aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99

General

Target

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Size

1.2MB
MD5

c0054f9b49fe2466586daff417d6c9d6
SHA1

f2ba034713590f6f587ba4fee7420c5bb5ec4b25
SHA256

aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99
SHA512

20bd95a4e4a5598e0f18e1442483c746d92c1f06fedd6df6e1adfba4bb08694cb846e6cd3b655589f8540d376678d2c3400a4b56c69fa5b0a8cb00ad67a38735
SSDEEP

24576:e34avxauK03s37QaemGfKvw+RTrsJgjTNHyUt7yQaaPX8Q8p3qkw:E4aHK0837QlmGivw+RToqjTNH5tZaaP/

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 3032 cmd.exe
Deletes itself 1 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid process

2352 2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3032	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid	process
2352	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2304	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.execmd.exeDllHost.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exeDllHost.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid	process
2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2820	DllHost.exe
2352	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2352	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2304	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
2304	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DllHost.exe

pid process

2820 DllHost.exe
2820 DllHost.exe

pid	process
2820	DllHost.exe
2820	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	pid	process	target process
PID 2524 wrote to memory of 2984	2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe
PID 2524 wrote to memory of 2984	2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe
PID 2524 wrote to memory of 2984	2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe
PID 2524 wrote to memory of 2984	2524	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.jpg"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" "C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- Process spawned unexpected child process
PID:3064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2820

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" b "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2352

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" restart
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Filesize
1.2MB

MD5
c0054f9b49fe2466586daff417d6c9d6

SHA1
f2ba034713590f6f587ba4fee7420c5bb5ec4b25

SHA256
aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99

SHA512
20bd95a4e4a5598e0f18e1442483c746d92c1f06fedd6df6e1adfba4bb08694cb846e6cd3b655589f8540d376678d2c3400a4b56c69fa5b0a8cb00ad67a38735

Download Submit
C:\ProgramData\Microsoft Helper\Windows\cnf.dat

Filesize
63B

MD5
489c04b52c5e91e59650b979f3491453

SHA1
b864dbd523b27607c11234fe753541ce0da082f9

SHA256
bd93d74da928617637a676cafba8c6ea69c60d278303ab1050017d856f4f2f33

SHA512
50d5205b35d0098c2cedc4940a317caf4909dfddb767a916e80da7d2beec369339e0050c841541372e6b1d03030b408452ef396b015386d276e061a666b43d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.jpg

Filesize
690KB

MD5
4c658c353d303d7075bb657dbb9136b6

SHA1
b2f973fdc1cbbe2510954b165f48d32fc9ee8ee3

SHA256
596580915f0bf6bfcfd19cc18f733458a532573d1737922181d3e652342ef3ee

SHA512
32a39286774089eb05609e81aa433c473f6430a659ec6993f731eaf5317baa02dfccf296bff1174f085da2f863e8b7dd509815eeb5a43cfc2d9227b4fb6adc71

Download Submit
memory/2820-55-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2984-54-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads