Overview (score 8)

Task                    Platform             Score
Static                  static               3
Destroy Wi...ng.exe     windows7-x64         6
Destroy Wi...ng.exe     windows10-2004-x64   6
unlocker1.9.0-x64.exe   windows7-x64         7
unlocker1.9.0-x64.exe   windows10-2004-x64   7
$PLUGINSDIR/Delay.dll   windows7-x64         3
$PLUGINSDIR/Delay.dll   windows10-2004-x64   3
$PLUGINSDI...ns.dll     windows7-x64         3
$PLUGINSDI...ns.dll     windows10-2004-x64   3
$PLUGINSDI...LL.dll     windows7-x64         3
$PLUGINSDI...LL.dll     windows10-2004-x64   3
$PLUGINSDI...em.dll     windows7-x64         3
$PLUGINSDI...em.dll     windows10-2004-x64   3
$TEMP/File...er.exe     windows7-x64         7
$TEMP/File...er.exe     windows10-2004-x64   7
$TEMP/Quic...er.exe     windows7-x64         7
$TEMP/Quic...er.exe     windows10-2004-x64   7
Unlocker.exe            windows7-x64         8
Unlocker.exe            windows10-2004-x64   8
UnlockerCOM.dll         windows7-x64         7
UnlockerCOM.dll         windows10-2004-x64   7
UnlockerDriver5.sys     windows7-x64         1
UnlockerDriver5.sys     windows10-2004-x64   1
UnlockerInject32.exe    windows7-x64         1
UnlockerInject32.exe    windows10-2004-x64   1

Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 01:18
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1    Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe   win7-20231129-en
behavioral2    Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe   win10v2004-20240508-en
behavioral3    unlocker1.9.0-x64.exe                                     win7-20240419-en
behavioral4    unlocker1.9.0-x64.exe                                     win10v2004-20240426-en
behavioral5    $PLUGINSDIR/Delay.dll                                     win7-20240221-en
behavioral6    $PLUGINSDIR/Delay.dll                                     win10v2004-20240508-en
behavioral7    $PLUGINSDIR/InstallOptions.dll                            win7-20240220-en
behavioral8    $PLUGINSDIR/InstallOptions.dll                            win10v2004-20240426-en
behavioral9    $PLUGINSDIR/LangDLL.dll                                   win7-20240221-en
behavioral10   $PLUGINSDIR/LangDLL.dll                                   win10v2004-20240426-en
behavioral11   $PLUGINSDIR/System.dll                                    win7-20231129-en
behavioral12   $PLUGINSDIR/System.dll                                    win10v2004-20240508-en
behavioral13   $TEMP/FileUnlocker_Installer.exe                          win7-20240508-en
behavioral14   $TEMP/FileUnlocker_Installer.exe                          win10v2004-20240426-en
behavioral15   $TEMP/QuickStores_Unlocker.exe                            win7-20240508-en
behavioral16   $TEMP/QuickStores_Unlocker.exe                            win10v2004-20240426-en
behavioral17   Unlocker.exe                                              win7-20231129-en
behavioral18   Unlocker.exe                                              win10v2004-20240508-en
behavioral19   UnlockerCOM.dll                                           win7-20240419-en
behavioral20   UnlockerCOM.dll                                           win10v2004-20240508-en
behavioral21   UnlockerDriver5.sys                                       win7-20240508-en
behavioral22   UnlockerDriver5.sys                                       win10v2004-20240426-en
behavioral23   UnlockerInject32.exe                                      win7-20240215-en
behavioral24   UnlockerInject32.exe                                      win10v2004-20240426-en
General
Target: $TEMP/FileUnlocker_Installer.exe
Size: 886KB
MD5: 68bdb2da97b513a6f5a7461b2086ae93
SHA1: 706735e2d3b2714013670d7113cd66949e236c39
SHA256: 88d9cde0fb6dbd9447bab7da5e5c1179d504da54d4f7605e2ddf22d64bb07820
SHA512: 7a2355eaef00523d4fc14fd56da6efde1bfc4beaa37ecbea342bab86621c1413bb243fde3310d3bd08690efe575e98c624befd676c511f21728a8015f98cfa93
SSDEEP: 12288:iYETKD+2Otvj+Iv2fyx3QP0MxvS6MxlnoP189Bh86+u1+4kS12cVrm:idA+2zfyxQPh2lnoPWCQ+Vs
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: bing_toolbar.exe, bing_toolbar.exe
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation   bing_toolbar.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation   bing_toolbar.exe

- Executes dropped EXE (2 IoCs)
  Processes: bing_toolbar.exe, bing_toolbar.exe
  pid    process
  2012   bing_toolbar.exe
  316    bing_toolbar.exe

- Loads dropped DLL (12 IoCs)
  Processes: FileUnlocker_Installer.exe
  pid    process
  2920   FileUnlocker_Installer.exe   (12 identical entries)

- Drops file in Program Files directory (32 IoCs)
  Processes: bing_toolbar.exe, bing_toolbar.exe
  All 32 entries are "File opened for modification" by bing_toolbar.exe; each of the 16 paths below appears twice:
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\0.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\1.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\2.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\3.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\4.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\5.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\6.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\7.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\8.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\9.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\10.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\11.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\12.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\13.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\14.png
  C:\Program Files (x86)\Bing Bar Installer\BootStrapper\install_start.htm

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings
  Processes: bing_toolbar.exe, bing_toolbar.exe
  description   ioc                                                                                                     process
  Key created   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main   bing_toolbar.exe
  Key created   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main   bing_toolbar.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: FileUnlocker_Installer.exe
  pid    process
  2920   FileUnlocker_Installer.exe
  2920   FileUnlocker_Installer.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: FileUnlocker_Installer.exe
  description                        pid    process                      target process
  PID 2920 wrote to memory of 2012   2920   FileUnlocker_Installer.exe   bing_toolbar.exe   (7 entries)
  PID 2920 wrote to memory of 316    2920   FileUnlocker_Installer.exe   bing_toolbar.exe   (7 entries)
Processes
FileUnlocker_Installer.exe (PID 2920)
  Path: C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  bing_toolbar.exe (PID 2012), child of PID 2920
    Path: C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings

  bing_toolbar.exe (PID 316), child of PID 2920
    Path: C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Downloads