Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 20:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
- Resource: win7-20241010-en
General
- Target: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
- Size: 3.1MB
- MD5: 555437a35bbb26dc74ccbbff9241eef4
- SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
- SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
- SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509
- SSDEEP: 49152:TIAE0miU9mNKtcsS1OU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:+EUhcsaOU/jIEeQfoR/IuOFVjUu5
Malware Config
Extracted: xred
- xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Extracted: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- 104.219.215.160:4449
- 104.219.215.160:8008
- jjzxklegwjqz
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
  resource yara_rule
  - behavioral1/memory/2764-34-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/memory/2764-32-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/files/0x000b00000001202c-40.dat VenomRAT
  - behavioral1/memory/1236-54-0x0000000001060000-0x0000000001078000-memory.dmp VenomRAT
  - behavioral1/memory/1476-86-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/memory/2180-101-0x0000000001370000-0x0000000001388000-memory.dmp VenomRAT
  - behavioral1/memory/1476-124-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/memory/1476-123-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/memory/1476-125-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
  - behavioral1/memory/1476-154-0x0000000000400000-0x00000000004D6000-memory.dmp VenomRAT
- Venomrat family
- Xred family
- Async RAT payload 1 IoCs
  resource yara_rule
  - behavioral1/files/0x000b00000001202c-40.dat family_asyncrat
- Executes dropped EXE 5 IoCs
  pid Process
  - 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 1236 ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 2704 Synaptics.exe
  - 1476 Synaptics.exe
  - 2180 ._cache_Synaptics.exe
- Loads dropped DLL 6 IoCs
  pid Process
  - 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - 1476 Synaptics.exe
  - 1476 Synaptics.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description ioc Process
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AnyDVD HD v6.7.4.0 Final = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
- Command and Scripting Interpreter: PowerShell
  pid Process
  - 2044 powershell.exe
  - 2940 powershell.exe
  - 2716 powershell.exe
  - 1944 powershell.exe
- Suspicious use of SetThreadContext 2 IoCs
  description pid Process procid_target
  - PID 2568 set thread context of 2764 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 37
  - PID 2704 set thread context of 1476 2704 Synaptics.exe 47
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description ioc Process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  - 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - powershell.exe
  - powershell.exe
  - Synaptics.exe
  - powershell.exe
  - powershell.exe
  - cmd.exe
  - schtasks.exe
  - schtasks.exe
  - EXCEL.EXE
  - 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - Synaptics.exe
  - cmd.exe
- Enumerates system info in registry 2 TTPs 1 IoCs
  description ioc Process
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
- Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process
  - 2472 schtasks.exe
  - 1160 schtasks.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid Process
  - 2532 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses 41 IoCs
  pid Process
  - 2716 powershell.exe
  - 2044 powershell.exe
  - 1944 powershell.exe
  - 2940 powershell.exe
  - 1236 ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (row repeated for the remaining 37 IoCs)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  description pid Process
  - Token: SeDebugPrivilege 2716 powershell.exe
  - Token: SeDebugPrivilege 2044 powershell.exe
  - Token: SeDebugPrivilege 1944 powershell.exe
  - Token: SeDebugPrivilege 1236 ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  - Token: SeDebugPrivilege 2940 powershell.exe
  - Token: SeDebugPrivilege 2180 ._cache_Synaptics.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid Process
  - 2532 EXCEL.EXE
  - 1236 ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  description pid Process procid_target (identical rows collapsed, with the number of repetitions in parentheses)
  - PID 2568 wrote to memory of 2716 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 30 (x4)
  - PID 2568 wrote to memory of 2044 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 32 (x4)
  - PID 2568 wrote to memory of 1952 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 34 (x4)
  - PID 1952 wrote to memory of 2472 1952 cmd.exe 36 (x4)
  - PID 2568 wrote to memory of 2764 2568 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 37 (x12)
  - PID 2764 wrote to memory of 1236 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 38 (x4)
  - PID 2764 wrote to memory of 2704 2764 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe 39 (x4)
  - PID 2704 wrote to memory of 1944 2704 Synaptics.exe 40 (x4)
  - PID 2704 wrote to memory of 2940 2704 Synaptics.exe 42 (x4)
  - PID 2704 wrote to memory of 2324 2704 Synaptics.exe 43 (x4)
  - PID 2324 wrote to memory of 1160 2324 cmd.exe 46 (x4)
  - PID 2704 wrote to memory of 1476 2704 Synaptics.exe 47 (x12)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2568
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2716
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2044
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1952
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2472
  - C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe #by-unknown
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2764
    - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1236
    - C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2704
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2940
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2324
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 1160
      - C:\ProgramData\Synaptics\Synaptics.exe #by-unknown
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1476
        - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2180
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2532
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRW9883P3GTZ4U3WNBO3.temp
  Filesize: 7KB
  MD5: 931704c6538704b4052d1f397d6de0e5
  SHA1: bb0e5fc5a7f2a4ef1a51e7b0e8ac5940a894a585
  SHA256: 4d66f4847a47b97ea628ed1dce7add4468c9d15ba71059c892345869da369755
  SHA512: a45f0c29ad1ea8b7a79c6436bf2183435ff353c861dcf3c59e153bd115f858ce1aa2f4c2667ce45230fbd645166ad7c9c12c2fa1e608b6160cb1f38dce8b6f99
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d43bb253f04212d5cd8bd4eb72eb8b9b
  SHA1: e7b81f21733b1a7706b51f9289777b02ae9a3f6f
  SHA256: 4c8efc47de57cf46707d0279d16b76b23dff1115f526b4034b33c1adc8f6387c
  SHA512: 286732a45c1573ed0fdf19a6fb76523cc36683f394b63bda83d80f9dd864ced64f46d906ee63bc0d4bcb7ac71191d0ea1069a133bf85c2c5e27197a12332e5c4
- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- \Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Filesize: 74KB
  MD5: 8ce78f483110d74e5eff82f76e78a0b0
  SHA1: ea39826209a5084b5cfbf4a89366856fd330b72d
  SHA256: 7a573f3735077c7a97662456d8c5f5001559bc6dd2356ff6e4ef92f5e8a9acad
  SHA512: 69654e33c7ccf5300b92c1e8d4e713671fb0676f01f02e93e500aa62ccd94a96aa6fc2ec9e928b1e8498c7950fa606ba2480bd63a11c379f949d247ff8dc399d
- \Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Filesize: 3.1MB
  MD5: 555437a35bbb26dc74ccbbff9241eef4
  SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
  SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
  SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509