Analysis Overview
SHA256
f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017
Threat Level: Known bad
The file WinLocker Builder (test version).exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-04 07:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-04 07:59
Reported
2023-03-04 08:01
Platform
win7-20230220-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
BitRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe" | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | current-necessity.at.ply.gg | udp |
| US | 209.25.141.212:49446 | current-necessity.at.ply.gg | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-04 07:59
Reported
2023-03-04 08:01
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
BitRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe耀" | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe" | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | current-necessity.at.ply.gg | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 209.25.141.212:49446 | current-necessity.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 212.141.25.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 209.25.141.212:49446 | current-necessity.at.ply.gg | tcp |
| US | 209.25.141.212:49446 | current-necessity.at.ply.gg | tcp |
| US | 209.25.141.212:49446 | current-necessity.at.ply.gg | tcp |
| US | 20.189.173.12:443 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 8.238.20.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
Files