Overview

overview

10

Static

static

3

2024-11-21...er.exe

windows7-x64

10

2024-11-21...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe

  • Size

    663KB

  • MD5

    5034bb1e06bde3b9ef44ce72e5b680e1

  • SHA1

    227407cbbb205a342a9fd2a6bd5e459aa2f73eff

  • SHA256

    e722a12597c11763970e6d431ec2a54a4881aa8fc745ba239b4dbabd647303f0

  • SHA512

    9c763a00502d34b6917b43e1f22928c038f65b97d1d12adca12814be9ccc1d6860ecd13b75b190d3fe1110bc7d0c0eeaae8f10e9bb69acb2f66db42c55d74e14

  • SSDEEP

    12288:XDiAGc6VBGZLG9PNSx97YoglUw+OeO+OeNhBBhhBBbnt2mS8n3vcUohKivvM2d29:XDiPc6VEZK9PNSx97YonBgmSuA7vlI8B

Score
10/10
defense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\README_WARNING.txt

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? ): Your files have been encrypted for NIGRA. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? ): If you wish to decrypt your files you will need to pay us you can send a three small files for testing,'excel ,word,txt,jpg' something. As a guarantee of our decryption ability. .3. Q: How to contact with you? ): You can write us to our 3 mailboxes: [[email protected]] [[email protected]] [[email protected]] If we do not reply within 24 hours, it means that the mailbox has been blocked, please contact our backup mailbox. (please in subject line write your ID: ec33c2359b) :::WARNING STATEMENT::: DON'T try to change encrypted files by yourself! We have never posted any decrypted videos on youtube, any SNS, please don't trust those crooks who post so-called decrypted videos choose to trust them, unless you have a lot of money! If you need decryption, please contact us via our email, we will only get in touch with you via email. The private key for decryption only exists in our hands, and only we can help decrypt files in this world !!

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2052
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1376
    • C:\Windows\SysWOW64\sc.exe
      sc config VSS start= Demand & net start VSS
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1252
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY delete /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:3664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer.exe" >> NUL
      2⤵
        PID:2556
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1160
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:3812

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      File and Directory Permissions Modification

      1
      T1222

      Indicator Removal

      1
      T1070

      File Deletion

      1
      T1070.004

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      1
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ge333lcp.23p.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \Device\HarddiskVolume1\Boot\cs-CZ\README_WARNING.txt
        Filesize

        2KB

        MD5

        1752cc55353a477e2afc2a04be3fbb82

        SHA1

        5d396dcf37fef7da009b58c582c3210381b14ad3

        SHA256

        b6ba67d1410584d65faf08bc8147265d59e466081fe1a4dc6141c0b1b831d430

        SHA512

        f1212ce018b5824aef6961d4b80fcbadecaf06b2d1719df3969997c2d269488bc00531536b1739a8ec3c5f6ba273b72858dbe3765c2733a2aef28c617eb8207a

        Download Submit

      • memory/1904-4-0x0000000005630000-0x0000000005652000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1904-17-0x00000000064E0000-0x00000000064FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1904-6-0x0000000005E30000-0x0000000005E96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1904-2-0x00000000737E0000-0x0000000073F90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1904-5-0x0000000005D10000-0x0000000005D76000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1904-16-0x0000000005FE0000-0x0000000006334000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1904-0-0x00000000737EE000-0x00000000737EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1904-3-0x0000000005670000-0x0000000005C98000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1904-18-0x0000000006590000-0x00000000065DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1904-19-0x00000000074F0000-0x0000000007586000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1904-21-0x0000000006A10000-0x0000000006A32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1904-22-0x0000000007B40000-0x00000000080E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1904-20-0x00000000069C0000-0x00000000069DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1904-25-0x00000000737E0000-0x0000000073F90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1904-1-0x0000000002F00000-0x0000000002F36000-memory.dmp

        Filesize

        216KB

        Download