Analysis Overview
SHA256
3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02
Threat Level: Shows suspicious behavior
The file 2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks for VirtualBox DLLs, possible anti-VM trick
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 13:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 13:02
Reported
2024-06-20 13:05
Platform
win7-20240419-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Loads dropped DLL
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"
C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
"C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ds.kaspersky.com | udp |
| CH | 82.202.184.184:443 | ds.kaspersky.com | tcp |
| US | 8.8.8.8:53 | crl.kaspersky.com | udp |
| FR | 212.73.221.196:80 | crl.kaspersky.com | tcp |
| US | 8.8.8.8:53 | dm.s.kaspersky-labs.com | udp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
| DE | 130.117.190.147:443 | dm.s.kaspersky-labs.com | tcp |
Files
memory/2396-2-0x0000000077570000-0x0000000077580000-memory.dmp
memory/2396-0-0x0000000077570000-0x0000000077580000-memory.dmp
memory/2396-1-0x0000000077570000-0x0000000077580000-memory.dmp
\Windows\Temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
| MD5 | 602db6d99b3daffef5eaef8e3b13593d |
| SHA1 | 1a7677e5682345531592df57d5de6b4d22293f3a |
| SHA256 | 3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02 |
| SHA512 | 7ef6e292fc023ad8fde3b5cc37cb05d44a360e02a44518dfbccd9b22cdebc10838dfa8b86aacf1dc061b629fa943f7ae5475bf0a5cdff85128454c3eea93dbc3 |
memory/1400-10-0x0000000077560000-0x0000000077570000-memory.dmp
memory/1400-9-0x0000000077560000-0x0000000077570000-memory.dmp
memory/1400-8-0x0000000077560000-0x0000000077570000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\setup.dll
| MD5 | 816f9b62aeeca708661dcd72da3ecb74 |
| SHA1 | c26a9bca4382009e61177598bb50f69fb88e88c3 |
| SHA256 | 3d7dd3e6ae9e4ef059f56f4eabcd8bdb519a2a1fe4cc5219c7a1efc1d554c4e7 |
| SHA512 | 53a2a3ceda1560f51fd006efedbc2adc8c8110cf8942c72e4d93ced56d693be70002c3fb1ba3503c88c22cf344dc4a64191b3bf729bcbef9cce8b8cbcbc900cc |
memory/1400-40-0x000000007319E000-0x000000007319F000-memory.dmp
memory/1400-44-0x0000000000730000-0x000000000073E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.interoplayer.dll
| MD5 | baf69d3c6977161e0c2b631b3f9958d4 |
| SHA1 | a1b2982c11811c4e5f6bce95f3072a855d11c369 |
| SHA256 | e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc |
| SHA512 | 2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839 |
memory/1400-47-0x0000000073190000-0x000000007387E000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.dll
| MD5 | 1bebc399a1b31eabc3361169df0316d1 |
| SHA1 | 56091143fafa680dc65dd5f2b5d6fafa94590041 |
| SHA256 | 894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b |
| SHA512 | d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac |
memory/1400-51-0x0000000003AD0000-0x0000000003B16000-memory.dmp
memory/1400-52-0x0000000073190000-0x000000007387E000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.dll
| MD5 | 2ad2ab4f8517da8e2efdfed22ad49f1e |
| SHA1 | 55916e3e5c4c40cf2e5644fbad07baf31459673e |
| SHA256 | 6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7 |
| SHA512 | 12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd |
memory/1400-82-0x0000000006210000-0x0000000006252000-memory.dmp
memory/1400-86-0x0000000002D70000-0x0000000002D86000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.uikit.dll
| MD5 | 18defb1e3b7460f592a8ca61e4b40ff0 |
| SHA1 | 8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b |
| SHA256 | 02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d |
| SHA512 | 7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12 |
memory/1400-94-0x00000000083E0000-0x00000000086A0000-memory.dmp
memory/1400-90-0x00000000066E0000-0x0000000006728000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.localization.dll
| MD5 | 079ac68d4beb2ab9602d754b09ff652b |
| SHA1 | 90032834cc5cffd0b00119e4e38b5f4c5f877e4c |
| SHA256 | 9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e |
| SHA512 | 53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9 |
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.core.dll
| MD5 | 2c8f5ec07cb84d844e3fdee32b2a8e00 |
| SHA1 | 2e27daffed27a7e6ee3adc50eef1710da318ca32 |
| SHA256 | 8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9 |
| SHA512 | ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca |
C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.visuals.dll
| MD5 | 6181240bc579d2dfb176a1ca260f5a90 |
| SHA1 | eb13b6cd4a242c8399396795d1863954b8d79507 |
| SHA256 | b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768 |
| SHA512 | f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f |
C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.uikit.b2c.dll
| MD5 | 445e34aa976419cae54e13ede8d41ce5 |
| SHA1 | 98ca3ee808f97ae16970b0fcefd3387bd07278eb |
| SHA256 | a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24 |
| SHA512 | 86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4 |
memory/1400-117-0x0000000007F50000-0x0000000007FEE000-memory.dmp
memory/1400-111-0x0000000008000000-0x000000000809E000-memory.dmp
memory/1400-103-0x0000000007D40000-0x0000000007DAA000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1400-98-0x0000000007D40000-0x0000000007DAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar1378.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1400-184-0x0000000005E00000-0x0000000005E34000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorrenderingwpf.dll
| MD5 | faec58e7785c287a7c688f274207048d |
| SHA1 | 66c038c720035b7212a7d3733da4520e3b95d63b |
| SHA256 | 4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce |
| SHA512 | 9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e |
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorconverterswpf.dll
| MD5 | a56a73b39703d5ff85b5cf12f9b00009 |
| SHA1 | e6448c87f969e19ae4c6514d69d8286d26a2b5db |
| SHA256 | bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7 |
| SHA512 | 7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5 |
memory/1400-188-0x0000000005C80000-0x0000000005CA2000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorcore.dll
| MD5 | 24e3b7177eeabdf085a01796b49c8e55 |
| SHA1 | 6916a0bb98892252f59692fd0405e6da62af0f8b |
| SHA256 | eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386 |
| SHA512 | 5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64 |
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectormodel.dll
| MD5 | 225a73e5a0cf87453832b578db6daddb |
| SHA1 | a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac |
| SHA256 | 0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1 |
| SHA512 | 565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965 |
memory/1400-196-0x00000000070E0000-0x00000000071DA000-memory.dmp
memory/1400-204-0x00000000061C0000-0x00000000061CE000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectordom.dll
| MD5 | e4f6efef27708458ecda4ee22edf3cef |
| SHA1 | 07ccb5fa980dead816737ad83802cbfed18e4a4f |
| SHA256 | 413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3 |
| SHA512 | 4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d |
memory/1400-208-0x00000000062E0000-0x00000000062F2000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorruntimewpf.dll
| MD5 | 0e203d24d04e89779638dd70d5335b39 |
| SHA1 | 98ffc3718c6e34bd6d696bbcce605db666f99b01 |
| SHA256 | f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204 |
| SHA512 | a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee |
memory/1400-200-0x00000000060A0000-0x00000000060BC000-memory.dmp
memory/1400-217-0x0000000073190000-0x000000007387E000-memory.dmp
\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorcss.dll
| MD5 | 726d04bbe783a3510b18a491adac05c0 |
| SHA1 | 11a01c68204dd80b32c01dcdb2e51f5b0ee34d98 |
| SHA256 | 639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca |
| SHA512 | 90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297 |
memory/1400-218-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-192-0x0000000006020000-0x0000000006052000-memory.dmp
memory/1400-180-0x0000000003B20000-0x0000000003B2A000-memory.dmp
memory/1400-241-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-242-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-243-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-244-0x000000007319E000-0x000000007319F000-memory.dmp
memory/1400-245-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-246-0x0000000003B20000-0x0000000003B2A000-memory.dmp
memory/1400-247-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-248-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-249-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-250-0x0000000073190000-0x000000007387E000-memory.dmp
memory/1400-251-0x0000000073190000-0x000000007387E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 13:02
Reported
2024-06-20 13:05
Platform
win10v2004-20240508-en
Max time kernel
64s
Max time network
64s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Loads dropped DLL
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
| N/A | N/A | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe |
| PID 1660 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe |
| PID 1660 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe | C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"
C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
"C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ds.kaspersky.com | udp |
| US | 8.8.8.8:53 | dm.s.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | ds.kaspersky.com | udp |
| US | 8.8.8.8:53 | dm.s.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | ds.kaspersky.com | udp |
| US | 8.8.8.8:53 | dm.s.kaspersky-labs.com | udp |
| US | 8.8.8.8:53 | dm.kaspersky-labs.com | udp |
Files
memory/1660-0-0x00000000773D0000-0x00000000773E0000-memory.dmp
memory/1660-2-0x00000000773D0000-0x00000000773E0000-memory.dmp
memory/1660-1-0x00000000773D0000-0x00000000773E0000-memory.dmp
memory/1660-3-0x0000000077292000-0x0000000077293000-memory.dmp
C:\Windows\Temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
| MD5 | 602db6d99b3daffef5eaef8e3b13593d |
| SHA1 | 1a7677e5682345531592df57d5de6b4d22293f3a |
| SHA256 | 3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02 |
| SHA512 | 7ef6e292fc023ad8fde3b5cc37cb05d44a360e02a44518dfbccd9b22cdebc10838dfa8b86aacf1dc061b629fa943f7ae5475bf0a5cdff85128454c3eea93dbc3 |
memory/4592-9-0x00000000773E0000-0x00000000773F0000-memory.dmp
memory/4592-8-0x00000000773E0000-0x00000000773F0000-memory.dmp
memory/4592-7-0x00000000773E0000-0x00000000773F0000-memory.dmp
memory/4592-10-0x0000000077292000-0x0000000077293000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\setup.dll
| MD5 | 816f9b62aeeca708661dcd72da3ecb74 |
| SHA1 | c26a9bca4382009e61177598bb50f69fb88e88c3 |
| SHA256 | 3d7dd3e6ae9e4ef059f56f4eabcd8bdb519a2a1fe4cc5219c7a1efc1d554c4e7 |
| SHA512 | 53a2a3ceda1560f51fd006efedbc2adc8c8110cf8942c72e4d93ced56d693be70002c3fb1ba3503c88c22cf344dc4a64191b3bf729bcbef9cce8b8cbcbc900cc |
memory/4592-40-0x0000000073A2E000-0x0000000073A2F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.interoplayer.dll
| MD5 | baf69d3c6977161e0c2b631b3f9958d4 |
| SHA1 | a1b2982c11811c4e5f6bce95f3072a855d11c369 |
| SHA256 | e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc |
| SHA512 | 2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839 |
memory/4592-44-0x0000000003E20000-0x0000000003E2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.dll
| MD5 | 1bebc399a1b31eabc3361169df0316d1 |
| SHA1 | 56091143fafa680dc65dd5f2b5d6fafa94590041 |
| SHA256 | 894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b |
| SHA512 | d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac |
memory/4592-47-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-51-0x00000000063D0000-0x0000000006416000-memory.dmp
memory/4592-52-0x0000000073A20000-0x00000000741D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.dll
| MD5 | 2ad2ab4f8517da8e2efdfed22ad49f1e |
| SHA1 | 55916e3e5c4c40cf2e5644fbad07baf31459673e |
| SHA256 | 6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7 |
| SHA512 | 12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd |
memory/4592-82-0x0000000006CD0000-0x0000000006D12000-memory.dmp
memory/4592-86-0x0000000007150000-0x0000000007166000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.core.dll
| MD5 | 2c8f5ec07cb84d844e3fdee32b2a8e00 |
| SHA1 | 2e27daffed27a7e6ee3adc50eef1710da318ca32 |
| SHA256 | 8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9 |
| SHA512 | ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca |
memory/4592-90-0x00000000074C0000-0x0000000007508000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.localization.dll
| MD5 | 079ac68d4beb2ab9602d754b09ff652b |
| SHA1 | 90032834cc5cffd0b00119e4e38b5f4c5f877e4c |
| SHA256 | 9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e |
