Analysis
max time kernel: 49s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 07/01/2024, 19:36

Static task: static1
Behavioral task: behavioral1
Sample: 20240106c59699d888ae2a654a972c74d44151c6lock.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 20240106c59699d888ae2a654a972c74d44151c6lock.exe
Resource: win10v2004-20231215-en

General
Target: 20240106c59699d888ae2a654a972c74d44151c6lock.exe
Size: 255KB
MD5: c59699d888ae2a654a972c74d44151c6
SHA1: 288adc9e534496a38187a875125a8064894979fe
SHA256: 8354fa469e0c4dd3dc859d96fd1e6d6d3446bafd494bd6c0f001f16de010829f
SHA512: 7e3d6e965206e7de907f22095bac4053465ff8055f62a8d5b94005c196e2b2b66bfbaea37290ce929d2549266a27ec890989e4fa24541e131b9aa92be3cdd63d
SSDEEP: 3072:OL8+LIf73ZitTARWYLtO+dNbg/9Ph4KIZ4BCBh4Bip10GgYaT2/Xm+pu6auenThX:I8JfLEtoJO+T4nB3MKhX
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Executes dropped EXE (3 IoCs)
pid | Process
4580 | oqksUEcE.exe
952 | osMMYcUk.exe
2944 | cuninst.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqksUEcE.exe = "C:\\Users\\Admin\\ciYsEoEg\\oqksUEcE.exe" | 20240106c59699d888ae2a654a972c74d44151c6lock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMMYcUk.exe = "C:\\ProgramData\\cmcYwEAQ\\osMMYcUk.exe" | 20240106c59699d888ae2a654a972c74d44151c6lock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqksUEcE.exe = "C:\\Users\\Admin\\ciYsEoEg\\oqksUEcE.exe" | oqksUEcE.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMMYcUk.exe = "C:\\ProgramData\\cmcYwEAQ\\osMMYcUk.exe" | osMMYcUk.exe

Modifies registry key (1 TTPs, 3 IoCs)
pid | Process
4780 | reg.exe
648 | reg.exe
980 | reg.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe
3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe
3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe
3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 3764 wrote to memory of 4580 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 73
PID 3764 wrote to memory of 4580 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 73
PID 3764 wrote to memory of 4580 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 73
PID 3764 wrote to memory of 952 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 83
PID 3764 wrote to memory of 952 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 83
PID 3764 wrote to memory of 952 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 83
PID 3764 wrote to memory of 4920 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 82
PID 3764 wrote to memory of 4920 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 82
PID 3764 wrote to memory of 4920 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 82
PID 3764 wrote to memory of 4780 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 81
PID 3764 wrote to memory of 4780 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 81
PID 3764 wrote to memory of 4780 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 81
PID 3764 wrote to memory of 980 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 80
PID 3764 wrote to memory of 980 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 80
PID 3764 wrote to memory of 980 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 80
PID 3764 wrote to memory of 648 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 78
PID 3764 wrote to memory of 648 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 78
PID 3764 wrote to memory of 648 | 3764 | 20240106c59699d888ae2a654a972c74d44151c6lock.exe | 78
PID 4920 wrote to memory of 2944 | 4920 | cmd.exe | 76
PID 4920 wrote to memory of 2944 | 4920 | cmd.exe | 76
Processes
C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"
Depth: 1
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3764

    C:\Users\Admin\ciYsEoEg\oqksUEcE.exe
    Command line: "C:\Users\Admin\ciYsEoEg\oqksUEcE.exe"
    Depth: 2
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 4580

    C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    Depth: 2
    - UAC bypass
    - Modifies registry key
    PID: 648

    C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    Depth: 2
    - Modifies registry key
    PID: 980

    C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    Depth: 2
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID: 4780

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuninst.exe
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 4920

    C:\ProgramData\cmcYwEAQ\osMMYcUk.exe
    Command line: "C:\ProgramData\cmcYwEAQ\osMMYcUk.exe"
    Depth: 2
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 952

C:\Users\Admin\AppData\Local\Temp\cuninst.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cuninst.exe
Depth: 1
- Executes dropped EXE
PID: 2944
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize: 4KB
MD5: edcc944bea1f9c3d9537664337bd76ac
SHA1: fa1bca12572f0a2eb7bb22dfde86f3c5528e5661
SHA256: 9973ffb5c297c99869623b8bb5233b7add9a8d27303e3b54433f26f79633f254
SHA512: b9f04a57155d047466fa8d1aa78a99733962beea8ef040f832fb7ffa9641dbb746f3285be90549db136ec0152d0f86e1565213516e0403bac4c496a2c37c9d3f

Filesize: 36KB
MD5: ccc9b5144e8774400948bebc3161812d
SHA1: a869cb9cbeb2c892d8cf8b8617abe5bb3c022b2c
SHA256: 033ea1f0bfb8b771d9ba92a7fe5ec919d96acab211a4168094d1666d45a04a64
SHA512: 9f5813e594f5cbd14fee985e4afeeeaa6af4ba9f413eaf41a5904e71c614dff110c476d42d8f0934d7895b599dd0011837410bd82d85183fb2b91f8e0f5454ab

Filesize: 7KB
MD5: ee12112ead960fc942a652de1a224b82
SHA1: 16b6274d15e3f9a033fd8e87c7af88f968dc02c8
SHA256: 1faf059824f639e25466b54d9bb309801085ba884e70958eb0db0bcb084447ec
SHA512: ee045459ecf4ea70e5566fb8e7e5dd3cd76e4d38706c6916752f09cdfdc12a8af98a09e37ae73936118c57b54b3639e00509eb23e026d852409f92918ffbbd11

Filesize: 27KB
MD5: 776a9f608a2307f5f439f7f187b9b086
SHA1: ac8111ed35e605aeed0ce60a6e7a11bb85c5ecc5
SHA256: 358c61c97f802589dcecb8f7db9b26e97d5dbed74ee3f47aa6cdb2fbe8891270
SHA512: 445fa4d1642423c2be6d74ea1144abf739ac90a81179b9c9a4ca57cbc1298e046e836162509b490343efe74513429316f667b5d162319209d572466a85deb68d

Filesize: 11KB
MD5: 50fa2ce45dddb1344c0f79344a77b3e3
SHA1: eecef7e5923627a7add64945331a5301093a7585
SHA256: f2a5c2b24649cb0cc9f46819781c04112ef1db3df4dd1b795198553a191590c3
SHA512: 0a183b46e2724284b106eb3ae8e4ca911b25e9f4b82e8815222ff7af82ecebe1b69ee82bb775221c087c84a99422ec8f0051c77ef515131c096fd9d1e1eab9eb

Filesize: 23KB
MD5: a9954bff9468247c4411f91525fac6e9
SHA1: a19a2caa64480ba887ba0bcb830de33e57f7d64e
SHA256: b2db2bf7319be22b86c0ca9df102f3d6d443aece826457f0815cbcfc4ff5e538
SHA512: 4bb561b6f0ae29edd7e3670d628a49865768be6efc7e97de029d0849b6967fa01cdf2ed67cf0c58a54fba91337ea99d4192e1c71a68efa93465f0dc22d634858

Filesize: 10KB
MD5: de2ed303a5aa0ad479af80bb174298e8
SHA1: 2f522710e6eca27c36b7fef67379173762a7fcd7
SHA256: 703cdbd142dac82495e363bd6da299f6a5c78bd205521cf8b62ea05fffdef7d0
SHA512: 6f10d0f020874db08617eaa5c20b6a346bc41355534ac186893a4dc482396c5a62bb545669dabd60da61356fd20ac13f26c601590dc994ba65a7402444cb9a14

Filesize: 24KB
MD5: 9a7dbb72539f76773fdfcb8dfa6eda97
SHA1: d4d294dfb6120aa9923af008bd7189e2acfa2aff
SHA256: 63decda367c6d52734c2d2c95ee96c685ceb26952d94fcc039249942aafaf169
SHA512: df20c1026ab1e1805a8758c892b526d6f4dec506ff0c1881bf7979347d2144ecfd79f027c24b2fbcd4fc0648dc16f47f8576dbed3eb76e86f089188863fca670

Filesize: 10KB
MD5: b05ee93af1f4db69b4b5357394cf1fef
SHA1: 5dbc20fa7827031a6e99e829a4c6c3e3afd4366d
SHA256: a4618aa6a34cac856f59c9d91042636dfc5bcc6d6da6b653fbe4b646fb788507
SHA512: b013e357d48682d95ed4106deff80632c7ad61f46dba9a49a30bad5bf36119b0c73fa3d25073cad5b3ed888bde1333fa5430b09498799b2d0b666439284c6613

Filesize: 4KB
MD5: 73c297e36b8cf3becaaf6079b689fca0
SHA1: 97f5d21fd7d0bfaeb5df9721d0ed230379700fb8
SHA256: 2926860b0b41d67440769b7c1b0681171ec56323a944520bb61f9329e7792221
SHA512: 144f191e57e05a6a7d590f97207f02583bcb720c21971d5d92497a3337cd981639229f137eb18be838f74666d610fe5eee3d37a0d987f0b215c141d269864afb

Filesize: 3KB
MD5: 367593571081045fc74c9c3293c27ca6
SHA1: 14ac7f60aaaffe576fb1935b580992374b79110f
SHA256: d1b70d82753b959bf5d16a1565b5f2b04fde60fd8c8466a01674b66ad78f0c18
SHA512: 3a05146f413b704c717a39b952689dcbceca05d3ecf23040f80920bedc5fb2fcc1ec499c5ca9dd1b238b936dc39f0a19d620d86753b0d21e924a29a51dfbb1e8

Filesize: 38KB
MD5: 52ea716a4a4def8177a4665d181382fc
SHA1: 35002f63e3048b78edd7e97c3f4b3ec30eed1dd4
SHA256: fb73e9d7795c6e4bada17baa0b74afb759049806ddc264db8a2a902ad4d5c8c9
SHA512: 63e3672d29a988eeeabb95783c1c14ec27f9ce02f254f456133bcca42fc1313c56efb2cf2a98ae8601f8bb8d856a0794d435f09094446ec13863727429e2bf1e

Filesize: 8KB
MD5: f888cc5ab65e93dd65d2950b39f3f032
SHA1: f99cb9e6e1898e4918e1e5808fc5efede31d0bcb
SHA256: 225692466e0a1c6a510e4da9465844dc09fad7bcd29e2716dc955bf92b3dd21f
SHA512: 7739a03ae04b7137219fed74340a245fb5836e7109a5e5567f50735c3dc11d98620ee30006739bd97ccafb91e898a5da21502f002bdec3b9bb9292317adf6e86

Filesize: 4KB
MD5: ac4b56cc5c5e71c3bb226181418fd891
SHA1: e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256: 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512: a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Filesize: 8KB
MD5: 953a0793668212959f5dfa3309b8ab4a
SHA1: 63c8d3b81d8df7e7d8ad76d508e82cfc864f083d
SHA256: 90dcfff6da40e585ac9f7dac3f8ecc0ed3a9baf8431753226cf7b7eb4c07f506
SHA512: 81f004183b9b0158e08892b0b2b669772243bf7871c34ba53377d0d72352e220e22682a68bb8b5a1af1aedc4576984529696949ef18a287303441467db0001d6

Filesize: 30KB
MD5: 2cc95e79418fad3b26d346d7db809975
SHA1: 13cd6583e948819472229f02390918efc2e8d386
SHA256: a5d8d5b32d17c8a2d0ccaa21604d725bc43891fe4b50a9b163570ce3fb1a364c
SHA512: a938a1f0a9a6623d358e50c0964a4842a743995c311e2afcc62aba6188aef1628f16cd5746df245e8832fdfdf0953f0e5c27395017c2e9ffd0b086aa200bc2ca

Filesize: 19KB
MD5: fd5a04b77ca6ffcb29192aa473c3b3fd
SHA1: f54fafb1cabf48a69b9a9286273e236316d223a6
SHA256: dc54eb3be63de4312bc5f629452ced698cca42b5af2453989ff5485fe130b529
SHA512: 8ff40e73b7b5a44bf080444be5441cba4da4c107d5ca6a10729a6ebfca2f1db0fa2f286799ee9e99d14bf9fe1bde7a552a374486cc6168ac123c944b55f99b6c

Filesize: 4KB
MD5: 87c1aec739f383ed7dac5bba29656c4d
SHA1: 9870c62b3e43a0810c84bcbea5c6c386557405ee
SHA256: cf604a547846ba3ddd1e3a9fc397f95a4dd09d0004f8f1fd993f767f45572125
SHA512: 8fdb23bccaf877d94f203ba42996280ebd26e0fa6ef39a31bc51e4b9195f29b51cf7a8a35b5786e11e6ec02a601030230c098b1dc98ce5e9ea7ba9d6e48b1eec

Filesize: 8KB
MD5: e6cfad21f1370a6b54612f8963065495
SHA1: ca0d86d594a4923fb2b3c5875f28cbdfe1f5c2cd
SHA256: 81293e063a399642f637ae273d7f956de811a50129833d557d6a78b9c03040d8
SHA512: e6fcc1b1ea957ae78e89bb41cc61bdbcce6b4f5f475d03fa359a79da76865bbd8cd91cd9080912c097b02ee72e376f2e5375484d1ac61ce8015338288fdc5da3

Filesize: 4KB
MD5: 393bde2e42c99db83bd2fa0a20441477
SHA1: 47b72bccca393fb5d823f772c98657988059ecfd
SHA256: e7cef3c255a77e35d9abf5775535e1c50d329f2ac6121c3130dfc609ed2835a8
SHA512: 68893be1e46a2e494681b3cbe4fd8d9e15d2da526a99eddf3deaced84f1411923d92933118501c881bfe193fd2017b783cab6a79168f9af7d5fa86e83043e6d3

Filesize: 34KB
MD5: ae664845a7d835ce0d0775c8f3422ef4
SHA1: 1c3f76658c45b463e580402b06e82105c34cd248
SHA256: 22dc3f1176286aea3031e884c1801697508759a2355cb95c68d172a898561380
SHA512: 94a3bd7c827e345177b1bde096412b2a8adc9edfbcd437785b17eb471b92eaf6ba57173cff5063dd2924f687e824a5685abea2e4563d957da40cf0baa7f6d54c

Filesize: 9KB
MD5: dc254e346336506d53fc3829242f9c3b
SHA1: f9176d9bd98ae73ae8806e556cd6bd9c80d6d24a
SHA256: 1c316df6458e3c565e009fc05fa2c6f6fa730bb7f247b123f6e5ae53a7dee456
SHA512: 722d16a94f04106de1ccc21ac15de6e6f47e8bafb0d41f3b04dc47088b7205ee5a7e7fe1ff6ef5602756d5ccd2030bf32db17abb1759b90a46e4641565c5879c

Filesize: 83KB
MD5: 09938aa3f1c55a7e660bf044d95d3963
SHA1: fb46c7f00e59a3340e130c281202e5cbbf39b67a
SHA256: bce69c4d2356f5cd46b618aca455e2ab2e372dfc80f6ea249763f34be81377d2
SHA512: 8be8b94350a71b55a439d96287f730c960af3089238c4bcf290045c038460c697198de3767725cf01a587e49d7043bc5bd94d4bce6a63c2bef6d436419e226be

Filesize: 21KB
MD5: 5f8ed3d12021df83a709d4c1902847ca
SHA1: 8424bd20c352ecc2e67377650d2a49680bbdd6fe
SHA256: fecdf274323f4d2ce3f338f75837acdb293b773188aa982a127e1f063237581a
SHA512: 43da541a164debb86867d8d4a13c692ea07afe51378ef3ee5fcb496b6dfe92cfb28438360c835dc56b3e8fde2e5c26c5bed4d33e885fe493d692bbb0db7574a1