xred | db0e411a92e50a355454661f59b72cba859f17069a246895e3f4f0c3e62cf137

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Size

3.1MB
MD5

06de160b924d40d3e9fa1ec4a7a126bb
SHA1

c7e29826c3f4107d3c2494e6bb2a36a7b3a044aa
SHA256

db0e411a92e50a355454661f59b72cba859f17069a246895e3f4f0c3e62cf137
SHA512

87e3a3fba9834253678f69e842b1185ff5510941e91ac4c1a1702e000aa1e5d694e1605f6b3404a97a65f397578fd32da4f8a7987ad9cbb88065ea7ef41fb875
SSDEEP

49152:5dGnsHyjtk2MYC5GDoOU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/0:TGnsmtk2apOU/jIEeQfoR/IuOFVjUu5W

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2920	zgokr00.exe
2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2712	vshost32.exe
2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
3028	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Loads dropped DLL 9 IoCs

pid	Process
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2920	zgokr00.exe
2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2712	vshost32.exe
2712	vshost32.exe
2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd = "C:\\Users\\Admin\\AppData\\Roaming\\Dibifu_9\\vshost32.exe"	vshost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgokr00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3028	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
3028	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2920	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	30
PID 2568 wrote to memory of 2920	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	30
PID 2568 wrote to memory of 2920	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	30
PID 2568 wrote to memory of 2920	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	30
PID 2568 wrote to memory of 2908	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	31
PID 2568 wrote to memory of 2908	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	31
PID 2568 wrote to memory of 2908	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	31
PID 2568 wrote to memory of 2908	2568	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	31
PID 2920 wrote to memory of 2712	2920	zgokr00.exe	32
PID 2920 wrote to memory of 2712	2920	zgokr00.exe	32
PID 2920 wrote to memory of 2712	2920	zgokr00.exe	32
PID 2920 wrote to memory of 2712	2920	zgokr00.exe	32
PID 2920 wrote to memory of 2344	2920	zgokr00.exe	33
PID 2920 wrote to memory of 2344	2920	zgokr00.exe	33
PID 2920 wrote to memory of 2344	2920	zgokr00.exe	33
PID 2920 wrote to memory of 2344	2920	zgokr00.exe	33
PID 2344 wrote to memory of 1992	2344	cmd.exe	35
PID 2344 wrote to memory of 1992	2344	cmd.exe	35
PID 2344 wrote to memory of 1992	2344	cmd.exe	35
PID 2344 wrote to memory of 1992	2344	cmd.exe	35
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2908 wrote to memory of 2980	2908	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	36
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37
PID 2980 wrote to memory of 3028	2980	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	37

C:\Users\Admin\AppData\Local\Temp\2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
  "C:\Users\Admin\AppData\Local\Temp\zgokr00.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe
    "C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
- C:\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\jds259425513.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259425513.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
2.2MB

MD5
d6d7f90978a6aa6a4bb1eaa53154881d

SHA1
9a2e8a8464bf5b28229faea669f2ae6d6a0973d2

SHA256
5cb03fddbe1e55a14282171eb4768a8cffa1d12a7123a63caba364c8f5495a54

SHA512
ff8190d9fdc1cee5838c31808bf347af089624c9fe971c10fe8cecfd39a6cafde13dfc82694184e854e9e734d66ae1f0a961fcef4afd8b2740eb2c6afbf51e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259425513.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
1.9MB

MD5
a05dbfbe3a88017f1ec5b2abf96ed0ad

SHA1
7ee98080fe870e6be5828ab4d82982367532ddb3

SHA256
8b73184c395fac04d2dcb40244430a9b9d4e3094a06d8a4d129435e00f147171

SHA512
5a600c2984c761b34e1aacaa73c8e6848bdc488a9582c8f30076f883644a93455fc9f57a9bb142ae8607df2e2ef02522e797712ab35a957238865820a115457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
0686ff8b2faa717dbe0f2c9934acae46

SHA1
0eeefcb51d4e98e5636d306172faea4a2e424c7e

SHA256
e9b4b93b3c57e3b89abe1972eaecbb1c06096d5227f4d145e3affa54c587d7d6

SHA512
3f18cc467976ceb1de79f00a36312edfa48a6bacb663d3c9fc06934b333a47d1af3858b226cc042fd0520d61fbc4605043a18ddae4a0e0cb07e96dfb2c7a9103

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
32KB

MD5
2071d48e8db4cb44cbeea7151f9d7696

SHA1
6d408fc968cc513d7730c8b0d232c7428a13feda

SHA256
fe147b9ab40fdca340ce0ac48a347b5e6761623323a86ec6e084733d5ede3f90

SHA512
cb02518e1d642116822a42875ebd2bc66a2ef38466937411587d725362fd2e9ba67b667f9b38c4984f963c0e40f021cb3d0e1da2a0b3fd88d399a9d77d13775d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgokr00.exe

Filesize
182KB

MD5
a72fdeb367d01313d3bb84d705928ae3

SHA1
5d18508c8e09808c3be38c6ecad0f75198eec5c3

SHA256
dc50f43227259376b18c450471ac19a426a21d6ebe5f5bc8b821b053ab0431e6

SHA512
46ef2f75d0762dd64e6d102398a506d1c58848dd23e58dc5e28a2dca2992a32f180c86803f8400cbe62ecafe62b059b291871c8c33b16a32003ec67ac99a95b2

Download Submit
\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
3.0MB

MD5
864aaf86f3c22e6370742fab8821f738

SHA1
21dc4ce7892765671668d7c2b784b14ef7f7bdd1

SHA256
952ec7fec4cfdf64142995052776e8346f082b105cf26c5d0a94995f03582923

SHA512
62c32126de48fe890c5aef5152c7146e07c48aaaa01ae6cfe4d122f23f06b1d6756e52efc6ddea01a0936932669d5863acd7688dab3fef89b188c0bc65ec3b73

Download Submit
\Users\Admin\AppData\Roaming\Dibifu_9\IconExtractor.dll

Filesize
10KB

MD5
a21a157e7f27cb80cdd82cdb02dc2da6

SHA1
90a8a42d7356f06b1c144e657071461ddb224752

SHA256
35ba8730dd874fca3c0348bb38f972c099dbc7ba0f1c9b748dcfebdde1b0004e

SHA512
c4c68a9fa6f130526a0a0ec010d92dae38b81aebcf0fa3256b561987aa7b26e98b69bbc2acad4bafdc29ee2e6f714d81583baac2e28a8a25f62045ad84dba2a5

Download Submit
memory/2568-1-0x0000000001170000-0x00000000011A4000-memory.dmp

Filesize
208KB

Download
memory/2568-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-192-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-191-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2568-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2712-58-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2712-37-0x0000000000C10000-0x0000000000C44000-memory.dmp

Filesize
208KB

Download
memory/2908-193-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2920-66-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-18-0x0000000000B90000-0x0000000000BC4000-memory.dmp

Filesize
208KB

Download
memory/2920-19-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download