Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 08:28

General

  • Target

    2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe

  • Size

    4.2MB

  • MD5

    3fa2e627b92c3ffc01e7ba3dfab3823a

  • SHA1

    5333ec9ddf45e1d5c8ad0e9d81f248c0603ecd75

  • SHA256

    465e9fb5cf1f80fe667b6ee18a764a79a92b810a19182959d9cef6bf0d4a1870

  • SHA512

    adaa5fe1253ed7c086afda25f26c4723f35c671cf53978f31615338c0161d707a0e4560cd7bb92f356c1e40badebdb2dcc486a97b9e0371c3f49f00ca10d89ea

  • SSDEEP

    98304:0pq/d8kCBKlMyQjujDW9tBcg2jGqwwAWh7tmCY0N9n1bkB3tiXn:dcx5ujyp8jGqwwH7tIo1gNtmn

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 39 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\temp\AC4333641FA2FE118B0C2C47A8A339EC\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe
      "C:\Windows\temp\AC4333641FA2FE118B0C2C47A8A339EC\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Suspicious behavior: EnumeratesProcesses
      PID:4876
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4352,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:8
    1⤵
      PID:840

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Defense Evasion

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.setup.ui.core.dll
      Filesize

      89KB

      MD5

      2c8f5ec07cb84d844e3fdee32b2a8e00

      SHA1

      2e27daffed27a7e6ee3adc50eef1710da318ca32

      SHA256

      8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9

      SHA512

      ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.setup.ui.dll
      Filesize

      278KB

      MD5

      1bebc399a1b31eabc3361169df0316d1

      SHA1

      56091143fafa680dc65dd5f2b5d6fafa94590041

      SHA256

      894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b

      SHA512

      d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.setup.ui.interoplayer.dll
      Filesize

      56KB

      MD5

      baf69d3c6977161e0c2b631b3f9958d4

      SHA1

      a1b2982c11811c4e5f6bce95f3072a855d11c369

      SHA256

      e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc

      SHA512

      2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.setup.ui.visuals.dll
      Filesize

      420KB

      MD5

      6181240bc579d2dfb176a1ca260f5a90

      SHA1

      eb13b6cd4a242c8399396795d1863954b8d79507

      SHA256

      b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768

      SHA512

      f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.ui.framework.dll
      Filesize

      264KB

      MD5

      2ad2ab4f8517da8e2efdfed22ad49f1e

      SHA1

      55916e3e5c4c40cf2e5644fbad07baf31459673e

      SHA256

      6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7

      SHA512

      12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.ui.framework.localization.dll
      Filesize

      283KB

      MD5

      079ac68d4beb2ab9602d754b09ff652b

      SHA1

      90032834cc5cffd0b00119e4e38b5f4c5f877e4c

      SHA256

      9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e

      SHA512

      53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.ui.framework.uikit.b2c.dll
      Filesize

      631KB

      MD5

      445e34aa976419cae54e13ede8d41ce5

      SHA1

      98ca3ee808f97ae16970b0fcefd3387bd07278eb

      SHA256

      a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24

      SHA512

      86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\kl.ui.framework.uikit.dll
      Filesize

      2.7MB

      MD5

      18defb1e3b7460f592a8ca61e4b40ff0

      SHA1

      8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b

      SHA256

      02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d

      SHA512

      7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\setup.dll
      Filesize

      5.2MB

      MD5

      9814c17fbd608a4dd34d0a67c14c7cc2

      SHA1

      9627ed25a6c843d7c57ccdd7368c5a64e497ad07

      SHA256

      071ce800e0fbd5fd090bb02913e267cda61504fa58bd943c726aa2f1b7179c2c

      SHA512

      3ecf76b6554dc47b1271b03e903d27ad0f77907ac760c48d304609c3937f9d76af4f8ddd871e089755aa1279f011f186180044000349d9f80f872a1551b423d4

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectorconverterswpf.dll
      Filesize

      137KB

      MD5

      a56a73b39703d5ff85b5cf12f9b00009

      SHA1

      e6448c87f969e19ae4c6514d69d8286d26a2b5db

      SHA256

      bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7

      SHA512

      7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectorcore.dll
      Filesize

      201KB

      MD5

      24e3b7177eeabdf085a01796b49c8e55

      SHA1

      6916a0bb98892252f59692fd0405e6da62af0f8b

      SHA256

      eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386

      SHA512

      5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectorcss.dll
      Filesize

      109KB

      MD5

      726d04bbe783a3510b18a491adac05c0

      SHA1

      11a01c68204dd80b32c01dcdb2e51f5b0ee34d98

      SHA256

      639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca

      SHA512

      90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectordom.dll
      Filesize

      55KB

      MD5

      e4f6efef27708458ecda4ee22edf3cef

      SHA1

      07ccb5fa980dead816737ad83802cbfed18e4a4f

      SHA256

      413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3

      SHA512

      4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectormodel.dll
      Filesize

      998KB

      MD5

      225a73e5a0cf87453832b578db6daddb

      SHA1

      a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac

      SHA256

      0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1

      SHA512

      565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectorrenderingwpf.dll
      Filesize

      203KB

      MD5

      faec58e7785c287a7c688f274207048d

      SHA1

      66c038c720035b7212a7d3733da4520e3b95d63b

      SHA256

      4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce

      SHA512

      9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e

    • C:\Users\Admin\AppData\Local\Temp\85AE7F251FA2FE118B0C2C47A8A339EC\sharpvectorruntimewpf.dll
      Filesize

      69KB

      MD5

      0e203d24d04e89779638dd70d5335b39

      SHA1

      98ffc3718c6e34bd6d696bbcce605db666f99b01

      SHA256

      f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204

      SHA512

      a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee

    • C:\Windows\Temp\AC4333641FA2FE118B0C2C47A8A339EC\2024-06-15_3fa2e627b92c3ffc01e7ba3dfab3823a_avoslocker.exe
      Filesize

      4.2MB

      MD5

      3fa2e627b92c3ffc01e7ba3dfab3823a

      SHA1

      5333ec9ddf45e1d5c8ad0e9d81f248c0603ecd75

      SHA256

      465e9fb5cf1f80fe667b6ee18a764a79a92b810a19182959d9cef6bf0d4a1870

      SHA512

      adaa5fe1253ed7c086afda25f26c4723f35c671cf53978f31615338c0161d707a0e4560cd7bb92f356c1e40badebdb2dcc486a97b9e0371c3f49f00ca10d89ea

    • memory/4368-1-0x00000000777E0000-0x00000000777F0000-memory.dmp
      Filesize

      64KB

    • memory/4368-3-0x00000000776A2000-0x00000000776A3000-memory.dmp
      Filesize

      4KB

    • memory/4368-0-0x00000000777E0000-0x00000000777F0000-memory.dmp
      Filesize

      64KB

    • memory/4368-2-0x00000000777E0000-0x00000000777F0000-memory.dmp
      Filesize

      64KB

    • memory/4876-39-0x0000000072DDE000-0x0000000072DDF000-memory.dmp
      Filesize

      4KB

    • memory/4876-151-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-84-0x0000000006780000-0x0000000006A40000-memory.dmp
      Filesize

      2.8MB

    • memory/4876-85-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-8-0x0000000077810000-0x0000000077820000-memory.dmp
      Filesize

      64KB

    • memory/4876-89-0x0000000006F70000-0x0000000006FDA000-memory.dmp
      Filesize

      424KB

    • memory/4876-124-0x0000000007870000-0x000000000796A000-memory.dmp
      Filesize

      1000KB

    • memory/4876-99-0x0000000006FE0000-0x000000000707E000-memory.dmp
      Filesize

      632KB

    • memory/4876-106-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-72-0x00000000060E0000-0x0000000006122000-memory.dmp
      Filesize

      264KB

    • memory/4876-111-0x0000000007440000-0x0000000007474000-memory.dmp
      Filesize

      208KB

    • memory/4876-49-0x0000000003F40000-0x0000000003F86000-memory.dmp
      Filesize

      280KB

    • memory/4876-43-0x0000000003A90000-0x0000000003A9E000-memory.dmp
      Filesize

      56KB

    • memory/4876-80-0x0000000006730000-0x0000000006778000-memory.dmp
      Filesize

      288KB

    • memory/4876-154-0x0000000000A10000-0x0000000000A18000-memory.dmp
      Filesize

      32KB

    • memory/4876-7-0x0000000077810000-0x0000000077820000-memory.dmp
      Filesize

      64KB

    • memory/4876-9-0x0000000077810000-0x0000000077820000-memory.dmp
      Filesize

      64KB

    • memory/4876-116-0x00000000074D0000-0x0000000007562000-memory.dmp
      Filesize

      584KB

    • memory/4876-115-0x0000000007480000-0x00000000074A2000-memory.dmp
      Filesize

      136KB

    • memory/4876-132-0x00000000079A0000-0x00000000079AE000-memory.dmp
      Filesize

      56KB

    • memory/4876-50-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-128-0x0000000007980000-0x000000000799C000-memory.dmp
      Filesize

      112KB

    • memory/4876-51-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-136-0x00000000079F0000-0x0000000007A02000-memory.dmp
      Filesize

      72KB

    • memory/4876-146-0x000000000BE40000-0x000000000BE78000-memory.dmp
      Filesize

      224KB

    • memory/4876-147-0x000000000BE80000-0x000000000BE8E000-memory.dmp
      Filesize

      56KB

    • memory/4876-148-0x0000000072DDE000-0x0000000072DDF000-memory.dmp
      Filesize

      4KB

    • memory/4876-149-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-150-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-120-0x00000000076F0000-0x0000000007722000-memory.dmp
      Filesize

      200KB

    • memory/4876-152-0x0000000072DD0000-0x0000000073580000-memory.dmp
      Filesize

      7.7MB

    • memory/4876-76-0x0000000006190000-0x00000000061A6000-memory.dmp
      Filesize

      88KB