Analysis

  • max time kernel
    15s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-01-2024 12:09

General

  • Target

    2024-01-06_57ce35ea53f175ab1a6b5c4ac6ba0a58_virlock.exe

  • Size

    254KB

  • MD5

    57ce35ea53f175ab1a6b5c4ac6ba0a58

  • SHA1

    7da2d42f85e73ae0531b67a0d01054911fe77b5e

  • SHA256

    ed5bb4d7ce6662c79b8fc1e9804b681ee8c5b422f2ce79ce8970f41bf4251976

  • SHA512

    557cd01facf32de068e49cb2c36a58895e3ee310d7e45f8c7612a3777c2f4ef45406576aa30d009906d9a6f46fa45a0bc251363c1781eadb04908ad73f6d58ea

  • SSDEEP

    3072:35/RhkI6v+j1CKYEBy8eKGNgwvbxGTweSzFJC/SDi6ugdsuPnOjGx3y:35MkrfkewvbAce+y/SDkg6Hj0y

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-06_57ce35ea53f175ab1a6b5c4ac6ba0a58_virlock.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-06_57ce35ea53f175ab1a6b5c4ac6ba0a58_virlock.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:4532
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      2⤵
      • Modifies registry key
      PID:3084
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies registry key
      PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4452
    • C:\ProgramData\hsEogYso\QQogAgMI.exe
      "C:\ProgramData\hsEogYso\QQogAgMI.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2940
    • C:\Users\Admin\QUMgAQgs\IkEQAIQw.exe
      "C:\Users\Admin\QUMgAQgs\IkEQAIQw.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3036
  • C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
    C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
    1⤵
    • Executes dropped EXE
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\hsEogYso\QQogAgMI.exe

    Filesize

    98KB

    MD5

    f59b10cd1cd733fb55f3e9337837650f

    SHA1

    c6f8ef5320e875c6854b3d5d2513c7f4e6b2461b

    SHA256

    373599adca7034defe8399faa9b702a052fa491ee2b47cdab01c9932a465a722

    SHA512

    c33383b35bb634e66937c7bc3750c54bafde6d322e0a0687e11370579a79fd88860bdc9d08e1838ba48c09d4de9eefa57f90522a0be2778cc63c9b840eb5cb56

  • C:\ProgramData\hsEogYso\QQogAgMI.exe

    Filesize

    92KB

    MD5

    5a8e0daba8ce26a198e3426ba2a7adc6

    SHA1

    82cd76a90bd09e7b8915799c353e838c3994cce6

    SHA256

    787748bd873edec721b836c2830b38edc40c2670f34176cd1a5995af5092ed32

    SHA512

    9c1c5b9a7d1f49b349c12109484379edd423ac8eb1487cf86cfe359bd96ecaaf89c3ddf333a4039555510eb40e7c73aa19fdf7ab949080c671d826689aafd4f4

  • C:\Users\Admin\QUMgAQgs\IkEQAIQw.exe

    Filesize

    109KB

    MD5

    7635d5a236fae87c66c40471a65ddcdd

    SHA1

    90ac038f0ebf7bb94e88134cf1750dcbd76d1471

    SHA256

    b1005b29c1d90e8ddad230779fb30a366c79622824de8898a22bc4868628b396

    SHA512

    3456d2c73f76fe0611e3b7f2681d3cbbc291285f5c422f172ee44dd452a0cb598d59b482520c5e1b922352053c06abdeb3dc1474f62e623a10da2fbeb3b62ba1

  • memory/444-0-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/444-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2760-23-0x00007FFBAD920000-0x00007FFBAE3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2760-20-0x00000000004D0000-0x00000000004F8000-memory.dmp

    Filesize

    160KB

  • memory/2760-1373-0x00007FFBAD920000-0x00007FFBAE3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2940-15-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3036-8-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB