Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/12/2024, 02:07
Behavioral task: behavioral1
- Sample: 2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
- Size: 22.7MB
- MD5: a033174a36f5fcf67bc7f0237b70fd47
- SHA1: f0eada0b9432d0ba85bb0de44e4b7751a996f7df
- SHA256: bd64273315a14107de082980ff128ae9eaca0a36302c0f367867bcaaf57aaaaa
- SHA512: 61b3870842667bc4c0ab282df011259c604b00df0a093659d8559dd1b9d5f85da459c63e5440da7e3464d4b2b9e0a110a08bd15a8e20dab087ca97d6f3d09c18
- SSDEEP: 196608:69uXVejN2DaVCjRgo5wwDScTLKdJ4R2zJXTO0oVejN2DaVCjRgo5wwDScTLKdJ4I:69pWH5/+dBJXTzlWH5/+dBJXTz
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Loads dropped DLL (2 IoCs)
  pid   Process
  2876  msiexec.exe
  1532  MsiExec.exe
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  4     1924  msiexec.exe
  15    2876  msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
- Drops file in Program Files directory (4 IoCs)
  description   ioc                                                                                  Process
  File created  C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msiKey  msiexec.exe
  File created  C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msi     msiexec.exe
  File created  C:\Program Files\RealVNC\VNC Viewer\logmessages.dll                                   msiexec.exe
  File created  C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe                                     msiexec.exe
- Drops file in Windows directory (13 IoCs)
  description                   ioc                                                                       Process
  File opened for modification  C:\Windows\INF\setupapi.ev3                                               DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1                                               DrvInst.exe
  File created                  C:\Windows\Installer\f7755fc.msi                                          msiexec.exe
  File created                  C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe  msiexec.exe
  File opened for modification  C:\Windows\Installer\f7755fd.ipi                                          msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log                                           DrvInst.exe
  File opened for modification  C:\Windows\Installer\f7755fc.msi                                          msiexec.exe
  File created                  C:\Windows\Installer\f7755fd.ipi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5801.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe  msiexec.exe
  File created                  C:\Windows\Installer\f7755ff.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5A93.tmp                                          msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
- Modifies data under HKEY_USERS (46 IoCs)
  description       ioc  Process
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E  msiexec.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs  DrvInst.exe
  Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D  msiexec.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  DrvInst.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs  DrvInst.exe
  Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E  msiexec.exe
- Modifies registry class (46 IoCs)
  description       ioc  Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open\command\ = "C:\\Program Files\\RealVNC\\VNC Viewer\\vncviewer.exe -uri \"%1\""  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\PackageName = "vnc64.msi"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\PackageName = "VNC-Viewer-7.13.0-Windows-64bit.msi"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo\shell\open\command  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\.vnc  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\ = "RealVNC Viewer Connection Shortcut"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4\FeatureViewer  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\ProductIcon = "C:\\Windows\\Installer\\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\\IconViewer.exe"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Media\1 = ";"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net\2 = "C:\\Program Files\\RealVNC\\VNC Viewer\\SetupCache\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open\command\ = "\"C:\\Program Files\\RealVNC\\VNC Viewer\\vncviewer.exe\" -config \"%1\""  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open\command  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\AdvertiseFlags = "388"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Clients = 3a0000000000  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo\shell\open  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open\ = "Open"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.vnc\ = "VNC.ConnectionInfo"  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\ProductName = "RealVNC Viewer 7.13.0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\PackageCode = "704BF67F6954F744EB47E218809A2761"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Language = "1033"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Version = "118292480"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46C1C5FF63EE1764B8F8C49444CD3C03\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\URL Protocol  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\com.realvnc.vncviewer.connect\shell\open\command  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Assignment = "1"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\InstanceType = "0"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\ = "URL:com.realvnc.vncviewer.connect"  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4\FeatureDesktopShortcut = "\x06FeatureViewer"  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\AuthorizedLUAApp = "0"  msiexec.exe
  Key created       \REGISTRY\MACHINE\Software\Classes\com.realvnc.vncviewer.connect  msiexec.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\DeploymentFlags = "3"  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46C1C5FF63EE1764B8F8C49444CD3C03  msiexec.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Media  msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2876  msiexec.exe
  2876  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             1924  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        1924  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeSecurityPrivilege             2876  msiexec.exe
  Token: SeCreateTokenPrivilege          1924  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   1924  msiexec.exe
  Token: SeLockMemoryPrivilege           1924  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        1924  msiexec.exe
  Token: SeMachineAccountPrivilege       1924  msiexec.exe
  Token: SeTcbPrivilege                  1924  msiexec.exe
  Token: SeSecurityPrivilege             1924  msiexec.exe
  Token: SeTakeOwnershipPrivilege        1924  msiexec.exe
  Token: SeLoadDriverPrivilege           1924  msiexec.exe
  Token: SeSystemProfilePrivilege        1924  msiexec.exe
  Token: SeSystemtimePrivilege           1924  msiexec.exe
  Token: SeProfSingleProcessPrivilege    1924  msiexec.exe
  Token: SeIncBasePriorityPrivilege      1924  msiexec.exe
  Token: SeCreatePagefilePrivilege       1924  msiexec.exe
  Token: SeCreatePermanentPrivilege      1924  msiexec.exe
  Token: SeBackupPrivilege               1924  msiexec.exe
  Token: SeRestorePrivilege              1924  msiexec.exe
  Token: SeShutdownPrivilege             1924  msiexec.exe
  Token: SeDebugPrivilege                1924  msiexec.exe
  Token: SeAuditPrivilege                1924  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    1924  msiexec.exe
  Token: SeChangeNotifyPrivilege         1924  msiexec.exe
  Token: SeRemoteShutdownPrivilege       1924  msiexec.exe
  Token: SeUndockPrivilege               1924  msiexec.exe
  Token: SeSyncAgentPrivilege            1924  msiexec.exe
  Token: SeEnableDelegationPrivilege     1924  msiexec.exe
  Token: SeManageVolumePrivilege         1924  msiexec.exe
  Token: SeImpersonatePrivilege          1924  msiexec.exe
  Token: SeCreateGlobalPrivilege         1924  msiexec.exe
  Token: SeBackupPrivilege               2156  vssvc.exe
  Token: SeRestorePrivilege              2156  vssvc.exe
  Token: SeAuditPrivilege                2156  vssvc.exe
  Token: SeBackupPrivilege               2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeRestorePrivilege              1144  DrvInst.exe
  Token: SeLoadDriverPrivilege           1144  DrvInst.exe
  Token: SeLoadDriverPrivilege           1144  DrvInst.exe
  Token: SeLoadDriverPrivilege           1144  DrvInst.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2876  msiexec.exe
  Token: SeRestorePrivilege              2876  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1924  msiexec.exe
  1924  msiexec.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                                         procid_target
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 592 wrote to memory of 1924   592   2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  31
  PID 2876 wrote to memory of 1532  2876  msiexec.exe                                                                                     36
  PID 2876 wrote to memory of 1532  2876  msiexec.exe                                                                                     36
  PID 2876 wrote to memory of 1532  2876  msiexec.exe                                                                                     36
  PID 2876 wrote to memory of 1532  2876  msiexec.exe                                                                                     36
  PID 2876 wrote to memory of 1532  2876  msiexec.exe                                                                                     36
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 592
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1924
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2876
  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding C15EF3335FF8D048B2C0C9B62985F1F4 M Global\MSI0000
    - Loads dropped DLL
    PID: 1532
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2156
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "000000000000058C"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 2719ed7030ef6ab73d36aa01120cb3d5
  SHA1: e9241ddc419f004f6fc0d9fc05f36a868356f40f
  SHA256: bbd0e323ceda2756ee028a1999b6c45273d1f27efefbeaaaa2cd3357c1d4e5ac
  SHA512: 3d971c12d335a2fa345d6f52c36147f2a07e61f63134dbb5e6a353d421423a9dbb4eaaf9c671aa67efab9ab9d478e9ae3d6dbb0e46ee8b3224b68763c29b1a6c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: 4a9aa6a614556e086a26fd3799e56ddd
  SHA1: f20b660dfaba446060f0c074a511cb931adc1129
  SHA256: 1f26a246511a771e468f21ebf16ebc65771824106b0cdf4ac4d7686a0e33f9ec
  SHA512: 417fe3d13064b688bc432a363bb8ffcbb5236b0481eb804889ffe836f3796d5e96634f1685c4f36588c067a05cb15b50795bf6363f1ded5c23533faecb15ad47
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
  Filesize: 727B
  MD5: 2720763d3d6e1af588241a850d29db71
  SHA1: 5304cfecb54632e1824150f2db0d69ff1fa5a686
  SHA256: aaf83b6a0722f145f3b5a85052e44b6c59689ffb03189d68a44b24cb0b5fd364
  SHA512: 64d2b84bc11e36de9aec359523e628636874e8c5ebe76f46134dd01ddd8bfa1c1666af0fae865268c464b4a83eba2ecc4c93f386cd101f988be07593bd014cf0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 144166bcdd73de6bc88826b56a505cf7
  SHA1: ec02bf36ee81da1c0b9092337a054956480ea26a
  SHA256: d7ed6d87057832f9a9d0476cc4f287cfd161453d978088bac3504428709a7523
  SHA512: f56bbc0ed83c96aac239356e0664ac511b7c4c651017843f9fadf189e9a5dc0bc9f0eba3cb95179383d69c076feb966c2fd9bf00ef976e2c925ae8cbada4e463
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: 296caaf56467ebedef946c9640917f1d
  SHA1: 04fa5eed366714fbdee667600b61b99abaa04518
  SHA256: c6f18936dbf55078140141af30268824490b13a440d2d58b6d8f8b606f1ffcb4
  SHA512: dea462439d2cf7270835bd88a07cbe292bcac62df23dce63dd1e7b373fc3971cf6361d02d1927b3d0ebf3570107d0b575e51e96184bf8f0c93106765437f3ff4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
  Filesize: 408B
  MD5: 9a0c2a28d053e5dcfc46dff98e592ab8
  SHA1: d3e6d59f0d54aaa03a221d3ba09185faf257acbd
  SHA256: 92a6b1d0ca3d0a4c465993deeb0020ef1179d77e103913b4c54ca1549f270b71
  SHA512: 19dc2a411c9d32b73ff28a87f8da036dd3105c23f154afa59965137eded66d817a206dc8de59a6f38f9be06a9104d68302f9bd66c700a2c85c517c9f1007befe
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 76d6f93a60bf72622b27e3850fe1d4a3
  SHA1: d951a52d8cdd0f02ee844c012840699ebf5e40e3
  SHA256: a6bcf45b0d65316d5b4519641266c4ec9a339436c2b691c1116451ded86258ed
  SHA512: ca93a7e1cb71a2eaa628a37bc92c1085ab536eeedd8b98a5f2577046ae4f1256b7ce64c6ed86011e59453cbe472da36b682a9b8b56a43b371d305cbe79bfe02b
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 5.6MB
  MD5: 5b24d1c6b28984bf3a307a217ae862b4
  SHA1: 4db2cb295343977d1c4b1a6f0c8890f47aab6271
  SHA256: 14c5a337888158e635ea9d5c6d608ad5e9fb6af0b5f125d20b38bb03e26ffd6b
  SHA512: 1e30c593a2542099372dd0e6dc14f25a4cfeb5d4aa95a3981da4def8942db9ed0603e64f9c5d8040ca21f3894c7fe705fff62bb47dfe6ff9ccb7a84516f014a8
- Filesize: 1.0MB
  MD5: 55d3dcd4008adcfef3e0cb44fb0f229b
  SHA1: 6f828fa6e759b1cae266954670448f8bc6c6316f
  SHA256: 96fad74bb3630a31b8793887f394ba45a251b4b292c37225db05f47785c7dcf7
  SHA512: 19fc3c4b83392734a30019e08408ba4865ba483fd2ab701c630aad67b70bc9d0785aa70f737692b1955357a9a7e702ad868e48f6d6f03e5639126481f3319634
- Filesize: 11.3MB
  MD5: 13074501a8d7b61da2845bb4c509ba56
  SHA1: c2faf654ba721d435fc44eebd5f61f5f119f3f9f
  SHA256: 6b6287b1e4a93b01124f7d091aec49b3d286b7aff625b3520b531fee3c6a324a
  SHA512: 95556fae5921523c5122edd73dcdb54aebc4289d57cae99cc67984a51c8ccb8198fdfb58c5fac31a65e13b5247e658770dcb6aceffc4a4c1458260d294b37895