Analysis

  • max time kernel
    49s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/01/2024, 19:36

General

  • Target

    20240106c59699d888ae2a654a972c74d44151c6lock.exe

  • Size

    255KB

  • MD5

    c59699d888ae2a654a972c74d44151c6

  • SHA1

    288adc9e534496a38187a875125a8064894979fe

  • SHA256

    8354fa469e0c4dd3dc859d96fd1e6d6d3446bafd494bd6c0f001f16de010829f

  • SHA512

    7e3d6e965206e7de907f22095bac4053465ff8055f62a8d5b94005c196e2b2b66bfbaea37290ce929d2549266a27ec890989e4fa24541e131b9aa92be3cdd63d

  • SSDEEP

    3072:OL8+LIf73ZitTARWYLtO+dNbg/9Ph4KIZ4BCBh4Bip10GgYaT2/Xm+pu6auenThX:I8JfLEtoJO+T4nB3MKhX

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe
    "C:\Users\Admin\AppData\Local\Temp\20240106c59699d888ae2a654a972c74d44151c6lock.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\ciYsEoEg\oqksUEcE.exe
      "C:\Users\Admin\ciYsEoEg\oqksUEcE.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4580
    • C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:648
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      2⤵
      • Modifies registry key
      PID:980
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies registry key
      PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuninst.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4920
    • C:\ProgramData\cmcYwEAQ\osMMYcUk.exe
      "C:\ProgramData\cmcYwEAQ\osMMYcUk.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:952
  • C:\Users\Admin\AppData\Local\Temp\cuninst.exe
    C:\Users\Admin\AppData\Local\Temp\cuninst.exe
    1⤵
    • Executes dropped EXE
    PID:2944

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

          Filesize

          4KB

          MD5

          edcc944bea1f9c3d9537664337bd76ac

          SHA1

          fa1bca12572f0a2eb7bb22dfde86f3c5528e5661

          SHA256

          9973ffb5c297c99869623b8bb5233b7add9a8d27303e3b54433f26f79633f254

          SHA512

          b9f04a57155d047466fa8d1aa78a99733962beea8ef040f832fb7ffa9641dbb746f3285be90549db136ec0152d0f86e1565213516e0403bac4c496a2c37c9d3f

        • C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

          Filesize

          36KB

          MD5

          ccc9b5144e8774400948bebc3161812d

          SHA1

          a869cb9cbeb2c892d8cf8b8617abe5bb3c022b2c

          SHA256

          033ea1f0bfb8b771d9ba92a7fe5ec919d96acab211a4168094d1666d45a04a64

          SHA512

          9f5813e594f5cbd14fee985e4afeeeaa6af4ba9f413eaf41a5904e71c614dff110c476d42d8f0934d7895b599dd0011837410bd82d85183fb2b91f8e0f5454ab

        • C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

          Filesize

          7KB

          MD5

          ee12112ead960fc942a652de1a224b82

          SHA1

          16b6274d15e3f9a033fd8e87c7af88f968dc02c8

          SHA256

          1faf059824f639e25466b54d9bb309801085ba884e70958eb0db0bcb084447ec

          SHA512

          ee045459ecf4ea70e5566fb8e7e5dd3cd76e4d38706c6916752f09cdfdc12a8af98a09e37ae73936118c57b54b3639e00509eb23e026d852409f92918ffbbd11

        • C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

          Filesize

          27KB

          MD5

          776a9f608a2307f5f439f7f187b9b086

          SHA1

          ac8111ed35e605aeed0ce60a6e7a11bb85c5ecc5

          SHA256

          358c61c97f802589dcecb8f7db9b26e97d5dbed74ee3f47aa6cdb2fbe8891270

          SHA512

          445fa4d1642423c2be6d74ea1144abf739ac90a81179b9c9a4ca57cbc1298e046e836162509b490343efe74513429316f667b5d162319209d572466a85deb68d

        • C:\ProgramData\cmcYwEAQ\osMMYcUk.exe

          Filesize

          11KB

          MD5

          50fa2ce45dddb1344c0f79344a77b3e3

          SHA1

          eecef7e5923627a7add64945331a5301093a7585

          SHA256

          f2a5c2b24649cb0cc9f46819781c04112ef1db3df4dd1b795198553a191590c3

          SHA512

          0a183b46e2724284b106eb3ae8e4ca911b25e9f4b82e8815222ff7af82ecebe1b69ee82bb775221c087c84a99422ec8f0051c77ef515131c096fd9d1e1eab9eb

        • C:\Users\Admin\AppData\Local\Temp\HAgC.exe

          Filesize

          23KB

          MD5

          a9954bff9468247c4411f91525fac6e9

          SHA1

          a19a2caa64480ba887ba0bcb830de33e57f7d64e

          SHA256

          b2db2bf7319be22b86c0ca9df102f3d6d443aece826457f0815cbcfc4ff5e538

          SHA512

          4bb561b6f0ae29edd7e3670d628a49865768be6efc7e97de029d0849b6967fa01cdf2ed67cf0c58a54fba91337ea99d4192e1c71a68efa93465f0dc22d634858

        • C:\Users\Admin\AppData\Local\Temp\KAkk.exe

          Filesize

          10KB

          MD5

          de2ed303a5aa0ad479af80bb174298e8

          SHA1

          2f522710e6eca27c36b7fef67379173762a7fcd7

          SHA256

          703cdbd142dac82495e363bd6da299f6a5c78bd205521cf8b62ea05fffdef7d0

          SHA512

          6f10d0f020874db08617eaa5c20b6a346bc41355534ac186893a4dc482396c5a62bb545669dabd60da61356fd20ac13f26c601590dc994ba65a7402444cb9a14

        • C:\Users\Admin\AppData\Local\Temp\TYMy.exe

          Filesize

          24KB

          MD5

          9a7dbb72539f76773fdfcb8dfa6eda97

          SHA1

          d4d294dfb6120aa9923af008bd7189e2acfa2aff

          SHA256

          63decda367c6d52734c2d2c95ee96c685ceb26952d94fcc039249942aafaf169

          SHA512

          df20c1026ab1e1805a8758c892b526d6f4dec506ff0c1881bf7979347d2144ecfd79f027c24b2fbcd4fc0648dc16f47f8576dbed3eb76e86f089188863fca670

        • C:\Users\Admin\AppData\Local\Temp\ZAks.exe

          Filesize

          10KB

          MD5

          b05ee93af1f4db69b4b5357394cf1fef

          SHA1

          5dbc20fa7827031a6e99e829a4c6c3e3afd4366d

          SHA256

          a4618aa6a34cac856f59c9d91042636dfc5bcc6d6da6b653fbe4b646fb788507

          SHA512

          b013e357d48682d95ed4106deff80632c7ad61f46dba9a49a30bad5bf36119b0c73fa3d25073cad5b3ed888bde1333fa5430b09498799b2d0b666439284c6613

        • C:\Users\Admin\AppData\Local\Temp\bkYK.exe

          Filesize

          4KB

          MD5

          73c297e36b8cf3becaaf6079b689fca0

          SHA1

          97f5d21fd7d0bfaeb5df9721d0ed230379700fb8

          SHA256

          2926860b0b41d67440769b7c1b0681171ec56323a944520bb61f9329e7792221

          SHA512

          144f191e57e05a6a7d590f97207f02583bcb720c21971d5d92497a3337cd981639229f137eb18be838f74666d610fe5eee3d37a0d987f0b215c141d269864afb

        • C:\Users\Admin\AppData\Local\Temp\cuninst.exe

          Filesize

          3KB

          MD5

          367593571081045fc74c9c3293c27ca6

          SHA1

          14ac7f60aaaffe576fb1935b580992374b79110f

          SHA256

          d1b70d82753b959bf5d16a1565b5f2b04fde60fd8c8466a01674b66ad78f0c18

          SHA512

          3a05146f413b704c717a39b952689dcbceca05d3ecf23040f80920bedc5fb2fcc1ec499c5ca9dd1b238b936dc39f0a19d620d86753b0d21e924a29a51dfbb1e8

        • C:\Users\Admin\AppData\Local\Temp\cuninst.exe

          Filesize

          38KB

          MD5

          52ea716a4a4def8177a4665d181382fc

          SHA1

          35002f63e3048b78edd7e97c3f4b3ec30eed1dd4

          SHA256

          fb73e9d7795c6e4bada17baa0b74afb759049806ddc264db8a2a902ad4d5c8c9

          SHA512

          63e3672d29a988eeeabb95783c1c14ec27f9ce02f254f456133bcca42fc1313c56efb2cf2a98ae8601f8bb8d856a0794d435f09094446ec13863727429e2bf1e

        • C:\Users\Admin\AppData\Local\Temp\ekEa.exe

          Filesize

          8KB

          MD5

          f888cc5ab65e93dd65d2950b39f3f032

          SHA1

          f99cb9e6e1898e4918e1e5808fc5efede31d0bcb

          SHA256

          225692466e0a1c6a510e4da9465844dc09fad7bcd29e2716dc955bf92b3dd21f

          SHA512

          7739a03ae04b7137219fed74340a245fb5836e7109a5e5567f50735c3dc11d98620ee30006739bd97ccafb91e898a5da21502f002bdec3b9bb9292317adf6e86

        • C:\Users\Admin\AppData\Local\Temp\ikci.ico

          Filesize

          4KB

          MD5

          ac4b56cc5c5e71c3bb226181418fd891

          SHA1

          e62149df7a7d31a7777cae68822e4d0eaba2199d

          SHA256

          701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

          SHA512

          a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

        • C:\Users\Admin\AppData\Local\Temp\ossG.exe

          Filesize

          8KB

          MD5

          953a0793668212959f5dfa3309b8ab4a

          SHA1

          63c8d3b81d8df7e7d8ad76d508e82cfc864f083d

          SHA256

          90dcfff6da40e585ac9f7dac3f8ecc0ed3a9baf8431753226cf7b7eb4c07f506

          SHA512

          81f004183b9b0158e08892b0b2b669772243bf7871c34ba53377d0d72352e220e22682a68bb8b5a1af1aedc4576984529696949ef18a287303441467db0001d6

        • C:\Users\Admin\AppData\Local\Temp\psoq.exe

          Filesize

          30KB

          MD5

          2cc95e79418fad3b26d346d7db809975

          SHA1

          13cd6583e948819472229f02390918efc2e8d386

          SHA256

          a5d8d5b32d17c8a2d0ccaa21604d725bc43891fe4b50a9b163570ce3fb1a364c

          SHA512

          a938a1f0a9a6623d358e50c0964a4842a743995c311e2afcc62aba6188aef1628f16cd5746df245e8832fdfdf0953f0e5c27395017c2e9ffd0b086aa200bc2ca

        • C:\Users\Admin\AppData\Local\Temp\sMwa.exe

          Filesize

          19KB

          MD5

          fd5a04b77ca6ffcb29192aa473c3b3fd

          SHA1

          f54fafb1cabf48a69b9a9286273e236316d223a6

          SHA256

          dc54eb3be63de4312bc5f629452ced698cca42b5af2453989ff5485fe130b529

          SHA512

          8ff40e73b7b5a44bf080444be5441cba4da4c107d5ca6a10729a6ebfca2f1db0fa2f286799ee9e99d14bf9fe1bde7a552a374486cc6168ac123c944b55f99b6c

        • C:\Users\Admin\AppData\Local\Temp\ucoI.exe

          Filesize

          4KB

          MD5

          87c1aec739f383ed7dac5bba29656c4d

          SHA1

          9870c62b3e43a0810c84bcbea5c6c386557405ee

          SHA256

          cf604a547846ba3ddd1e3a9fc397f95a4dd09d0004f8f1fd993f767f45572125

          SHA512

          8fdb23bccaf877d94f203ba42996280ebd26e0fa6ef39a31bc51e4b9195f29b51cf7a8a35b5786e11e6ec02a601030230c098b1dc98ce5e9ea7ba9d6e48b1eec

        • C:\Users\Admin\AppData\Local\Temp\vMEM.exe

          Filesize

          8KB

          MD5

          e6cfad21f1370a6b54612f8963065495

          SHA1

          ca0d86d594a4923fb2b3c5875f28cbdfe1f5c2cd

          SHA256

          81293e063a399642f637ae273d7f956de811a50129833d557d6a78b9c03040d8

          SHA512

          e6fcc1b1ea957ae78e89bb41cc61bdbcce6b4f5f475d03fa359a79da76865bbd8cd91cd9080912c097b02ee72e376f2e5375484d1ac61ce8015338288fdc5da3

        • C:\Users\Admin\AppData\Local\Temp\vwEm.exe

          Filesize

          4KB

          MD5

          393bde2e42c99db83bd2fa0a20441477

          SHA1

          47b72bccca393fb5d823f772c98657988059ecfd

          SHA256

          e7cef3c255a77e35d9abf5775535e1c50d329f2ac6121c3130dfc609ed2835a8

          SHA512

          68893be1e46a2e494681b3cbe4fd8d9e15d2da526a99eddf3deaced84f1411923d92933118501c881bfe193fd2017b783cab6a79168f9af7d5fa86e83043e6d3

        • C:\Users\Admin\AppData\Local\Temp\xcgg.exe

          Filesize

          34KB

          MD5

          ae664845a7d835ce0d0775c8f3422ef4

          SHA1

          1c3f76658c45b463e580402b06e82105c34cd248

          SHA256

          22dc3f1176286aea3031e884c1801697508759a2355cb95c68d172a898561380

          SHA512

          94a3bd7c827e345177b1bde096412b2a8adc9edfbcd437785b17eb471b92eaf6ba57173cff5063dd2924f687e824a5685abea2e4563d957da40cf0baa7f6d54c

        • C:\Users\Admin\AppData\Local\Temp\xkQy.exe

          Filesize

          9KB

          MD5

          dc254e346336506d53fc3829242f9c3b

          SHA1

          f9176d9bd98ae73ae8806e556cd6bd9c80d6d24a

          SHA256

          1c316df6458e3c565e009fc05fa2c6f6fa730bb7f247b123f6e5ae53a7dee456

          SHA512

          722d16a94f04106de1ccc21ac15de6e6f47e8bafb0d41f3b04dc47088b7205ee5a7e7fe1ff6ef5602756d5ccd2030bf32db17abb1759b90a46e4641565c5879c

        • C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

          Filesize

          83KB

          MD5

          09938aa3f1c55a7e660bf044d95d3963

          SHA1

          fb46c7f00e59a3340e130c281202e5cbbf39b67a

          SHA256

          bce69c4d2356f5cd46b618aca455e2ab2e372dfc80f6ea249763f34be81377d2

          SHA512

          8be8b94350a71b55a439d96287f730c960af3089238c4bcf290045c038460c697198de3767725cf01a587e49d7043bc5bd94d4bce6a63c2bef6d436419e226be

        • C:\Users\Admin\ciYsEoEg\oqksUEcE.exe

          Filesize

          21KB

          MD5

          5f8ed3d12021df83a709d4c1902847ca

          SHA1

          8424bd20c352ecc2e67377650d2a49680bbdd6fe

          SHA256

          fecdf274323f4d2ce3f338f75837acdb293b773188aa982a127e1f063237581a

          SHA512

          43da541a164debb86867d8d4a13c692ea07afe51378ef3ee5fcb496b6dfe92cfb28438360c835dc56b3e8fde2e5c26c5bed4d33e885fe493d692bbb0db7574a1

        • memory/952-15-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB

        • memory/2944-21-0x0000000000AB0000-0x0000000000AD8000-memory.dmp

          Filesize

          160KB

        • memory/2944-23-0x00007FF987D20000-0x00007FF9887E1000-memory.dmp

          Filesize

          10.8MB

        • memory/2944-52-0x00007FF987D20000-0x00007FF9887E1000-memory.dmp

          Filesize

          10.8MB

        • memory/3764-0-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/3764-17-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/4580-6-0x0000000000400000-0x000000000041D000-memory.dmp

          Filesize

          116KB