Analysis Overview
SHA256
f76e176f7dfba64188f364a143372baa3f9722061cab2556f8143d894251d57e
Threat Level: Likely benign
The file 2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer was found to be: Likely benign.
Malicious Activity Summary
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:38
Reported
2024-11-10 01:40
Platform
win7-20240729-en
Max time kernel
104s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | cc-api-data.adobe.io | udp |
| US | 8.8.8.8:53 | na1e-acc.services.adobe.com | udp |
| US | 52.25.171.102:443 | na1e-acc.services.adobe.com | tcp |
| IE | 54.77.72.255:443 | cc-api-data.adobe.io | tcp |
| IE | 3.248.26.100:443 | cc-api-data.adobe.io | tcp |
| US | 8.8.8.8:53 | client.messaging.adobe.com | udp |
| NL | 18.65.39.31:443 | client.messaging.adobe.com | tcp |
Files
memory/528-12-0x00000000024D0000-0x00000000024D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{DEF96363-0676-49C2-9702-6BA416C8BB84}\index.html
C:\Users\Admin\AppData\Local\Temp\{DEF96363-0676-49C2-9702-6BA416C8BB84}\CCDInstaller.js
C:\Users\Admin\AppData\Local\Temp\Cab9727.tmp
C:\Users\Admin\AppData\Local\Temp\Tar97A7.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
memory/528-594-0x00000000024D0000-0x00000000024D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:38
Reported
2024-11-10 01:40
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_d0b890efc8a57308d85c1bd3b966b438_avoslocker_luca-stealer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1040 -ip 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 2492
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cc-api-data.adobe.io | udp |
| US | 8.8.8.8:53 | na1e-acc.services.adobe.com | udp |
| US | 54.186.192.149:443 | na1e-acc.services.adobe.com | tcp |
| IE | 54.194.243.238:443 | cc-api-data.adobe.io | tcp |
| US | 8.8.8.8:53 | 238.243.194.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.192.186.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\{EEE765C2-6570-4A9E-B7A8-497CBEA51701}\index.html
C:\Users\Admin\AppData\Local\Temp\{EEE765C2-6570-4A9E-B7A8-497CBEA51701}\CCDInstaller.js