52ed2bfd74fa9e420c0deb826c568ba36eea651fb44ca6319bab005c87b52e9d

General

Target

2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
Size

117KB
MD5

b1a133ba79ed6042e559989e63408183
SHA1

591140163fb3cff8a23477d1a28600d0f48de242
SHA256

52ed2bfd74fa9e420c0deb826c568ba36eea651fb44ca6319bab005c87b52e9d
SHA512

6f4d723150ed578d2e791066b043fe206db34de2686c88ddb1dd8746e4e60922b6bf4bea47603ba41b61e71a7211d604cdd0ebe6fe74c439a02e1f1e1d409671
SSDEEP

3072:tWACLYIgnqDP4/rZde/NXece9ZW8n4GNW:tWH2LTZ41FinL4

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	OmwkQEMo.exe
4984	xQkAYoQA.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OmwkQEMo.exe = "C:\\Users\\Admin\\cYwcwIYc\\OmwkQEMo.exe"	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OmwkQEMo.exe = "C:\\Users\\Admin\\cYwcwIYc\\OmwkQEMo.exe"	OmwkQEMo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xQkAYoQA.exe = "C:\\ProgramData\\KIIowcsY\\xQkAYoQA.exe"	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xQkAYoQA.exe = "C:\\ProgramData\\KIIowcsY\\xQkAYoQA.exe"	xQkAYoQA.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4160	reg.exe
3128	reg.exe
4276	reg.exe
728	reg.exe
2360	reg.exe
1388	reg.exe
2772	reg.exe
452	reg.exe
2868	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2764	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	91
PID 4172 wrote to memory of 2764	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	91
PID 4172 wrote to memory of 2764	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	91
PID 4172 wrote to memory of 4984	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	92
PID 4172 wrote to memory of 4984	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	92
PID 4172 wrote to memory of 4984	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	92
PID 4172 wrote to memory of 4848	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	93
PID 4172 wrote to memory of 4848	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	93
PID 4172 wrote to memory of 4848	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	93
PID 4172 wrote to memory of 4276	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	99
PID 4172 wrote to memory of 4276	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	99
PID 4172 wrote to memory of 4276	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	99
PID 4172 wrote to memory of 3128	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	98
PID 4172 wrote to memory of 3128	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	98
PID 4172 wrote to memory of 3128	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	98
PID 4172 wrote to memory of 4160	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	97
PID 4172 wrote to memory of 4160	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	97
PID 4172 wrote to memory of 4160	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	97
PID 4172 wrote to memory of 1844	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	96
PID 4172 wrote to memory of 1844	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	96
PID 4172 wrote to memory of 1844	4172	2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe	96

C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\cYwcwIYc\OmwkQEMo.exe
  "C:\Users\Admin\cYwcwIYc\OmwkQEMo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2764
- C:\ProgramData\KIIowcsY\xQkAYoQA.exe
  "C:\ProgramData\KIIowcsY\xQkAYoQA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock"
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock"
      4⤵
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock
        5⤵
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock"
        6⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock
        7⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock"
        8⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock
        9⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSYQkocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe""
        8⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQIYoEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe""
        6⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2276
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2360
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1388
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meIMYIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe""
      4⤵
      PID:4820
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIwAYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock.exe""
  2⤵
  PID:1844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KIIowcsY\xQkAYoQA.exe

Filesize
110KB

MD5
f00a26ba91bef560b351c8758ffbe29c

SHA1
cff2a58061f3b5e698d5503d3845918913a1ba31

SHA256
812addb0c89f7a3ab5fee2d9dc18801468c14cd196db42d90fd3881666265f7b

SHA512
d3be63bf294b565fe9f6880adacdf1f997b853eba79b20b8ef77cf581ee63cd8faca9bfc232c9ca0ff40b7a136ff45f53aa59a295b73a4fe4e8f38589905784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-09_b1a133ba79ed6042e559989e63408183_virlock

Filesize
6KB

MD5
ef625f28a5fa08948768d1836c3227b1

SHA1
96a6f727228c1ace18c93c9b6117b0cfe7f66a74

SHA256
9074d2d9e945ad6999ea143b7ed0a3d0007ed71c2fd6703253ccbdf5238ed889

SHA512
0a72a13de0ad7e0bf32771d0c3c6483f5878bbc39393f671361454775bb01450ecb0a3a4443102fd4f76e26a2de58e720ea705465464ca376a8b517e2cd91635

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAIwAYcE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\cYwcwIYc\OmwkQEMo.exe

Filesize
110KB

MD5
ff71c4782ed8d2b51da588c29391433a

SHA1
213b3dc160292b3208bcac669525feef81226c0f

SHA256
59d66ba3b1e59701621a6f203d0dfeb07e6df54885c9a06e92e6c46c12071bee

SHA512
81f47f001190e1016f56ade11de51a003bf3ad576aa6fc9ca176b1327c2c666fe753fd873148d79019f2954fcc7e8a81ef05b568e91a9963521fd28491405468

Download Submit
memory/376-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2764-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3704-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3704-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4172-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4172-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4984-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads