5f7a80e85c4579a734faa9910dc20069ff9e2bd272c0b6fac61a340abbeca28f

Analysis

max time kernel
267s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
Size

2.3MB
MD5

e32e0ec72fa11f6ed358a0eab5d94b68
SHA1

cbd4c4c96f97dfc70fa965ae93818b933715e267
SHA256

5f7a80e85c4579a734faa9910dc20069ff9e2bd272c0b6fac61a340abbeca28f
SHA512

dd40b98625314bc5f2054f39488bc8a3876c4cc8fa723c60e65ced41abc9444318ef196d36e91b97089a9eb79ec58fee5cd7525559f568dcc6173a155c64fc1b
SSDEEP

49152:ITJYktl6g7iJSB3skrYljjjnDsUill1yJGmEn:/alf1xskrYljjj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\sUAgYkcM\\iyswQQUM.exe,"	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\sUAgYkcM\\iyswQQUM.exe,"	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 5 IoCs

Processes:

juAsMAoA.exeiyswQQUM.exevWEUsEUQ.execver.exevWEUsEUQ.exe

pid process

3228 juAsMAoA.exe
2212 iyswQQUM.exe
4856 vWEUsEUQ.exe
4748 cver.exe
1016 vWEUsEUQ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
3228	juAsMAoA.exe
2212	iyswQQUM.exe
4856	vWEUsEUQ.exe
4748	cver.exe
1016	vWEUsEUQ.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exejuAsMAoA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juAsMAoA.exe = "C:\\Users\\Admin\\HgYgYkIQ\\juAsMAoA.exe"	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juAsMAoA.exe = "C:\\Users\\Admin\\HgYgYkIQ\\juAsMAoA.exe"	juAsMAoA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyswQQUM.exe = "C:\\ProgramData\\sUAgYkcM\\iyswQQUM.exe"	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1924 reg.exe
4828 reg.exe
4380 reg.exe

pid	process
1924	reg.exe
4828	reg.exe
4380	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe

pid	process
3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.execmd.exe

description	pid	process	target process
PID 3616 wrote to memory of 3228	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	juAsMAoA.exe
PID 3616 wrote to memory of 3228	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	juAsMAoA.exe
PID 3616 wrote to memory of 3228	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	juAsMAoA.exe
PID 3616 wrote to memory of 2212	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	iyswQQUM.exe
PID 3616 wrote to memory of 2212	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	iyswQQUM.exe
PID 3616 wrote to memory of 2212	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	iyswQQUM.exe
PID 3616 wrote to memory of 1168	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	cmd.exe
PID 3616 wrote to memory of 1168	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	cmd.exe
PID 3616 wrote to memory of 1168	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	cmd.exe
PID 3616 wrote to memory of 4828	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 4828	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 4828	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 4380	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 4380	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 4380	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 1924	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 1924	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 3616 wrote to memory of 1924	3616	2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe	reg.exe
PID 1168 wrote to memory of 4748	1168	cmd.exe	cver.exe
PID 1168 wrote to memory of 4748	1168	cmd.exe	cver.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_e32e0ec72fa11f6ed358a0eab5d94b68_virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\HgYgYkIQ\juAsMAoA.exe
"C:\Users\Admin\HgYgYkIQ\juAsMAoA.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3228

C:\ProgramData\sUAgYkcM\iyswQQUM.exe
"C:\ProgramData\sUAgYkcM\iyswQQUM.exe"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cver.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\cver.exe
C:\Users\Admin\AppData\Local\Temp\cver.exe
3⤵
- Executes dropped EXE
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:1924

C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
1⤵
- Executes dropped EXE
PID:4856

C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
1⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
Filesize
2.2MB

MD5
2a1910e1dae3e71a98bcf7d588122df2

SHA1
6b956bef44310f26a4767e1f3e406706ec8b41e0

SHA256
42d54c2933b5a452b9bf2dc03d84a09227f5fd31cd98f92b3d915f700d0814b4

SHA512
b02a109c3b01496ec2218f2cffb8cb049c8d21f6ba46b5d24bb750fd459a1774b1d4a6d40f2a6eb1b41765da385287bb7ad71891f63b0825fd359896431c242e

Download Submit
C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
Filesize
2.2MB

MD5
2a1910e1dae3e71a98bcf7d588122df2

SHA1
6b956bef44310f26a4767e1f3e406706ec8b41e0

SHA256
42d54c2933b5a452b9bf2dc03d84a09227f5fd31cd98f92b3d915f700d0814b4

SHA512
b02a109c3b01496ec2218f2cffb8cb049c8d21f6ba46b5d24bb750fd459a1774b1d4a6d40f2a6eb1b41765da385287bb7ad71891f63b0825fd359896431c242e

Download Submit
C:\ProgramData\BAsEAYQM\vWEUsEUQ.exe
Filesize
2.2MB

MD5
2a1910e1dae3e71a98bcf7d588122df2

SHA1
6b956bef44310f26a4767e1f3e406706ec8b41e0

SHA256
42d54c2933b5a452b9bf2dc03d84a09227f5fd31cd98f92b3d915f700d0814b4

SHA512
b02a109c3b01496ec2218f2cffb8cb049c8d21f6ba46b5d24bb750fd459a1774b1d4a6d40f2a6eb1b41765da385287bb7ad71891f63b0825fd359896431c242e

Download Submit
C:\ProgramData\sUAgYkcM\iyswQQUM.exe
Filesize
2.2MB

MD5
e86c9c079618eebd42887fbdb12234e2

SHA1
a49d4fdee3169d6d1a00045770def56270c7d4df

SHA256
79df062f24b12bdcb669377d8e952e983d58b6b8257db129ac20a4823e46e957

SHA512
66d536ce2389c8191afc69f479cc402d1860dbd73a081f4b2573710d3ee61c23862fb3311431fa173403a861f516e0c2cebb9992bcd7b56f4204200be43a9fa5

Download Submit
C:\ProgramData\sUAgYkcM\iyswQQUM.exe
Filesize
2.2MB

MD5
e86c9c079618eebd42887fbdb12234e2

SHA1
a49d4fdee3169d6d1a00045770def56270c7d4df

SHA256
79df062f24b12bdcb669377d8e952e983d58b6b8257db129ac20a4823e46e957

SHA512
66d536ce2389c8191afc69f479cc402d1860dbd73a081f4b2573710d3ee61c23862fb3311431fa173403a861f516e0c2cebb9992bcd7b56f4204200be43a9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cver.exe
Filesize
140KB

MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cver.exe
Filesize
140KB

MD5
0d0b992d2d4b7619f49ee0458d3469b1

SHA1
5d9835b408a231902654d516b48843890f4130e5

SHA256
55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94

SHA512
8435b079d408689fabb3d8713c2d4b86f85f1b9bc4bc79427ee0ae069fafd23a703d71d481a1515bb98a31b90171a75a97c1ec6a9df63170a4961940e04494b7

Download Submit
C:\Users\Admin\HgYgYkIQ\juAsMAoA.exe
Filesize
2.1MB

MD5
f291ca3742ca33e4598a0fbca6018662

SHA1
bf67d051456d0284e8ac6d8615aaca9df8fa3699

SHA256
0a2a81c15456214e1fd6633168e0e6800e591b71df5fea78e8e8780c7117c0b7

SHA512
68accd2f3921f112bc2a3a0516dda3174b53f30dc2b21a7da0ed9231e6139e3440a1625dfa4b068b3194ae2b1499c76356c97b57f08f2b9fa6df9dbedbaf34ff

Download Submit
C:\Users\Admin\HgYgYkIQ\juAsMAoA.exe
Filesize
2.1MB

MD5
f291ca3742ca33e4598a0fbca6018662

SHA1
bf67d051456d0284e8ac6d8615aaca9df8fa3699

SHA256
0a2a81c15456214e1fd6633168e0e6800e591b71df5fea78e8e8780c7117c0b7

SHA512
68accd2f3921f112bc2a3a0516dda3174b53f30dc2b21a7da0ed9231e6139e3440a1625dfa4b068b3194ae2b1499c76356c97b57f08f2b9fa6df9dbedbaf34ff

Download Submit
memory/1016-163-0x0000000000DC0000-0x0000000001DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1168-150-0x0000000000000000-mapping.dmp

Download
memory/1924-155-0x0000000000000000-mapping.dmp

Download
memory/2212-143-0x0000000000000000-mapping.dmp

Download
memory/2212-149-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/2212-146-0x00000000021B0000-0x00000000031B0000-memory.dmp

Filesize
16.0MB

Download
memory/2212-147-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/2212-148-0x00000000021B0000-0x00000000031B0000-memory.dmp

Filesize
16.0MB

Download
memory/3228-140-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3228-141-0x0000000002340000-0x0000000003340000-memory.dmp

Filesize
16.0MB

Download
memory/3228-139-0x0000000002340000-0x0000000003340000-memory.dmp

Filesize
16.0MB

Download
memory/3228-142-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3228-136-0x0000000000000000-mapping.dmp

Download
memory/3616-135-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/3616-132-0x0000000002290000-0x0000000003290000-memory.dmp

Filesize
16.0MB

Download
memory/3616-133-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/3616-134-0x0000000002290000-0x0000000003290000-memory.dmp

Filesize
16.0MB

Download
memory/4380-154-0x0000000000000000-mapping.dmp

Download
memory/4748-158-0x0000000000000000-mapping.dmp

Download
memory/4828-152-0x0000000000000000-mapping.dmp

Download
memory/4856-156-0x0000000000EF0000-0x0000000001EF0000-memory.dmp

Filesize
16.0MB

Download
memory/4856-160-0x0000000000EF0000-0x0000000001EF0000-memory.dmp

Filesize
16.0MB

Download
memory/4856-157-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download