Overview (score per tab, as listed on the page)
- overview: 8
- static: 3
- Destroy Wi...ng.exe (windows7-x64): 6
- Destroy Wi...ng.exe (windows10-2004-x64): 6
- unlocker1.9.0-x64.exe (windows7-x64): 7
- unlocker1.9.0-x64.exe (windows10-2004-x64): 7
- $PLUGINSDIR/Delay.dll (windows7-x64): 3
- $PLUGINSDIR/Delay.dll (windows10-2004-x64): 3
- $PLUGINSDI...ns.dll (windows7-x64): 3
- $PLUGINSDI...ns.dll (windows10-2004-x64): 3
- $PLUGINSDI...LL.dll (windows7-x64): 3
- $PLUGINSDI...LL.dll (windows10-2004-x64): 3
- $PLUGINSDI...em.dll (windows7-x64): 3
- $PLUGINSDI...em.dll (windows10-2004-x64): 3
- $TEMP/File...er.exe (windows7-x64): 7
- $TEMP/File...er.exe (windows10-2004-x64): 7
- $TEMP/Quic...er.exe (windows7-x64): 7
- $TEMP/Quic...er.exe (windows10-2004-x64): 7
- Unlocker.exe (windows7-x64): 8
- Unlocker.exe (windows10-2004-x64): 8
- UnlockerCOM.dll (windows7-x64): 7
- UnlockerCOM.dll (windows10-2004-x64): 7
- UnlockerDriver5.sys (windows7-x64): 1
- UnlockerDriver5.sys (windows10-2004-x64): 1
- UnlockerInject32.exe (windows7-x64): 1
- UnlockerInject32.exe (windows10-2004-x64): 1

Analysis
- max time kernel: 133s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 01:18
Tasks
- static1 (Static task)
- behavioral1 (Behavioral task): Sample Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe; Resource win7-20231129-en
- behavioral2 (Behavioral task): Sample Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe; Resource win10v2004-20240508-en
- behavioral3 (Behavioral task): Sample unlocker1.9.0-x64.exe; Resource win7-20240419-en
- behavioral4 (Behavioral task): Sample unlocker1.9.0-x64.exe; Resource win10v2004-20240426-en
- behavioral5 (Behavioral task): Sample $PLUGINSDIR/Delay.dll; Resource win7-20240221-en
- behavioral6 (Behavioral task): Sample $PLUGINSDIR/Delay.dll; Resource win10v2004-20240508-en
- behavioral7 (Behavioral task): Sample $PLUGINSDIR/InstallOptions.dll; Resource win7-20240220-en
- behavioral8 (Behavioral task): Sample $PLUGINSDIR/InstallOptions.dll; Resource win10v2004-20240426-en
- behavioral9 (Behavioral task): Sample $PLUGINSDIR/LangDLL.dll; Resource win7-20240221-en
- behavioral10 (Behavioral task): Sample $PLUGINSDIR/LangDLL.dll; Resource win10v2004-20240426-en
- behavioral11 (Behavioral task): Sample $PLUGINSDIR/System.dll; Resource win7-20231129-en
- behavioral12 (Behavioral task): Sample $PLUGINSDIR/System.dll; Resource win10v2004-20240508-en
- behavioral13 (Behavioral task): Sample $TEMP/FileUnlocker_Installer.exe; Resource win7-20240508-en
- behavioral14 (Behavioral task): Sample $TEMP/FileUnlocker_Installer.exe; Resource win10v2004-20240426-en
- behavioral15 (Behavioral task): Sample $TEMP/QuickStores_Unlocker.exe; Resource win7-20240508-en
- behavioral16 (Behavioral task): Sample $TEMP/QuickStores_Unlocker.exe; Resource win10v2004-20240426-en
- behavioral17 (Behavioral task): Sample Unlocker.exe; Resource win7-20231129-en
- behavioral18 (Behavioral task): Sample Unlocker.exe; Resource win10v2004-20240508-en
- behavioral19 (Behavioral task): Sample UnlockerCOM.dll; Resource win7-20240419-en
- behavioral20 (Behavioral task): Sample UnlockerCOM.dll; Resource win10v2004-20240508-en
- behavioral21 (Behavioral task): Sample UnlockerDriver5.sys; Resource win7-20240508-en
- behavioral22 (Behavioral task): Sample UnlockerDriver5.sys; Resource win10v2004-20240426-en
- behavioral23 (Behavioral task): Sample UnlockerInject32.exe; Resource win7-20240215-en
- behavioral24 (Behavioral task): Sample UnlockerInject32.exe; Resource win10v2004-20240426-en
General
- Target: $TEMP/FileUnlocker_Installer.exe
- Size: 886KB
- MD5: 68bdb2da97b513a6f5a7461b2086ae93
- SHA1: 706735e2d3b2714013670d7113cd66949e236c39
- SHA256: 88d9cde0fb6dbd9447bab7da5e5c1179d504da54d4f7605e2ddf22d64bb07820
- SHA512: 7a2355eaef00523d4fc14fd56da6efde1bfc4beaa37ecbea342bab86621c1413bb243fde3310d3bd08690efe575e98c624befd676c511f21728a8015f98cfa93
- SSDEEP: 12288:iYETKD+2Otvj+Iv2fyx3QP0MxvS6MxlnoP189Bh86+u1+4kS12cVrm:idA+2zfyxQPh2lnoPWCQ+Vs
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: FileUnlocker_Installer.exe, bing_toolbar.exe, bing_toolbar.exe
  Description / IoC / Process:
  - Key value queried / \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation / FileUnlocker_Installer.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation / bing_toolbar.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation / bing_toolbar.exe

- Executes dropped EXE (2 IoCs)
  Processes: bing_toolbar.exe, bing_toolbar.exe
  PID / Process:
  - 452 / bing_toolbar.exe
  - 2372 / bing_toolbar.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: FileUnlocker_Installer.exe, bing_toolbar.exe, bing_toolbar.exe
  PID / Process:
  - 3732 / FileUnlocker_Installer.exe
  - 452 / bing_toolbar.exe
  - 2372 / bing_toolbar.exe
  - 3732 / FileUnlocker_Installer.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: FileUnlocker_Installer.exe
  Description / PID / Process / Target process:
  - PID 3732 wrote to memory of 452 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
  - PID 3732 wrote to memory of 452 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
  - PID 3732 wrote to memory of 452 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
  - PID 3732 wrote to memory of 2372 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
  - PID 3732 wrote to memory of 2372 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
  - PID 3732 wrote to memory of 2372 / 3732 / FileUnlocker_Installer.exe / bing_toolbar.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"
  PID: 3732
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
    PID: 452
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
    PID: 2372
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ae0fecb16efd8cc4e62a978d47949200_4d0966de-9ba4-4ee9-b282-eaf9cf9c9160
  Filesize: 1KB
  MD5: e5fe89e70c78bc4e160a52bacbb97363
  SHA1: 645362dc00e20a791cccbbe5643be33e7873500a
  SHA256: 675a2d0bc3b56ae96f9666f8d0850365049e897614e516d9ff6396874dc8a13c
  SHA512: 68235a3b3a9ccab577f9b71412f40123806cd27a3e802376983832aaa594c9f8e85ccc52b2e67ba295390e4c32d0103a2b959e94ddcb50c00e0bfb6fb06f301c

- (no path listed)
  Filesize: 329KB
  MD5: ecec9204d3a794306cc4af1d260932e3
  SHA1: 3269a4724e61d9d97d807c1f4224e77f98333cd6
  SHA256: 0e3123bce0fcf8c1d37ecc7b52bd8b5dacb9954b15d7f84d19d64e44a2e92fa6
  SHA512: d94b48c0e633d920c8f1745f63ef983556af10df0208eb88ca0e51c91c7b3f0f629245143b7d0cc64ff9e47d9b2e39f860a6eebcc98c186a1dccdf742d42b321