Analysis Overview
SHA256
367f46e316769c2c512ba9aaa8f09050d3621dbbdd805e8fad06ebd1e16cefa6
Threat Level: Likely malicious
The file 2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif was found to be: Likely malicious.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:21
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:21
Reported
2024-06-13 22:23
Platform
win7-20240419-en
Max time kernel
121s
Max time network
124s
Signatures
UPX dump on OEP (original entry point)
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
UPX packed file
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 5isohu.com | udp |
Files
memory/1968-3-0x0000000010000000-0x0000000010030000-memory.dmp
\Program Files\Common Files\System\symsrv.dll
| Hash | Value |
|---|---|
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
C:\Users\Admin\AppData\Local\Temp\log.txt
| Hash | Value |
|---|---|
| MD5 | 33a3a5b11d5acca287d7d80a7a2e17a5 |
| SHA1 | 3871b9ab87e4f89e489f615df8b6ab37dd2a13e3 |
| SHA256 | dfbf5a77fd055f93ad667f2b7196eb4d11a31178070a1546273bae65f9e44a41 |
| SHA512 | 46f2134d3f3d031c6c4dc7dc05cb48e09924fe6e36f3eaaa8c451c0da862f18b75adb9ffad46c5a5bd40d5ab91504fe599aa9338aec8edb72a1e89e50632a92d |
C:\Users\Admin\AppData\Local\Temp\log.txt
| Hash | Value |
|---|---|
| MD5 | 58c6e6af914b9fa054cb9abb3c25e001 |
| SHA1 | 3ee426e1ee73375217af350292b7a708e56c47ed |
| SHA256 | 153c50cbfc11a9a50a5207451415d53432e0b92591a63ac8764de007e4c363b8 |
| SHA512 | 6efe0a52f39a2b567523590c89ec5292a28b4f0dc19a01b7b1c1eff36e5f561b0d5864939cee9be9fc408055aa0637a1cdfa63f7a211a54cfbbb6c5582d749d4 |
memory/1968-61-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1968-60-0x00000000003E0000-0x0000000000478000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:21
Reported
2024-06-13 22:23
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
99s
Signatures
UPX dump on OEP (original entry point)
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
UPX packed file
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_dbde29d0b5ac09f3c91a93c6da46d2b0_avoslocker_cobalt-strike_floxif.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 45.56.79.23:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.79.56.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 45.56.79.23:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Program Files\Common Files\System\symsrv.dll
| Hash | Value |
|---|---|
| MD5 | 7574cf2c64f35161ab1292e2f532aabf |
| SHA1 | 14ba3fa927a06224dfe587014299e834def4644f |
| SHA256 | de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085 |
| SHA512 | 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab |
memory/3076-4-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\log.txt
| Hash | Value |
|---|---|
| MD5 | 0b181f6e9814bdd55d29c857a7f896e6 |
| SHA1 | 2143b1a975dcb27fc52946c6c235d8925b748e64 |
| SHA256 | 1c2ab420c80edc4f07abee07a4e2ecacf12be5cd19e921a94f5bcc6de95bfdc2 |
| SHA512 | b11e9aefba89ba468dd98e15245422bd9c33a4d3cffdbcd966986247a41c5acc43ceb791b00717854b99582811cbfcecbdd86f9b93e5c8409af0212aca009145 |
C:\Users\Admin\AppData\Local\Temp\log.txt
| Hash | Value |
|---|---|
| MD5 | bc891cd928ea897946235121ffaf989f |
| SHA1 | 3e429fd7ddfe1b5cf6d52efcc5e2ae430c1fe1bb |
| SHA256 | 026be562f6160dee4737bc0b5cb1f656f3dbf496b9eae0934816322809c6249e |
| SHA512 | 7dc723758ba6b20783a546e103d802509e768588b13488a6674cec27cdb387d2f6d31b4ebf464290a6434039f2d0712df66fbe82a3a20057242f68078f55de5f |
memory/3076-63-0x0000000000CF0000-0x0000000000D88000-memory.dmp
memory/3076-65-0x0000000010000000-0x0000000010030000-memory.dmp