Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 12:06

General

  • Target

    2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

  • Size

    663KB

  • MD5

    5034bb1e06bde3b9ef44ce72e5b680e1

  • SHA1

    227407cbbb205a342a9fd2a6bd5e459aa2f73eff

  • SHA256

    e722a12597c11763970e6d431ec2a54a4881aa8fc745ba239b4dbabd647303f0

  • SHA512

    9c763a00502d34b6917b43e1f22928c038f65b97d1d12adca12814be9ccc1d6860ecd13b75b190d3fe1110bc7d0c0eeaae8f10e9bb69acb2f66db42c55d74e14

  • SSDEEP

    12288:XDiAGc6VBGZLG9PNSx97YoglUw+OeO+OeNhBBhhBBbnt2mS8n3vcUohKivvM2d29:XDiPc6VEZK9PNSx97YonBgmSuA7vlI8B

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\README_WARNING.txt

Ransom Note
::: Greetings :::

Little FAQ:

.1. Q: Whats Happen?
): Your files have been encrypted for NIGRA. The file structure was not damaged, we did everything possible so that this could not happen.

.2. Q: How to recover files?
): If you wish to decrypt your files you will need to pay us you can send a three small files for testing,'excel ,word,txt,jpg' something. As a guarantee of our decryption ability.

.3. Q: How to contact with you?
): You can write us to our 3 mailboxes: [[email protected]] [[email protected]] [[email protected]]
If we do not reply within 24 hours, it means that the mailbox has been blocked, please contact our backup mailbox.
(please in subject line write your ID: 62c688bab0)

:::WARNING STATEMENT:::
DON'T try to change encrypted files by yourself!
We have never posted any decrypted videos on youtube, any SNS, please don't trust those crooks who post so-called decrypted videos choose to trust them, unless you have a lot of money!
If you need decryption, please contact us via our email, we will only get in touch with you via email.
The private key for decryption only exists in our hands, and only we can help decrypt files in this world !!

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (217) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Executes a command through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 3 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2024
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2176
    • C:\Windows\SysWOW64\sc.exe
      sc config VSS start= Demand & net start VSS
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2632
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY delete /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2832
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2580
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2540
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2612
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:3064
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2724
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1988
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:820
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1232
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1996
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:340
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2640
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2852
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1244
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2256
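The process tree above is a textbook recovery-inhibition chain: stop and disable the VSS service, delete shadow copies three different ways (vssadmin, wmic, PowerShell/WMI), shrink shadow storage per drive so any survivors are purged, loosen ACLs with icacls, then self-delete through cmd /c timeout && del. What follows is an added detection example, not part of the sandbox report or of the sample; it runs the individual command-line rules over constructed process-creation records modelled on the tree (the record field names and the sample path are assumptions) and then aggregates hits by parent PID, because any one vssadmin call may be an administrator, while one parent driving several distinct recovery-inhibition commands is the ransomware signal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are assumptions, modelled on Sysmon EID 1)."""
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


# (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell_win32_shadowcopy_delete", "T1490",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("vss_service_stop_or_disable", "T1489",
     re.compile(r"\bnet1?\s+stop\s+vss\b|\bsc(\.exe)?\s+config\s+vss\s+start=\s*disabled\b", re.I)),
    ("icacls_grant_full_recursive", "T1222.001",
     re.compile(r"\bicacls(\.exe)?\b.*/grant\s+\S+:F\b.*/T\b", re.I)),
    ("cmd_timeout_then_del", "T1070.004",
     re.compile(r'\bcmd(\.exe)?"?\s+/c\s+timeout\s+\d+\s*&&\s*del\s+', re.I)),
]


def match_rules(ev):
    """Return the (rule, technique) pairs whose pattern matches this command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(ev.command_line)]


def deletes_parent_image(ev):
    """True when a quoted del target equals the parent's own executable (self-delete)."""
    m = re.search(r'\bdel\s+"([^"]+)"', ev.command_line, re.I)
    return bool(m) and m.group(1).lower() == ev.parent_image.lower()


def rules_by_parent(events):
    """Distinct (rule, technique) hits grouped by the PID that spawned each child."""
    hits = defaultdict(set)
    for ev in events:
        for pair in match_rules(ev):
            hits[ev.parent_pid].add(pair)
        if deletes_parent_image(ev):
            hits[ev.parent_pid].add(("self_delete_of_parent", "T1070.004"))
    return dict(hits)


def flag_parents(events, min_distinct_rules=3):
    """Parent PIDs whose children triggered at least min_distinct_rules different rules."""
    return sorted(p for p, pairs in rules_by_parent(events).items()
                  if len(pairs) >= min_distinct_rules)


# Constructed sample records mirroring the tree above; the sample path is an assumption.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"
SYS = "C:\\Windows\\SysWOW64\\"
EVENTS = [
    ProcEvent(2316, 2024, SAMPLE, SYS + "net.exe", "net stop VSS & sc config VSS start= disabled"),
    ProcEvent(2300, 2316, SYS + "net.exe", SYS + "net1.exe",
              "C:\\Windows\\system32\\net1 stop VSS & sc config VSS start= disabled"),
    ProcEvent(2176, 2024, SAMPLE, SYS + "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2632, 2024, SAMPLE, SYS + "sc.exe", "sc config VSS start= Demand & net start VSS"),
    ProcEvent(2736, 2024, SAMPLE, SYS + "Wbem\\wmic.exe", "wmic.exe SHADOWCOPY delete /nointeractive"),
    ProcEvent(2580, 2024, SAMPLE, SYS + "vssadmin.exe",
              "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ProcEvent(2388, 2024, SAMPLE, SYS + "icacls.exe", 'icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q'),
    ProcEvent(448, 2024, SAMPLE, SYS + "WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    ProcEvent(1244, 2024, SAMPLE, SYS + "cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c timeout 1 && del "' + SAMPLE + '" >> NUL'),
    # Benign control: an administrator listing shadow copies from an interactive shell.
    ProcEvent(3100, 900, "C:\\Windows\\explorer.exe", SYS + "vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for parent, pairs in rules_by_parent(EVENTS).items():
        print(parent, sorted(pairs))
    print("flagged parents:", flag_parents(EVENTS))
```

The re-enable step (sc config VSS start= Demand & net start VSS) deliberately matches no rule: on its own it is ordinary administration, and the sample only runs it so that the later WMI and COM deletions have a live VSS service to talk to. It still shows up in the parent's child list, which is why the aggregation keys on parent PID rather than on any single command.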

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Device\HarddiskVolume1\Boot\cs-CZ\README_WARNING.txt

    Filesize

    2KB

    MD5

    89b0bb75f070d22ca370e9e51d5f1abb

    SHA1

    44184cfb0d3d7a410fe925d6c528294162743215

    SHA256

    79588d33fafe62e7cff67e49202c8ae43905a6e0e7600b64b4af99b66ff3856a

    SHA512

    ffcce15ca399397e2d92dd173a777f0e029febaf09fe2fbe95101ce275923b2e3c5c6e7693a4cc1187f09b7e2dc4e852d6b048e48ff242f6ad0ac1310d155e66