Analysis
max time kernel: 300s
max time network: 298s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-05-2024 18:36
Behavioral task: behavioral1
Sample: WinLocker_Builder_0.4.exe
Resource: win11-20240426-en
General
Target: WinLocker_Builder_0.4.exe
Size: 699KB
MD5: 81dd862410af80c9d2717af912778332
SHA1: 8f1df476f58441db5973ccfdc211c8680808ffe1
SHA256: 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
SHA512: 8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15
SSDEEP: 12288:0L/xX5KVeOnuH/u1Wig295xsmVXf6AaQLmEc+pdmWSwIHUOS6Vp:0bxpUz13g27raQmEcomWSHHUD
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 20 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2364-2-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-13-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-15-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-16-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-17-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-18-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-20-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-21-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-22-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-31-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-43-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-44-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-47-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-48-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-49-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-50-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
behavioral1/memory/2364-51-0x0000000000400000-0x0000000000545000-memory.dmp | modiloader_stage2
C:\Users\Admin\Desktop\RCXD55F.tmp | modiloader_stage2
C:\Users\Admin\Desktop\asd.exe | modiloader_stage2
C:\Users\Admin\Desktop\asd.exe | modiloader_stage2
Executes dropped EXE 1 IoCs
Processes:
pid | process
868 | Upx.exe

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Upx.exe | upx
behavioral1/memory/868-101-0x0000000000400000-0x000000000057E000-memory.dmp | upx
behavioral1/memory/868-110-0x0000000000400000-0x000000000057E000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 64 IoCs
Processes: WinLocker_Builder_0.4.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | WinLocker_Builder_0.4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | WinLocker_Builder_0.4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | WinLocker_Builder_0.4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | WinLocker_Builder_0.4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 | WinLocker_Builder_0.4.exe
Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "2" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | WinLocker_Builder_0.4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" | WinLocker_Builder_0.4.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | WinLocker_Builder_0.4.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: WinLocker_Builder_0.4.exe
pid | process
2364 | WinLocker_Builder_0.4.exe

Suspicious use of SetWindowsHookEx 13 IoCs
Processes: WinLocker_Builder_0.4.exe
pid | process
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe
2364 | WinLocker_Builder_0.4.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes: WinLocker_Builder_0.4.exe
description | pid | process | target process
PID 2364 wrote to memory of 868 | 2364 | WinLocker_Builder_0.4.exe | Upx.exe
PID 2364 wrote to memory of 868 | 2364 | WinLocker_Builder_0.4.exe | Upx.exe
PID 2364 wrote to memory of 868 | 2364 | WinLocker_Builder_0.4.exe | Upx.exe
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"
  PID: 2364
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Upx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Desktop\asd.exe"
      PID: 868
      - Executes dropped EXE

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4144

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 1124

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 2492

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 2976

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4668

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 3940

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 3176

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4376

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 776

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4464
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: f636bb22c96d1d096ff4d6140f045a97
SHA1: f0afce8b0a5c82fb52c70be4cdce039a7fff7cbc
SHA256: 9ee21216db71d8e730a5decee8d1e6a166470c38096cb716491e11759453f52a
SHA512: 20fd5108fa5cdc77bb325385968d3fd048c536f8ac51e7f66f51fe8e367c8cce35f93d3fc931a5c43945df3a1681e46191d00782e19b01e8975b50beb90e0b36

Filesize: 14KB
MD5: a1e53a66fae6381feb626622d4608a86
SHA1: fd0ba6b10878bba45bab306bb89020b7d6233d76
SHA256: 33f0f4861ddcd5fea204612598a89d50aafd7750426a19bdaee401dde0f093a6
SHA512: 9bf4ec9f975b63faed933bdd301c8a312c940ce89732355f47e3ad2a661534db7c13747bb799e1709399032cb1ccef997ccd3f4f80853ca2f63ab6010e1db001

Filesize: 14KB
MD5: 867c71eff6afffc64e7f41954bd2cb75
SHA1: 25af5fd9e3d090aa1d99093eb33fb40c62e5d7e6
SHA256: c00505ed4ec8951a3d2a4374ac2c7cc01affdc03d2d81da1006c2eddb64fc089
SHA512: 94a8d8c4a89335bc9ddb85013dc64ac12e910a7fff1e3203e5f82ab0d3d72072937c84f16f9bb87432be7592764c18f981feedde7a9397a26aba2e64bfa839a9

Filesize: 283KB
MD5: 308f709a8f01371a6dd088a793e65a5f
SHA1: a07c073d807ab0119b090821ee29edaae481e530
SHA256: c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
SHA512: c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

Filesize: 387KB
MD5: 1d0aca621884b727941e738a116bf2a4
SHA1: 361e0f2e67de52443b89cbcbca96b067bc30eead
SHA256: 51df50d806004e4d59be7c497b2b474d838822747b53a5422b17526300b362cb
SHA512: 9dec55524dca4cfefcb0d4426d87fddf6c802f2babe973f170e540cc591ccc7f2e4a6b35c75c1a9c5a39e647370f0627556626aa85d2e63bf17e5da90de3cf39

Filesize: 433KB
MD5: ba86a45f0ec07371681bb896a102a09b
SHA1: 10ad3f69451300fe5c7d733f9787df5987bbbf1e
SHA256: c136b7595dcb6ca9850377d104a930bae2ffb0fc787b5a52b3cb5a5210df8cdd
SHA512: 5003e270d20c807e12391d99f5d57e2c2616a708e80b736228d40927afff474099345ae2aefee920d53198eb151de82184a8bbfc81cb49894a3288fef83b5519

Filesize: 382KB
MD5: 97eb6f7ec0586fe37b82dbe2f522da35
SHA1: 7b9995845a89aec0a6eabe7e9eeb446abe8e5d58
SHA256: f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1
SHA512: 888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49