e722a12597c11763970e6d431ec2a54a4881aa8fc745ba239b4dbabd647303f0

General

Target

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
Size

663KB
MD5

5034bb1e06bde3b9ef44ce72e5b680e1
SHA1

227407cbbb205a342a9fd2a6bd5e459aa2f73eff
SHA256

e722a12597c11763970e6d431ec2a54a4881aa8fc745ba239b4dbabd647303f0
SHA512

9c763a00502d34b6917b43e1f22928c038f65b97d1d12adca12814be9ccc1d6860ecd13b75b190d3fe1110bc7d0c0eeaae8f10e9bb69acb2f66db42c55d74e14
SSDEEP

12288:XDiAGc6VBGZLG9PNSx97YoglUw+OeO+OeNhBBhhBBbnt2mS8n3vcUohKivvM2d29:XDiPc6VEZK9PNSx97YonBgmSuA7vlI8B

Score

10^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\README_WARNING.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? ): Your files have been encrypted for NIGRA. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? ): If you wish to decrypt your files you will need to pay us you can send a three small files for testing,'excel ,word,txt,jpg' something. As a guarantee of our decryption ability. .3. Q: How to contact with you? ): You can write us to our 3 mailboxes: [[email protected]] [[email protected]] [[email protected]] If we do not reply within 24 hours, it means that the mailbox has been blocked, please contact our backup mailbox. (please in subject line write your ID: d47e9e7f2d) :::WARNING STATEMENT::: DON'T try to change encrypted files by yourself! We have never posted any decrypted videos on youtube, any SNS, please don't trust those crooks who post so-called decrypted videos choose to trust them, unless you have a lot of money! If you need decryption, please contact us via our email, we will only get in touch with you via email. The private key for decryption only exists in our hands, and only we can help decrypt files in this world !!

Emails

[[email protected]]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (141) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

640 icacls.exe

pid	process
640	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe\" e"	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

description	ioc	process
File opened (read-only)	\??\D:	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
File opened (read-only)	\??\E:	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
File opened (read-only)	\??\F:	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4640 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4052 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4640	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execmd.exe2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exenet.exenet1.exesc.exewmic.exeicacls.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5328 timeout.exe
Runs net.exe

pid	process
5328	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

pid	process
4052	powershell.exe
4052	powershell.exe
2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

