fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397

Analysis

max time kernel
31s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlocker1.9.2.exe
Size

1.0MB
MD5

1e02d6aa4a199448719113ae3926afb2
SHA1

f1eff6451ced129c0e5c0a510955f234a01158a0
SHA256

fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397
SHA512

7d0f1416beb8c141ee992fe594111042309690c00741dff8f9f31b4652ed6a96b57532780e3169391440076d7ace63966fab526a076adcdc7f7ab389b4d0ff98
SSDEEP

24576:eLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbT:+PbVvwqQpoLHontDrlbT

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"	Unlocker1.9.2.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	Unlocker.exe
4824	Unlocker.exe

Loads dropped DLL 5 IoCs

pid	Process
4288	Unlocker1.9.2.exe
4288	Unlocker1.9.2.exe
4288	Unlocker1.9.2.exe
4288	Unlocker1.9.2.exe
4288	Unlocker1.9.2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Unlocker\uninst.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\Unlocker.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerDriver5.sys	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerInject32.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\README.TXT	Unlocker1.9.2.exe
File opened for modification	C:\Program Files\Unlocker\Unlocker.url	Unlocker1.9.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
2824	Unlocker.exe
2824	Unlocker.exe
4824	Unlocker.exe
4824	Unlocker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	Unlocker.exe
Token: SeLoadDriverPrivilege	2824	Unlocker.exe
Token: SeBackupPrivilege	2824	Unlocker.exe
Token: SeTakeOwnershipPrivilege	2824	Unlocker.exe
Token: SeDebugPrivilege	4824	Unlocker.exe
Token: SeLoadDriverPrivilege	4824	Unlocker.exe
Token: SeBackupPrivilege	4824	Unlocker.exe
Token: SeTakeOwnershipPrivilege	4824	Unlocker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	Unlocker.exe
4824	Unlocker.exe

C:\Users\Admin\AppData\Local\Temp\Unlocker1.9.2.exe
"C:\Users\Admin\AppData\Local\Temp\Unlocker1.9.2.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
PID:4288

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Unlocker\Unlocker.exe

Filesize
122KB

MD5
0a77f732624155a215f5ca54df9b2930

SHA1
172bdf71343dd6544cfbe04abbc3dec4535f7d84

SHA256
a0b651038c4301f70e4aea506eb90edc584a5c4ca46880c7dc2ae5eafa6dc506

SHA512
6482c9fc3b5ff9d5798deb9965b4dfab9ba62b889e921011696f29dd96b813194a59f76a52a88fa4962317c6a43a21122c857e4ca80c6c4360c2cee544117352

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
c448e42e551280591e427ed770e96ce6

SHA1
cc7e3b1bbdc006a76c4a47bc755c95be693a2aac

SHA256
520d512b4e2e1e9e39715964c6ea4ec6e6bedef2697b664dec7568b5740d80ae

SHA512
4c2574a5149f5a7e05a2070facfa18ab1ced1e944e983ae7f923873ce57bd8c782d7cfab7a3e7581b4afdb5fc53659ed016f65222ac4de78e2ee2ddbe843dd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
68c679ea4767daa446f4f94f8794ecbe

SHA1
508e63ee520fa63d6522ae0ff8f115ee161d21f2

SHA256
d48e53d479b6557077a4d50cd8f56a33345d34812b2fade012e7344ba854a49d

SHA512
fae1b8be932641b64a6847d7462cf7323acc89e76312415c87c09e1572abb8f9fa7514520621614e73193c7ea1a01f1bddc8720bfe630828a02d84f9c908050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
699a6ffb0a5611da5fd1839ae9f587ac

SHA1
7235badb212ad354c88349351e1c47a3b8b92d35

SHA256
9f62abfdd086b9a0c81ee7df5889a4f9944fd39a566b373b22ef105fa98e3e4d

SHA512
020a6cb93c4f93cf58deec330b1b692ded41f3e28950d07050776cf3f937acad2ca6ee1bae5b83b35f211a59b9e292ce456202430c1485361df39a38674e248a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
aea1a37e1a6d1f4dbf58ab7bdf8c1ba5

SHA1
492dab632849e2eec6e867443fd7d1a54c765851

SHA256
5a7ab43897d0243b152cb36fd869a97c5fa447d1ad87f5c3a56f876b0481892f

SHA512
03c6650cb8f5fad497e5f4775620def0600d7b037077b722016218603d26ae2d7fb0dde9ee3501936c7204a895d906492b2ace7626965b8122906bbab05d20ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
7ccbb69a02f30bf8a792b5e63473454e

SHA1
0a99ea69bcbee5b69366eccc148ec6b60ed04597

SHA256
5c0568ae72909df98e74ddab1023cc9011ff09665aaaa05acf4d434fd3065505

SHA512
79cc299c2e42f8f7d21c4968c0ac38382bdf51dbd779e242fc85235159fc3eb221822141f7c1405c9bba1f36ccfec6074862cc84f645018e61c405b56c4b6514

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\Delta.ini

Filesize
1KB

MD5
e30408ea253ad2751df24952c8f9b598

SHA1
19792119953fef96811bf9e938f52e7179dc9850

SHA256
cba7d279c49f99d04029e55c28f546b359c4c7fa3c61a75c78db488a871a069f

SHA512
bcd6ff9f27739fd3961ab573c72a0b91f4cda362d2b0d560cdb08937e1a614eb2f654f4513d4f9def7d274bdab82bb81eb2205bed0601e7f4951c2f7fb0666f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\delta_logo_small.bmp

Filesize
9KB

MD5
2786f736b7a2022a9117fa8cddf7269b

SHA1
feefba3044896eabe63545df3fc50056c7663002

SHA256
c92e8e901c8ff0b2384840200d2a22a9fd357f6a3d8784e5da6f93cd863d3cad

SHA512
f9160ad0d4b429250bd7b0701ceab4e7aaa643bb478309b7f684c12ba6ec3fb6f9f50141a347302314923929d74e9f5c1a6f2672f0056b0801215cdd64a030eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\ioSpecial.ini

Filesize
696B

MD5
4bc8178bc06356db6d0c5451f9a42a31

SHA1
2d30c3f45b5c289f2edfe8794fad7a59dd214460

SHA256
76ee5cab01fe8b0b980efe7e438937faf9877eef5de4c42bbc8218cd10674d98

SHA512
abe71f7db040ec6a6120491f7bebf1e33ce48fa7752228dc9d2b2ea2ecda71b79f71310a3a058ad8a3b73bf94977c89131ed52ca2f35671ddf695f74c947f7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa4799.tmp\ioSpecial.ini

Filesize
558B

MD5
55f2cf682ec68f8e8e68b4b4456286b1

SHA1
02c6422bc2f3064abd4fd5394dcf8a49eb0e449e

SHA256
df2979dea0c39e9d81a2052ac6b17b44f4c335a14aced1ccf5d365b8bb9c53dc

SHA512
d178bd2494eba42558026faa1e41574926bf79def9589cbbbc8df60bf369eb4504f310ce3fadf22ec9bbb57bf7445099caeee072e0c46dbfecf094dd29c8315b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads