Analysis

Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 07-09-2024 11:05
Static task: static1

Behavioral task: behavioral1
Sample: 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe
Resource: win10v2004-20240802-en
General

Target: 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe
Size: 485KB
MD5: 76fc20fb4777f98f260e1c155fec7dc4
SHA1: 4723e9ff6db20b1994b87b84cb0edf3c0a358ee7
SHA256: 53629603cef09920ba1dfeb16fcddf1b441dde3fca9f42eb4c3538f5ece1f443
SHA512: 10858d7b908bb1f9ded6a3522aa0942c7ef258875f1d7a2b7fbd99d6f0c2e67a863c437fc9b6353576d22507414d84bc7801ff592b857142790ae97e6a3fb9c9
SSDEEP: 6144:K7WQ0j4ltziolIGlnE2dFD3rlBu0R+J5JlLgPYfq8ZF02IlLZDv0nXe:Ci4lZiox3fu0R+J5JlLgPbDv0n
Malware Config

Signatures

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2828 | 2764 | WerFault.exe | 29

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2764 wrote to memory of 2828 | 2764 | 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe | 30
PID 2764 wrote to memory of 2828 | 2764 | 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe | 30
PID 2764 wrote to memory of 2828 | 2764 | 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe | 30
PID 2764 wrote to memory of 2828 | 2764 | 2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-07_76fc20fb4777f98f260e1c155fec7dc4_avoslocker_cobalt-strike_hijackloader.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2764

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 156
      - Program crash
      PID: 2828