wmic.exevssvc.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2164	wmic.exe
Token: SeSecurityPrivilege	2164	wmic.exe
Token: SeTakeOwnershipPrivilege	2164	wmic.exe
Token: SeLoadDriverPrivilege	2164	wmic.exe
Token: SeSystemProfilePrivilege	2164	wmic.exe
Token: SeSystemtimePrivilege	2164	wmic.exe
Token: SeProfSingleProcessPrivilege	2164	wmic.exe
Token: SeIncBasePriorityPrivilege	2164	wmic.exe
Token: SeCreatePagefilePrivilege	2164	wmic.exe
Token: SeBackupPrivilege	2164	wmic.exe
Token: SeRestorePrivilege	2164	wmic.exe
Token: SeShutdownPrivilege	2164	wmic.exe
Token: SeDebugPrivilege	2164	wmic.exe
Token: SeSystemEnvironmentPrivilege	2164	wmic.exe
Token: SeRemoteShutdownPrivilege	2164	wmic.exe
Token: SeUndockPrivilege	2164	wmic.exe
Token: SeManageVolumePrivilege	2164	wmic.exe
Token: 33	2164	wmic.exe
Token: 34	2164	wmic.exe
Token: 35	2164	wmic.exe
Token: 36	2164	wmic.exe
Token: SeIncreaseQuotaPrivilege	2164	wmic.exe
Token: SeSecurityPrivilege	2164	wmic.exe
Token: SeTakeOwnershipPrivilege	2164	wmic.exe
Token: SeLoadDriverPrivilege	2164	wmic.exe
Token: SeSystemProfilePrivilege	2164	wmic.exe
Token: SeSystemtimePrivilege	2164	wmic.exe
Token: SeProfSingleProcessPrivilege	2164	wmic.exe
Token: SeIncBasePriorityPrivilege	2164	wmic.exe
Token: SeCreatePagefilePrivilege	2164	wmic.exe
Token: SeBackupPrivilege	2164	wmic.exe
Token: SeRestorePrivilege	2164	wmic.exe
Token: SeShutdownPrivilege	2164	wmic.exe
Token: SeDebugPrivilege	2164	wmic.exe
Token: SeSystemEnvironmentPrivilege	2164	wmic.exe
Token: SeRemoteShutdownPrivilege	2164	wmic.exe
Token: SeUndockPrivilege	2164	wmic.exe
Token: SeManageVolumePrivilege	2164	wmic.exe
Token: 33	2164	wmic.exe
Token: 34	2164	wmic.exe
Token: 35	2164	wmic.exe
Token: 36	2164	wmic.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeDebugPrivilege	4052	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exenet.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 3344	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	net.exe
PID 2676 wrote to memory of 3344	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	net.exe
PID 2676 wrote to memory of 3344	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	net.exe
PID 3344 wrote to memory of 5072	3344	net.exe	net1.exe
PID 3344 wrote to memory of 5072	3344	net.exe	net1.exe
PID 3344 wrote to memory of 5072	3344	net.exe	net1.exe
PID 2676 wrote to memory of 4640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	sc.exe
PID 2676 wrote to memory of 4640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	sc.exe
PID 2676 wrote to memory of 4640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	sc.exe
PID 2676 wrote to memory of 2164	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	wmic.exe
PID 2676 wrote to memory of 2164	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	wmic.exe
PID 2676 wrote to memory of 2164	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	wmic.exe
PID 2676 wrote to memory of 640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	icacls.exe
PID 2676 wrote to memory of 640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	icacls.exe
PID 2676 wrote to memory of 640	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	icacls.exe
PID 2676 wrote to memory of 4052	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	powershell.exe
PID 2676 wrote to memory of 4052	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	powershell.exe
PID 2676 wrote to memory of 4052	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	powershell.exe
PID 2676 wrote to memory of 5272	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	cmd.exe
PID 2676 wrote to memory of 5272	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	cmd.exe
PID 2676 wrote to memory of 5272	2676	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe	cmd.exe
PID 5272 wrote to memory of 5328	5272	cmd.exe	timeout.exe
PID 5272 wrote to memory of 5328	5272	cmd.exe	timeout.exe
PID 5272 wrote to memory of 5328	5272	cmd.exe	timeout.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2676
- C:\Windows\SysWOW64\net.exe
  net stop VSS & sc config VSS start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- C:\Windows\SysWOW64\sc.exe
  sc config VSS start= Demand & net start VSS
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4640
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY delete /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe" >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5u1rqbaz.455.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\README_WARNING.txt

Filesize
2KB

MD5
01a8088947156773319fab90ce78e6be

SHA1
3f6c455a88afff5142573f303d7d09d2b17e73a4

SHA256
d3e0bbbdecd2d7629ac35e6d44583db410cc4cf17e6a0da9509aad5ec2c10ca2

SHA512
aecb87176396bbfe859148be8636e0ec78ed0a7d3b4cad32bc67801aaa030b335de5bcc130574847ca0d5f3b876d0026a46f519bb03822cbf8b613dd8cc30bb4

Download Submit
memory/4052-4-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-17-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-0-0x000000007380E000-0x000000007380F000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/4052-6-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/4052-7-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4052-2-0x0000000004D20000-0x0000000005348000-memory.dmp

Filesize
6.2MB

Download
memory/4052-3-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-18-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/4052-19-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4052-20-0x00000000061A0000-0x0000000006236000-memory.dmp

Filesize
600KB

Download
memory/4052-21-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/4052-22-0x0000000006240000-0x0000000006262000-memory.dmp

Filesize
136KB

Download
memory/4052-23-0x0000000007450000-0x00000000079F4000-memory.dmp

Filesize
5.6MB

Download
memory/4052-26-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-1-0x0000000004680000-0x00000000046B6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads