817b7cf67532cd72d7ed576a86768c0d21897401c8c47db580f8de0ebadb29dc

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Size

3.9MB
MD5

5b15aeea8ee9f6a6407be7e3e2088cff
SHA1

103d28874f841474b179364f1541c74025bcfb5f
SHA256

817b7cf67532cd72d7ed576a86768c0d21897401c8c47db580f8de0ebadb29dc
SHA512

457458571d4f0727e47da80b01347587add72006104f0a3b948a31b008e613425b846dbcaf83322cd29958279640a1d3407f5cf768bb3f417d7c56b5f1d0a49f
SSDEEP

98304:xsRRaGVKg/Z5k38aYfUvFgi4ZxDaMqPXpoO6:UVpTkvvd47DaMMXpol

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Loads dropped DLL 42 IoCs

pid	Process
2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
3040	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30
PID 2548 wrote to memory of 3040	2548	2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\temp\0B192A225594FE11C92CE64D318855A8\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe
  "C:\Windows\temp\0B192A225594FE11C92CE64D318855A8\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kaspersky Lab Setup Files\KSDE21.17.7.539.0.234.0\au_setup_29A8D910-4955-11EF-9CC2-6ED41388558A\startup.exe

Filesize
4.2MB

MD5
0e59b36b30984880aa8736d3efb4f157

SHA1
4de8339002503bfae3fad5a6f64cbbadac966ea8

SHA256
2415860ac6b5be4b9102da8a7f3bfdb1fc738f058dafb6d4e108d138c9fa9b51

SHA512
6eaa9322d980f218d326631f64548fd02d9aeb1e90a560135ee7d3cf0670a953acce0f026e69679d52f8bddc69e38d33fa56831053ae932ed58af5e4550844a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.setup.ui.visuals.dll

Filesize
85KB

MD5
783977698c49b0d14a9c1a58707a6ed1

SHA1
2c194e542d6cfb01c1870d10a588ebebab6d9bbd

SHA256
6b1ef093643ff37d122eff63dfb94fc5faa7f600d19909077441837a9db34031

SHA512
e99112b2e880956cec9bbe6be3ff0581a292a9aa8de52db9d944fa10e55f45700f8e3c3e7697c363a08a05a7a0b33d670587ec10a7c02c4069eebed92133954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.ui.framework.uikit.b2c.dll

Filesize
526KB

MD5
cab2d71bfb9447f0e93a26ac5a8914f0

SHA1
479319792e8079c520c277b89c34ee51f3451a65

SHA256
1c0b743015019769efaa61b4572fe46bfff74e39517ecbf903238d69d2fdb339

SHA512
ecac858e3254fb0cd3755817e92c19d6073e9e795d9fe55f3d47025c224e48c5f27b4ca0c0e94c0d46ed03853248f396a76144ae3512d76c0ccb727fe9b621f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab210A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25AF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\System.Windows.Interactivity.dll

Filesize
39KB

MD5
3ab57a33a6e3a1476695d5a6e856c06a

SHA1
dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7

SHA256
4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876

SHA512
58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.setup.ui.core.dll

Filesize
98KB

MD5
8e854a3c89d2830cc6be3c52a47347c9

SHA1
b382838fb89b1ea705c4d49e7d6bf15b0df32d3c

SHA256
9878b9ba16b3a898f4d3ce6d857c8f53ccaa74eacb073b606c3cbf947bda84e4

SHA512
5f92da96d27a7870095606232255c60ccc7768e73779f01600d33e15fff5ea764a43e8c7f78e99430ced44d254fc7254db566386144857e075bbb58613509802

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.setup.ui.dll

Filesize
276KB

MD5
5b8032de52ad7af543e6bba902bc1682

SHA1
dc2306150860bdb3539469c19bdbd7372a154ba7

SHA256
2dd2ca43db0bc03f28ca628af87f077b499d7267afa055699303386719cd06c5

SHA512
d57cbdb0a2beb332f19f663753afe7436168d30c8ed43fa6be7434f94ceb613f3aff42f98dced843dd527ce6306ce2bb5d34cc16902f48ca6debca2d0b2766d0

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.setup.ui.interoplayer.dll

Filesize
56KB

MD5
74e63994c9f35b775226b548db5cfa10

SHA1
33a11b8db899c88069c9ff6c6512b859b2e23d4a

SHA256
a464ee988471335f2e8dbee81bb2c6f7f11bab255a98fd29eb0b1863fd0d77e0

SHA512
296d81d2cf5f804076eda94c0db7c3f1e43a20238481a38a943302e7778f4b3b130d1811a1984c313e8123a350bfc37cc0dd264237b86fc10c142e019014a096