| SHA512 | 53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9 |
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.uikit.dll
| MD5 | 18defb1e3b7460f592a8ca61e4b40ff0 |
| SHA1 | 8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b |
| SHA256 | 02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d |
| SHA512 | 7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12 |
memory/4592-94-0x00000000077D0000-0x0000000007A90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.visuals.dll
| MD5 | 6181240bc579d2dfb176a1ca260f5a90 |
| SHA1 | eb13b6cd4a242c8399396795d1863954b8d79507 |
| SHA256 | b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768 |
| SHA512 | f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f |
memory/4592-109-0x0000000007F80000-0x000000000801E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.uikit.b2c.dll
| MD5 | 445e34aa976419cae54e13ede8d41ce5 |
| SHA1 | 98ca3ee808f97ae16970b0fcefd3387bd07278eb |
| SHA256 | a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24 |
| SHA512 | 86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4 |
memory/4592-105-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-98-0x0000000007E70000-0x0000000007EDA000-memory.dmp
memory/4592-116-0x0000000073A20000-0x00000000741D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorrenderingwpf.dll
| MD5 | faec58e7785c287a7c688f274207048d |
| SHA1 | 66c038c720035b7212a7d3733da4520e3b95d63b |
| SHA256 | 4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce |
| SHA512 | 9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e |
memory/4592-125-0x0000000008320000-0x0000000008342000-memory.dmp
memory/4592-126-0x00000000083F0000-0x0000000008482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectormodel.dll
| MD5 | 225a73e5a0cf87453832b578db6daddb |
| SHA1 | a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac |
| SHA256 | 0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1 |
| SHA512 | 565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965 |
memory/4592-138-0x00000000084F0000-0x000000000850C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorcss.dll
| MD5 | 726d04bbe783a3510b18a491adac05c0 |
| SHA1 | 11a01c68204dd80b32c01dcdb2e51f5b0ee34d98 |
| SHA256 | 639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca |
| SHA512 | 90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297 |
memory/4592-134-0x0000000008880000-0x000000000897A000-memory.dmp
memory/4592-130-0x0000000008490000-0x00000000084C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorcore.dll
| MD5 | 24e3b7177eeabdf085a01796b49c8e55 |
| SHA1 | 6916a0bb98892252f59692fd0405e6da62af0f8b |
| SHA256 | eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386 |
| SHA512 | 5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64 |
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorconverterswpf.dll
| MD5 | a56a73b39703d5ff85b5cf12f9b00009 |
| SHA1 | e6448c87f969e19ae4c6514d69d8286d26a2b5db |
| SHA256 | bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7 |
| SHA512 | 7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5 |
memory/4592-121-0x00000000082E0000-0x0000000008314000-memory.dmp
memory/4592-142-0x00000000084D0000-0x00000000084DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectordom.dll
| MD5 | e4f6efef27708458ecda4ee22edf3cef |
| SHA1 | 07ccb5fa980dead816737ad83802cbfed18e4a4f |
| SHA256 | 413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3 |
| SHA512 | 4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d |
memory/4592-146-0x0000000008780000-0x0000000008792000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorruntimewpf.dll
| MD5 | 0e203d24d04e89779638dd70d5335b39 |
| SHA1 | 98ffc3718c6e34bd6d696bbcce605db666f99b01 |
| SHA256 | f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204 |
| SHA512 | a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee |
memory/4592-157-0x000000000C7B0000-0x000000000C7BE000-memory.dmp
memory/4592-156-0x000000000C7F0000-0x000000000C828000-memory.dmp
memory/4592-158-0x0000000073A2E000-0x0000000073A2F000-memory.dmp
memory/4592-159-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-160-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-161-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-162-0x0000000073A20000-0x00000000741D0000-memory.dmp
memory/4592-164-0x0000000006880000-0x0000000006888000-memory.dmp