d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c

General

Target

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Size

2.3MB
MD5

fe04426caaf094ed341ccc1657e64ae3
SHA1

d1a4ee9243b09c32b52c90d7ee887d5ecacbdd19
SHA256

d3e00146f485478786404bbace60071b9add4db24714a24696bb24576e6e952c
SHA512

077c686419e856e7972936221900374e089b54ee91d9d97b5b85a1657e33b3882b996ceb561f082d36f6788f1086fa60dc5ccc8abe8c1110da9c2ec838835572
SSDEEP

24576:ApeV0t19s+nurr5d7oQUEZZ9ZEB7pZsUcgQqudlaoSJ8XfgR7Gf6A3Lsnjl6/KHo:A0QUdhNoQLrElcRvlaoPoNAyjlRHGP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\YQIkIAQI\\MywsMQMo.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\YQIkIAQI\\MywsMQMo.exe,"	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 4 IoCs

Processes:

wWIkMAkk.exeMywsMQMo.exeaCUccYok.execuninst.exe

pid process

1648 wWIkMAkk.exe
4164 MywsMQMo.exe
4168 aCUccYok.exe
2688 cuninst.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3924 reg.exe
3068 reg.exe
3232 reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1648	wWIkMAkk.exe
4164	MywsMQMo.exe
4168	aCUccYok.exe
2688	cuninst.exe

pid	process
3924	reg.exe
3068	reg.exe
3232	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

pid	process
4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4668 vssvc.exe
Token: SeRestorePrivilege 4668 vssvc.exe
Token: SeAuditPrivilege 4668 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4668	vssvc.exe
Token: SeRestorePrivilege	4668	vssvc.exe
Token: SeAuditPrivilege	4668	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 1648	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	wWIkMAkk.exe
PID 4900 wrote to memory of 1648	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	wWIkMAkk.exe
PID 4900 wrote to memory of 1648	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	wWIkMAkk.exe
PID 4900 wrote to memory of 4164	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	MywsMQMo.exe
PID 4900 wrote to memory of 4164	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	MywsMQMo.exe
PID 4900 wrote to memory of 4164	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	MywsMQMo.exe
PID 4900 wrote to memory of 4264	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	cmd.exe
PID 4900 wrote to memory of 4264	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	cmd.exe
PID 4900 wrote to memory of 4264	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	cmd.exe
PID 4900 wrote to memory of 3924	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3924	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3924	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3068	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3068	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3068	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3232	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3232	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4900 wrote to memory of 3232	4900	2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe	reg.exe
PID 4264 wrote to memory of 2688	4264	cmd.exe	cuninst.exe
PID 4264 wrote to memory of 2688	4264	cmd.exe	cuninst.exe

C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2022-11-23_fe04426caaf094ed341ccc1657e64ae3_virlock.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\oQwsgEcs\wWIkMAkk.exe
"C:\Users\Admin\oQwsgEcs\wWIkMAkk.exe"
2⤵
- Executes dropped EXE
PID:1648

C:\ProgramData\YQIkIAQI\MywsMQMo.exe
"C:\ProgramData\YQIkIAQI\MywsMQMo.exe"
2⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuninst.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\cuninst.exe
C:\Users\Admin\AppData\Local\Temp\cuninst.exe
3⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:3232

C:\ProgramData\XIgIokMI\aCUccYok.exe
C:\ProgramData\XIgIokMI\aCUccYok.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XIgIokMI\aCUccYok.exe

Filesize
2.1MB

MD5
3efef294f0550c1a98d47e6c8c59fb03

SHA1
b9c040d21a43d3cde4df997aaac1596e8aca79bf

SHA256
997939aa3286cbe1497977481e4b72aec07ff0fb0ee3c1acaad5171bc2103707

SHA512
4fe258b7734ec3d44dbb0c0d6b2df1c54f7d1e2e2ecd5e00b1b0ff49f4d467b858bdb4e32352b786bc2cbea9acdd86a91d40789ddd158a4e36fc678b4524c997

Download Submit
C:\ProgramData\XIgIokMI\aCUccYok.exe

Filesize
2.1MB

MD5
3efef294f0550c1a98d47e6c8c59fb03

SHA1
b9c040d21a43d3cde4df997aaac1596e8aca79bf

SHA256
997939aa3286cbe1497977481e4b72aec07ff0fb0ee3c1acaad5171bc2103707

SHA512
4fe258b7734ec3d44dbb0c0d6b2df1c54f7d1e2e2ecd5e00b1b0ff49f4d467b858bdb4e32352b786bc2cbea9acdd86a91d40789ddd158a4e36fc678b4524c997

Download Submit
C:\ProgramData\YQIkIAQI\MywsMQMo.exe

Filesize
2.2MB

MD5
620567c36bf7857264beff49d72a7703

SHA1
011678a829bc421ea32a105446087061990f6672

SHA256
3e3c76b1e55cffa2068def53de1cde2777b27c4d1fd64d1efaec271ce21f5d9e

SHA512
9b6d6323d2b5c22ea0bbe2c442e6ad6ea3311bd2f793550b8666f5b6f5c5ac7876f2e6ecad18496df714e984a79c7c93baee4b24d40e310517e3f3c403b130b7

Download Submit
C:\ProgramData\YQIkIAQI\MywsMQMo.exe

Filesize
2.2MB

MD5
620567c36bf7857264beff49d72a7703

SHA1
011678a829bc421ea32a105446087061990f6672

SHA256
3e3c76b1e55cffa2068def53de1cde2777b27c4d1fd64d1efaec271ce21f5d9e

SHA512
9b6d6323d2b5c22ea0bbe2c442e6ad6ea3311bd2f793550b8666f5b6f5c5ac7876f2e6ecad18496df714e984a79c7c93baee4b24d40e310517e3f3c403b130b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuninst.exe

Filesize
140KB

MD5
3bc2cb2446a5b8fffd7ab3a98b9f51f6

SHA1
4f898bd1af88359128837e58cfe2a52f192a5d1f

SHA256
2ae11cc8a144df879a7be3fb6b1ce2cdce6c720a3e8c73b3a33fe120133b51b8

SHA512
482f58d2f62b6ebfc5822b5afd63b64a1fc99dd32cafdbd67ac0b206f055b3ca9415905494c375c4d7c5f22e86b53fb8d7a8943504b157df21c5a5b52e9b632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuninst.exe

Filesize
140KB

MD5
3bc2cb2446a5b8fffd7ab3a98b9f51f6

SHA1
4f898bd1af88359128837e58cfe2a52f192a5d1f

SHA256
2ae11cc8a144df879a7be3fb6b1ce2cdce6c720a3e8c73b3a33fe120133b51b8

SHA512
482f58d2f62b6ebfc5822b5afd63b64a1fc99dd32cafdbd67ac0b206f055b3ca9415905494c375c4d7c5f22e86b53fb8d7a8943504b157df21c5a5b52e9b632b

Download Submit
C:\Users\Admin\oQwsgEcs\wWIkMAkk.exe

Filesize
2.1MB

MD5
1571b23fade630c2f284dcb940c28c01

SHA1
53ac556a8a927cc5fff89aa59a9ecc03d5af1fa5

SHA256
4146c1013b6f9d9e16598dbe112aebec2cd1e9fffc03ffa3ca5837a96c2f682e

SHA512
c8138c01167ab67fcdf03a9164de56b1c139fae68240ce8445ea7a9af5f840200c21b65bdc5ad1647e7ccc0d4dbbdc7dbd22d4afee661bcb2b5296be4670c735

Download Submit
C:\Users\Admin\oQwsgEcs\wWIkMAkk.exe

Filesize
2.1MB

MD5
1571b23fade630c2f284dcb940c28c01

SHA1
53ac556a8a927cc5fff89aa59a9ecc03d5af1fa5

SHA256
4146c1013b6f9d9e16598dbe112aebec2cd1e9fffc03ffa3ca5837a96c2f682e

SHA512
c8138c01167ab67fcdf03a9164de56b1c139fae68240ce8445ea7a9af5f840200c21b65bdc5ad1647e7ccc0d4dbbdc7dbd22d4afee661bcb2b5296be4670c735

Download Submit
memory/1648-141-0x0000000002110000-0x0000000003110000-memory.dmp

Filesize
16.0MB

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/1648-147-0x0000000002110000-0x0000000003110000-memory.dmp

Filesize
16.0MB

Download
memory/2688-157-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/2688-154-0x0000000000000000-mapping.dmp

Download
memory/2688-158-0x00007FF9F3300000-0x00007FF9F3DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-152-0x0000000000000000-mapping.dmp

Download
memory/3232-153-0x0000000000000000-mapping.dmp

Download
memory/3924-150-0x0000000000000000-mapping.dmp

Download
memory/4164-144-0x0000000002240000-0x0000000003240000-memory.dmp

Filesize
16.0MB

Download
memory/4164-138-0x0000000000000000-mapping.dmp

Download
memory/4168-151-0x0000000000F40000-0x0000000001F40000-memory.dmp

Filesize
16.0MB

Download
memory/4168-148-0x0000000000F40000-0x0000000001F40000-memory.dmp

Filesize
16.0MB

Download
memory/4168-145-0x0000000000F40000-0x0000000001F40000-memory.dmp

Filesize
16.0MB

Download
memory/4264-149-0x0000000000000000-mapping.dmp

Download
memory/4900-146-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download
memory/4900-132-0x00000000023C0000-0x00000000033C0000-memory.dmp

Filesize
16.0MB

Download
memory/4900-134-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download
memory/4900-133-0x00000000023C0000-0x00000000033C0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads