Analysis

Max time kernel: 94s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-12-2024 19:56

Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Resource: win7-20240903-en
General

Target: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Size: 3.1MB
MD5: 555437a35bbb26dc74ccbbff9241eef4
SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509
SSDEEP: 49152:TIAE0miU9mNKtcsS1OU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:+EUhcsaOU/jIEeQfoR/IuOFVjUu5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  Process: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 12: api.ipify.org
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to get system information.
  PID 1144: powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
    Process: powershell.exe (4 entries)
    Process: calc.exe
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings
  Process: calc.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  powershell.exe PIDs 1144, 4464, 4048, 4696 (each listed twice)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  powershell.exe (PID 1144): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (PID 1740): SeDebugPrivilege
  powershell.exe (PID 4464): SeDebugPrivilege
  powershell.exe (PID 4048): SeDebugPrivilege
  powershell.exe (PID 4696): SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4824: OpenWith.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Writing process in every entry: PID 1740, 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  PID 1740 wrote to memory of PID 1144 (procid_target 82): 3 entries
  PID 1740 wrote to memory of PID 4464 (procid_target 85): 3 entries
  PID 1740 wrote to memory of PID 4048 (procid_target 89): 3 entries
  PID 1740 wrote to memory of PID 4696 (procid_target 92): 3 entries
  PID 1740 wrote to memory of PID 1888 (procid_target 94): 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
  PID: 1740
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
      PID: 1144
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion
      PID: 4464
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed
      PID: 4048
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name
      PID: 4696
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\System32\calc.exe"
      PID: 1888
      - System Location Discovery: System Language Discovery
      - Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4824
  - Suspicious use of SetWindowsHookEx
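The process tree above is the useful detection surface in this report: the 32-bit sample (note the SysWOW64 PowerShell path and the arch:x86 resource tag) spawns four separate powershell.exe children, each pulling one hardware attribute over WMI/CIM (total physical memory, SMBIOS BIOS version, RAM speed, video controller name), which is a typical sandbox/VM fingerprint, and the network section shows a lookup of api.ipify.org. The Geo\Nation and NLS\Language registry reads are not something Sysmon records (it logs registry create/delete/set, not reads), so a host-based rule has to key on process creation and DNS instead. The following is an added example of such a rule, not part of the sandbox report or of any vendor's detection content. The event records are constructed to mirror the tree on this page (images, PIDs and command lines copied from the report) in a Sysmon-style shape; the parent PID 4300, the benign cmd.exe/powershell.exe control pair under PIDs 8000/9000, and the attribution of the api.ipify.org query to PID 1740 are assumptions of the constructed data, since the report does not state which process made the lookup.

```python
"""Flag a parent that fans out hardware-fingerprinting WMI queries to PowerShell children.

Added example; the events below are constructed from this report's process tree,
not exported from a real Sysmon install.
"""
from collections import defaultdict
from dataclasses import dataclass

# WMI class -> property pulled by each PowerShell child in the report.
FINGERPRINT_QUERIES = {
    "Win32_ComputerSystem": "TotalPhysicalMemory",
    "Win32_BIOS": "SMBIOSBIOSVersion",
    "Win32_PhysicalMemory": "Speed",
    "Win32_VideoController": "Name",
}
# External-IP services; api.ipify.org is the one in this report's network IoC.
IP_LOOKUP_DOMAINS = {"api.ipify.org"}


@dataclass(frozen=True)
class Event:
    event_id: int          # Sysmon numbering: 1 = process create, 22 = DNS query
    pid: int
    ppid: int
    image: str
    command_line: str = ""
    query_name: str = ""   # only set for event_id 22


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe")
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. PPID 4300 for the sample and the 8000/9000 control pair are assumed.
SAMPLE_EVENTS = [
    Event(1, 1740, 4300, SAMPLE, f'"{SAMPLE}"'),
    Event(1, 1144, 1740, PS32, '"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory'),
    Event(1, 4464, 1740, PS32, '"powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion'),
    Event(1, 4048, 1740, PS32, '"powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed'),
    Event(1, 4696, 1740, PS32, '"powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name'),
    Event(1, 1888, 1740, r"C:\Windows\SysWOW64\calc.exe", r'"C:\Windows\System32\calc.exe"'),
    # Attributing the api.ipify.org lookup to the parent is an assumption; the report only lists the flow.
    Event(22, 1740, 4300, SAMPLE, query_name="api.ipify.org"),
    # Benign control: an admin checking one BIOS version by hand should not alert.
    Event(1, 8000, 4300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(1, 9000, 8000, PS64, "powershell Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion"),
]


def fingerprint_classes(command_line):
    """Return the fingerprint WMI classes whose class AND property appear in the command line."""
    return {cls for cls, prop in FINGERPRINT_QUERIES.items()
            if cls in command_line and prop in command_line}


def is_powershell(image):
    return image.lower().endswith("\\powershell.exe")


def detect(events, min_classes=3):
    """Alert on any parent whose PowerShell children together cover >= min_classes
    distinct fingerprint classes. Union by parent, so the rule also fires if the
    queries are collapsed into one child instead of four."""
    classes_by_parent = defaultdict(set)
    children_by_parent = defaultdict(list)
    dns_by_pid = defaultdict(set)
    image_by_pid = {}
    for ev in events:
        image_by_pid.setdefault(ev.pid, ev.image)
        if ev.event_id == 1 and is_powershell(ev.image):
            hits = fingerprint_classes(ev.command_line)
            if hits:
                classes_by_parent[ev.ppid] |= hits
                children_by_parent[ev.ppid].append(ev.pid)
        elif ev.event_id == 22:
            dns_by_pid[ev.pid].add(ev.query_name.lower())
    alerts = []
    for ppid, classes in classes_by_parent.items():
        if len(classes) >= min_classes:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": image_by_pid.get(ppid, "<unknown>"),
                "classes": sorted(classes),
                "children": children_by_parent[ppid],
                "external_ip_lookup": bool(dns_by_pid[ppid] & IP_LOOKUP_DOMAINS),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The union-by-parent keeps the rule from being trivially split: a parent that issues the four queries from one PowerShell process still hits the threshold, and a lone `Get-WmiObject Win32_BIOS` from an administrator's shell does not. The `external_ip_lookup` flag is an enrichment, not a gate, because the report gives no process attribution for the api.ipify.org flow.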
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 2KB
  MD5: 123cd8a916c430f236f9ae908a55cc6d
  SHA1: 31cbd1fbc8bfe8bed2d0bf569f64ba9681682654
  SHA256: 7aa5033e789da9d48b185be91ba0763769f9a846d782e02934484d0610b43667
  SHA512: 24e036c4ddcaefa2069f7bfbc6ef71144595e2db6bef104118347bdcc4061cf321ab0a18e944338cc273d151c76666774cc2c50dbe5c2bf4b9ce8f3119e61da7

File 2
  Filesize: 18KB
  MD5: 65a41db05aa77992089558f5774b43a9
  SHA1: a3a32d4933ffb2d23fd142d069d3a965cc534afa
  SHA256: 55cd1b8f412ba534eff18538a2f7db87bc8d61f57695acfc885ee9a6546960e8
  SHA512: a26a6e403580bf7f31f5b98d99f55583779768dced6bed340f0f58c9a089108e7a2a7f2c614155ab3e333300c408071cedf7b83c8e305e643fefc720c39ce0a1

File 3
  Filesize: 17KB
  MD5: d62a201cde0a69f487bcdb3aea919caa
  SHA1: 3f2fd2a1defac175a6e94e8edd054960077a4e89
  SHA256: 244900ab7eba4ee0ff91c3e28352aa537c691936dc9ee9811ca1df9a5ccab275
  SHA512: f2e4292731fce0e646661ca6166a6b5c8496124cb9ba60c454eaa77b62e3c90f2a0343cbcc8392ecfd6fc1f24d5fd47ac4eaff32eac2af0ca6e3d3b72e7de57c

File 4
  Filesize: 16KB
  MD5: 592365f571e03ddc8133536ad96cea1a
  SHA1: fb7be445283e65f8634cfaa2e1e16ec712ad3571
  SHA256: 83a2de0f8a532f8d5b66d0ae0086727dd4902f480704122b7b257db094335bd5
  SHA512: bee49cc2f0c1b45ebac11197de9783b1236491718634cf54e9c27bde86101f5d02f8ec935a0e2bc05d9e1c58522a7d3a6f3336bcab6219abc4ee61b683d981dd

File 5
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82