256b27db9e30bc928550552c21b4151c66e64e975c64d7f5d090e874a054fefd

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
Size

6.1MB
MD5

e468925f8a4e874761f990dfb903dccf
SHA1

fa8c25643bf48a6275a3917696545f2e9f46641c
SHA256

256b27db9e30bc928550552c21b4151c66e64e975c64d7f5d090e874a054fefd
SHA512

470aa24a68b0ec96fd7f7bc78554cdbb2a33d8c0f84d5a11eb3bcaeeb36c98bc8b24febb0efffeb86d02223d6493d7ed4bf232c9b085af7e64a3a2bae9636c3e
SSDEEP

98304:InT0m9Lp46RuqTnT0m9Lp46Ruq3nT0m9Lp46Ruq3OU/jIEeQfoR/IuOFVjUu5:6TB9dOq7TB9dOqXTB9dOq3FIF0wu

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
2096	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
2608	powershell.exe
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2608	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	30
PID 2596 wrote to memory of 2608	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	30
PID 2596 wrote to memory of 2608	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	30
PID 2596 wrote to memory of 2608	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	30
PID 2596 wrote to memory of 2096	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	32
PID 2596 wrote to memory of 2096	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	32
PID 2596 wrote to memory of 2096	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	32
PID 2596 wrote to memory of 2096	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	32
PID 2596 wrote to memory of 2804	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	33
PID 2596 wrote to memory of 2804	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	33
PID 2596 wrote to memory of 2804	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	33
PID 2596 wrote to memory of 2804	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	33
PID 2596 wrote to memory of 2580	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	36
PID 2596 wrote to memory of 2580	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	36
PID 2596 wrote to memory of 2580	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	36
PID 2596 wrote to memory of 2580	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	36
PID 2596 wrote to memory of 2256	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	37
PID 2596 wrote to memory of 2256	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	37
PID 2596 wrote to memory of 2256	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	37
PID 2596 wrote to memory of 2256	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	37
PID 2596 wrote to memory of 2992	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	38
PID 2596 wrote to memory of 2992	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	38
PID 2596 wrote to memory of 2992	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	38
PID 2596 wrote to memory of 2992	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	38
PID 2596 wrote to memory of 3040	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	39
PID 2596 wrote to memory of 3040	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	39
PID 2596 wrote to memory of 3040	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	39
PID 2596 wrote to memory of 3040	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	39
PID 2596 wrote to memory of 2100	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	40
PID 2596 wrote to memory of 2100	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	40
PID 2596 wrote to memory of 2100	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	40
PID 2596 wrote to memory of 2100	2596	2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe	40

C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WIbQCONN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WIbQCONN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB654.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader.exe"
  2⤵
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB654.tmp

Filesize
1KB

MD5
f610186b5888651fa604043570cfc53d

SHA1
4815c175eb87d916a08e65dce54f57affa13e761

SHA256
23d2f3734b1584e14ea3dbdd10c76eb757334ab9057e0a98110c69f4b657e1af

SHA512
816e7c48d1f10ceb7587e116bbb8203fcd23868b84b60ffc4d7c4de4b95eb4aaf4fd154e8a788a5f8554605915be10aa95cee001ffe81bbc5a599b92f97fffb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8db4e10cfb20ec34d59fb70e5fd2f964

SHA1
61a4a98e3574633b17d93b226bbb2fa8a0a7ad7b

SHA256
60152790697d2dd308859959759e144527bc59b9a846cfd824fb7bab81d6b8f2

SHA512
c97f35130e685daa178339f8d41f74d05b7011dbf22a796c74463eaa3f8711e6535259cc0c66f2664dec01e30df75cb2ac414060fff4be8cd9e99771a8c981e2

Download Submit
memory/2596-0-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/2596-1-0x0000000000320000-0x0000000000932000-memory.dmp

Filesize
6.1MB

Download
memory/2596-2-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-3-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2596-4-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/2596-5-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-6-0x00000000064C0000-0x00000000065E6000-memory.dmp

Filesize
1.1MB

Download
memory/2596-19-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download