42e09b70c772bdc92d6d5967c2ccafa94afa9d40a57ad12f1a9b467800f149db

Resubmissions

30/04/2024, 13:52

240430-q6kc5aaa75 10

30/04/2024, 13:45

240430-q2gfnsgc5z 10

Analysis

max time kernel
15s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
Size

563KB
MD5

18d4e2a9d29bbb1fb3ca7aecb8599fef
SHA1

84adad96793eaacc2c88cce5fa8c530fc682016b
SHA256

42e09b70c772bdc92d6d5967c2ccafa94afa9d40a57ad12f1a9b467800f149db
SHA512

e63e83891129b9af8a0aa25373a25c6eaec417ab692b1dc4286c4fdcdb32fa498f5efcc12525ccc7e062b9bf95256105b5ec130fb7d5c288a48e3dd7c0cf7051
SSDEEP

12288:1T51V/J0Ndm8wuNeCiLpYX3a01HP9mwijqTx:nadmMNvN1g

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1072	eOwQwEwY.exe
4840	ggYQQoIg.exe
3772	setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eOwQwEwY.exe = "C:\\Users\\Admin\\YCgUIUEQ\\eOwQwEwY.exe"	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggYQQoIg.exe = "C:\\ProgramData\\MOAogcck\\ggYQQoIg.exe"	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eOwQwEwY.exe = "C:\\Users\\Admin\\YCgUIUEQ\\eOwQwEwY.exe"	eOwQwEwY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggYQQoIg.exe = "C:\\ProgramData\\MOAogcck\\ggYQQoIg.exe"	ggYQQoIg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3348	reg.exe
4828	reg.exe
1112	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3772	setup.exe
3772	setup.exe
3772	setup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1072	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	84
PID 2024 wrote to memory of 1072	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	84
PID 2024 wrote to memory of 1072	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	84
PID 2024 wrote to memory of 4840	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	85
PID 2024 wrote to memory of 4840	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	85
PID 2024 wrote to memory of 4840	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	85
PID 2024 wrote to memory of 3524	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	86
PID 2024 wrote to memory of 3524	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	86
PID 2024 wrote to memory of 3524	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	86
PID 2024 wrote to memory of 3348	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	89
PID 2024 wrote to memory of 3348	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	89
PID 2024 wrote to memory of 3348	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	89
PID 2024 wrote to memory of 4828	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	90
PID 2024 wrote to memory of 4828	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	90
PID 2024 wrote to memory of 4828	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	90
PID 2024 wrote to memory of 1112	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	91
PID 2024 wrote to memory of 1112	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	91
PID 2024 wrote to memory of 1112	2024	2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe	91
PID 3524 wrote to memory of 3772	3524	cmd.exe	92
PID 3524 wrote to memory of 3772	3524	cmd.exe	92
PID 3524 wrote to memory of 3772	3524	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_18d4e2a9d29bbb1fb3ca7aecb8599fef_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\YCgUIUEQ\eOwQwEwY.exe
  "C:\Users\Admin\YCgUIUEQ\eOwQwEwY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1072
- C:\ProgramData\MOAogcck\ggYQQoIg.exe
  "C:\ProgramData\MOAogcck\ggYQQoIg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3348
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4828
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
568KB

MD5
e20ce7b7a0a3cbab546381145c71cdbc

SHA1
ddad308b81cd4d0640e4ebc286178e8d16ac6bb9

SHA256
c37c929957450cb74356ab81f81b2b4c901f93a7904e10ec0fd4b00d2edd3888

SHA512
71350e9249a583f6a2bbaf3f973e804b85f5df192943b4cd7111e31b5a73dbe8cdc0b52017c85c5b650ce84102fcfe990b5246a6bb6b345eefb7de17aacdbeac

Download Submit
C:\ProgramData\MOAogcck\ggYQQoIg.exe

Filesize
109KB

MD5
0b8308efa9c9e7059f39418d341ac0fe

SHA1
03e27ce19331bcb9b6e14b44c0967b556ba459ec

SHA256
569d4b4bdaab3bd3d89b691cc24de87d3f66c3c0fa80f7e0b341df47fd8871c3

SHA512
614244217e21973be7e59fb3ee2dfc0d604cdb040b986b61cb36a7db5c9f36f66cee2e7ee720ee3e15aa0b663c9ca90bddab53f70234b25e6a64c5583657b29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIy.exe

Filesize
237KB

MD5
ede61d8a80112eb3846d52a4e077c339

SHA1
d7b29817b643f4b198c114f8153e6f35efd62250

SHA256
2386d8e3c2e27eddc529700493192d41ad742a0bda64d3ddfd83da5f0554db1c

SHA512
176a74f00d1feb44261c7193ee63796082cbe6167de8c94f039a2de07f7e45ee59cdc64e68e9ebb76eee050215049d238df588fee606a25cc10b890f065bbd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEsM.exe

Filesize
156KB

MD5
db6bd1fa2b37a49175e259f1172e4857

SHA1
bc0bb757bc3a745198df24b2679dd28df54693ca

SHA256
46907b6fdfbd40dc16f6464e7d5238c5edc65f95948416fab6b11d98e1e271e0

SHA512
b19fe2849ff342847ba60297db9896b92b1eb508f1fcd1f6239d627b37ecd8bf44493aeb973d636aafce249cfd418b368df2e6461e71c1aff95f9e7b5ce91088

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYIU.exe

Filesize
240KB

MD5
16117051bc1fcee77132a5210c6f36e5

SHA1
80a00c0a09bde7e61f8ab4fe26c61d12112ebf50

SHA256
362a9a878d56fc0c5925873ca4ae797641d4b186b2111672e364406f9b03c3d3

SHA512
a4cf805331250b61c04ce7b9b23a700d4530f3518dd08769682405bab2bb4412c7927f46d1a982744537041275161cf981dc53fdaee91578ec41327c68011748

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoM.exe

Filesize
138KB

MD5
8c76f48541740ca70bc2b49c1dea1ef1

SHA1
dad0777fce0e33be5e5141875c096350512af66e

SHA256
9f6cff83866e86d7b555e68f03ac1450eebea6006de65dad1296f3464b4d404f

SHA512
ee6f197aed677f3027bbcd2a0235e401bdfcbcc7f37a47fc78d16025a74b8c0a156914725f731236870ebaf3e36d0e9684da80a1b1e2490e14036ad17d150e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcC.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYUA.exe

Filesize
151KB

MD5
5cfd23d5cf621c485f2e56727c06f35d

SHA1
4513b1d7020e83b4751450fb0ad2fe9c306cf91f

SHA256
70143b982557ab4c65a1f83f7eff68db771d57fc19aa0e8b4ccf7f2b26f62207

SHA512
e558e6c620a55a72842988f694eeb5f2b69ee4a92916700c1de9634e7570a1096e6371305452f5c63b0f986b9255941fc949cb6b4e313f54d8d60553f3a52c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwA.exe

Filesize
139KB

MD5
3006055ca16822f6dcde299219b9a2f4

SHA1
59608d00c43e091256c8472248681c80462067b2

SHA256
33cc8af2089f008340d6c5159215d7a8120a6e8cc722bb813c5a13431119cc2e

SHA512
b12ac71933c3cc111bca9d3688de7a5ba5b50899e2d70f06acbfa131c2f602ed8e85909f8a8ef3090325b204382ecd28ccc044ee1df64cdaed44ca02cc1372ca

Download Submit
C:\Users\Admin\YCgUIUEQ\eOwQwEwY.exe

Filesize
109KB

MD5
46d5f59cf0e441dac0b6b6dbc9917d51

SHA1
6be9369944d0f01efff9e501bf3b6500482e5cb4

SHA256
781ff99cb1a6280668199df01af5d68482fa7420ca302275cc7185389950d3a1

SHA512
4b0e6dbfb9f036a930cd4656c4b59ebf6ec5b21901b9a5e33004c99ff3c9aea38d7aff1757cc46b9b380dc16e22362758872f2c03a33e7ddc1a900c640d4cfe2

Download Submit
memory/1072-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2024-17-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2024-0-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4840-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download