Analysis

Max time kernel: 148s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 12-07-2022 08:48

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Resource: win7-20220414-en

Note: the signatures, process tree and memory dumps on this page come from the Windows 10 run (the dump paths are prefixed behavioral2/); the Windows 7 task is listed but its results are not included here.
General

Target: SecuriteInfo.com.Trojan.Olock.1.12604.exe
Size: 848KB
MD5: 50968c3535895352d411a89114c20feb
SHA1: 449d8d3e5c6a2460a0015ae66a44087ea6920d77
SHA256: af5011d40d9869926e4f208372a75fcd5fd2547f5e406e7e5b5e5aab4a5b7cd3
SHA512: c26830fa525fc03b22cc507234e6c4e39e0f8df677c928f0ac3771c2b2e1fc3950bace8b8ce3a525bd7cb50c1083f964333a84c2cc433a388fe77f5964fcb9cd
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: pdrq
C2 domains (65 entries; XLoader/FormBook configs pad a few live C2 hosts with many decoy domains, so confirm any individual host against the Suricata check-in alerts before calling it C2):
welchsunstar.com
mppservicesllc.com
wiresofteflon.com
brabov.xyz
compnonoch.site
yourbuilderworks.com
iamsamirahman.com
eriqoes.com
eastudio.design
skyearth-est.com
teethfitness.com
razaancreates.com
shfbfs.com
joyfulbrokekids.com
kjbolden.com
howirep.com
deedeesmainecoons.website
e-powair.com
aheatea.com
shalfey0009.xyz
designcolor.style
netflixpaymentpending.ca
bothoitrang3.site
motondiarts.com
staynmocean.com
miamivideoshows.com
berendsit.com
yndzjs.com
yiwenhome.xyz
royaldeals.net
clearvison-ts.com
peluqueriasusanagalan.com
thelittlewellnessstudio.com
gurulotaska.com
smgsj.com
followpanelbd.com
prinirwedding.com
3559.fyi
amcvips.com
bigroof.top
chipbio-zt.com
candelasluxuryretreat.com
jboycephotography.com
affiliateindex.xyz
grannysseasonings.com
lcl-inc-test.com
beadallcreations.jewelry
yzzhome.top
tobe-science.com
cincinnaticustomrenovation.com
survaicommercial.xyz
businessdirectorymania.com
phqworld.com
miamigocars.com
labfour.systems
gregoryzeitler.com
dj-mary.com
one1-day.com
vegfiber.com
sfbayraw.net
xn--bndarsloto-s4a.com
felipesb.com
108580.com
1swj06mjrowgi.xyz
koalaglen.com
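The domain list above is only useful once it is matched against DNS or proxy telemetry, and two details trip up a naive match: the config contains an IDN entry (xn--bndarsloto-s4a.com) that logs may show in Unicode form, and beaconing usually goes to the bare domain or a subdomain. The script below is an added example, not part of the sandbox report: the domain list and the campaign id are copied from the config, the log lines and client addresses are constructed, and the rule that the check-in URL starts with the campaign id as its first path segment is an assumption from general FormBook tradecraft rather than something this page shows.

```python
from __future__ import annotations

from typing import Iterable

# Copied from the extracted config above. XLoader/FormBook configs mix a few
# live C2 hosts with many decoy domains, so a hit means "matches this sample's
# config", not "confirmed C2": confirm against the Suricata check-in alerts.
C2_DOMAINS = """
welchsunstar.com mppservicesllc.com wiresofteflon.com brabov.xyz compnonoch.site
yourbuilderworks.com iamsamirahman.com eriqoes.com eastudio.design skyearth-est.com
teethfitness.com razaancreates.com shfbfs.com joyfulbrokekids.com kjbolden.com
howirep.com deedeesmainecoons.website e-powair.com aheatea.com shalfey0009.xyz
designcolor.style netflixpaymentpending.ca bothoitrang3.site motondiarts.com
staynmocean.com miamivideoshows.com berendsit.com yndzjs.com yiwenhome.xyz
royaldeals.net clearvison-ts.com peluqueriasusanagalan.com
thelittlewellnessstudio.com gurulotaska.com smgsj.com followpanelbd.com
prinirwedding.com 3559.fyi amcvips.com bigroof.top chipbio-zt.com
candelasluxuryretreat.com jboycephotography.com affiliateindex.xyz
grannysseasonings.com lcl-inc-test.com beadallcreations.jewelry yzzhome.top
tobe-science.com cincinnaticustomrenovation.com survaicommercial.xyz
businessdirectorymania.com phqworld.com miamigocars.com labfour.systems
gregoryzeitler.com dj-mary.com one1-day.com vegfiber.com sfbayraw.net
xn--bndarsloto-s4a.com felipesb.com 108580.com 1swj06mjrowgi.xyz koalaglen.com
""".split()

# Campaign identifier from the config. Assumption (general FormBook
# tradecraft, not shown on this page): check-in URLs carry it as the first
# path segment, e.g. /pdrq/?...
CAMPAIGN_PATH = "pdrq"


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and convert Unicode labels to punycode,
    so 'BÁNDARSLOTO.COM.' compares equal to the config's xn--bndarsloto-s4a.com."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # malformed label (e.g. an empty label): compare as-is


C2_SET = {normalize(d) for d in C2_DOMAINS}


def match_domain(host: str) -> str | None:
    """Return the config domain that `host` equals or is a subdomain of, else None."""
    labels = normalize(host).split(".")
    # Walk up the name: www.a.example.com -> a.example.com -> example.com
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_SET:
            return candidate
    return None


def campaign_in_path(path: str) -> bool:
    """True when the first URL path segment is this sample's campaign id."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return bool(segments) and segments[0] == CAMPAIGN_PATH


def find_hits(log_lines: Iterable[str]) -> list[tuple[str, str, str, bool]]:
    """Scan 'timestamp client host path' lines.

    Returns (client, host, matched config domain, campaign path seen)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, host, path = parts[:4]
        matched = match_domain(host)
        if matched:
            hits.append((client, host, matched, campaign_in_path(path)))
    return hits


# Constructed proxy log: exact hit, subdomain hit, Unicode form of the IDN
# entry, and one benign line.
SAMPLE_LOG = [
    "2022-07-12T08:49:01Z 10.0.0.15 www.welchsunstar.com /pdrq/?ab=cd",
    "2022-07-12T08:49:02Z 10.0.0.15 update.microsoft.com /",
    "2022-07-12T08:49:03Z 10.0.0.22 BÁNDARSLOTO.COM. /pdrq/?ef=gh",
    "2022-07-12T08:49:04Z 10.0.0.22 koalaglen.com /",
]

if __name__ == "__main__":
    for client, host, matched, campaign in find_hits(SAMPLE_LOG):
        flag = "check-in path" if campaign else "no campaign path"
        print(f"{client} -> {host}: matches {matched} ({flag})")
```

A hit on a decoy domain still tells you the host ran this sample's payload, because only the implant knows the list; what it does not tell you is which of the 65 domains actually answered, so pair the domain match with the campaign-path flag or the Suricata alert before reporting live C2.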
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Process: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions
-
Xloader payload (4 IoCs)
  YARA rule "xloader" matched in these memory dumps:
  behavioral2/memory/748-143-0x0000000000400000-0x000000000042B000-memory.dmp
  behavioral2/memory/748-156-0x0000000000400000-0x000000000042B000-memory.dmp
  behavioral2/memory/876-160-0x0000000000280000-0x00000000002AB000-memory.dmp
  behavioral2/memory/876-168-0x0000000000280000-0x00000000002AB000-memory.dmp
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Process: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Process: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Process: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. In this run the concrete activity is visible in the process tree: the injected mstsc.exe uses cmd.exe to copy the Chrome and Edge "Login Data" databases to %TEMP%\DB1 and launches Firefox.exe.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: mstsc.exe
  Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YR08FTBPA = "C:\\Program Files (x86)\\H2d6hzl\\g0h82jerfihjl-x.exe"
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Process: SecuriteInfo.com.Trojan.Olock.1.12604.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
-
Suspicious use of SetThreadContext (3 IoCs)
  PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe) set thread context of PID 748 (RegSvcs.exe)
  PID 748 (RegSvcs.exe) set thread context of PID 3004 (Explorer.EXE)
  PID 876 (mstsc.exe) set thread context of PID 3004 (Explorer.EXE)
-
Drops file in Program Files directory (1 IoC)
  Process: mstsc.exe
  File opened for modification: C:\Program Files (x86)\H2d6hzl\g0h82jerfihjl-x.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but no encryption or mass file modification is reported for this sample; here the enumeration sits alongside the other environment checks (BIOS version, disk enumeration) of an infostealer.
-
Program crash (1 IoC)
  PID 5080 (WerFault.exe) handled a crash of PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe)
-
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
(The heading for this IoC table is missing from the extracted page; the process tree below lists the signature for mstsc.exe.) IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data and saved credentials, so creating it from the injected process fits the credential-theft activity rather than a settings change.
  Process: mstsc.exe
  Key created: \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Suspicious behavior: EnumeratesProcesses (34 IoCs)
  3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe (2)
  764 powershell.exe (2)
  748 RegSvcs.exe (4)
  876 mstsc.exe (remaining 26)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  3004 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
  748 RegSvcs.exe (3)
  876 mstsc.exe (4)
-
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  SeDebugPrivilege: 3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe, 764 powershell.exe, 748 RegSvcs.exe, 876 mstsc.exe
  SeShutdownPrivilege: 3004 Explorer.EXE (4)
  SeCreatePagefilePrivilege: 3004 Explorer.EXE (4)
-
Suspicious use of WriteProcessMemory (27 IoCs)
  PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe) wrote to memory of PID 764 (powershell.exe) (3)
  PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe) wrote to memory of PID 1548 (schtasks.exe) (3)
  PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe) wrote to memory of PID 748 (RegSvcs.exe) (6)
  PID 3004 (Explorer.EXE) wrote to memory of PID 876 (mstsc.exe) (3)
  PID 876 (mstsc.exe) wrote to memory of PID 4228 (cmd.exe) (3)
  PID 876 (mstsc.exe) wrote to memory of PID 2584 (cmd.exe) (3)
  PID 876 (mstsc.exe) wrote to memory of PID 4592 (cmd.exe) (3)
  PID 876 (mstsc.exe) wrote to memory of PID 2856 (Firefox.exe) (3)
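Read together, the SetThreadContext and WriteProcessMemory tables give the injection chain: the sample writes into and re-contexts a fresh RegSvcs.exe (hollowing), the hollowed RegSvcs.exe sets a thread context in the already running Explorer.EXE (thread hijack), Explorer starts mstsc.exe, and mstsc.exe in turn hijacks Explorer again. The sandbox also logs a WriteProcessMemory entry for every ordinary child a process starts (powershell.exe, schtasks.exe, the cmd.exe instances, Firefox.exe), so the write alone is not the signal. The script below is an added example, not part of the report: the record strings are copied from the two tables (one copy per pair instead of the sandbox's repeats), and the hollowing / hijack labels are the author's heuristic, not the sandbox's.

```python
import re
from collections import defaultdict

# Record shapes copied from the two signature tables above:
#   "PID <src> set thread context of <dst> <src> <src image> <dst image>"
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")

# Copied from the report; the sandbox repeats each write record several
# times, one copy per pair is enough to rebuild the chain.
RECORDS = [
    "PID 3780 set thread context of 748 3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe RegSvcs.exe",
    "PID 748 set thread context of 3004 748 RegSvcs.exe Explorer.EXE",
    "PID 876 set thread context of 3004 876 mstsc.exe Explorer.EXE",
    "PID 3780 wrote to memory of 764 3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe powershell.exe",
    "PID 3780 wrote to memory of 1548 3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe schtasks.exe",
    "PID 3780 wrote to memory of 748 3780 SecuriteInfo.com.Trojan.Olock.1.12604.exe RegSvcs.exe",
    "PID 3004 wrote to memory of 876 3004 Explorer.EXE mstsc.exe",
    "PID 876 wrote to memory of 4228 876 mstsc.exe cmd.exe",
    "PID 876 wrote to memory of 2584 876 mstsc.exe cmd.exe",
    "PID 876 wrote to memory of 4592 876 mstsc.exe cmd.exe",
    "PID 876 wrote to memory of 2856 876 mstsc.exe Firefox.exe",
]


def parse(records):
    """Return (writes, ctx, images): src pid -> set of target pids, plus pid -> image name."""
    writes, ctx, images = defaultdict(set), defaultdict(set), {}
    for rec in records:
        for pattern, table in ((WRITE, writes), (SET_CTX, ctx)):
            m = pattern.match(rec)
            if m:
                src, dst, src_img, dst_img = m.groups()
                table[src].add(dst)
                images[src], images[dst] = src_img, dst_img
    return writes, ctx, images


def classify(records):
    """Label every SetThreadContext edge.

    A process that both writes into a target and resets one of its thread
    contexts has replaced the target's code (process hollowing). Setting the
    context of a thread in a process it never wrote to, here Explorer.EXE,
    is hijacking an already running thread. Plain writes with no context
    change are ordinary parent-to-child start-up and are reported separately.
    """
    writes, ctx, images = parse(records)
    findings = []
    for src, targets in ctx.items():
        for dst in targets:
            kind = "process hollowing" if dst in writes.get(src, ()) else "thread hijack"
            findings.append((src, images[src], dst, images[dst], kind))
    return sorted(findings, key=lambda f: (int(f[0]), int(f[2])))


def plain_children(records):
    """(parent pid, child pid, child image) for writes with no SetThreadContext."""
    writes, ctx, images = parse(records)
    return sorted(
        (src, dst, images[dst])
        for src, targets in writes.items()
        for dst in targets
        if dst not in ctx.get(src, ())
    )


if __name__ == "__main__":
    for src, src_img, dst, dst_img, kind in classify(RECORDS):
        print(f"{src} {src_img} -> {dst} {dst_img}: {kind}")
    for src, dst, img in plain_children(RECORDS):
        print(f"{src} -> {dst} {img}: ordinary child start")
```

The same split applies to EDR telemetry: a parent writing into a child it just created is normal, a write followed by a thread-context change on the same target is not, and a thread-context change on a process the writer never created (Explorer here) deserves an alert on its own.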
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12604.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12604.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NQprQRmmRihX.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NQprQRmmRihX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1928
      - Program crash

  C:\Windows\SysWOW64\mstsc.exe
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3780 -ip 3780
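Every stage of this tree has a process-creation signature that does not depend on the sample's hashes: a PowerShell that adds a Defender exclusion for a path under the user's profile, schtasks importing a task definition from %TEMP%, RegSvcs.exe (the .NET Services Installation Tool, which normally takes an assembly path) started with no arguments, cmd.exe copying a Chromium "Login Data" database, and cmd.exe being spawned by mstsc.exe. One caveat for rule writers that the tree makes visible: the powershell.exe and schtasks.exe images live under SysWOW64 while their command lines say System32, because the 32-bit parent hits WOW64 file-system redirection; match on the image path the kernel reports, not on the path in the command line. The rules below are an added example, not part of the sandbox report: the events carry the PIDs, parents, images and command lines from the tree above, and the two events with PIDs 9001 and 9002 (including the MSBuild.exe parent path) are constructed benign controls.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 or an EDR equivalent), as the
    kernel reports it: image is the file actually mapped, command_line is
    what the parent passed."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(command_line: str) -> str:
    """Everything after the program token (handles a quoted program path)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    return cl.split(None, 1)[1].strip() if " " in cl else ""


def defender_exclusion_added(e: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion for a path, process or extension."""
    return _base(e.image) == "powershell.exe" and re.search(
        r"add-mppreference\b.*-exclusion(path|process|extension)", e.command_line, re.I
    ) is not None


def task_created_from_temp_xml(e: ProcEvent) -> bool:
    """schtasks importing a task definition that was written to the user's Temp."""
    cl = e.command_line.lower()
    return (_base(e.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and "\\appdata\\local\\temp\\" in cl)


def regsvcs_without_assembly(e: ProcEvent) -> bool:
    """RegSvcs.exe normally takes an assembly path; an argument-less start is a
    classic hollowing host."""
    return _base(e.image) == "regsvcs.exe" and _args(e.command_line) == ""


def browser_login_data_copied(e: ProcEvent) -> bool:
    """cmd copying a Chromium 'Login Data' credential database."""
    cl = e.command_line.lower()
    return _base(e.image) == "cmd.exe" and "copy" in cl and "login data" in cl


def cmd_spawned_by_mstsc(e: ProcEvent) -> bool:
    """The Remote Desktop client has no reason to start a shell."""
    return _base(e.parent_image) == "mstsc.exe" and _base(e.image) == "cmd.exe"


RULES = [
    ("defender_exclusion_added", defender_exclusion_added),
    ("task_created_from_temp_xml", task_created_from_temp_xml),
    ("regsvcs_without_assembly", regsvcs_without_assembly),
    ("browser_login_data_copied", browser_login_data_copied),
    ("cmd_spawned_by_mstsc", cmd_spawned_by_mstsc),
]


def evaluate(events):
    """Return (pid, rule name) for every rule that fires."""
    return [(e.pid, name) for e in events for name, rule in RULES if rule(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12604.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"
# PIDs 764-2584: taken from the process tree above. 9001/9002: constructed controls.
EVENTS = [
    ProcEvent(764, SAMPLE, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\NQprQRmmRihX.exe"'),
    ProcEvent(1548, SAMPLE, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NQprQRmmRihX" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp"'),
    ProcEvent(748, SAMPLE, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(4228, MSTSC, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(2584, MSTSC, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
              r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    ProcEvent(9001, r"C:\Windows\Explorer.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
    ProcEvent(9002, r"C:\Program Files\dotnet\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\build\Service.dll'),
]

if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(f"pid {pid}: {name}")
```

The Defender-exclusion and Temp-XML-task rules are the ones to deploy first: they fire before the payload is injected, they do not depend on which Windows binary XLoader chose as its injection host (mstsc.exe here, another signed binary in another run), and their benign rate in a fleet that does not script Defender from user profiles is close to zero.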
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped files

C:\Users\Admin\AppData\Local\Temp\DB1
  Size: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1
  Size: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

(Two versions of the same path were captured, consistent with the Chrome and Edge "Login Data" copies in the process tree both targeting DB1.)

C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp
  Size: 1KB
  MD5: 2132a33ff038d936578d19350367873c
  SHA1: b4fc32df18074f049a4cdb4e3b81ae5b7a0d3ca4
  SHA256: 69ba4a903d5c902c7b603618e00a5178f74da478301ea14781edf75abb31f2b3
  SHA512: 663529effe0d70e6996ec66ef91939e1138efc73657504a522a0a35e22a928b6d05e2f5d7aa6ef8d65a0248a6ecf49b14564eef60d319c3c90b0294870fac51e

(tmpBB61.tmp is the task definition passed to schtasks.exe /XML in the process tree.)

Memory dumps (dump name, size; PID to image mapping from the process tree)

PID 748 (RegSvcs.exe)
  memory/748-142-0x0000000000000000-mapping.dmp
  memory/748-143-0x0000000000400000-0x000000000042B000-memory.dmp  172KB  (xloader YARA hit)
  memory/748-147-0x0000000001790000-0x0000000001ADA000-memory.dmp  3.3MB
  memory/748-148-0x00000000016C0000-0x00000000016D1000-memory.dmp  68KB
  memory/748-156-0x0000000000400000-0x000000000042B000-memory.dmp  172KB  (xloader YARA hit)

PID 764 (powershell.exe)
  memory/764-136-0x0000000000000000-mapping.dmp
  memory/764-138-0x0000000005310000-0x0000000005346000-memory.dmp  216KB
  memory/764-139-0x0000000005A70000-0x0000000006098000-memory.dmp  6.2MB
  memory/764-141-0x0000000006150000-0x0000000006172000-memory.dmp  136KB
  memory/764-144-0x0000000006220000-0x0000000006286000-memory.dmp  408KB
  memory/764-145-0x00000000068E0000-0x00000000068FE000-memory.dmp  120KB
  memory/764-150-0x0000000006EA0000-0x0000000006ED2000-memory.dmp  200KB
  memory/764-151-0x0000000070350000-0x000000007039C000-memory.dmp  304KB
  memory/764-152-0x0000000006E80000-0x0000000006E9E000-memory.dmp  120KB
  memory/764-153-0x0000000008230000-0x00000000088AA000-memory.dmp  6.5MB
  memory/764-154-0x0000000007BF0000-0x0000000007C0A000-memory.dmp  104KB
  memory/764-157-0x0000000007C60000-0x0000000007C6A000-memory.dmp  40KB
  memory/764-158-0x0000000007E70000-0x0000000007F06000-memory.dmp  600KB
  memory/764-162-0x0000000007E20000-0x0000000007E2E000-memory.dmp  56KB
  memory/764-164-0x0000000007F30000-0x0000000007F4A000-memory.dmp  104KB
  memory/764-165-0x0000000007F10000-0x0000000007F18000-memory.dmp  32KB

PID 876 (mstsc.exe)
  memory/876-155-0x0000000000000000-mapping.dmp
  memory/876-159-0x0000000000350000-0x000000000048A000-memory.dmp  1.2MB
  memory/876-160-0x0000000000280000-0x00000000002AB000-memory.dmp  172KB  (xloader YARA hit)
  memory/876-163-0x0000000002550000-0x000000000289A000-memory.dmp  3.3MB
  memory/876-166-0x00000000022E0000-0x0000000002370000-memory.dmp  576KB
  memory/876-168-0x0000000000280000-0x00000000002AB000-memory.dmp  172KB  (xloader YARA hit)

PID 1548 (schtasks.exe)
  memory/1548-137-0x0000000000000000-mapping.dmp

PID 2584 (cmd.exe)
  memory/2584-170-0x0000000000000000-mapping.dmp

PID 3004 (Explorer.EXE)
  memory/3004-149-0x00000000080E0000-0x0000000008284000-memory.dmp  1.6MB
  memory/3004-167-0x0000000002900000-0x0000000002A2D000-memory.dmp  1.2MB
  memory/3004-169-0x0000000002900000-0x0000000002A2D000-memory.dmp  1.2MB

PID 3780 (SecuriteInfo.com.Trojan.Olock.1.12604.exe)
  memory/3780-130-0x0000000000720000-0x00000000007FA000-memory.dmp  872KB
  memory/3780-131-0x0000000005750000-0x0000000005CF4000-memory.dmp  5.6MB
  memory/3780-132-0x0000000005240000-0x00000000052D2000-memory.dmp  584KB
  memory/3780-133-0x00000000051E0000-0x00000000051EA000-memory.dmp  40KB
  memory/3780-134-0x0000000008BC0000-0x0000000008C5C000-memory.dmp  624KB
  memory/3780-135-0x0000000008B20000-0x0000000008B86000-memory.dmp  408KB

PID 4228 (cmd.exe)
  memory/4228-161-0x0000000000000000-mapping.dmp

PID 4592 (cmd.exe)
  memory/4592-172-0x0000000000000000-mapping.dmp