Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 17:50
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe
-
Size
1.3MB
-
MD5
46795d83f1b59e48ee80e5718fb020bd
-
SHA1
a8f0d013de670f4ec92449e1e4c0a3491b1133be
-
SHA256
698c0a88febaf2fcbb385cd1cbb99f45d4ec0050b7949545b5c9b5ed7dcc22d3
-
SHA512
c97c106a37183e821fac5c3b627ee2bb980bb651308bf7aa018d7769fa2d00f5a19ddb030518d00e02f4b217c91a7bab3fc0746473bd47c49c17ec62ef005cd7
-
SSDEEP
24576:o2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgedP+L6VMRCPU6CENltmVVdpx7f3:oPtjtQiIhUyQd1SkFdU6ZU6CENlc7dp5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2440 alg.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\alg.exe 2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db 2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db 2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal 2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2348 2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_46795d83f1b59e48ee80e5718fb020bd_avoslocker.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
PID:2440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
661KB
MD50b0043f59be922c302c7a8929195e4f1
SHA1e425c2043cb7945a4c243f16f2b3a727e06deb42
SHA25680908bf6eff112865aff1f6641d307446dfe4e9c4466c06cb08f16c63d71aa12
SHA5129582f5d679234a056e3b12f6d17ce7a12a84a103af0bba054445f6ccaefc06fe6fa24d1e509f9cd0658047e1e287d585a6203fba37591bebb655579ec29e3b6e