92e5a2fb9c2403bcdfffc5d91c7cc959da76e0ddd843b2d43a8a3a858f9c90a6

Analysis

max time kernel
6s
max time network
8s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 16:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe
Size

46KB
MD5

d48aeac430e7a71d766d99cbe983ffcb
SHA1

bede4570886ef435dc7ec27f4caebbd3180a5ee5
SHA256

13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120
SHA512

58f088823547fc1dcb0211396b2cac2708e434e05fcf64ebf7af8cdbafb5ec2b0cc6b8732a32e7c1836ac4021ad1bdb0740bb76e51637dbb72b180f2e7b7b2f1
SSDEEP

768:n95rEUR7jA2RLs89oEd5aYmz22HRjIiuFxN/iJh1gOWgqtCK/Q/nGqSF:/w0jA2/9Zmz7H1qPN/iJhaDYG8npSF

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2568 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

wlock.exe

pid process

2776 wlock.exe

pid	process
2568	cmd.exe

pid	process
2776	wlock.exe

Loads dropped DLL 2 IoCs

Processes:

13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe

pid	process
2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe
2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/2732-1-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2608 taskkill.exe
1884 taskkill.exe
1952 taskkill.exe

pid	process
2608	taskkill.exe
1884	taskkill.exe
1952	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

wlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveActive = "0"	wlock.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe
Token: SeShutdownPrivilege	2688	shutdown.exe
Token: SeRemoteShutdownPrivilege	2688	shutdown.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlock.exe

pid process

2776 wlock.exe
2776 wlock.exe

pid	process
2776	wlock.exe
2776	wlock.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exewlock.exe

description	pid	process	target process
PID 2732 wrote to memory of 2852	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2852	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2852	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2852	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2776	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	wlock.exe
PID 2732 wrote to memory of 2776	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	wlock.exe
PID 2732 wrote to memory of 2776	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	wlock.exe
PID 2732 wrote to memory of 2776	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	wlock.exe
PID 2732 wrote to memory of 2568	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2568	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2568	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2568	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	cmd.exe
PID 2732 wrote to memory of 2688	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	shutdown.exe
PID 2732 wrote to memory of 2688	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	shutdown.exe
PID 2732 wrote to memory of 2688	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	shutdown.exe
PID 2732 wrote to memory of 2688	2732	13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe	shutdown.exe
PID 2776 wrote to memory of 2608	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 2608	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 2608	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 2608	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1884	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1884	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1884	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1884	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1952	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1952	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1952	2776	wlock.exe	taskkill.exe
PID 2776 wrote to memory of 1952	2776	wlock.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe
"C:\Users\Admin\AppData\Local\Temp\13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2852

C:\Users\Admin\wlock\wlock.exe
"C:\Users\Admin\wlock\wlock.exe" f
2⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL C:\Users\Admin\AppData\Local\Temp\13AD5C~1.EXE
2⤵
- Deletes itself
PID:2568

C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /f /t 2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\wlock\wlock.exe

Filesize
71KB

MD5
f3fc6132327a9052d998bbc98bbfb3f3

SHA1
e02fdddf105d87b2ce66386705c5f1d41b1941f7

SHA256
70d4bfca1f13042c70daae729a925a8efd311fb5f260a0a55f10a32a621bd4fa

SHA512
3f68dca42620ab42a6c7d6340e7e8d4bfd01b93233d043ddf53fbfe90b0d3ab87833b6dda20fb3a3920409e57f7c879bbca6a2f79efeb3c670c08159169d2807

Download Submit
memory/668-217-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/708-218-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2732-10-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2732-11-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2776-162-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-159-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-22-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-21-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-17-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-16-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2776-14-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2776-12-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-58-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2776-93-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-161-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-160-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-23-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-158-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-157-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-156-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-155-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-154-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-153-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-152-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-151-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-150-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-163-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-164-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2776-20-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads