Malware Analysis Report

2025-01-03 05:11

Sample ID 230304-jve6psdc77
Target WinLocker Builder (test version).exe
SHA256 f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017
Tags bitrat bootkit evasion persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017

Threat Level: Known bad

The file WinLocker Builder (test version).exe was found to be: Known bad.

Malicious Activity Summary

bitrat bootkit evasion persistence trojan

BitRAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-04 07:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-04 07:59

Reported

2023-03-04 08:01

Platform

win7-20230220-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"

Signatures

BitRAT

trojan bitrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe" C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
(the same entry is reported 26 times, all from the sample's own process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 current-necessity.at.ply.gg udp
US 209.25.141.212:49446 current-necessity.at.ply.gg tcp

Files

memory/1772-55-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-56-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-57-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-58-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-59-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-61-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-60-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-62-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-63-0x0000000000160000-0x000000000016A000-memory.dmp

memory/1772-64-0x0000000000160000-0x000000000016A000-memory.dmp

memory/1772-65-0x0000000001170000-0x0000000001E1B000-memory.dmp

memory/1772-66-0x0000000000160000-0x000000000016A000-memory.dmp

memory/1772-67-0x0000000000160000-0x000000000016A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-04 07:59

Reported

2023-03-04 08:01

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"

Signatures

BitRAT

trojan bitrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe耀" C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe" C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A
(the same entry is reported 29 times, all from the sample's own process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 current-necessity.at.ply.gg udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 209.25.141.212:49446 current-necessity.at.ply.gg tcp
US 8.8.8.8:53 212.141.25.209.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 209.25.141.212:49446 current-necessity.at.ply.gg tcp
US 209.25.141.212:49446 current-necessity.at.ply.gg tcp
US 209.25.141.212:49446 current-necessity.at.ply.gg tcp
US 20.189.173.12:443 N/A tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.20.126:80 N/A tcp
US 93.184.220.29:80 N/A tcp
NL 8.238.20.126:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 131.253.33.203:80 N/A tcp

Files

memory/3464-133-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-135-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-136-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-137-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-138-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-139-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-140-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-141-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-143-0x0000000074A60000-0x0000000074A99000-memory.dmp

memory/3464-142-0x0000000074AF0000-0x0000000074B29000-memory.dmp

memory/3464-144-0x0000000000750000-0x00000000013FB000-memory.dmp

memory/3464-145-0x0000000074AF0000-0x0000000074B29000-memory.dmp

memory/3464-146-0x0000000074A60000-0x0000000074A99000-memory.dmp