85b0ceb80b672816c2590e2753122d7f3f66bea3f3d4856be5bc47a50396e6e0

Analysis

max time kernel
0s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe
Size

179KB
MD5

6058cbdb2fccd92422631ad09c3a8e04
SHA1

06addaa7094cbc332f86bbb1d75f8f797b0e3730
SHA256

85b0ceb80b672816c2590e2753122d7f3f66bea3f3d4856be5bc47a50396e6e0
SHA512

d750e9f7e5d6ad1b4e9a2ce3b25ac3183757e033546c7ed731b408b08b4603efbe1523263edaf81e1b6486badbf174bea88e5d496227312ba747a2ded5dd18a6
SSDEEP

3072:WiyKOG2r2WHapCLPpMR2zzm2QdPNjR4OKwnQyo:WiYaULPpMJ9mWnQh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	FUkAMsIg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUkAMsIg.exe = "C:\\Users\\Admin\\LAAcowkk\\FUkAMsIg.exe"	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe
3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe
3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe
3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2028	3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe	85
PID 3504 wrote to memory of 2028	3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe	85
PID 3504 wrote to memory of 2028	3504	2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\LAAcowkk\FUkAMsIg.exe
  "C:\Users\Admin\LAAcowkk\FUkAMsIg.exe"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\ProgramData\xOkEgUQU\mYkcsYso.exe
  "C:\ProgramData\xOkEgUQU\mYkcsYso.exe"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-02-21_6058cbdb2fccd92422631ad09c3a8e04_virlock"
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xOkEgUQU\mYkcsYso.exe

Filesize
108KB

MD5
da6a863bb77fa8218e55cb6048ac5789

SHA1
ce47fc44a4076de2d18134f6e5de0f85596f1521

SHA256
0bf9bcd3ee3752182353c0012ee4fb7a8149a79565eb1054f31ee8ea4a9ef135

SHA512
9df95b7653c6b21c221ae7996c18f433577afe32e26efdb2b3d4142ae6db7cdd972f1bae491c548fcc329a07caa623eaed27cb1925f1cfeadc1ddf49029fcbc6

Download Submit
C:\Users\Admin\LAAcowkk\FUkAMsIg.exe

Filesize
109KB

MD5
0c3d92e109b966137dc04a795efe05bd

SHA1
579d6d0c161b132da0f245373632851cf94e962f

SHA256
7d34f803e008e7c0e5b8e2729dfedf0f18ab1e159956344a15455f91e100dfea

SHA512
5e4a0d86279943e4fe78c37071104d2be2667ab5b7d9cd186b3385d770bf05c94c3137a0978d9b4bdab6645d0a00640d9b92d7d32899c3633d6fb82c249470e9

Download Submit
memory/2028-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3504-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download