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.ui.framework.dll

Filesize
216KB

MD5
89bddd5f9aa7aff6fdfa44a7f8eb8691

SHA1
cca9d46438f332ad70200414409fee875c0a638c

SHA256
bc294609a8d95d889c744186abf5af9fd83c382d3efd595449632465f03812b7

SHA512
02ece167a30db2e8fb4a39ef06f060de02711778f4e84e7e2f06c6d3c7cc3f911e919a0c11e0d1c4c56e268589072caf860f9f8b0694b51e80282e802d25c23f

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.ui.framework.localization.dll

Filesize
278KB

MD5
5c3e60608f0998dc065d939f718da715

SHA1
8293ce337beebb3a5440ab3c0b27aac85d355439

SHA256
ccef75eebd6d5b2104779995c05d07c348aabfda228bcd117f3a945571f550d8

SHA512
d548be3cebd72edc909a8b1f2811bdb2b27e5cdea194e61a621689b4afa2544f68b9e4215fd8db767ce37224325d3611e5a27c42ce0467025208db42508c1edb

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\kasperskylab.ui.framework.uikit.dll

Filesize
2.0MB

MD5
b77fef38e2ba24c132060203af15bfe2

SHA1
bd34b6369a04777270207e4b6e81bc7a748cc70a

SHA256
6a1458c6065a5af4ddc4bdaa9cd41cfbdac9411d04526225d46dfcacd4019b9a

SHA512
51f1403e06c226ad866f147990fc9e30180838d532ebf7d99e8a3b2e0a06e787fd96dcd17ac1106a32b26f55d78fe798b83507607584b5aa6990402dfddcd9a7

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\setup.dll

Filesize
5.6MB

MD5
cb03ad9d3bdb4aaaa718dabe511e05f3

SHA1
4a2ea9e566991f9d3176ab7b847225e2b8006186

SHA256
f1e8b6cd978e92e5848d9b5fed809eba0df84ad91b6dc83ec11b1faa0d57686d

SHA512
c1100fc21f1512c4357ab8ff2793860fa7b952f3a5b859b9a920c96926821684b1b7138e9ce139b5a21760acb61123b35059a83d10f59a4fd444f03e3092c924

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectorconverterswpf.dll

Filesize
137KB

MD5
07a04fc1329958ccbb1e7ea69d00746e

SHA1
c167dd5d143217942590b8164afc386d4641994e

SHA256
87bb7b7b624bba6b8ee8195f978195de74bdd379af4f751a0aeca833eff0ed5b

SHA512
7695df3d00c02db8f45c144ea1a0ecff065f9d1412be28c2616d6da60c1793361d0622337d0bc645c9cb56ec89cddb561df53811df637f1d5538d9a0bdabe9a0

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectorcore.dll

Filesize
201KB

MD5
df4d6e152f722f958255d55de3730e3a

SHA1
2c3d920d611d33e0032e2b1cc4d9fb4236e513b1

SHA256
3d0d860b0eef92a12195365bbf4b6ad9616670025f620ab85d91b3e8d9042a61

SHA512
92d1d5657f3c4c62615271aad664647bc59b935f07d904358276f7ac9db7474a825f0c7a7fee536a3ccd21eb218768ccfb9f57c9763727ea22172e86aba9a6f7

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectorcss.dll

Filesize
109KB

MD5
734199fe9d700367456e9262b0b97304

SHA1
fbe4f7ae290a48a383b63874554075bbfdd4d0cd

SHA256
16863cc4b30454c3db883640468e466dff6e49bf8140a0e07730bb5d4b460362

SHA512
0b499fbc4ddce4d802baf8442233ccca2da591274f5cd6db69e9da0898b44e61f43aa75b85b91caf6743124a125b6f740288b346178b8c7aa7917675bce51d37

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectordom.dll

Filesize
55KB

MD5
08cdff748538150c3da8a93a1564a126

SHA1
d395b71a71997b2fb29bcd6b1025ba0ad92d7a93

SHA256
c3f0e79bfe0d9bf666f2a228bbce3bbffa76e95056c8ca00bc527d69907a9d23

SHA512
6c02eb6015f1439a94bf6679a6b096498d8c8beb83005f06c2fd83b93436266100194f5a37b5d454d079fa6013bc76bd24db7428beb624fd8b7783dd6881beb4

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectormodel.dll

Filesize
997KB

MD5
910b0bd94e4cf3e035b0cd2ae475428d

SHA1
f450028f3c1df114c1daedf389af1f2b97dac24f

SHA256
ddd65384bc82877842bc400433462fec9eb9bddcb14e4c9f4116ad8a6b90e140

SHA512
9bf81cdf5c3634e9b636049adf27b84c24a142a7298818fc3266e5d9fc70479d687e9be89b58bdeab8fd0d0ccb8d7a383e198f5127c9f72a4283d6652adb0822

