9ef4f965c7895c14f6dc4a0496af716447a0a285be888393a1deefc619d94c3d

Analysis

max time kernel
147s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
Size

307KB
MD5

3bdc60824f7aeeedf12e4045d9d3a683
SHA1

63e1058b10646c493473541d9737f5fdf1eb12b0
SHA256

9ef4f965c7895c14f6dc4a0496af716447a0a285be888393a1deefc619d94c3d
SHA512

8c2028bcf1eb9f514e04668dd1c4cddfc8258454346507a38fa3f67503713a2d2346ffe39c00acf8deb064489271bd804870b536ab09ad5e076456db73456dae
SSDEEP

6144:CTNAEn9aiLiSPXCxmG58l/rlhRQF7qmynDOT4Nj/0l:ENAK9aiLieCxmG5W/oGmynyTuj8l

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3188	qUcocowQ.exe
1416	eeEgAAUQ.exe
3896	calc_avx_clear_pattern.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qUcocowQ.exe = "C:\\Users\\Admin\\hCkwkUYY\\qUcocowQ.exe"	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eeEgAAUQ.exe = "C:\\ProgramData\\skYgAAog\\eeEgAAUQ.exe"	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qUcocowQ.exe = "C:\\Users\\Admin\\hCkwkUYY\\qUcocowQ.exe"	qUcocowQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eeEgAAUQ.exe = "C:\\ProgramData\\skYgAAog\\eeEgAAUQ.exe"	eeEgAAUQ.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4912	taskkill.exe
3780	taskkill.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1808	reg.exe
4064	reg.exe
396	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
3780	taskkill.exe
3780	taskkill.exe
4912	taskkill.exe
4912	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3188	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	82
PID 684 wrote to memory of 3188	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	82
PID 684 wrote to memory of 3188	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	82
PID 684 wrote to memory of 1416	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	83
PID 684 wrote to memory of 1416	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	83
PID 684 wrote to memory of 1416	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	83
PID 684 wrote to memory of 3156	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	84
PID 684 wrote to memory of 3156	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	84
PID 684 wrote to memory of 3156	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	84
PID 684 wrote to memory of 1808	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	86
PID 684 wrote to memory of 1808	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	86
PID 684 wrote to memory of 1808	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	86
PID 684 wrote to memory of 396	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	88
PID 684 wrote to memory of 396	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	88
PID 684 wrote to memory of 396	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	88
PID 684 wrote to memory of 4064	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	87
PID 684 wrote to memory of 4064	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	87
PID 684 wrote to memory of 4064	684	202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe	87
PID 3156 wrote to memory of 3896	3156	cmd.exe	92
PID 3156 wrote to memory of 3896	3156	cmd.exe	92
PID 3156 wrote to memory of 3896	3156	cmd.exe	92
PID 1416 wrote to memory of 4912	1416	eeEgAAUQ.exe	94
PID 1416 wrote to memory of 4912	1416	eeEgAAUQ.exe	94
PID 1416 wrote to memory of 4912	1416	eeEgAAUQ.exe	94
PID 3188 wrote to memory of 3780	3188	qUcocowQ.exe	95
PID 3188 wrote to memory of 3780	3188	qUcocowQ.exe	95
PID 3188 wrote to memory of 3780	3188	qUcocowQ.exe	95

C:\Users\Admin\AppData\Local\Temp\202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe
"C:\Users\Admin\AppData\Local\Temp\202304293bdc60824f7aeeedf12e4045d9d3a683virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\hCkwkUYY\qUcocowQ.exe
  "C:\Users\Admin\hCkwkUYY\qUcocowQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM eeEgAAUQ.exe
    3⤵
    - Kills process with taskkill
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- C:\ProgramData\skYgAAog\eeEgAAUQ.exe
  "C:\ProgramData\skYgAAog\eeEgAAUQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM qUcocowQ.exe
    3⤵
    - Kills process with taskkill
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
    C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
    3⤵
    - Executes dropped EXE
    PID:3896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1808
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4064
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\skYgAAog\eeEgAAUQ.exe

Filesize
198KB

MD5
2cc277d5cbeef9da5322cb9e55d75d1d

SHA1
7b5c877baca924c0ba252738e37eff99019db6e6

SHA256
00e6330b5e710106fccca1fcff3e3b8c1de91e8d35ec09a9702c3d62798de761

SHA512
a233cce50d4c12007b768233d97f2c8210e7f5ba7a7fbb8aabec812330df264c3301797260968f37a066b22cf19e845005bad95745b596515f63e8eba6af7ab2

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.exe

Filesize
198KB

MD5
2cc277d5cbeef9da5322cb9e55d75d1d

SHA1
7b5c877baca924c0ba252738e37eff99019db6e6

SHA256
00e6330b5e710106fccca1fcff3e3b8c1de91e8d35ec09a9702c3d62798de761

SHA512
a233cce50d4c12007b768233d97f2c8210e7f5ba7a7fbb8aabec812330df264c3301797260968f37a066b22cf19e845005bad95745b596515f63e8eba6af7ab2

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
0ded937e3c6d848cc173918bf5642605

SHA1
9b3c128bcdbeb756dfb77cdada90e48dbed124f8

SHA256
353a1cdfd4c24351c7a6855a5ff7474e05a8dfa877192fc820bd3159f0a55d5e

SHA512
ca929fb50231debfa1eb3c9af219bf89dd74cd3def057e09e0bd8952cfad45c8b9b8589c333ddf8d65253ddabe4982d1ef19da30c8fb4791148254a99e7e4a5f

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
b3755acba7bf26dcde1f12393b9146e9

SHA1
29db77fdec6f33b12b1e6a5bc67fe804d9c29665

SHA256
b6244e293442d416d617e535381b877515175bb0da045edda635a11c12c38719

SHA512
81fbaf1292840ff71825b5fbe414ce1e066baa5452602c084c949c7e60c2bb0e59932732c4b2e8a5a7827f6b1cd65fa026585791afdf5bed5cf599fe89ad77f3

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
226094f03cf48d0d6c10c4fa34741754

SHA1
9f4cdffcb9402707b3cf69da361f9bfe77005896

SHA256
8c5acd1a036fcb0ccad9f4f001d136954b8aa5907ef118b82ad80e97a9755933

SHA512
b0362ef937a9d302beb73623980c1b4a6d239e8e94af45005ce11e66cde08661d520c7c8a30709abc0ea14b6cff170a58c2517693e7bbb7de03c73ea6a8a6cad

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
aea8777ee85811357205b8057c46e0e9

SHA1
a6d5bafc7ccc545a89a4cf61f65e528e27825526

SHA256
d544e128981702b329794586a8e0a33c3c6335c3585001552e4c6187d500c249

SHA512
4f3038cbe3492c48ccdc7ca2a8416f6063b3c066211de42ca8ddbc619290d9fb0041f6a5203cc3e50ba07365c87d4db68735f29f7f0339f22b9057b19cc64e72

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
972735fe89b6d7bfdab7cfbaf6021751

SHA1
9880c3e0dee9e73a68d7bb0bff668da9f34dad29

SHA256
795fd894b572644bc0ec9af4489626c7eb6506dbfa33d6fd298883dec4b32423

SHA512
e3b8daa2c49a1a491f3d01744be40456156088c9e15c0585df30a537d057ed360e68322d3d77601f49220b6addc1f813934ca14b117d0a8ec6e5995bbcb7123b

Download Submit
C:\ProgramData\skYgAAog\eeEgAAUQ.inf

Filesize
4B

MD5
c11e38e3905cbc47fbfd9ed1bdaca7cd

SHA1
aa96cce29ae4a87482ece114fcedd39c8725d828

SHA256
2d77dc83e00ba0f2ff5d26045758564e66cc8330a9c692cedfa7a254c7833bc7

SHA512
607956921bd997bf353625e848c95891aedf83ab2f76546dcf39448c806a9572ff014136c0c88ebc27f6b72ab3551df19450c9361ffcca46bef18c26e64abbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe

Filesize
112KB

MD5
e9cc8c20b0e682c77b97e6787de16e5d

SHA1
8be674dec4fcf14ae853a5c20a9288bff3e0520a

SHA256
ef854d21cbf297ee267f22049b773ffeb4c1ff1a3e55227cc2a260754699d644

SHA512
1a3b9b2d16a4404b29675ab1132ad542840058fd356e0f145afe5d0c1d9e1653de28314cd24406b85f09a9ec874c4339967d9e7acb327065448096c5734502c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe

Filesize
112KB

MD5
e9cc8c20b0e682c77b97e6787de16e5d

SHA1
8be674dec4fcf14ae853a5c20a9288bff3e0520a

SHA256
ef854d21cbf297ee267f22049b773ffeb4c1ff1a3e55227cc2a260754699d644

SHA512
1a3b9b2d16a4404b29675ab1132ad542840058fd356e0f145afe5d0c1d9e1653de28314cd24406b85f09a9ec874c4339967d9e7acb327065448096c5734502c7

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.exe

Filesize
190KB

MD5
4cb87626f5c1b943a9627bc51687cb99

SHA1
875968652cc93486ab47463231cbca91982cd82a

SHA256
8e58e6135d9d06d7898120dcdf3e0ae8991ee10ce0918beb6a36831e395fa1a6

SHA512
1687c969261d8369d1dc2de55a431d58b469bf022b21d1358dd0b95fb5be594314addcd0ea19b013377927af909cdd6d84b715d8c0a915bd901b062be7c1c0f1

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.exe

Filesize
190KB

MD5
4cb87626f5c1b943a9627bc51687cb99

SHA1
875968652cc93486ab47463231cbca91982cd82a

SHA256
8e58e6135d9d06d7898120dcdf3e0ae8991ee10ce0918beb6a36831e395fa1a6

SHA512
1687c969261d8369d1dc2de55a431d58b469bf022b21d1358dd0b95fb5be594314addcd0ea19b013377927af909cdd6d84b715d8c0a915bd901b062be7c1c0f1

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
0ded937e3c6d848cc173918bf5642605

SHA1
9b3c128bcdbeb756dfb77cdada90e48dbed124f8

SHA256
353a1cdfd4c24351c7a6855a5ff7474e05a8dfa877192fc820bd3159f0a55d5e

SHA512
ca929fb50231debfa1eb3c9af219bf89dd74cd3def057e09e0bd8952cfad45c8b9b8589c333ddf8d65253ddabe4982d1ef19da30c8fb4791148254a99e7e4a5f

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
b3755acba7bf26dcde1f12393b9146e9

SHA1
29db77fdec6f33b12b1e6a5bc67fe804d9c29665

SHA256
b6244e293442d416d617e535381b877515175bb0da045edda635a11c12c38719

SHA512
81fbaf1292840ff71825b5fbe414ce1e066baa5452602c084c949c7e60c2bb0e59932732c4b2e8a5a7827f6b1cd65fa026585791afdf5bed5cf599fe89ad77f3

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
226094f03cf48d0d6c10c4fa34741754

SHA1
9f4cdffcb9402707b3cf69da361f9bfe77005896

SHA256
8c5acd1a036fcb0ccad9f4f001d136954b8aa5907ef118b82ad80e97a9755933

SHA512
b0362ef937a9d302beb73623980c1b4a6d239e8e94af45005ce11e66cde08661d520c7c8a30709abc0ea14b6cff170a58c2517693e7bbb7de03c73ea6a8a6cad

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
aea8777ee85811357205b8057c46e0e9

SHA1
a6d5bafc7ccc545a89a4cf61f65e528e27825526

SHA256
d544e128981702b329794586a8e0a33c3c6335c3585001552e4c6187d500c249

SHA512
4f3038cbe3492c48ccdc7ca2a8416f6063b3c066211de42ca8ddbc619290d9fb0041f6a5203cc3e50ba07365c87d4db68735f29f7f0339f22b9057b19cc64e72

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
972735fe89b6d7bfdab7cfbaf6021751

SHA1
9880c3e0dee9e73a68d7bb0bff668da9f34dad29

SHA256
795fd894b572644bc0ec9af4489626c7eb6506dbfa33d6fd298883dec4b32423

SHA512
e3b8daa2c49a1a491f3d01744be40456156088c9e15c0585df30a537d057ed360e68322d3d77601f49220b6addc1f813934ca14b117d0a8ec6e5995bbcb7123b

Download Submit
C:\Users\Admin\hCkwkUYY\qUcocowQ.inf

Filesize
4B

MD5
c11e38e3905cbc47fbfd9ed1bdaca7cd

SHA1
aa96cce29ae4a87482ece114fcedd39c8725d828

SHA256
2d77dc83e00ba0f2ff5d26045758564e66cc8330a9c692cedfa7a254c7833bc7

SHA512
607956921bd997bf353625e848c95891aedf83ab2f76546dcf39448c806a9572ff014136c0c88ebc27f6b72ab3551df19450c9361ffcca46bef18c26e64abbcc

Download Submit
memory/684-148-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1416-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3188-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download