aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99

General

Target

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Size

1.2MB
MD5

c0054f9b49fe2466586daff417d6c9d6
SHA1

f2ba034713590f6f587ba4fee7420c5bb5ec4b25
SHA256

aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99
SHA512

20bd95a4e4a5598e0f18e1442483c746d92c1f06fedd6df6e1adfba4bb08694cb846e6cd3b655589f8540d376678d2c3400a4b56c69fa5b0a8cb00ad67a38735
SSDEEP

24576:e34avxauK03s37QaemGfKvw+RTrsJgjTNHyUt7yQaaPX8Q8p3qkw:E4aHK0837QlmGivw+RToqjTNH5tZaaP/

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 1940 cmd.exe
Deletes itself 1 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid process

3916 2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1940	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid	process
3916	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
1248	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.execmd.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

pid	process
1260	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
1260	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
3916	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
3916	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
1248	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
1248	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

description	pid	process	target process
PID 1260 wrote to memory of 840	1260	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe
PID 1260 wrote to memory of 840	1260	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe
PID 1260 wrote to memory of 840	1260	2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.jpg"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" "C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- Process spawned unexpected child process
PID:3500

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" b "C:\Users\Admin\AppData\Local\Temp\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3916

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe
"C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe" restart
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Helper\Windows\2024-11-22_c0054f9b49fe2466586daff417d6c9d6_avoslocker_luca-stealer.exe

Filesize
1.2MB

MD5
c0054f9b49fe2466586daff417d6c9d6

SHA1
f2ba034713590f6f587ba4fee7420c5bb5ec4b25

SHA256
aaba34a7ee00143fff499b219466498253e9fada28358dae6896870aeba84a99

SHA512
20bd95a4e4a5598e0f18e1442483c746d92c1f06fedd6df6e1adfba4bb08694cb846e6cd3b655589f8540d376678d2c3400a4b56c69fa5b0a8cb00ad67a38735

Download Submit
C:\ProgramData\Microsoft Helper\Windows\cnf.dat

Filesize
63B

MD5
e1524b18f340a9b717cb83d27d66935e

SHA1
e4cba9f1cc86aabfad8b57990d13532879f9a032

SHA256
e44ea0648c8b3097f6f346e31f2b9c2b878e60c49199a4b0c44c945cbe8df3d4

SHA512
56dc874969b501f985cc0cd2127b263f4edd76477da49b94ba72d94653bb241c9d7c5a00dde1b9fc48bfa98820b0e9b7483684361e97add2b44bf42b5a13dd38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads