af1fd53a1ac9557a43b85931b7b87cc4f756f7dc9c27c52e9ea1a8c25748ac31

General

Target

5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
Size

2.2MB
MD5

5f0ad7e7f26781dc32c59dbcb9de2e77
SHA1

15786ffa979f179248cbb9fe9da72761eb8db4ce
SHA256

af1fd53a1ac9557a43b85931b7b87cc4f756f7dc9c27c52e9ea1a8c25748ac31
SHA512

190acbc4759a0a19441b86a75567abda0401ffe36307e6ca288d8d31714f1931df7f75e2ad68561529214ef0e22d6e77de05e7ee2063a283844771cafab198f6
SSDEEP

24576:tkcNojuh4Pczh9Z7JeIrolfvnhOgNOsqzN/qm/jD8gNdZL/7JLyc3YK1gQwy2WS0:tkcNoju6PEHeJfPhlRays8gqQ9n3tx

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\WWMYUAEw\\tewIYcIo.exe,"	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\WWMYUAEw\\tewIYcIo.exe,"	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1004	KekMAcQE.exe
4092	tewIYcIo.exe
4196	HoUMUMEU.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KekMAcQE.exe = "C:\\Users\\Admin\\MAMkwIwI\\KekMAcQE.exe"	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tewIYcIo.exe = "C:\\ProgramData\\WWMYUAEw\\tewIYcIo.exe"	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\MAMkwIwI	HoUMUMEU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\MAMkwIwI\KekMAcQE	HoUMUMEU.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1600	reg.exe
1996	reg.exe
5008	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	KekMAcQE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4528	vssvc.exe
Token: SeRestorePrivilege	4528	vssvc.exe
Token: SeAuditPrivilege	4528	vssvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1004	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	90
PID 640 wrote to memory of 1004	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	90
PID 640 wrote to memory of 1004	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	90
PID 640 wrote to memory of 4092	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	91
PID 640 wrote to memory of 4092	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	91
PID 640 wrote to memory of 4092	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	91
PID 640 wrote to memory of 4840	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	93
PID 640 wrote to memory of 4840	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	93
PID 640 wrote to memory of 4840	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	93
PID 640 wrote to memory of 1600	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	95
PID 640 wrote to memory of 1600	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	95
PID 640 wrote to memory of 1600	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	95
PID 640 wrote to memory of 1996	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	96
PID 640 wrote to memory of 1996	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	96
PID 640 wrote to memory of 1996	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	96
PID 640 wrote to memory of 5008	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	98
PID 640 wrote to memory of 5008	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	98
PID 640 wrote to memory of 5008	640	5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe	98
PID 4840 wrote to memory of 1648	4840	cmd.exe	101
PID 4840 wrote to memory of 1648	4840	cmd.exe	101
PID 4840 wrote to memory of 1648	4840	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\MAMkwIwI\KekMAcQE.exe
  "C:\Users\Admin\MAMkwIwI\KekMAcQE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1004
- C:\ProgramData\WWMYUAEw\tewIYcIo.exe
  "C:\ProgramData\WWMYUAEw\tewIYcIo.exe"
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC.exe
    C:\Users\Admin\AppData\Local\Temp\5f0ad7e7f26781dc32c59dbcb9de2e77_virlock_JC
    3⤵
    PID:1648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1600
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:5008

C:\ProgramData\XQIUkckw\HoUMUMEU.exe
C:\ProgramData\XQIUkckw\HoUMUMEU.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WWMYUAEw\tewIYcIo.exe

Filesize
2.2MB

MD5
bfc33ec8e4b197481194e8d5ca9466d0

SHA1
83378ad4ecbfebef311b3b7b7d69a2442a386245

SHA256
51a3afd9760f3107151598923b9c5e92861689da823f7eccc6ae94e2697b00f6

SHA512
a0f409cda6d65b75c088f9f347cb2ace9dc551c89333341481017a098210e39d335c9a775fe39158d7e67f85a58517fc8dc8a75e843b98c86705735dc4343dbe

Download Submit
C:\ProgramData\WWMYUAEw\tewIYcIo.exe

Filesize
2.2MB

MD5
bfc33ec8e4b197481194e8d5ca9466d0

SHA1
83378ad4ecbfebef311b3b7b7d69a2442a386245

SHA256
51a3afd9760f3107151598923b9c5e92861689da823f7eccc6ae94e2697b00f6

SHA512
a0f409cda6d65b75c088f9f347cb2ace9dc551c89333341481017a098210e39d335c9a775fe39158d7e67f85a58517fc8dc8a75e843b98c86705735dc4343dbe

Download Submit
C:\ProgramData\XQIUkckw\HoUMUMEU.exe

Filesize
2.1MB

MD5
314c28f841859cf39e818484432bced3

SHA1
f204de650302ab7c7c39dff62fc15f9e4c855f2c

SHA256
6dc30070a13fd7746003c4adae4dcf5e6abe787aeabd6eaf44b4abde182e1f49

SHA512
87ea0f2a008f93a2ccaf221c45ddcce907c2f5792682fadca925cccd0fc25b47f6b4cf6c4d926621a35352975f3b7f37ee5c9706628ec38df9a34cc2217e2385

Download Submit
C:\ProgramData\XQIUkckw\HoUMUMEU.exe

Filesize
2.1MB

MD5
314c28f841859cf39e818484432bced3

SHA1
f204de650302ab7c7c39dff62fc15f9e4c855f2c

SHA256
6dc30070a13fd7746003c4adae4dcf5e6abe787aeabd6eaf44b4abde182e1f49

SHA512
87ea0f2a008f93a2ccaf221c45ddcce907c2f5792682fadca925cccd0fc25b47f6b4cf6c4d926621a35352975f3b7f37ee5c9706628ec38df9a34cc2217e2385

Download Submit
C:\Users\Admin\MAMkwIwI\KekMAcQE.exe

Filesize
2.2MB

MD5
de9ed2be9c9a165273d6d87fc5681cd9

SHA1
de285882a23ab3a8ae217a081864ebdc39f607a8

SHA256
2c65f834896a0da6c36220f192c678dff043a7faaaf76978b2daa011f782be3d

SHA512
d0258becd0911d61ad4147bfeb3d1ee4744f8445a7f625d676dcaff1c84f2600ae08477e122b59a06195ce240825c479957e579a701b727f0c8f7d65d1bb8185

Download Submit
C:\Users\Admin\MAMkwIwI\KekMAcQE.exe

Filesize
2.2MB

MD5
de9ed2be9c9a165273d6d87fc5681cd9

SHA1
de285882a23ab3a8ae217a081864ebdc39f607a8

SHA256
2c65f834896a0da6c36220f192c678dff043a7faaaf76978b2daa011f782be3d

SHA512
d0258becd0911d61ad4147bfeb3d1ee4744f8445a7f625d676dcaff1c84f2600ae08477e122b59a06195ce240825c479957e579a701b727f0c8f7d65d1bb8185

Download Submit
memory/640-133-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/640-150-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/4196-145-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/4196-151-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads