44e4a132d32101a8ecbd48436e2a538ac0e5e685d65b03f14dbd65d38b99c618

Analysis

max time kernel
145s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
Size

255KB
MD5

1534eaa496c539f651cba0673aa69fe0
SHA1

777326725c2915a75cc2bf9608478d9e4bbf36e9
SHA256

44e4a132d32101a8ecbd48436e2a538ac0e5e685d65b03f14dbd65d38b99c618
SHA512

3ea8d44e931ee2a237b2acc957da926215bab93e5859002a3028ec81c80aedb934190cd17c0c0d19313f2053b34e310dc9b2221188621d6aed1d8af593487693
SSDEEP

6144:lZyKQfO3YW4hhXFWAvSIuqCffLbekukaXDxylaT:vy44xWAKmCfffekO

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	OEAsEMMY.exe

Executes dropped EXE 3 IoCs

pid	Process
3172	OEAsEMMY.exe
1612	osMowwws.exe
4868	clist.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OEAsEMMY.exe = "C:\\Users\\Admin\\cIAkYYYw\\OEAsEMMY.exe"	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMowwws.exe = "C:\\ProgramData\\BEsUoQkA\\osMowwws.exe"	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OEAsEMMY.exe = "C:\\Users\\Admin\\cIAkYYYw\\OEAsEMMY.exe"	OEAsEMMY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osMowwws.exe = "C:\\ProgramData\\BEsUoQkA\\osMowwws.exe"	osMowwws.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	OEAsEMMY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4836	reg.exe
1212	reg.exe
4288	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	OEAsEMMY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe
3172	OEAsEMMY.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3172	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	30
PID 3044 wrote to memory of 3172	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	30
PID 3044 wrote to memory of 3172	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	30
PID 3044 wrote to memory of 1612	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	29
PID 3044 wrote to memory of 1612	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	29
PID 3044 wrote to memory of 1612	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	29
PID 3044 wrote to memory of 2304	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	28
PID 3044 wrote to memory of 2304	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	28
PID 3044 wrote to memory of 2304	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	28
PID 2304 wrote to memory of 4868	2304	cmd.exe	26
PID 2304 wrote to memory of 4868	2304	cmd.exe	26
PID 3044 wrote to memory of 4288	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	25
PID 3044 wrote to memory of 4288	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	25
PID 3044 wrote to memory of 4288	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	25
PID 3044 wrote to memory of 1212	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	24
PID 3044 wrote to memory of 1212	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	24
PID 3044 wrote to memory of 1212	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	24
PID 3044 wrote to memory of 4836	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	23
PID 3044 wrote to memory of 4836	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	23
PID 3044 wrote to memory of 4836	3044	2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe	23

C:\Users\Admin\AppData\Local\Temp\2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_1534eaa496c539f651cba0673aa69fe0_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\clist.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- C:\ProgramData\BEsUoQkA\osMowwws.exe
  "C:\ProgramData\BEsUoQkA\osMowwws.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1612
- C:\Users\Admin\cIAkYYYw\OEAsEMMY.exe
  "C:\Users\Admin\cIAkYYYw\OEAsEMMY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3172

C:\Users\Admin\AppData\Local\Temp\clist.exe
C:\Users\Admin\AppData\Local\Temp\clist.exe
1⤵
- Executes dropped EXE
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
92KB

MD5
44ac9565a607af6ba841954a027d0e27

SHA1
67d6cf532b4a77a818aa224f010f881d949546af

SHA256
dc417ebf3c01fd8370a6250d4bbdaf332f1be0e87784d8cba7be7f3d967d9219

SHA512
7bb93e310d10428f206a65b1d908c8a60a376747e4955649cb070da41815a650b734bcd822728cddbd5eb11d7b44b1f64848ddd02779e7df496e4a2524a8ba66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eogk.exe

Filesize
92KB

MD5
5329e980a381cafdf8b0fe0f6a69e3ad

SHA1
6fac7703e6fd6889514759ba374a6fe40a45d322

SHA256
487bf795a5283fa6d2ac84c133d84bbbe43b80bf24a1922e20986a8fb4684fe1

SHA512
15048df188cb2ebd934d3ff5dd648bb9bc653c9bd67c6ae907626ef9e82cfdef95f2d1eb7f477822671ef6e1729a9cfc45ca47031743bd0fcee8932e78cce5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcoE.exe

Filesize
1.1MB

MD5
201841cd5e184dcab29cbce2715f1e88

SHA1
235e869d232f6a8e0c47b416ede773a8dc3b682e

SHA256
c3bce10c4a7cbef25e5e14e6aca21e886e53d25860d3610a2233f8ffbf39d0c2

SHA512
a1121b1f6486a999ebde55e983a29870e2b3b549ece5957ba619aa3bc2daa454e8dbeda6729740b29c3ba085d36ddd39243aecead9a05a7afe76c782b80c4939

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMAA.exe

Filesize
92KB

MD5
99f051a2d144ed1d94d9d6891640d9a9

SHA1
24756f1d3f0344b7344456d418e576ff334a80dd

SHA256
d5887ef3dc4cc7e79e2cef1a4df677236c048e3e069bbcd7b8d8a0f4514d48a0

SHA512
58111bafa754d17f7cb8e219f62b6c881bf0e71f5e7f8b7df133d3440a0f84261c1a59724c06af746a6e69d226eac362008fe678302684e93cb1b40b4f757f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoIo.exe

Filesize
569KB

MD5
8bfd2f825dde62012345b1b2133431a7

SHA1
74941b7111c7d5848a9076f517070ce2554e67ad

SHA256
bc42eb92c4ed6c2dd3fc57777f30842fe3c8d2df7e33a8a1c1ff5cb3a615848d

SHA512
38e6f372c2a7b853538aae0186d64e2e642e8567830678192b2f4848f5e959288ffd6500eea2ead1e34765e52c08910fda5937a26451b2137935e3ba040d4117

Download Submit
memory/1612-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3044-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4868-20-0x00000000005E0000-0x0000000000608000-memory.dmp

Filesize
160KB

Download
memory/4868-23-0x00007FF8631E0000-0x00007FF863CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-1384-0x00007FF8631E0000-0x00007FF863CA1000-memory.dmp

Filesize
10.8MB

Download