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectorrenderingwpf.dll

Filesize
203KB

MD5
e72cd958b1496e185bfe94f7b1cb5ffc

SHA1
4d662a6c150b5709d153a4caf1f1333d0f6579f4

SHA256
d840f7d0e681ef80d7446d4acd69eda37c40735c3b514c63cd68fd0b3c523c97

SHA512
afb864c27f6296c75a802549074dc9b3a75a87be742c307bb8d0748ad57e14f318451d8f771c313999b624d9039cff85e72f704a77914552b151c184f85d0764

Download Submit
\Users\Admin\AppData\Local\Temp\01BF6F225594FE11C92CE64D318855A8\sharpvectorruntimewpf.dll

Filesize
69KB

MD5
b298b2f21f4938ee10e4c6b971daa9db

SHA1
2db6ba107e049a88093e20b5a56dcc248e747273

SHA256
04458af262f04dc2df8d8907eeab5c43f1ab815e62f2785651e0e69482af9548

SHA512
8a020baacd1277ef7aadf47f6d50930d949395ee4b7fb3ec0ef3c0b9b71e9ae595409b313569ec267f1ada0e920f2f7468b0b0e832b61d759e1373dceeeac7ec

Download Submit
\Windows\Temp\0B192A225594FE11C92CE64D318855A8\2024-07-24_5b15aeea8ee9f6a6407be7e3e2088cff_avoslocker.exe

Filesize
3.9MB

MD5
5b15aeea8ee9f6a6407be7e3e2088cff

SHA1
103d28874f841474b179364f1541c74025bcfb5f

SHA256
817b7cf67532cd72d7ed576a86768c0d21897401c8c47db580f8de0ebadb29dc

SHA512
457458571d4f0727e47da80b01347587add72006104f0a3b948a31b008e613425b846dbcaf83322cd29958279640a1d3407f5cf768bb3f417d7c56b5f1d0a49f

Download Submit
memory/2548-0-0x0000000077E90000-0x0000000077EA0000-memory.dmp

Filesize
64KB

Download
memory/2548-2-0x0000000077E90000-0x0000000077EA0000-memory.dmp

Filesize
64KB

Download
memory/2548-1-0x0000000077E90000-0x0000000077EA0000-memory.dmp

Filesize
64KB

Download
memory/3040-120-0x0000000006C00000-0x0000000006C84000-memory.dmp

Filesize
528KB

Download
memory/3040-158-0x0000000007B10000-0x0000000007C0A000-memory.dmp

Filesize
1000KB

Download
memory/3040-114-0x00000000034B0000-0x00000000034C6000-memory.dmp

Filesize
88KB

Download
memory/3040-125-0x0000000006C00000-0x0000000006C84000-memory.dmp

Filesize
528KB

Download
memory/3040-105-0x0000000005FA0000-0x0000000005FE6000-memory.dmp

Filesize
280KB

Download
memory/3040-137-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/3040-101-0x0000000006EB0000-0x00000000070A6000-memory.dmp

Filesize
2.0MB

Download
memory/3040-132-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/3040-141-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/3040-140-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/3040-97-0x0000000002BD0000-0x0000000002BE8000-memory.dmp

Filesize
96KB

Download
memory/3040-145-0x0000000003BF0000-0x0000000003C24000-memory.dmp

Filesize
208KB

Download
memory/3040-149-0x0000000003ED0000-0x0000000003EF2000-memory.dmp

Filesize
136KB

Download
memory/3040-93-0x00000000014B0000-0x00000000014E6000-memory.dmp

Filesize
216KB

Download
memory/3040-62-0x0000000002B80000-0x0000000002BC6000-memory.dmp

Filesize
280KB

Download
memory/3040-154-0x00000000069F0000-0x0000000006A22000-memory.dmp

Filesize
200KB

Download
memory/3040-63-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-109-0x00000000034B0000-0x00000000034C6000-memory.dmp

Filesize
88KB

Download
memory/3040-166-0x0000000003AA0000-0x0000000003AAE000-memory.dmp

Filesize
56KB

Download
memory/3040-58-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-162-0x0000000003DD0000-0x0000000003DEC000-memory.dmp

Filesize
112KB

Download
memory/3040-55-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/3040-170-0x0000000003F40000-0x0000000003F52000-memory.dmp

Filesize
72KB

Download
memory/3040-51-0x0000000073ADE000-0x0000000073ADF000-memory.dmp

Filesize
4KB

Download
memory/3040-174-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-172-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-187-0x0000000073ADE000-0x0000000073ADF000-memory.dmp

Filesize
4KB

Download
memory/3040-188-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-8-0x0000000077EA0000-0x0000000077EB0000-memory.dmp

Filesize
64KB

Download
memory/3040-9-0x0000000077EA0000-0x0000000077EB0000-memory.dmp

Filesize
64KB

Download
memory/3040-10-0x0000000077EA0000-0x0000000077EB0000-memory.dmp

Filesize
64KB

Download
memory/3040-300-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-301-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/3040-302-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads