Analysis
max time kernel: 93s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 02:03
Behavioral task: behavioral1
Sample: 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe
Resource: win10v2004-20241007-en
General
Target: 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe
Size: 22.7MB
MD5: 0178d22ec86dd92c1cd8e0ba2ac223e5
SHA1: 30025465a07d50a21b8dda66b4591f545c35989d
SHA256: b52c47e114f8e8523dfb634146a4bf8bb54d639d3e733d7b3afe7cfb623208cc
SHA512: 0c2075ac382e3c31eaac831e6225bc5cf96e4971d0779e636215fce16b2acecd6d6fb7722877e2139190331e6c4443c92a16bf51816748a6a1e322263dd9c9bf
SSDEEP: 196608:49uXVejN2DaVCjRgo5wwDScTLKdJ4R2zJXTO0yVejN2DaVCjRgo5wwDScTLKdJ4I:49pWH5/+dBJXTzrWH5/+dBJXTz
Malware Config
Extracted (metasploit): encoder/shikata_ga_nai
Extracted (metasploit): windows/reverse_tcp 192.168.1.26:443
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Loads dropped DLL (1 IoC)
pid 4408, process MsiExec.exe
Blocklisted process makes network request (1 IoC)
flow 11, pid 1576, process msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (4 IoCs)
File created: C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe (msiexec.exe)
File created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msiKey (msiexec.exe)
File created: C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msi (msiexec.exe)
File created: C:\Program Files\RealVNC\VNC Viewer\logmessages.dll (msiexec.exe)
Drops file in Windows directory (11 IoCs)
File opened for modification: C:\Windows\Installer\MSI51A5.tmp (msiexec.exe)
File created: C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe (msiexec.exe)
File opened for modification: C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe (msiexec.exe)
File created: C:\Windows\Installer\e58506f.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSI534C.tmp (msiexec.exe)
File created: C:\Windows\Installer\e58506d.msi (msiexec.exe)
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
File created: C:\Windows\Installer\SourceHash{2B49B292-3014-4700-9EDD-A730D38BEB4F} (msiexec.exe)
File opened for modification: C:\Windows\Installer\e58506d.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS (3 IoCs)
Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
Modifies registry class (46 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3368, process msiexec.exe
pid 3368, process msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid 1576, process msiexec.exe
pid 1576, process msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
PID 3520 wrote to memory of 1576 (pid 3520, process 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe, procid_target 84)
PID 3520 wrote to memory of 1576 (pid 3520, process 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe, procid_target 84)
PID 3520 wrote to memory of 1576 (pid 3520, process 2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe, procid_target 84)
PID 3368 wrote to memory of 4076 (pid 3368, process msiexec.exe, procid_target 111)
PID 3368 wrote to memory of 4076 (pid 3368, process msiexec.exe, procid_target 111)
PID 3368 wrote to memory of 4408 (pid 3368, process msiexec.exe, procid_target 113)
PID 3368 wrote to memory of 4408 (pid 3368, process msiexec.exe, procid_target 113)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe (PID 3520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-12_0178d22ec86dd92c1cd8e0ba2ac223e5_avoslocker_hijackloader_luca-stealer_magniber.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 1576)
      Command line: C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
      - Blocklisted process makes network request
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 3368)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe (PID 4076)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\System32\MsiExec.exe (PID 4408)
      Command line: C:\Windows\System32\MsiExec.exe -Embedding AFA63CEB3E348CE9874EC98DA92CFDFA E Global\MSI0000
      - Loads dropped DLL
C:\Windows\system32\vssvc.exe (PID 5052)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads