2ea6f1b7f57e6fb1190b5a8c9dab9ed8a3c097bc250061dd34e9c27089362b42

Analysis

max time kernel
17s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
Size

223KB
MD5

47f3c001dc7c413522614ed66223140c
SHA1

5401dcacd15e0d4384777bf5d7edb94b01687b78
SHA256

2ea6f1b7f57e6fb1190b5a8c9dab9ed8a3c097bc250061dd34e9c27089362b42
SHA512

97d6f0424b98e43c92b4d49e1be8734e767640511034ea5f1e97f7044fa5cedb43242cd5903312ecdde9e70287a320ea0396fccf8e4590a613ba641796f1b1d9
SSDEEP

6144:PgF1ozMwnGvjpHf/DOY9zlITVgt5GMppppppppppppppppppppppp:PgF1ogeo1NN6TOW

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
3536	YAoIIAUM.exe
1820	uaIkcEEQ.exe
4284	calc_avx_clear_pattern.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YAoIIAUM.exe = "C:\\Users\\Admin\\xMEsgMwY\\YAoIIAUM.exe"	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uaIkcEEQ.exe = "C:\\ProgramData\\EcEAkoIg\\uaIkcEEQ.exe"	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YAoIIAUM.exe = "C:\\Users\\Admin\\xMEsgMwY\\YAoIIAUM.exe"	YAoIIAUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uaIkcEEQ.exe = "C:\\ProgramData\\EcEAkoIg\\uaIkcEEQ.exe"	uaIkcEEQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3484	reg.exe
2848	reg.exe
1796	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3536	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	89
PID 2424 wrote to memory of 3536	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	89
PID 2424 wrote to memory of 3536	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	89
PID 2424 wrote to memory of 1820	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	91
PID 2424 wrote to memory of 1820	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	91
PID 2424 wrote to memory of 1820	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	91
PID 2424 wrote to memory of 2480	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	92
PID 2424 wrote to memory of 2480	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	92
PID 2424 wrote to memory of 2480	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	92
PID 2424 wrote to memory of 3484	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	94
PID 2424 wrote to memory of 3484	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	94
PID 2424 wrote to memory of 3484	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	94
PID 2424 wrote to memory of 1796	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	96
PID 2424 wrote to memory of 1796	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	96
PID 2424 wrote to memory of 1796	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	96
PID 2424 wrote to memory of 2848	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	95
PID 2424 wrote to memory of 2848	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	95
PID 2424 wrote to memory of 2848	2424	2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe	95
PID 2480 wrote to memory of 4284	2480	cmd.exe	100
PID 2480 wrote to memory of 4284	2480	cmd.exe	100
PID 2480 wrote to memory of 4284	2480	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_47f3c001dc7c413522614ed66223140c_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\xMEsgMwY\YAoIIAUM.exe
  "C:\Users\Admin\xMEsgMwY\YAoIIAUM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3536
- C:\ProgramData\EcEAkoIg\uaIkcEEQ.exe
  "C:\ProgramData\EcEAkoIg\uaIkcEEQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
    C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe
    3⤵
    - Executes dropped EXE
    PID:4284
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EcEAkoIg\uaIkcEEQ.exe

Filesize
111KB

MD5
fad561f7a22b327b6a4c3a65b4b21881

SHA1
8213a130572b54b4036f38c4526fd4a197016cf0

SHA256
2bddc6ef22b52508995b974da021b8315a37ae9a3c8a22033e8ba86b8d09f761

SHA512
c46748f223a107388ab2009b27a5f55f035b3f713166ee6cedfe964c1808beaafca5a7053a7319640a967afd8ebf2779d45bba1b8db49369c8e27c30f0733f60

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
140KB

MD5
5460f825bfb2abac5b630aca6ae9e8ab

SHA1
6e4f681df79f477545e5755ef276ef769f112137

SHA256
b86cdb11361260ca5ef19ef9710f733883c5c222193d105af7e3c976093430c0

SHA512
2ab3866085230152e713a76b2470d0c293909b51f852f793da676008791e9d544f4cde814b17fad465c44cef18b961b6db8ef2b10597c866124267764868e663

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
238KB

MD5
64a1eaa089e83073c37bab08d786c64a

SHA1
133527b6dc00752d9e26fff6cec1fceced6987fd

SHA256
93eed9c56dc86fb5ea43f5aea0b2f5c41c9aa186762254fe1d68d907818eb1c1

SHA512
78c05ad4536f0a8d811c063441d04e09586e6c6e2a7008827fadf325c42182939887ed591a4cc385dca74be0eba502a8b6f27802a00f5b832b179526be8f854a

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
139KB

MD5
57e69a1faa0c1b1302d4157da47a6f7a

SHA1
2b779baddbf14451087f14f48971477a46add330

SHA256
a647e79c717d1a2e6416ee06e9b73a68e8dffe49b6c1aba0fb6ee361908a5e87

SHA512
1ac14fb0c34b60825275373f28ba06d5e54185c7eefd8b9ebd84c557757f1137b9ff7eb63ea85c2c9e2dc39f711fbb57bfe3e2e44ceead0448591cc29d9e1b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsAg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIW.exe

Filesize
92KB

MD5
964506e586904dfe0bcb16d10e4399b3

SHA1
6700968724f1e9b7a918be369d392cacf5ac4211

SHA256
99f1aaf242152445539a45f38572c42c88477c46f180f1c9384765789a12714d

SHA512
9c4d2916a72c0bcf421a64e50930cea36feea6b9e1b3d3dfcf3537b6dc6d00f3de53664759d941fee7c4a7a34ffbdf95b70be7de22d0b0a430717edc44618934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qswk.exe

Filesize
237KB

MD5
f845fc5a14eb038ef25315ab98462386

SHA1
6af99d6203aa72dac9a007a162be5e2b0cff9fa1

SHA256
99d0585e81172e6c639e059115825b8abee8fd75a8572507a62c8c253aff42a8

SHA512
925384027edc83f77c4bfe7159cf1ffa4a6f449af1f0642db37730e06bf2c8a25120576c29829c8aa356331d1669f47f259aa5fc1d29e3929c8b0e21a53d138f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIa.exe

Filesize
152KB

MD5
9b3780cf3538cdd74ff46e24c308fc3b

SHA1
a1a2e29b4c3d02bf9317c54ef334c52143d284a9

SHA256
5eda66b17c9f566b784633b17f9dabefd8b83e292daa182d6cc5e9538ccbfd14

SHA512
22a33c19a7ad4ed4230eac2c58ed26971ec7cb222005df53dcf376998c4416910fbab4cafc6d2f6ac72879301058102acf425b4576ab1a1360066ef2087cbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc_avx_clear_pattern.exe

Filesize
112KB

MD5
e9cc8c20b0e682c77b97e6787de16e5d

SHA1
8be674dec4fcf14ae853a5c20a9288bff3e0520a

SHA256
ef854d21cbf297ee267f22049b773ffeb4c1ff1a3e55227cc2a260754699d644

SHA512
1a3b9b2d16a4404b29675ab1132ad542840058fd356e0f145afe5d0c1d9e1653de28314cd24406b85f09a9ec874c4339967d9e7acb327065448096c5734502c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMO.exe

Filesize
150KB

MD5
72b58f0248e487b54916d520566f59e6

SHA1
f2b66dc0315a5711765a8f9b51abb028d38cccf7

SHA256
c7525c5a737f1a638ef3309418cb27251ebfd474d433c4118563e01734c2a71f

SHA512
874effbd8ec8a5e5e106a22d412d8dba20c2c6445211e8d735d634c515341a7f93d86528f65621c5b29898b952c97e5db517b9ab633880786965290fec1bc65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscc.exe

Filesize
3KB

MD5
f75ed4ea8d9f4ae281ff81a73b0f4aa8

SHA1
5450958bdc500bed952c548e99be446d98c0ece5

SHA256
5562ca205bf72038d9a2958ce783d06fdfc44a2fda1d021db830b99b4ce967ba

SHA512
bfacb1c9ef249ca10be0c6daef15c100779c6190ff98ec2b3b71605ee987841ae16003b921d77d35369ab89dfe3cff1af98ba3e546edead8cf4a9eed447dd038

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikAy.exe

Filesize
2.3MB

MD5
1d0bd1e9dd2661fe266860db04891806

SHA1
ab811633ea163021a691a3cc7c6fd527a861d63c

SHA256
04fd5945cc04be6ebf52087d7c14549e00034323387060092ff31581cd4c66fc

SHA512
dbe71743d1c773adaabadce82c239690958dc71c0b2f734ba417fd7a5ffce4be62b3dc93975e4aace1250dd4893874e507a0eb951ef14c2006c81f7a95691724

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsMu.exe

Filesize
569KB

MD5
ca85bbd2bde88989673e97236dfae897

SHA1
55e25f0cfe206d915c9f706a89a4ea0927b4ae58

SHA256
6f8bef4a27e6497a24f2fd151d5806135de2dc515eef938ba339f0f27b8d9e08

SHA512
6336c6edc45c98f2aee1d931303d62cf1796f924af0e8757f32f85c886e588559b2c0cd1f686510f8b8646b1cbada104329a6504e033749c9cec2fe9a34f3dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yokk.exe

Filesize
92KB

MD5
d3c05492b8f570bbf779e40fdbe79be2

SHA1
ff6d9b5456b01dda48b187c0604051231715d83f

SHA256
5fe5ca64118a34406efc6cfd095e3a98adfee38a0db761a6cf7a72f8fdc93940

SHA512
b0a2da81061ae62f4995216bbcd950b50a9ac53b455797f9bdac5724554ccd121f13c31901545cf76271ad9b4d1ceb6162559c3916d456e95d9663d054a0ead1

Download Submit
C:\Users\Admin\xMEsgMwY\YAoIIAUM.exe

Filesize
110KB

MD5
17a4c6c66a31c0357f5c06a70d003fa0

SHA1
2d89ba985ab32bce2086ad687c8556666ee94b5a

SHA256
ad34e98bf55e5a515ee4399983abe2430391fd1bea0cac3de87b1be66e9dabc7

SHA512
2d0a1dc05e2092dc06fb6313d052cd50bb4573a59028f4c11dceca9cb13eb46774ed4372e0900c6979db2a74254b2b7c3aafba9e39a0d5fc4eea31bdcdbbb033

Download Submit
memory/1820-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2424-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2424-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3536-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download