Malware Analysis Report

2024-12-01 01:30

Sample ID: 241110-b2hamsxakg
Target: 2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer
SHA256: f76e176f7dfba64188f364a143372baa3f9722061cab2556f8143d894251d57e
Tags: discovery
Score: 3/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 3/10

SHA256: f76e176f7dfba64188f364a143372baa3f9722061cab2556f8143d894251d57e

Threat Level: Likely benign

The file 2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer was found to be: Likely benign. The family names in the submitted filename (AvosLocker, Luca Stealer) are not corroborated by anything in this report: no family-specific signature fired, the only tag is "discovery", every network destination recorded below is an Adobe service host (cc-api-data.adobe.io, na1e-acc.services.adobe.com, client.messaging.adobe.com), and the files dropped are an index.html/CCDInstaller.js pair in a GUID-named Temp folder. The 3/10 score comes from generic behaviors (a language-registry read, a privilege adjustment, an IE feature-control write, a crash) that legitimate installers also exhibit.

Malicious Activity Summary

discovery

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Discovery
    T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry read recorded in both behavioral runs)

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:38

Signatures

Unsigned PE (the sample carries no Authenticode signature; the static pass records no further detail)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:38

Reported

2024-11-10 01:40

Platform

win7-20240729-en

Max time kernel

104s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
(this row is recorded 14 times; the sandbox attaches no indicator and no target process to any occurrence)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
(this row is recorded 14 times: the sample repeatedly enables SeIncreaseQuotaPrivilege, the right to adjust a process's memory quotas, via AdjustTokenPrivileges; no other privilege is requested)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 8.8.8.8:53 na1e-acc.services.adobe.com udp
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 3.248.26.100:443 cc-api-data.adobe.io tcp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 3.248.26.100:443 cc-api-data.adobe.io tcp
US 8.8.8.8:53 client.messaging.adobe.com udp
NL 18.65.39.31:443 client.messaging.adobe.com tcp
NL 18.65.39.31:443 client.messaging.adobe.com tcp
NL 18.65.39.31:443 client.messaging.adobe.com tcp
NL 18.65.39.31:443 client.messaging.adobe.com tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
US 52.25.171.102:443 na1e-acc.services.adobe.com tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp
IE 54.77.72.255:443 cc-api-data.adobe.io tcp

Files

memory/528-12-0x00000000024D0000-0x00000000024D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{DEF96363-0676-49C2-9702-6BA416C8BB84}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{DEF96363-0676-49C2-9702-6BA416C8BB84}\CCDInstaller.js

MD5 76d91be7bdb92e541b3face5b94e9f0a
SHA1 22fb1d2239becd45cf81166fa522de1e8b495a68
SHA256 302b9bab186ed0e233f55cb660e0d0e326479e84855f0bb68e7632313238bf11
SHA512 eeacdf9c19029ffc8b9cf876419b86503e019fe3a25ec90a7ba27988a215a67e7f73079f74921d184ff4d93cdf4adca5f95eb10250f96716df5a6c879f389eb0

C:\Users\Admin\AppData\Local\Temp\Cab9727.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar97A7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (this path is listed eight times below with a different hash each time: the CryptoAPI URL-cache metadata file was rewritten repeatedly during the run, which is what happens when certificate-chain or revocation data is fetched over the network)

MD5 3d7db230f0a189665aceb5dd5bf71df4
SHA1 0489bce9aa14c5bcb6f371cbdf66fc23e7530437
SHA256 d476c585ff19ec93806dbf77b7181adeab21190bcf154f6538892ca8b49016f7
SHA512 ab29000a9eb2bdd191dedf2534c0582862a8f0880adc03573a0260d0a0294f6fe8805f2826106418601f9fd97d1c11a5d340a58d1b1b0f80dfcdedc67190af04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aec385ad645b6e6aaedc0e7bd8948f47
SHA1 9bc4278c1b38a04406859dc05c13a760ca458dee
SHA256 493fa97feef0cc1689fe8f1fca5d4bb499dc8fb20f96c452627b15338379c02c
SHA512 76209999a7e9e5278a4c41e6f9cdab93fb337fc9239297b59abc2bd5b4548d53e1f60ec172a83f7214792ef9b4029f0b9de30661176ca68af597148d621dfd3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b98803d22589b342b8f74714ac6f4720
SHA1 cc78ae4a8475af5183c2363a52fffbb87b7ccf36
SHA256 5bdb33933561c5adfc24580ace182566a49d3aefb810ebb23002f85eee63c1b6
SHA512 53205a1f2cc973677c7b6903492892d5152aeaf9d2b5787d5a5b73f2909815d75e25122f2669a0365cfa24ee8d836b3f492c986145c4b848078edcf55578a8fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5adacaf9aefe6050ebc72f025ae3a1f7
SHA1 d0cc141d2896e3a11c8015822afc541ddc03e7ef
SHA256 9ca867130c72b0b5cbd910d835b2434386416bb59aecbfe09d41b35e7730e699
SHA512 53feca6ee63af6a38ee9ebcf048176dcf151134a8d3e0d41491e4055b5f59f5c030d0dabdb3c1bae9f75b78e57f49a3271a0bd94e9ba19019a33ea5f83a27054

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1125bbfb2ef088e69e23efb4e0b83b48
SHA1 7d93cfb7269e1fd14366066623dd553bc75b1036
SHA256 d36f48caa117b47dd8ab594fa57876f18b337dd62bd219ccdad5d782ca15b7ba
SHA512 43ef003bb9d37d7e6586a95ea3d3a8011cd21b49d730c32260f97c526f4d312e8cc2ddb9f9b8f1d085d40f2307f1a4746e6075e021d3d49dda11394ec79cc665

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0187bc25812f068c24f81a968c42dba7
SHA1 046182a75db890b941336ebe1a63a47e06f36b7e
SHA256 64209cd5363ae0a02c3345d80ee07c2d7b1af65c2f3ef7dadc332e5abdd7bfc2
SHA512 8f584e46fa3506e517273146c765094231ad3be8570c489f0a90d58936a6b2fa264522765081b626abdbdc02858397432c6fdfab4863d18c434a28e22f60ef02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0df02d5237967b5272f604027025667
SHA1 81c49dcd074db6863cffb1994957b90ef7f9666a
SHA256 95190433e0b32636fa1d33cc6df5c4e2285a33b3f9da34a334c770e77f398890
SHA512 de880cb26a024ac58aed4160be8626426671c238f98bdaab0db21bba243f124b18ec4974f2947d33b9d720007fba29610397f4c4ad2160d7b943a88e9b6e204e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 856b759ff183c11b56ef4cd03f926573
SHA1 b87be83dc2a8a14bf635a504a833f42442887ebd
SHA256 3c2f09fd5e366c5ff41a3c9db87bd67eefb75de82be31b8e43da948447c265b4
SHA512 52b545b0978bdb24fc07a6819747fc42b1cbf5416b55b825c4ab872f6fa49ed9ac4f5f11536be9c48b4721e3e095cc20e860fe5e63f965e23dab5270124661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eca6e34debbcdbaa045291a6a3e67d7c
SHA1 d3b005060e1c8ef7d704d74e7c62b9447f8ffed1
SHA256 75b23208f21f8c022015066468406c2c94704b6bc01c271af407bd12c14d0579
SHA512 6bfe2c93a51e729b7d7d9d31920435f21fd1cf61bddf4d2a483ecf824c8fd5f19bb02d6618aaef3d8a297fa343f554ddb990136adce164dd4ffdb340cfc9c651

memory/528-594-0x00000000024D0000-0x00000000024D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:38

Reported

2024-11-10 01:40

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A
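What the "Modifies Internet Explorer settings" rows in both behavioral runs actually record is a per-executable FEATURE_BROWSER_EMULATION value of 11001, which pins the document mode of the WebBrowser control embedded in that executable (here, the sample's own name) to IE11 edge mode; it does not change the system-wide IE configuration, and because it lives under the user hive it needs no elevation. The following Python is an added example, not sandbox or vendor code: it parses rows in the report's own "Description Indicator Process Target" layout (the three rows below are copied from the tables above as constructed input), decodes the documented emulation values, and reports whether the writer registered its own executable and whether the key is per-user. The regex assumes the process path contains no spaces, which holds for these rows.

```python
import re

# Documented per-executable FEATURE_BROWSER_EMULATION values: the document mode the
# WebBrowser control embedded in that executable will use (not the system IE setting).
BROWSER_EMULATION_MODES = {
    11001: "IE11 edge mode, !DOCTYPE ignored",
    11000: "IE11 edge mode when a !DOCTYPE is present",
    10001: "IE10 standards mode, !DOCTYPE ignored",
    10000: "IE10 standards mode when a !DOCTYPE is present",
    9999: "IE9 standards mode, !DOCTYPE ignored",
    9000: "IE9 standards mode when a !DOCTYPE is present",
    8888: "IE8 standards mode, !DOCTYPE ignored",
    8000: "IE8 standards mode when a !DOCTYPE is present",
    7000: "IE7 standards mode",
}

# Rows copied from the "Modifies Internet Explorer settings" tables in this report
# (constructed input for the example; the first row is a "Key created" event and is skipped).
SAMPLE_REGISTRY_ROWS = [
    r'Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe N/A',
]

# Matches the sandbox's 'Set value (int) <key>\<name> = "<int>" <process> <target>' row layout.
# The sandbox does not quote paths, so this assumes the process path has no spaces
# (true for the rows above); the key path may contain spaces ("Internet Explorer").
SET_VALUE_RE = re.compile(
    r'^Set value \(int\)\s+(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\\s]+)'
    r'\s+=\s+"(?P<value>\d+)"\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)


def parse_browser_emulation_rows(rows):
    """Return one finding per FEATURE_BROWSER_EMULATION value written in the rows."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue
        key = m["key"]
        if not key.upper().endswith(r"FEATURECONTROL\FEATURE_BROWSER_EMULATION"):
            continue
        value = int(m["value"])
        writer = m["process"].rsplit("\\", 1)[-1]
        parts = key.split("\\")  # ['', 'REGISTRY', 'USER', '<SID>', ...] for a user hive
        hive_user = parts[3] if len(parts) > 3 and parts[2].upper() == "USER" else None
        findings.append({
            "value_name": m["name"],
            "value": value,
            "mode": BROWSER_EMULATION_MODES.get(value, f"undocumented value {value}"),
            "self_registration": m["name"].lower() == writer.lower(),
            "hive_user": hive_user,
        })
    return findings


def describe(findings):
    """Human-readable triage lines, one per finding."""
    lines = []
    for f in findings:
        who = "its own executable name" if f["self_registration"] else "another executable's name"
        scope = (f"per-user key under HKU\\{f['hive_user']} (no admin rights needed)"
                 if f["hive_user"] else "not under a user hive (check HKLM scope)")
        lines.append(f"{f['value_name']}: FEATURE_BROWSER_EMULATION={f['value']} "
                     f"({f['mode']}), written for {who}, {scope}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_browser_emulation_rows(SAMPLE_REGISTRY_ROWS)):
        print(line)
```

For both runs this yields a self-registration of the sample's own executable name under the user hive, which is the pattern of an installer that renders an HTML user interface (the dropped index.html and CCDInstaller.js) in an embedded WebBrowser control. On a live host the same key can be inspected with Get-ItemProperty on HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION; a value name that is not an installed application's executable is what would merit follow-up.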

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 2492

Both WerFault.exe invocations name PID 1040 as the faulting process (-p 1040); the sample is the only other process in this run, so this is Windows Error Reporting handling the crash that the "Program crash" signature in the summary refers to. The SysWOW64 copy of WerFault.exe is the 32-bit handler, consistent with a 32-bit faulting process.

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 8.8.8.8:53 na1e-acc.services.adobe.com udp
US 54.186.192.149:443 na1e-acc.services.adobe.com tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
US 8.8.8.8:53 238.243.194.54.in-addr.arpa udp
US 8.8.8.8:53 149.192.186.54.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
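The two network tables (behavioral1 and this one) are the evidence behind the "likely benign" verdict, so the checks a practitioner wants are mechanical: count sessions per destination, confirm every forward-resolved domain sits under the expected suffixes, and turn the in-addr.arpa rows back into addresses to see which reverse lookups have no matching connection in the capture. The Python below is an added example, not sandbox or vendor code; it parses rows in the report's "Country Destination Domain Proto" layout (the behavioral2 rows above are embedded as constructed input), and the Adobe suffix allowlist is an assumption chosen for this sample.

```python
import collections
import ipaddress

# Network rows copied verbatim from the behavioral2 table in this report
# (constructed input for the example; the behavioral1 table has the same layout).
SAMPLE_NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 8.8.8.8:53 na1e-acc.services.adobe.com udp
US 54.186.192.149:443 na1e-acc.services.adobe.com tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
IE 54.194.243.238:443 cc-api-data.adobe.io tcp
US 8.8.8.8:53 238.243.194.54.in-addr.arpa udp
US 8.8.8.8:53 149.192.186.54.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
"""

# Assumed allowlist for this sample: the verdict rests on all traffic going to Adobe hosts.
EXPECTED_DOMAIN_SUFFIXES = (".adobe.io", ".adobe.com")


def parse_network_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts; skips header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_dns_query(row):
    return row["port"] == 53 and row["proto"] == "udp"


def reverse_ptr(name):
    """'238.243.194.54.in-addr.arpa' -> '54.194.243.238'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def connection_counts(rows):
    """Sessions per (domain, ip, port, proto), DNS queries excluded."""
    counts = collections.Counter()
    for r in rows:
        if not is_dns_query(r):
            counts[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return counts


def unexplained_ptr_lookups(rows):
    """IPs resolved in reverse without any forward connection in the table."""
    contacted = {r["ip"] for r in rows if not is_dns_query(r)}
    looked_up = set()
    for r in rows:
        ip = reverse_ptr(r["domain"])
        if ip:
            looked_up.add(ip)
    return sorted(looked_up - contacted)


def domains_outside_allowlist(rows, suffixes=EXPECTED_DOMAIN_SUFFIXES):
    """Forward-lookup domains that are not under any expected suffix."""
    return sorted({r["domain"] for r in rows
                   if reverse_ptr(r["domain"]) is None and not r["domain"].endswith(suffixes)})


if __name__ == "__main__":
    rows = parse_network_rows(SAMPLE_NETWORK_ROWS)
    for key, n in sorted(connection_counts(rows).items()):
        print(f"{n:2d} x {key[0]} {key[1]}:{key[2]}/{key[3]}")
    print("unexplained reverse lookups:", unexplained_ptr_lookups(rows))
    print("domains outside allowlist:", domains_outside_allowlist(rows))
```

Run against the behavioral2 rows this reports three sessions to cc-api-data.adobe.io and one to na1e-acc.services.adobe.com, no domain outside the allowlist, and seven reverse lookups (for 20.44.239.154, 84.201.209.101, 40.126.32.134, 192.229.221.95, 52.183.220.149, 172.202.163.200 and 52.165.164.15) with no forward connection in the capture; only the PTR queries for 54.194.243.238 and 54.186.192.149 match a connection the sample made. Whether the other seven belong to the sample or to the guest's background activity cannot be decided from this table alone, which is exactly why the gap is worth listing rather than reading past.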

Files

C:\Users\Admin\AppData\Local\Temp\{EEE765C2-6570-4A9E-B7A8-497CBEA51701}\index.html (same content as the behavioral1 drop: the hashes of index.html and CCDInstaller.js are identical across both runs, only the GUID folder name differs)

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{EEE765C2-6570-4A9E-B7A8-497CBEA51701}\CCDInstaller.js

MD5 76d91be7bdb92e541b3face5b94e9f0a
SHA1 22fb1d2239becd45cf81166fa522de1e8b495a68
SHA256 302b9bab186ed0e233f55cb660e0d0e326479e84855f0bb68e7632313238bf11
SHA512 eeacdf9c19029ffc8b9cf876419b86503e019fe3a25ec90a7ba27988a215a67e7f73079f74921d184ff4d93cdf4adca5f95eb10250f96716df5a6c879f389eb0