll

Filesize
17.9MB

MD5
e457064438f76edea2ab5371be07186c

SHA1
1f2faad3a04cf83d693bec35855abdd8d33f9ec8

SHA256
f282d97cdeb505a043c0a0a856fee2f894129fa5387abf38029008b291506c27

SHA512
ad59b6a13de15360b15b90d5a98dc06a64ca42421578cd684a7859e2bb63a0413d2837c3a46715a5e91efc3c1ccdae65710dfde13ddd9464c4560fe8ab0f7d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280pdf.dll

Filesize
5.1MB

MD5
b25f6a18372d84c29a7b4d44d7f92634

SHA1
ccad3c7dcd8a7e1f1d70333e3d2a1da311429137

SHA256
8b60182fcc48632d75b61f52c60cdec688e5dbd3170be3f87ec01143e368d682

SHA512
47560b5c09cfec4a7763ea6df75ae8110f05ef180e78c9eaa6f71cb2459e2627a8fc211bace676c5832f140e6c5be6f0ce2bb9b1d4981272c3b933b251fb4aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280pnt.dll

Filesize
2.1MB

MD5
20a994b3e4793af38b18ba783ba3e3a8

SHA1
88f6d6a668c2c28fa7217bd212c75351ace46e92

SHA256
81c168b5d7f9ccd920ce7ee55748a43e9b4a5dbea98b89001b2a9ebdbe59e8f9

SHA512
0b74e4b41afe3cc943cdb1619442a69a60590134280245d911314befc8e83600bafcb12db74afd2cfc054ea4a976d47ad8e1729bc62663c35144088233b598a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280std.dll

Filesize
3.0MB

MD5
7912dd97e5d2f18987605abaf6d168a8

SHA1
d912e182e65cbe48e7294a0092d02a40d9331be5

SHA256
9a83548a486c7177d6bc39e2b3002398b9f1734f1a330d735b1fd91c24b10cc5

SHA512
ff198e2648eafbf46ca544f01103e438af73cc6610b8556ce5999efc9abbd44b15af0b4ed7c41a48ed22c61dbc50914ea3b3e6c4940b8f5089c2c98295363b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd280vm.dll

Filesize
5.1MB

MD5
56eb18ee8bfc9a759b39891c570aa58c

SHA1
3539000a585d6f7441d72433df2991c6637eea65

SHA256
3a65665f808fb549fa1ca16b43367c8149e2fb2148fec0682c66a69cbd9091ff

SHA512
0a3a7409b04cdf6eaaf21272138ad380a48bcb4374de40c007812b2ccac802b8e99b7b726a652ba7d9f11e0a3146c8e6f512ce288238861a7fb34a1d9a193721

Download Submit
memory/1560-1-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1560-17-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1560-157-0x0000000003620000-0x0000000003630000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing