Analysis
max time kernel
94s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
12/12/2024, 02:07
Behavioral task
behavioral1
Sample
2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
Resource
win7-20240903-en

Behavioral task
behavioral2
Sample
2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
Resource
win10v2004-20241007-en
General
Target
2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
Size
22.7MB
MD5
a033174a36f5fcf67bc7f0237b70fd47
SHA1
f0eada0b9432d0ba85bb0de44e4b7751a996f7df
SHA256
bd64273315a14107de082980ff128ae9eaca0a36302c0f367867bcaaf57aaaaa
SHA512
61b3870842667bc4c0ab282df011259c604b00df0a093659d8559dd1b9d5f85da459c63e5440da7e3464d4b2b9e0a110a08bd15a8e20dab087ca97d6f3d09c18
SSDEEP
196608:69uXVejN2DaVCjRgo5wwDScTLKdJ4R2zJXTO0oVejN2DaVCjRgo5wwDScTLKdJ4I:69pWH5/+dBJXTzlWH5/+dBJXTz
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai

Extracted
metasploit
windows/reverse_tcp
192.168.1.26:443
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Loads dropped DLL 1 IoCs
pid   Process
2268  MsiExec.exe
Blocklisted process makes network request 1 IoCs
flow  pid  Process
16    116  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
Drops file in Program Files directory 4 IoCs
description   ioc                                                                                 Process
File created  C:\Program Files\RealVNC\VNC Viewer\logmessages.dll                                 msiexec.exe
File created  C:\Program Files\RealVNC\VNC Viewer\vncviewer.exe                                   msiexec.exe
File created  C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msiKey  msiexec.exe
File created  C:\Program Files\RealVNC\VNC Viewer\SetupCache\VNC-Viewer-7.13.0-Windows-64bit.msi  msiexec.exe
Drops file in Windows directory 11 IoCs
description                   ioc                                                                           Process
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                      msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                                msiexec.exe
File created                  C:\Windows\Installer\SourceHash{2B49B292-3014-4700-9EDD-A730D38BEB4F}         msiexec.exe
File created                  C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe    msiexec.exe
File opened for modification  C:\Windows\Installer\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\IconViewer.exe    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4B5D.tmp                                              msiexec.exe
File created                  C:\Windows\Installer\e5846d8.msi                                              msiexec.exe
File opened for modification  C:\Windows\Installer\                                                         msiexec.exe
File opened for modification  C:\Windows\Installer\MSI482F.tmp                                              msiexec.exe
File created                  C:\Windows\Installer\e5846da.msi                                              msiexec.exe
File opened for modification  C:\Windows\Installer\e5846d8.msi                                              msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                             Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description       ioc  Process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description  ioc                                                                           Process
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26           msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27           msiexec.exe
Modifies registry class 46 IoCs
description       ioc  Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Assignment = "1"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Media  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\.vnc  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\com.realvnc.vncviewer.connect\shell\open\command  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\InstanceType = "0"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46C1C5FF63EE1764B8F8C49444CD3C03  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\URL Protocol  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4\FeatureDesktopShortcut = "\x06FeatureViewer"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Language = "1033"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open\command\ = "\"C:\\Program Files\\RealVNC\\VNC Viewer\\vncviewer.exe\" -config \"%1\""  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.vnc\ = "VNC.ConnectionInfo"  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\PackageName = "VNC-Viewer-7.13.0-Windows-64bit.msi"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\AuthorizedLUAApp = "0"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\DeploymentFlags = "3"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46C1C5FF63EE1764B8F8C49444CD3C03\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Clients = 3a0000000000  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\ProductIcon = "C:\\Windows\\Installer\\{2B49B292-3014-4700-9EDD-A730D38BEB4F}\\IconViewer.exe"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Media\1 = ";"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\shell\open\ = "Open"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\VNC.ConnectionInfo\ = "RealVNC Viewer Connection Shortcut"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open\command\ = "C:\\Program Files\\RealVNC\\VNC Viewer\\vncviewer.exe -uri \"%1\""  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo\shell\open  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\ = "URL:com.realvnc.vncviewer.connect"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\VNC.ConnectionInfo\shell\open\command  msiexec.exe
Key created       \REGISTRY\MACHINE\Software\Classes\com.realvnc.vncviewer.connect  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4\FeatureViewer  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\AdvertiseFlags = "388"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292B94B241030074E9DD7A033DB8BEF4  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\Version = "118292480"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\PackageName = "vnc64.msi"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net\2 = "C:\\Program Files\\RealVNC\\VNC Viewer\\SetupCache\\"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\com.realvnc.vncviewer.connect\shell\open\command  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\ProductName = "RealVNC Viewer 7.13.0"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\PackageCode = "704BF67F6954F744EB47E218809A2761"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292B94B241030074E9DD7A033DB8BEF4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2844  msiexec.exe
2844  msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeShutdownPrivilege           116   msiexec.exe
Token: SeIncreaseQuotaPrivilege      116   msiexec.exe
Token: SeSecurityPrivilege           2844  msiexec.exe
Token: SeCreateTokenPrivilege        116   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 116   msiexec.exe
Token: SeLockMemoryPrivilege         116   msiexec.exe
Token: SeIncreaseQuotaPrivilege      116   msiexec.exe
Token: SeMachineAccountPrivilege     116   msiexec.exe
Token: SeTcbPrivilege                116   msiexec.exe
Token: SeSecurityPrivilege           116   msiexec.exe
Token: SeTakeOwnershipPrivilege      116   msiexec.exe
Token: SeLoadDriverPrivilege         116   msiexec.exe
Token: SeSystemProfilePrivilege      116   msiexec.exe
Token: SeSystemtimePrivilege         116   msiexec.exe
Token: SeProfSingleProcessPrivilege  116   msiexec.exe
Token: SeIncBasePriorityPrivilege    116   msiexec.exe
Token: SeCreatePagefilePrivilege     116   msiexec.exe
Token: SeCreatePermanentPrivilege    116   msiexec.exe
Token: SeBackupPrivilege             116   msiexec.exe
Token: SeRestorePrivilege            116   msiexec.exe
Token: SeShutdownPrivilege           116   msiexec.exe
Token: SeDebugPrivilege              116   msiexec.exe
Token: SeAuditPrivilege              116   msiexec.exe
Token: SeSystemEnvironmentPrivilege  116   msiexec.exe
Token: SeChangeNotifyPrivilege       116   msiexec.exe
Token: SeRemoteShutdownPrivilege     116   msiexec.exe
Token: SeUndockPrivilege             116   msiexec.exe
Token: SeSyncAgentPrivilege          116   msiexec.exe
Token: SeEnableDelegationPrivilege   116   msiexec.exe
Token: SeManageVolumePrivilege       116   msiexec.exe
Token: SeImpersonatePrivilege        116   msiexec.exe
Token: SeCreateGlobalPrivilege       116   msiexec.exe
Token: SeBackupPrivilege             3164  vssvc.exe
Token: SeRestorePrivilege            3164  vssvc.exe
Token: SeAuditPrivilege              3164  vssvc.exe
Token: SeBackupPrivilege             2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeBackupPrivilege             936   srtasks.exe
Token: SeRestorePrivilege            936   srtasks.exe
Token: SeSecurityPrivilege           936   srtasks.exe
Token: SeTakeOwnershipPrivilege      936   srtasks.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Token: SeTakeOwnershipPrivilege      2844  msiexec.exe
Token: SeRestorePrivilege            2844  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
116  msiexec.exe
116  msiexec.exe
Suspicious use of WriteProcessMemory 7 IoCs
description                    pid   Process                                                                                         procid_target
PID 2296 wrote to memory of 116   2296  2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  84
PID 2296 wrote to memory of 116   2296  2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  84
PID 2296 wrote to memory of 116   2296  2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe  84
PID 2844 wrote to memory of 936   2844  msiexec.exe  111
PID 2844 wrote to memory of 936   2844  msiexec.exe  111
PID 2844 wrote to memory of 2268  2844  msiexec.exe  113
PID 2844 wrote to memory of 2268  2844  msiexec.exe  113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-12_a033174a36f5fcf67bc7f0237b70fd47_avoslocker_hijackloader_luca-stealer_magniber.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
    C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\vnc64.msi ProductLanguage=1033
      - Blocklisted process makes network request
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:116

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
      PID:936
    C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding E7334A1521B9D06073C516584C486227 E Global\MSI0000
      - Loads dropped DLL
      PID:2268

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1.0MB
MD5
00b5c71f93259a0f042b92f1e950bba4
SHA1
1a4c6fc672df64d63df327431be0baf36a7e096f
SHA256
d2a84d5955ecde904153333c8873de922a60b483cc48799211b60b30567f07e3
SHA512
294e16dfce86341f2f3e540e9dfe21803f57a68a75ef7fe0f97afa0e903e453c4448455f855ef63a6fbdbb4694c7b384fecff031a4e7b9af502b29ca8bfb46e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
471B
MD5
4a9aa6a614556e086a26fd3799e56ddd
SHA1
f20b660dfaba446060f0c074a511cb931adc1129
SHA256
1f26a246511a771e468f21ebf16ebc65771824106b0cdf4ac4d7686a0e33f9ec
SHA512
417fe3d13064b688bc432a363bb8ffcbb5236b0481eb804889ffe836f3796d5e96634f1685c4f36588c067a05cb15b50795bf6363f1ded5c23533faecb15ad47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
Filesize
727B
MD5
2720763d3d6e1af588241a850d29db71
SHA1
5304cfecb54632e1824150f2db0d69ff1fa5a686
SHA256
aaf83b6a0722f145f3b5a85052e44b6c59689ffb03189d68a44b24cb0b5fd364
SHA512
64d2b84bc11e36de9aec359523e628636874e8c5ebe76f46134dd01ddd8bfa1c1666af0fae865268c464b4a83eba2ecc4c93f386cd101f988be07593bd014cf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B
MD5
144166bcdd73de6bc88826b56a505cf7
SHA1
ec02bf36ee81da1c0b9092337a054956480ea26a
SHA256
d7ed6d87057832f9a9d0476cc4f287cfd161453d978088bac3504428709a7523
SHA512
f56bbc0ed83c96aac239356e0664ac511b7c4c651017843f9fadf189e9a5dc0bc9f0eba3cb95179383d69c076feb966c2fd9bf00ef976e2c925ae8cbada4e463

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
400B
MD5
4eb59d258e8c651a665a65f63af627da
SHA1
6b8eb8dd78eb3360fadf430c5e6159266d359b39
SHA256
12a1b9da9abe4296f70aa5727be638f293d4be0b47a526c3c88bcd90a7cb0768
SHA512
6ef488f66d1c66a83981810557368f18d3e41bce5cc12dd217e2c4be1b2bd7963d7e620244f9cc02e13aa2743a93de67c6f71517abba32b9f8ce564452ff97e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F59623AEE3E6048CCD92ADA564422513
Filesize
408B
MD5
48c3bef571fb504ea098643ac0bcf212
SHA1
34a10c37ce8e2c6f9c837c34db2afdda28b7551d
SHA256
42d622b123838bbb04401fe1ebf92750f438e2eb2f7a98c343205a9e87a69924
SHA512
c0a3a1fdd81c30cb79a665eee71c5ab6d62754f39e2dd45c7905136594a5ef339e610010f2a4e9b92bac4576e4cc802f6a028ac1909a64e44ef95c30053d4df3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B
MD5
3c1c3d454dba2831e0c8871a7114d2b1
SHA1
ebc3348facce6c93a76d4446301ee6a21fa644b5
SHA256
8865defb6e0fb6242a58e56f791db25fd2e64f1d0ce65b55c155a87248f9cfa2
SHA512
a46e0fd099b155234a1fef2b23161d50837bba49e41307ae71e89648c3a14eea78056497951f59d6e4a1204448aa6c891468b34edb9292810da676f63bc9248e

Filesize
5.6MB
MD5
5b24d1c6b28984bf3a307a217ae862b4
SHA1
4db2cb295343977d1c4b1a6f0c8890f47aab6271
SHA256
14c5a337888158e635ea9d5c6d608ad5e9fb6af0b5f125d20b38bb03e26ffd6b
SHA512
1e30c593a2542099372dd0e6dc14f25a4cfeb5d4aa95a3981da4def8942db9ed0603e64f9c5d8040ca21f3894c7fe705fff62bb47dfe6ff9ccb7a84516f014a8

Filesize
1.0MB
MD5
55d3dcd4008adcfef3e0cb44fb0f229b
SHA1
6f828fa6e759b1cae266954670448f8bc6c6316f
SHA256
96fad74bb3630a31b8793887f394ba45a251b4b292c37225db05f47785c7dcf7
SHA512
19fc3c4b83392734a30019e08408ba4865ba483fd2ab701c630aad67b70bc9d0785aa70f737692b1955357a9a7e702ad868e48f6d6f03e5639126481f3319634

Filesize
24.1MB
MD5
0549b110e91b881fabd90d981507e76e
SHA1
ef2b3b9ea779afd9990b5b7803c561db2bc0e1f3
SHA256
030c00612d065bad44a924980e184348eeea264bf0097987998b63948779671c
SHA512
557fbec61adf64e0c3737fd754d56a19a202540c99ef7e77fdd8746bcbfb8b8ec7244d6a8bb746287420c5d8ebe04238b2d5d8310b829d5f20f20f35b831eec9

\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9c0f1d40-3fa6-433e-b6f6-06e9b480bd1b}_OnDiskSnapshotProp
Filesize
6KB
MD5
488eb96508ff372631a12316473e1636
SHA1
db6ab56cd4135b623db497211751d92bb5aaf332
SHA256
8b170de8493ba2bb85e71650a4231bfd2e03b4be25a86384029920a2a233375d
SHA512
f72c010bb48c8db4a4634df634ff4f3e45b8edd467d90f0016c592bc2e571d3935fa5185c55b390f1471850e7e24a4ffe264d7d192b63c5b2081821ff62f9999