d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c

Analysis

max time kernel
11s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Size

2.3MB
MD5

fe04426caaf094ed341ccc1657e64ae3
SHA1

d1a4ee9243b09c32b52c90d7ee887d5ecacbdd19
SHA256

d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c
SHA512

077c686419e856e7972936221900374e089b54ee91d9d97b5b85a1657e33b3882b996ceb561f082d36f6788f1086fa60dc5ccc8abe8c1110da9c2ec838835572
SSDEEP

24576:ApeV0t19s+nurr5d7oQUEZZ9ZEB7pZsUcgQqudlaoSJ8XfgR7Gf6A3Lsnjl6/KHo:A0QUdhNoQLrElcRvlaoPoNAyjlRHGP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Executes dropped EXE 3 IoCs

Processes:

GGAgQckw.exekyMkQAwA.exeHckEAcIA.exe

pid process

896 GGAgQckw.exe
1124 kyMkQAwA.exe
936 HckEAcIA.exe

pid	process
896	GGAgQckw.exe
1124	kyMkQAwA.exe
936	HckEAcIA.exe

Loads dropped DLL 7 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exekyMkQAwA.exe

pid	process
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1124	kyMkQAwA.exe
1124	kyMkQAwA.exe
1124	kyMkQAwA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kyMkQAwA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kyMkQAwA.exe = "C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe"	kyMkQAwA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

pid process

1208 2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208 2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

description	pid	process	target process
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\YSgYcEUo\GGAgQckw.exe
"C:\Users\Admin\YSgYcEUo\GGAgQckw.exe"
2⤵
- Executes dropped EXE
PID:896

C:\ProgramData\dCAUEcQM\kyMkQAwA.exe
"C:\ProgramData\dCAUEcQM\kyMkQAwA.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1124

C:\ProgramData\nqQcwcEc\HckEAcIA.exe
C:\ProgramData\nqQcwcEc\HckEAcIA.exe
1⤵
- Executes dropped EXE
PID:936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dCAUEcQM\kyMkQAwA.exe
Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
C:\ProgramData\nqQcwcEc\HckEAcIA.exe
Filesize
2.1MB

MD5
cf969db610434896688c316e65d0b255

SHA1
9763b794e07bf27c3ee81497e852670bb45f24c2

SHA256
e4bfa2bc34e525653315f453b9b853b943cde13e38f67a0e8dab4d3ab52cd0fd

SHA512
877842f13984e9498ee46e4987f91f269fca7f44b53ded1f3b135ab56645ad3ad2ec8ff648ceea5593377c9d375a2643e9e1ab5c6382a8269f9afb50dac41db1

Download Submit
C:\Users\Admin\YSgYcEUo\GGAgQckw.exe
Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\dCAUEcQM\kyMkQAwA.exe
Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
\ProgramData\dCAUEcQM\kyMkQAwA.exe
Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
\Users\Admin\YSgYcEUo\GGAgQckw.exe
Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
\Users\Admin\YSgYcEUo\GGAgQckw.exe
Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
memory/896-66-0x0000000001F50000-0x0000000002F50000-memory.dmp

Filesize
16.0MB

Download
memory/896-58-0x0000000000000000-mapping.dmp

Download
memory/1124-63-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1208-54-0x0000000001F10000-0x0000000002F10000-memory.dmp

Filesize
16.0MB

Download
memory/1208-55-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads