cfe09262c215e3ba9ce0cb1fb4aca235c995a656763959ea145eacc3d8771d34

Analysis

max time kernel
15s
max time network
68s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Size

6.8MB
MD5

f9130b592bc8b10b367d59af95635633
SHA1

57a7b5c12e3f3d2cdd2ff2188c5d912936efe42a
SHA256

cfe09262c215e3ba9ce0cb1fb4aca235c995a656763959ea145eacc3d8771d34
SHA512

f7f27cd770ca0974a1611605e785be7c18e951cb24cb682283d95fc794a3a3c51ee5b5479b000f2ef1699103abaae737c60f85e4cf6f014c110ac32cacc6a1d8
SSDEEP

98304:H9rOvi3HzBvnKFn0MeYttysOx6VamqSJ5a4f+Wb/L/:drOvijBGnBeYtAX+q05aW+Ej

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe = "11001"	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
2324	2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_f9130b592bc8b10b367d59af95635633_avoslocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64f893afbada5f7c4aa85c6ba3816d1f

SHA1
bc83610d83054a3946476b70e8014db294b513ff

SHA256
2a37175b881b3da7e7a35db5744962380e1fa4651a3048c9b370fa343aae9c0a

SHA512
c36e4752afea2505e4df313eb54c94c7710f181fdfd97377432c1ca40e99080b39644fd7eb6762fb6dca57ec7b044d06df7ca3628a7b65c4111c91fa5ca8cbf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00680797a0a6ff315790ef9a4befc43b

SHA1
3664b0cf38573c0a464ec6acbdc8f64fcb44d26e

SHA256
5c5bb5973ad4cecae0e7755a980f5fd6cf9dac9417d0d6e44df32ea26e954e18

SHA512
17a09b189646f961bfb2e3fd249d821d463b604ccf4d54294ee7e4f93b567f2b4b1238fa32ed5f5a00f1c286c19548871fc1f0d34d4f375ecd12ac48ee5f1605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d32907073b6dc73e10a2fde45c6e9a

SHA1
fc48e3fc976c943f81e4c329d68f17e31153308e

SHA256
32e268fce6f70fa214722641f3d13d2bff6231854dc811cc6a0ace62e74cd07d

SHA512
64562345bc4b8c4610e95dfdb32294c46b670daa974dfbdddf9f4da3660865478d0e49735c6c6440d68d96ff0931a75bd18bfbcde04cf6992c96cc802b2feb18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e91bd5a6df71c6035b73c97cc88d6e2

SHA1
2e0587eda34e7cdb92891102fd2f88c5f0b9e2dd

SHA256
0a7fa888fc7163eccc3dcd0a7b78de730f659db31501db35ffceb589d6e07cb8

SHA512
da75f70563d6150c4bdabcaf6f1f1bc40f318619a2e23cba231d8b8e8d0557788976bc2b118af1d3baa1d84cc8f26a813caa8ce730134c130a63481baaba4dc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa54eb9f72c79fdda5d7193d5e8a253e

SHA1
5b4790ddb238ffbad49bcd0582af2b58fee415f6

SHA256
452fc980d3ab58fc343d1c92521a7ccfbe7b6f518e9d67a7757f8593119782fd

SHA512
1eb30ab4cb28424ea77fcbea07bc554bbffb9d09d462d508ebda1e5f46a16484195caf87ee2e51a51381eaf4b99911474cdc7f32933e618f5a209869c18f9a3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dac8f6dee9424d7acee25669648e7f5

SHA1
44f6f14f93f5760778a0455397396baa7c4442e3

SHA256
2e1f6776707cba636f51ba9ad087c70ed4a2d581713bd3a305ba9f77cd84ae35

SHA512
9771b22ea3c95dbf871c574940c360f7a2f0fe6f297ee55dc57654356a5393db09f48fbe6bfbf31a29464b8a2f0762841320a5e571fd7c955a030708ee5b165c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e3d1614381c7ce3770e386b21c590fe

SHA1
4ffedc7ac3c7513bbbc7cdbd0ca4013560f968ba

SHA256
dc0d1feac8dc8b7f91875572648e550a996fe198826fdf3043d9ec9c9ada55a9

SHA512
f92902d984f581ee2461b6e93b61fee3a4b92bf16992fa783e7b3b05d6b136ff789a9f25849383c5fb09e5932aea99d0d9bcfe5a247b71418d6242f1ad0ffbb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b1d44847612d7d625786bb7f49f60d

SHA1
b6b0ed8adf92af2b31d1c5e5de3afa9efe6ee349

SHA256
de4f29629391745d1e2f3d4ee7c30018522ce02a1f560f0b9eacee0954517508

SHA512
72be15ffe4a171c9d58db3e0211b4a85aceb3a85d43be76dd8193a4dbee6f25a814b162b940ee775fb48cdfe4e74d2d2c76df10abda90bacbf1db7818d385700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74151bad652b78bd9ae9763cdf18d401

SHA1
732570ccbafeace0cf99f224c0e467e1ad7c83ab

SHA256
b465e7cb9eb86c80aafeb7c8b40e9ff5d09d37d80f67d3f20cc6b1da5b96c927

SHA512
08e34310ccdfbf3635b9ac2edd1a71da9f4b8e48b9f9609f0d85e4c6766c1db58d5f106aff691c027d019f058722cc7d303d4c5a7037b017393c470b8ae61463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83d9a3a03eddea33ea9f42da38027e70

SHA1
4510a4638e7dd579d627fe00fc65f4c5e1bcc51d

SHA256
c152dba7456e31b38c9b8844d98f24971570c9c61fe043a0040cadb6f13c4666

SHA512
67f8bb9848de44dfb12509f0565c30eb79c3a06e863e94a2c41d0a2c607fbb631ce7b0f04a29f0c3621ca11943084d00e216d839fb929b973bdf4b0864c2af96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be97cc52a04a40d2d3a44c2c505f65d2

SHA1
1aa4bb93aef13df8a7fc92bedd65b6be063b1f0f

SHA256
840247898579804bfcec5cd5775da2738dea3d2f1017adc8d7bad21af0ef7b10

SHA512
fcfbed5f1b6a68760c6e68ac249a644663da3db5213040c52dedd1834145128ecd425361dd77d3ca5a30b80c222659ab51f994b9ddea1cc5adb398a0daba307b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CA8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D09.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E1FABA53-D257-4F7B-91C2-776908401104}\CCDInstaller.js

Filesize
1.2MB

MD5
698687ac9e653b2c7a1b0d2a2ec40505

SHA1
ad6959510eff569cff355f2ac4c5988a6d6a433e

SHA256
142db397e43384d0af407ad59ed5b64371cf054b7645913592ca72d2d848c1c9

SHA512
29c5971005bac00173c96bc3b7ffc4fd5701d2f7ff5a29fc05bd8832ff2b1c850903ebed72baa6e4bbcaa0c6b14670ba1e59d900f3087c0fdb0453bea5d150eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E1FABA53-D257-4F7B-91C2-776908401104}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit
memory/2324-28-0x0000000007AF0000-0x0000000007B10000-memory.dmp

Filesize
128KB

Download
memory/2324-11-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2324-592-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2324-593-0x0000000007AF0000-0x0000000007B10000-memory.dmp

Filesize
128KB

Download