Malware Analysis Report

2024-10-10 12:46

Sample ID: 240613-19rxgswfkp
Target:    2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif
SHA256:    367f46e316769c2c512ba9aaa8f09050d3621dbbdd805e8fad06ebd1e16cefa6
Tags:      upx
Score:     9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        9/10
SHA256:       367f46e316769c2c512ba9aaa8f09050d3621dbbdd805e8fad06ebd1e16cefa6
Threat Level: Likely malicious

The file 2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx

    UPX dump on OEP (original entry point)
    Loads dropped DLL
    UPX packed file
    ACProtect 1.3x - 1.4x DLL software
    Enumerates connected drives
    Drops file in Program Files directory
    Unsigned PE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:21

Signatures

Unsigned PE
    1 entry; Description, Indicator, Process and Target all N/A.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-13 22:21
Reported:         2024-06-13 22:23
Platform:         win7-20240419-en
Max time kernel:  121s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"

Signatures

UPX dump on OEP (original entry point)
    3 entries; Description, Indicator, Process and Target all N/A.

ACProtect 1.3x - 1.4x DLL software
    1 entry; Description, Indicator, Process and Target all N/A.

UPX packed file (tag: upx)
    3 entries; Description, Indicator, Process and Target all N/A.

Enumerates connected drives
    Description: File opened (read-only)
    Indicator:   \??\e:
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Drops file in Program Files directory
    Description: File created
    Indicator:   C:\Program Files\Common Files\System\symsrv.dll
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Suspicious behavior: EnumeratesProcesses
    Description: N/A
    Indicator:   N/A
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Suspicious use of AdjustPrivilegeToken
    Description: Token: SeDebugPrivilege
    Indicator:   N/A
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp

Files

memory/1968-3-0x0000000010000000-0x0000000010030000-memory.dmp
    (memory dump; no hashes recorded)

\Program Files\Common Files\System\symsrv.dll
    MD5    7574cf2c64f35161ab1292e2f532aabf
    SHA1   14ba3fa927a06224dfe587014299e834def4644f
    SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\log.txt
    MD5    33a3a5b11d5acca287d7d80a7a2e17a5
    SHA1   3871b9ab87e4f89e489f615df8b6ab37dd2a13e3
    SHA256 dfbf5a77fd055f93ad667f2b7196eb4d11a31178070a1546273bae65f9e44a41
    SHA512 46f2134d3f3d031c6c4dc7dc05cb48e09924fe6e36f3eaaa8c451c0da862f18b75adb9ffad46c5a5bd40d5ab91504fe599aa9338aec8edb72a1e89e50632a92d

C:\Users\Admin\AppData\Local\Temp\log.txt (second version)
    MD5    58c6e6af914b9fa054cb9abb3c25e001
    SHA1   3ee426e1ee73375217af350292b7a708e56c47ed
    SHA256 153c50cbfc11a9a50a5207451415d53432e0b92591a63ac8764de007e4c363b8
    SHA512 6efe0a52f39a2b567523590c89ec5292a28b4f0dc19a01b7b1c1eff36e5f561b0d5864939cee9be9fc408055aa0637a1cdfa63f7a211a54cfbbb6c5582d749d4

memory/1968-61-0x0000000010000000-0x0000000010030000-memory.dmp
    (memory dump; no hashes recorded)

memory/1968-60-0x00000000003E0000-0x0000000000478000-memory.dmp
    (memory dump; no hashes recorded)

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-13 22:21
Reported:         2024-06-13 22:23
Platform:         win10v2004-20240611-en
Max time kernel:  92s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"

Signatures

UPX dump on OEP (original entry point)
    3 entries; Description, Indicator, Process and Target all N/A.

ACProtect 1.3x - 1.4x DLL software
    1 entry; Description, Indicator, Process and Target all N/A.

UPX packed file (tag: upx)
    3 entries; Description, Indicator, Process and Target all N/A.

Enumerates connected drives
    Description: File opened (read-only)
    Indicator:   \??\e:
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Drops file in Program Files directory
    Description: File created
    Indicator:   C:\Program Files\Common Files\System\symsrv.dll
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

    Description: File created
    Indicator:   \??\c:\program files\common files\system\symsrv.dll.000
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Suspicious use of AdjustPrivilegeToken
    Description: Token: SeDebugPrivilege
    Indicator:   N/A
    Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.79.56.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll
    MD5    7574cf2c64f35161ab1292e2f532aabf
    SHA1   14ba3fa927a06224dfe587014299e834def4644f
    SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
    SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/3076-4-0x0000000010000000-0x0000000010030000-memory.dmp
    (memory dump; no hashes recorded)

C:\Users\Admin\AppData\Local\Temp\log.txt
    MD5    0b181f6e9814bdd55d29c857a7f896e6
    SHA1   2143b1a975dcb27fc52946c6c235d8925b748e64
    SHA256 1c2ab420c80edc4f07abee07a4e2ecacf12be5cd19e921a94f5bcc6de95bfdc2
    SHA512 b11e9aefba89ba468dd98e15245422bd9c33a4d3cffdbcd966986247a41c5acc43ceb791b00717854b99582811cbfcecbdd86f9b93e5c8409af0212aca009145

C:\Users\Admin\AppData\Local\Temp\log.txt (second version)
    MD5    bc891cd928ea897946235121ffaf989f
    SHA1   3e429fd7ddfe1b5cf6d52efcc5e2ae430c1fe1bb
    SHA256 026be562f6160dee4737bc0b5cb1f656f3dbf496b9eae0934816322809c6249e
    SHA512 7dc723758ba6b20783a546e103d802509e768588b13488a6674cec27cdb387d2f6d31b4ebf464290a6434039f2d0712df66fbe82a3a20057242f68078f55de5f

memory/3076-63-0x0000000000CF0000-0x0000000000D88000-memory.dmp
    (memory dump; no hashes recorded)

memory/3076-65-0x0000000010000000-0x0000000010030000-memory.dmp
    (memory dump; no hashes recorded)