6365be55d95a945a7d126efc1ab301fde9821c799b68a7f957b18fb6c68b118c

Analysis

max time kernel
95s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 17:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe
Size

2.0MB
MD5

456fa0e3c8dac4b0601aae86f24183ea
SHA1

b818914aaf00c6817169cfc30f37812b807013e2
SHA256

6365be55d95a945a7d126efc1ab301fde9821c799b68a7f957b18fb6c68b118c
SHA512

542c28798bf1ca234be2eef5d0fac7138b0baf037b65452abbc6570d3d910b79c4891197328b8fb927bb82c6eb29f42f08f0fcb79caf8c805493b1b6fd09cdd7
SSDEEP

49152:lencs7Qc0FK79/Ves7FozshjPHYnsABxi4Dmg27RnWGj:lency/Ves7WwhjPGD527BWG

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2124	228	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe	83
PID 228 wrote to memory of 2124	228	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe	83
PID 228 wrote to memory of 2124	228	2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_456fa0e3c8dac4b0601aae86f24183ea_avoslocker.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
  2⤵
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest2.msi

Filesize
14KB

MD5
0162a7a6ca55dd442e64f02c36187314

SHA1
24392ff794633445f4fe12a8a422046d24d67482

SHA256
5aa41c7e3160dca492317182e2cf5ad947e91457b5d4a39fc5d7aabcc0c9dd8c

SHA512
36e1fa17e868670b433206734fe028ce6b05dc3c6266c557342152fb3cb1984455fe6a9345c877eff394bf6959c6130a861ce7f30004d23c4a580227256a6332

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReportUpdaterPolicy3672.txt

Filesize
4B

MD5
455831477b82574f6bf871193f2f761d

SHA1
f44217a81173869e08671753c52553646ff5d95b

SHA256
69bf0bc46f51b33377c4f3d92caf876714f6bbbe99e7544487327920873f9820

SHA512
cbc0ee58e447428bdcf72fc8b03c8cfb086edbb14205b918e75ebeff1d85ff1dd254e9dcb387afbd3fa766c803937c306e0a2a79870c0d87abcb7ab93661cf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpABC1.tmp

Filesize
5KB

MD5
590f0b893183a18322bb52632a7540eb

SHA1
0f7afb477bc8694f775b9d2b9d35f8c1e3c9e127

SHA256
66d5c55eb3662a2084ba3bdbacde986fb4bc52c4a5f23b4590bfa08a3ee13788

SHA512
11c5370921149fe3d45e6f3072e5a55ff87eb819ca2e70dd3c54c2c6d54c3f0285e6838d2ddc6580858819e03117e226ebe8c1200e2b275fae84f064eb4162ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC8C0.tmp

Filesize
5KB

MD5
5db0f39788f404c09fb17c3486a00976

SHA1
8776e275612490445d2213e572795b60c7abdcaf

SHA256
699406274826aeb8e1fb1083b8c85e8ca2deb283d9c9070eed9317cea54020e3

SHA512
7d1a660aa72dc18370d2765ff25201bf07a2e5d2ff29c6a6f0230922908b5a7404ccf237d2ca17683be713e8a2b8b91898eaaa808f2f6814ce98d1de59357699

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC96D.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD035.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Windows\Temp\ArmReport.ini

Filesize
472B

MD5
150650f8b4ce06bf6720a55c29275c38

SHA1
c69a908cd7138d119f38c8db07031364b1d21388

SHA256
9d7407b8bcd4af6820eae7da00db7598246d0f58dc502ef3c89aacbd9cc8a104

SHA512
fcfb7f30078c6e1c43cf272b96b5fbd599fb6ea694cbb79a7a3e40de0eea9e031a4b67d1c2f348d3ab19760b48b67758fd7b4ddd921aab9f3e8d3a064c662bd4

Download Submit
C:\Windows\Temp\ArmReport.ini

Filesize
724B

MD5
9d62d227564196c844e892bf220a1298

SHA1
444b2371426b3ef7bc372aa40cc96b2428f29e8d

SHA256
75c515a974331642bba2005b0d0764cde29ffd6ac526a700e27b9de049c0c6bc

SHA512
b421783afc5d58727b8949f3a8db3e361047d99e9248ebdecd13bf60e0e0606dba6d6f6e293d2cc165b2bf0e793ec1076fd204a0d6b73699fdcb0f2bbf9a3e1c

Download Submit
C:\Windows\Temp\ArmReport.ini

Filesize
762B

MD5
77fecba2e448ebb5cc660ec5f94ccc4c

SHA1
5e09f9f76c75bb8f43a40caca105f1ba6388079f

SHA256
7403a5ed0c85bcb5ce1fe104bd05fcabe10fc978bb6963392222c06b2803cc98

SHA512
b8da5c9cd3ca889d96793c08ceb5ffa3f9064f790a143a5d4535512878e8db922a3055809c4fcb640008b9dec0e1233adae075d2a9f7320b9ab1e9b880ad625b

Download Submit
C:\Windows\Temp\ArmUI.ini

Filesize
234KB

MD5
cd12a965da4fb66e7f8a07e3f421196c

SHA1
f6377f231362acbd1063aff829ced283a2660b89

SHA256
790b06745f32e0f56a7af24c871ffce225ba05ebf0d8f8a71a00c727c97dcf09

SHA512
3fa242c3f573c706e0f36b477ce03f47d9ba0712ef72b94eae4f426dfe21ebbaf1dbebb0981335970b5186d416b4d25e175773796486f39e17de1df0a68a9b0d

Download Submit
memory/228-122-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/228-0-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/228-296-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads