Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2024 06:27

General

  • Target
    2024-12-25_d17dc248fc4714da1b7dce6987892d02_avoslocker_luca-stealer.exe
  • Size
    3.0MB
  • MD5
    d17dc248fc4714da1b7dce6987892d02
  • SHA1
    803c61130ab5ed2ecba9973cfa9051dc17884128
  • SHA256
    78352a58975a346f5c3f9d4056604163234a508d03635a72c76a69a07c7c4300
  • SHA512
    1665d3e16ae664b53f1efe5cfe84ecd8a751e22c807bd059108fb6f8fcd0b47b2317231b584c77806c6e685ffcb3e7771d9636f0198cc3eeed4ca3a44dc0dfbd
  • SSDEEP
    98304:91BfKEkYUJXqxpsDiSfgFKLT39QI3koVyQg3qL81bjR:cJhy8iSf0K39QIJg3l

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/shell_reverse_tcp
  • C2
    192.168.119.137:8990

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-25_d17dc248fc4714da1b7dce6987892d02_avoslocker_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-25_d17dc248fc4714da1b7dce6987892d02_avoslocker_luca-stealer.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2576

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\WinRAR\Rar.txt
    Filesize: 107KB
    MD5: af6766905702754df5bcdf2c138f1095
    SHA1: 6673b0c7206bad71990833151f7dcb68821ebf6e
    SHA256: 971bd3bfcb422d855761f0a1536003e55716ff37dd7b3517baf7d64f3e4fea4b
    SHA512: 6a5903286d86de086a6cc39419b0dbbd2db932f79e5502f5450afd23e9a059ed12f39395f093675a6cfbfeecaeb186755d5cacbdd8d2e761648ef36f9fb13d89

  • C:\Program Files (x86)\WinRAR\WhatsNew.txt
    Filesize: 93KB
    MD5: eb597062d6433ed06834334d4adbb7b4
    SHA1: 97fcb4eb6c41669618b4065909b9e9c53e1357ab
    SHA256: 3a1007071a6f895378337d6bff7854d95508d73c81ae7c1f2ab501e120e1e392
    SHA512: 2211fd33a51bd1b507d0f66a9083cf651193a6842d01ca7eb14b775436f0b456da06d417b9d4c7542dff8f95e4e5ecd10270129e86f7e7ddb901e25b2c1cf527

  • C:\Program Files (x86)\WinRAR\WinRAR.chm
    Filesize: 314KB
    MD5: a79ea3ac4bb8b44449e2b6c639b2fea3
    SHA1: b2d9577a6db88ca3cd10009975944c4209afe859
    SHA256: 01b72aae3af4717fba683f9981d2395f6cdaa02eeb36ce6df26b80b7f34d12f9
    SHA512: a3591018ff223d8460a3479a354847244c85582da0d6117ea5a0e19d4e50fa21a7ca0d858e04f6a3459077ac4adbeff40c15d7c26342d7bff408f606046be6e8

  • C:\Program Files (x86)\WinRAR\WinRAR.exe
    Filesize: 2.4MB
    MD5: 904f7ad062a41f3c90cc55f9ab9f5e51
    SHA1: aeb4684b5b9fb539d513d73a15569d28a03431c4
    SHA256: 679a4727340b97a42d09825774cbefe5e964d2bea6c62a21056f239517443746
    SHA512: cd5d9516c3a4baddbd5a389a4c751a9c2d88f9a34d3b8cb3a6ac92c9dd57335bc1989231bf7dc64a80df221b426a30554a4b46b0a5577e0308366f2424ce317b

  • \Program Files (x86)\WinRAR\Uninstall.exe
    Filesize: 375KB
    MD5: ab1a85e211d1a30a63e7d5ecd8fcdb72
    SHA1: 68513f22c573006fe458780c86e91e3133a4ec17
    SHA256: 31ef12117144cdf3eb3e9dbb1fa383d5ab0a8cc34b520a9bff9621e764634769
    SHA512: 66229476c4c63365dbe62a098e7dda4c043fad3948f074675977f4a4d7d4a5911c40fa0313fd96b688674c027018da89e26da9432bba26a5bee71e29b9c4dcbf

  • memory/2332-0-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB

  • memory/2332-1-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB