77947d5edd467052f2bc684827454f86ef318c22d438420313ea6457b7038e09

General

Target

2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Size

7.7MB
MD5

d1e0d958232da44207eb7cb1dc7433d1
SHA1

a3adf3f60f54f41994c9093841ea91d59b7821a4
SHA256

77947d5edd467052f2bc684827454f86ef318c22d438420313ea6457b7038e09
SHA512

17ed8be06e05c987aefda96f6ff5dbb7dfb972f8543aaa7917e7303f9a7781d28dbde6ca7ee300a7b64f3f7c2fa5860bc794f9c3a0faa6c4b09cbcd06ceaaa02
SSDEEP

98304:wTisnWeTgdq8EDJnkDcxiChFWGc5gg3Jyw0WImZWr7lbioe00HcM5y:EiEpTgdq8SJnkDqXvngZyw0WY7QoeP5y

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	3292	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe = "11001"	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
3292	2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_d1e0d958232da44207eb7cb1dc7433d1_avoslocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 2344
  2⤵
  - Program crash
  PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3292 -ip 3292
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{1F05A93A-2A99-44BD-BDF3-E28C4E5E2E7C}\CCDInstaller.js

Filesize
1.3MB

MD5
7c577a9f582682f27eef11030195b57c

SHA1
3b517edd713615f353ac85d910b0e7df4aeeed47

SHA256
ac03e251735b01492afaba4eda6a22f9a903b73ae2c16e5a7cd176db43275a03

SHA512
91a9dca69c477a0d8d8ee085eff2b7a89ac1c535aad0a942b4d068f80bff5e4a1f6b507643046d820e8150c17a1e5ef322f266d4f9d12a6592b4a972c054db4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1F05A93A-2A99-44BD-BDF3-E28C4E5E2E7C}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit

Analysis

Sharing