Overview
Task (platform): score
Overview (overview): 8
Static (static): 3
Destroy Wi...ng.exe (windows7-x64): 6
Destroy Wi...ng.exe (windows10-2004-x64): 6
unlocker1.9.0-x64.exe (windows7-x64): 7
unlocker1.9.0-x64.exe (windows10-2004-x64): 7
$PLUGINSDIR/Delay.dll (windows7-x64): 3
$PLUGINSDIR/Delay.dll (windows10-2004-x64): 3
$PLUGINSDI...ns.dll (windows7-x64): 3
$PLUGINSDI...ns.dll (windows10-2004-x64): 3
$PLUGINSDI...LL.dll (windows7-x64): 3
$PLUGINSDI...LL.dll (windows10-2004-x64): 3
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
$TEMP/File...er.exe (windows7-x64): 7
$TEMP/File...er.exe (windows10-2004-x64): 7
$TEMP/Quic...er.exe (windows7-x64): 7
$TEMP/Quic...er.exe (windows10-2004-x64): 7
Unlocker.exe (windows7-x64): 8
Unlocker.exe (windows10-2004-x64): 8
UnlockerCOM.dll (windows7-x64): 7
UnlockerCOM.dll (windows10-2004-x64): 7
UnlockerDriver5.sys (windows7-x64): 1
UnlockerDriver5.sys (windows10-2004-x64): 1
UnlockerInject32.exe (windows7-x64): 1
UnlockerInject32.exe (windows10-2004-x64): 1
Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 01:18
Static task: static1
Behavioral task behavioral1: sample Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe, resource win7-20231129-en
Behavioral task behavioral2: sample Destroy Windows 10 Spying/Destroy Windows 10 Spying.exe, resource win10v2004-20240508-en
Behavioral task behavioral3: sample unlocker1.9.0-x64.exe, resource win7-20240419-en
Behavioral task behavioral4: sample unlocker1.9.0-x64.exe, resource win10v2004-20240426-en
Behavioral task behavioral5: sample $PLUGINSDIR/Delay.dll, resource win7-20240221-en
Behavioral task behavioral6: sample $PLUGINSDIR/Delay.dll, resource win10v2004-20240508-en
Behavioral task behavioral7: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240220-en
Behavioral task behavioral8: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240426-en
Behavioral task behavioral9: sample $PLUGINSDIR/LangDLL.dll, resource win7-20240221-en
Behavioral task behavioral10: sample $PLUGINSDIR/LangDLL.dll, resource win10v2004-20240426-en
Behavioral task behavioral11: sample $PLUGINSDIR/System.dll, resource win7-20231129-en
Behavioral task behavioral12: sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
Behavioral task behavioral13: sample $TEMP/FileUnlocker_Installer.exe, resource win7-20240508-en
Behavioral task behavioral14: sample $TEMP/FileUnlocker_Installer.exe, resource win10v2004-20240426-en
Behavioral task behavioral15: sample $TEMP/QuickStores_Unlocker.exe, resource win7-20240508-en
Behavioral task behavioral16: sample $TEMP/QuickStores_Unlocker.exe, resource win10v2004-20240426-en
Behavioral task behavioral17: sample Unlocker.exe, resource win7-20231129-en
Behavioral task behavioral18: sample Unlocker.exe, resource win10v2004-20240508-en
Behavioral task behavioral19: sample UnlockerCOM.dll, resource win7-20240419-en
Behavioral task behavioral20: sample UnlockerCOM.dll, resource win10v2004-20240508-en
Behavioral task behavioral21: sample UnlockerDriver5.sys, resource win7-20240508-en
Behavioral task behavioral22: sample UnlockerDriver5.sys, resource win10v2004-20240426-en
Behavioral task behavioral23: sample UnlockerInject32.exe, resource win7-20240215-en
Behavioral task behavioral24: sample UnlockerInject32.exe, resource win10v2004-20240426-en
General
Target: UnlockerCOM.dll
Size: 13KB
MD5: 526cca0e9ffa289cfcce2df4fcee6e03
SHA1: 96e3aba32f8fecfd1e18c9575b137fd251f56e8b
SHA256: d0bbc15241b0de1842e54a7addbc8b5d3a76ea087f21d4b026ec9923742bd029
SHA512: 582dc656407e0ceaac0206b11d1e8dba38d1660a718a4cef9546781397558d73d80b283d45ec23090f59ae8ac9ef05ba1070974acf18c566c562c83ff2995147
SSDEEP: 384:l0cviyVcgoH1a3FveCAmbtQ/o8DhQLMw:l03nTHsFv+/oih5
Malware Config
Signatures
Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 | regsvr32.exe
Modifies registry class (11 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension | regsvr32.exe