modiloader | 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

General

Target

WinLocker_Builder_0.4.exe
Size

699KB
MD5

81dd862410af80c9d2717af912778332
SHA1

8f1df476f58441db5973ccfdc211c8680808ffe1
SHA256

60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
SHA512

8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15
SSDEEP

12288:0L/xX5KVeOnuH/u1Wig295xsmVXf6AaQLmEc+pdmWSwIHUOS6Vp:0bxpUz13g27raQmEcomWSHHUD

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-1-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-2-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-4-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
C:\Users\Admin\Desktop\123.exe	modiloader_stage2
C:\Users\Admin\Desktop\RCX60C8.tmp	modiloader_stage2
behavioral1/memory/2904-28-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/2888-29-0x0000000000400000-0x0000000000466000-memory.dmp	modiloader_stage2
behavioral1/memory/2888-31-0x0000000000400000-0x0000000000466000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-32-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral1/memory/2904-33-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

123.exe

pid process

2888 123.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

123.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\123.exe = "C:\\Users\\Admin\\Desktop\\123.exe"	123.exe

Drops file in Windows directory 2 IoCs

Processes:

WinLocker_Builder_0.4.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	WinLocker_Builder_0.4.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	WinLocker_Builder_0.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 52 IoCs

Processes:

WinLocker_Builder_0.4.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinLocker_Builder_0.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	WinLocker_Builder_0.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	WinLocker_Builder_0.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WinLocker_Builder_0.4.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WinLocker_Builder_0.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	WinLocker_Builder_0.4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

123.exe

pid	process
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe
2888	123.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WinLocker_Builder_0.4.exeexplorer.exe

pid process

2904 WinLocker_Builder_0.4.exe
1800 explorer.exe

pid	process
2904	WinLocker_Builder_0.4.exe
1800	explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinLocker_Builder_0.4.exe

pid process

2904 WinLocker_Builder_0.4.exe

pid	process
2904	WinLocker_Builder_0.4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

123.exe

description	pid	process	target process
PID 2888 wrote to memory of 1800	2888	123.exe	explorer.exe
PID 2888 wrote to memory of 1800	2888	123.exe	explorer.exe
PID 2888 wrote to memory of 1800	2888	123.exe	explorer.exe
PID 2888 wrote to memory of 1800	2888	123.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2672

C:\Users\Admin\Desktop\123.exe
"C:\Users\Admin\Desktop\123.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2876

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\123.exe
Filesize
382KB

MD5
97eb6f7ec0586fe37b82dbe2f522da35

SHA1
7b9995845a89aec0a6eabe7e9eeb446abe8e5d58

SHA256
f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1

SHA512
888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49

Download Submit
C:\Users\Admin\Desktop\RCX60C8.tmp
Filesize
387KB

MD5
b7a9bac5e1d13510aabb8873da52af23

SHA1
1d11860c87b1ed4855cfd1372b9d534cfc79c839

SHA256
b5de3b8a184dc755d8f009025e37d5de230215b8438baec52ae3418e7d8ef669

SHA512
a175ed00d491d418e99a858923af3c7ab5c33328c4cde9d7297fba81d1c07b1cbc546aa37eae885d6ed02ac9e9d4655c3f69c089287486364e1b832acb40d5f6

Download Submit
memory/2888-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2888-31-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2904-0-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-1-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-2-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-3-0x0000000001FD0000-0x0000000001FD2000-memory.dmp

Filesize
8KB

Download
memory/2904-4-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-28-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-32-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2904-33-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads