0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc

Resubmissions

15/10/2024, 18:06

241015-wp7pzsyeqf 6

15/10/2024, 18:06

241015-wprc1ashql 1

15/10/2024, 18:05

241015-wpcvlsyemd 1

12/10/2024, 10:23

241012-me1dgszfqr 3

Analysis

max time kernel
67s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15/10/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
Size

5.7MB
MD5

0aa6945aee17c3eae75f48e715ee5eb7
SHA1

b84977d612d1760f7a682e96dba9f7160cdaf72d
SHA256

0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc
SHA512

8cdb467c92fefe0add78824acc496bf1c70c1eada04a801076073df92497660551c7b3c56a7d97a5ba74eb75879e5323f4b33ee51f94cab8c8afe6515056f5e5
SSDEEP

98304:Vj8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEw98rqNkUi+bD:Vj8aatLPV6oPrke8rqN7

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe

Executes dropped EXE 3 IoCs

pid	Process
2232	Steam.exe
4232	Steam.exe
736	Steam.exe

Loads dropped DLL 12 IoCs

pid	Process
2232	Steam.exe
2232	Steam.exe
2232	Steam.exe
4232	Steam.exe
4232	Steam.exe
4232	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Opera GXStable	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe
736	Steam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
2232	Steam.exe
4232	Steam.exe
736	Steam.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	101
PID 3404 wrote to memory of 2232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	101
PID 3404 wrote to memory of 2232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	101
PID 3404 wrote to memory of 4232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	104
PID 3404 wrote to memory of 4232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	104
PID 3404 wrote to memory of 4232	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	104
PID 3404 wrote to memory of 736	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	109
PID 3404 wrote to memory of 736	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	109
PID 3404 wrote to memory of 736	3404	2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_0aa6945aee17c3eae75f48e715ee5eb7_avoslocker_hijackloader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscFE86.tmp\modern-header.bmp

Filesize
25KB

MD5
da3486d12bb4c8aec16bd9e0d363d23f

SHA1
863244a4845c9d5dea8dd36e1083f5639e1224e1

SHA256
d93b76d51bd2214fa6e999c1bf70b4aff5165a6542f9b9b2a92b5672601f4624

SHA512
8e40adb65a4ad46f3bc5920d7fd8294397268e754b1eb00d4f7b0883be6468448033d9a46cf3a00fccddb4a7c81e7f984cf5a25731532c1aeface69573dfe59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso349A.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso349A.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit