Analysis

Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-12-2024 20:00

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Resource: win7-20241010-en
General

Target: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Size: 3.1MB
MD5: 555437a35bbb26dc74ccbbff9241eef4
SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509
SSDEEP: 49152:TIAE0miU9mNKtcsS1OU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:+EUhcsaOU/jIEeQfoR/IuOFVjUu5
Malware Config
(none extracted; the family names in the target filename come from the submitted filename, not from this report)
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
    Process: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 14: api.ipify.org

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to collect system information.
  PID 3908: powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: powershell.exe (x4), calc.exe, 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
  Note that calc.exe, which the sample launched, opened the same key; this key is read by ordinary processes, so on its own it is weak evidence compared with the Geo\Nation query above.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings
    Process: calc.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PIDs: 3908 powershell.exe (x2), 1512 powershell.exe (x2), 3668 powershell.exe (x2), 4720 powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  PID 3908 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are privilege LUIDs the report did not resolve to names)
  PID 4052 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe: SeDebugPrivilege
  PID 1512 powershell.exe: SeDebugPrivilege
  PID 3668 powershell.exe: SeDebugPrivilege
  PID 4720 powershell.exe: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2264: OpenWith.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Source in every case: PID 4052, 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
    wrote to PID 3908 (procid_target 83), 3 times
    wrote to PID 1512 (procid_target 88), 3 times
    wrote to PID 3668 (procid_target 91), 3 times
    wrote to PID 4720 (procid_target 94), 3 times
    wrote to PID 2252 (procid_target 99), 3 times
  The targets are exactly the five children the sample created and the writes coincide with their creation; no write into an unrelated process is recorded, so this signature is not by itself evidence of injection into a third-party process.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (PID 4052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3908)
      Command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1512)
      Command line: "powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3668)
      Command line: "powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4720)
      Command line: "powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\calc.exe (PID 2252)
      Command line: "C:\Windows\System32\calc.exe"
      - System Location Discovery: System Language Discovery
      - Modifies registry class

C:\Windows\system32\OpenWith.exe (PID 2264)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

Reading the tree: every child of the sample runs from SysWOW64, so the sample is a 32-bit image; calc.exe's command line names System32, but WoW64 file system redirection resolved it to the SysWOW64 copy. The four PowerShell one-liners each pull a single hardware value (total physical memory, SMBIOS BIOS version, RAM speed, GPU name), the values commonly compared against virtual-machine and sandbox defaults; together with the Geo\Nation query this is a host-fingerprinting stage. Beyond launching calc.exe, no further stage is recorded within the 148s kernel window; whether the sample stopped because it recognised the sandbox cannot be established from this report. OpenWith.exe is a separate root because it was started by COM activation (the -Embedding switch), not by the sample.
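The pattern above (one parent spawning a burst of powershell.exe children that each run a single WMI/CIM hardware query, plus the parent reading the Geo\Nation key) can be hunted for in process-creation and registry telemetry. The following is an added detection example written for this page; it is not part of the sandbox report or its vendor's tooling. The event schema, the timestamps, and the benign PID 900/901 pair are assumptions; the PIDs, images, command lines and registry keys are taken from the report.

```python
"""Detection logic for the host-fingerprinting pattern in this report: one parent
spawning a burst of powershell.exe children that each run a single WMI/CIM
hardware query, plus the parent reading the Geo\\Nation geofence key."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: float      # seconds since task start (constructed, not in the report)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    ts: float
    pid: int
    image: str
    key: str
    op: str        # "query", "open" or "create"


# WMI/CIM classes whose values are typical VM/sandbox fingerprint inputs
FINGERPRINT_CLASSES = {
    "win32_computersystem", "win32_bios", "win32_physicalmemory", "win32_videocontroller",
}
WMI_QUERY = re.compile(
    r"(?i)(?:get-wmiobject|gwmi|get-ciminstance)\s+(?:-class(?:name)?\s+)?(win32_\w+)"
)


def wmi_class(cmdline):
    """Return the lower-cased Win32_* class a PowerShell command line queries, or None."""
    m = WMI_QUERY.search(cmdline)
    return m.group(1).lower() if m else None


def find_fingerprint_bursts(events, min_classes=3, window_s=120.0):
    """Group powershell.exe children by parent PID and flag parents that query at
    least `min_classes` distinct fingerprint classes within `window_s` seconds.
    One interactive Get-WmiObject Win32_BIOS from an admin does not meet the bar."""
    by_parent = defaultdict(list)
    for e in events:
        if not e.image.lower().endswith("\\powershell.exe"):
            continue
        cls = wmi_class(e.cmdline)
        if cls in FINGERPRINT_CLASSES:
            by_parent[e.ppid].append((e.ts, cls, e.pid))
    hits = []
    for ppid, kids in by_parent.items():
        kids.sort()
        classes = sorted({c for _, c, _ in kids})
        span = kids[-1][0] - kids[0][0]
        if len(classes) >= min_classes and span <= window_s:
            hits.append({"ppid": ppid, "classes": classes,
                         "child_pids": [p for _, _, p in kids], "span_s": span})
    return hits


def find_geofence_reads(reg_events):
    """Geo\\Nation is a strong geofence signal; NLS\\Language is opened by ordinary
    processes too (calc.exe opened it in this report), so it is reported separately."""
    nation, language = [], []
    for e in reg_events:
        k = e.key.lower()
        if k.endswith("\\control panel\\international\\geo\\nation"):
            nation.append((e.pid, e.image))
        elif k.endswith("\\control\\nls\\language"):
            language.append((e.pid, e.image))
    return {"geo_nation": nation, "nls_language": language}


# Constructed events mirroring the report's process tree. PIDs, images and command
# lines come from the page; timestamps and the benign PID 900/901 pair are made up.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-22_555437a35bbb26dc74ccbbff9241eef4"
          "_avoslocker_hijackloader_luca-stealer.exe")
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CALC = "C:\\Windows\\SysWOW64\\calc.exe"
PROC_EVENTS = [
    ProcEvent(0.0, 3908, 4052, PS32, "powershell (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory"),
    ProcEvent(4.0, 1512, 4052, PS32, "powershell Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion"),
    ProcEvent(8.0, 3668, 4052, PS32, "powershell Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed"),
    ProcEvent(12.0, 4720, 4052, PS32, "powershell Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"),
    ProcEvent(16.0, 2252, 4052, CALC, "C:\\Windows\\System32\\calc.exe"),
    ProcEvent(30.0, 901, 900, PS64, "powershell Get-WmiObject Win32_BIOS"),  # benign one-off, must not fire
]
SID = "S-1-5-21-493223053-2004649691-1575712786-1000"
NLS = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"
REG_EVENTS = [
    RegEvent(0.5, 4052, SAMPLE, "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation", "query"),
    RegEvent(1.0, 3908, PS32, NLS, "open"),
    RegEvent(16.5, 2252, CALC, NLS, "open"),
]


def analyze(proc_events=PROC_EVENTS, reg_events=REG_EVENTS):
    """Run both detectors; the result is shaped for use as an alert payload."""
    return {"fingerprint_bursts": find_fingerprint_bursts(proc_events),
            "geofence": find_geofence_reads(reg_events)}
```

Running `analyze()` on the constructed events flags PID 4052 with four distinct fingerprint classes over a 12 s span and attributes the Geo\Nation query to it, while the single Win32_BIOS query from the assumed interactive parent stays below the threshold. The burst threshold and window are the tunables to adjust against your own baseline of administrative PowerShell use.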
Network: flow 14 to api.ipify.org (see Signatures)
MITRE ATT&CK mapping: Enterprise v15
Downloads
(file names were not captured on this page; only sizes and hashes are listed)

File 1
  Filesize: 2KB
  MD5: 123cd8a916c430f236f9ae908a55cc6d
  SHA1: 31cbd1fbc8bfe8bed2d0bf569f64ba9681682654
  SHA256: 7aa5033e789da9d48b185be91ba0763769f9a846d782e02934484d0610b43667
  SHA512: 24e036c4ddcaefa2069f7bfbc6ef71144595e2db6bef104118347bdcc4061cf321ab0a18e944338cc273d151c76666774cc2c50dbe5c2bf4b9ce8f3119e61da7

File 2
  Filesize: 18KB
  MD5: c6774cd04c9e894c680e1104adeb6bf7
  SHA1: 7b23dd1afa3f6e6038cd3b8a22b1d93b0501afd9
  SHA256: 088b3461346379195e4680d5cf8eaea141a26c1859e8597961cbf83b02c468b1
  SHA512: 5b7476d2d49b36c29a93be6823cf5a62c5179d44eb82716ecd063d97763935b7d40a0ee666407acbc2f420468458e593b3e4178259bbfef1a0c7b261fcdc208d

File 3
  Filesize: 17KB
  MD5: 5997e8ad535913cfa44a6631813f8b09
  SHA1: 23da20696e30fc8346daf6f1857ef0f8560cf257
  SHA256: 745bad9d03d08dd030bff0fa720770890d69826e17838c3a9b910fe331708d9b
  SHA512: da83ba505aca229d5462599f5ba7735cda92ffb6590cd6d225d0b11acf22852bd4ea1793d5b046e35b4049b016bdff2c13e0f1169b093a3df75e1235eba1a5ca

File 4
  Filesize: 16KB
  MD5: 332c9206487a89642dc177ece7e2210e
  SHA1: fbac0d799a302daa394c3e8ab6324d8c516267bb
  SHA256: 8a57ba2b2fee47500d9d6d3e1ddf1c112f029d4cf8cd68319930e4429061eae6
  SHA512: d95ac5779cdd553b94574db05f5eaada2fbe9427285fc5d1e4382c8649c8199385c378aafea96b752bc718fdd109b20798b3535f391f47bb1c14aa78de928ff6

File 5
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82