d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c

Analysis

max time kernel
11s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Size

2.3MB
MD5

fe04426caaf094ed341ccc1657e64ae3
SHA1

d1a4ee9243b09c32b52c90d7ee887d5ecacbdd19
SHA256

d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c
SHA512

077c686419e856e7972936221900374e089b54ee91d9d97b5b85a1657e33b3882b996ceb561f082d36f6788f1086fa60dc5ccc8abe8c1110da9c2ec838835572
SSDEEP

24576:ApeV0t19s+nurr5d7oQUEZZ9ZEB7pZsUcgQqudlaoSJ8XfgR7Gf6A3Lsnjl6/KHo:A0QUdhNoQLrElcRvlaoPoNAyjlRHGP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Executes dropped EXE 3 IoCs

Processes:

GGAgQckw.exekyMkQAwA.exeHckEAcIA.exe

pid process

896 GGAgQckw.exe
1124 kyMkQAwA.exe
936 HckEAcIA.exe

pid	process
896	GGAgQckw.exe
1124	kyMkQAwA.exe
936	HckEAcIA.exe

Loads dropped DLL 7 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exekyMkQAwA.exe

pid	process
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1124	kyMkQAwA.exe
1124	kyMkQAwA.exe
1124	kyMkQAwA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kyMkQAwA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kyMkQAwA.exe = "C:\\ProgramData\\dCAUEcQM\\kyMkQAwA.exe"	kyMkQAwA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

pid process

1208 2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
1208 2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

description	pid	process	target process
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 896	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	GGAgQckw.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe
PID 1208 wrote to memory of 1124	1208	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	kyMkQAwA.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\YSgYcEUo\GGAgQckw.exe
"C:\Users\Admin\YSgYcEUo\GGAgQckw.exe"
2⤵
- Executes dropped EXE
PID:896

C:\ProgramData\dCAUEcQM\kyMkQAwA.exe
"C:\ProgramData\dCAUEcQM\kyMkQAwA.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1124

C:\ProgramData\nqQcwcEc\HckEAcIA.exe
C:\ProgramData\nqQcwcEc\HckEAcIA.exe
1⤵
- Executes dropped EXE
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dCAUEcQM\kyMkQAwA.exe

Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
C:\ProgramData\nqQcwcEc\HckEAcIA.exe

Filesize
2.1MB

MD5
cf969db610434896688c316e65d0b255

SHA1
9763b794e07bf27c3ee81497e852670bb45f24c2

SHA256
e4bfa2bc34e525653315f453b9b853b943cde13e38f67a0e8dab4d3ab52cd0fd

SHA512
877842f13984e9498ee46e4987f91f269fca7f44b53ded1f3b135ab56645ad3ad2ec8ff648ceea5593377c9d375a2643e9e1ab5c6382a8269f9afb50dac41db1

Download Submit
C:\Users\Admin\YSgYcEUo\GGAgQckw.exe

Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\ProgramData\dCAUEcQM\kyMkQAwA.exe

Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
\ProgramData\dCAUEcQM\kyMkQAwA.exe

Filesize
2.1MB

MD5
0d31170deedaf79813865f2fef44d9aa

SHA1
dc0fc53e4be84ccd341e47c9b7ed30a74966fcf0

SHA256
00cc6123cbca3b49a70236859afe55891adeca2dbb54203e17bebe90f126e0db

SHA512
dc08a7a8cdcf072e7566c5a5bf7f00964bad04e152df14950eaf470b56aacfd5c4c0f03a7caacf9ae108fcb824ee3fb2856d692658f9606bff59401881d4283d

Download Submit
\Users\Admin\YSgYcEUo\GGAgQckw.exe

Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
\Users\Admin\YSgYcEUo\GGAgQckw.exe

Filesize
2.1MB

MD5
5e2492c07b93867d49552daf2728e6e8

SHA1
4a3c6c85ffa14ac2e7c5adbc66ab86c642bcb42b

SHA256
fdafc7c8deaf7a639a227f6a8a69b98d78ac4226c18a8e7b04d508e8ef778268

SHA512
3ee81e7d30f4a37a0b0b76eec2b6e72d47f2c7779992d4adbcacb3d18440bbc39b34d840236a945f46e08a46f564dc1b455fff5e534791aaf328f3560a7a26f4

Download Submit
memory/896-66-0x0000000001F50000-0x0000000002F50000-memory.dmp

Filesize
16.0MB

Download
memory/896-58-0x0000000000000000-mapping.dmp

Download
memory/1124-63-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1208-54-0x0000000001F10000-0x0000000002F10000-memory.dmp

Filesize
16.0MB

Download
memory/1208-55-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download