3269287c1b809346c7b67dbb5466d3a33f026db667e1e3e184cfc12b4214ee02

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lockfolder.exe
Size

943KB
MD5

6485f94e7623906927dbf2d80674d8fb
SHA1

766ee84733a14d0715799c954b42887ee3d02366
SHA256

4cf1567186a276ad04f7c63e2c726924f97b78314bcb28f6af810201ae182782
SHA512

c73d2ebdc3f164c6be568dfb3d2d4d5277b968dcf97a0570d2b91c31eb22b0fb0ca61e81333866a86fda2539a6d39d9291386e4ab2b7d40ab29c41443650746c
SSDEEP

24576:fxA3Z0z9d6/aqD1y62w0Wx/qkWYP4DpDzrrrpb/XKEqLBQI9mNl:fuZu9IpKoykWYP4DRwNQ4m

Score

7^/10

adware bootkit persistence stealer upx

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4752	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4772-0-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-1-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-39-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-56-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-54-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-50-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-49-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-48-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-46-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-43-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-41-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-34-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-35-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-32-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-30-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-28-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-26-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-24-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-18-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-17-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-15-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-7-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-20-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-13-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-11-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-9-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-3-0x0000000002530000-0x000000000256E000-memory.dmp	upx
behavioral4/memory/4772-70-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-71-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-74-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-75-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-76-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-77-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-78-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-79-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-80-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-81-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-82-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-83-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-84-0x0000000000400000-0x0000000000663000-memory.dmp	upx
behavioral4/memory/4772-85-0x0000000000400000-0x0000000000663000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lockfolder.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hfile.sys	lockfolder.exe
File created	C:\Windows\SysWOW64\FileHook.dll	lockfolder.exe
File opened for modification	C:\Windows\SysWOW64\FileHook.dll	lockfolder.exe
File created	C:\Windows\SysWOW64\FileBho.dll	lockfolder.exe
File opened for modification	C:\Windows\SysWOW64\FileBho.dll	lockfolder.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lockfd.dll	lockfolder.exe
File created	C:\Windows\lockfd.dll	lockfolder.exe
File opened for modification	C:\Windows\systemlockfile008	lockfolder.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileBho.FileBho\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\folderCopyHook	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileBho.FileBho\Clsid\ = "{6C788253-1062-4DDE-BBAA-14C6C9C80B70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}\InprocServer32\ = "C:\\Windows\\SysWow64\\FileHook.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}\ = "folder CopyHook Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileBho.FileBho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\ProgID\ = "FileBho.FileBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\folderCopyHook\ = "{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\InprocServer32\ = "C:\\Windows\\SysWow64\\FileBho.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C788253-1062-4DDE-BBAA-14C6C9C80B70}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileBho.FileBho\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD11ABAA-6F3F-4C5C-90A3-AEDFB93A01CE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4772	lockfolder.exe
4772	lockfolder.exe
4772	lockfolder.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4752	4772	lockfolder.exe	80
PID 4772 wrote to memory of 4752	4772	lockfolder.exe	80
PID 4772 wrote to memory of 4752	4772	lockfolder.exe	80
PID 4772 wrote to memory of 3512	4772	lockfolder.exe	81
PID 4772 wrote to memory of 3512	4772	lockfolder.exe	81
PID 4772 wrote to memory of 3512	4772	lockfolder.exe	81

C:\Users\Admin\AppData\Local\Temp\lockfolder.exe
"C:\Users\Admin\AppData\Local\Temp\lockfolder.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe FileHook.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4752
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe FileBho.dll /s
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FileBho.dll

Filesize
442KB

MD5
3fcdcbae358301e557fa2786078e5552

SHA1
76137300f6527076add1b819083db3a46854dee0

SHA256
a8443d0bfa626b818dbb09de2305e56ab0f1ebeebb1da6aabd7599523c0daf77

SHA512
1028a719a56a91a48979b324904edd34ab54811a1c2c9d5fe34189a2b8bea31a9bc384abdaf43b9dad824d7662b83566745e9a3a14fff08e0998456cb782d20d

Download Submit
C:\Windows\SysWOW64\FileHook.dll

Filesize
127KB

MD5
a5da15da770f9b00926cdcc6baed7fff

SHA1
0abb35c6b3f6d27c08bdd5679891c1a9a43179d2

SHA256
38c8637696d8f485889b9ab2a995d8c86573915e2f1c74878bbe6bfd8165dbf8

SHA512
38740e71a9db1725f3a50ea90407b61948d09ef9a29995bb3480d9a382a90f2bdd46bd5e09416f894625ad6c8a80bde88802a540002bd5530c557551b5b3979c

Download Submit
memory/3512-66-0x0000000001F30000-0x0000000001FA4000-memory.dmp

Filesize
464KB

Download
memory/4772-7-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-28-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-56-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-39-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-1-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-50-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-49-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-48-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-46-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-43-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-41-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-34-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-35-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-11-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-30-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-13-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-26-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-24-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-18-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-17-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-15-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-54-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-20-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-32-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-9-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-4-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/4772-3-0x0000000002530000-0x000000000256E000-memory.dmp

Filesize
248KB

Download
memory/4772-2-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4772-70-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-71-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-73-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/4772-72-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4772-74-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-75-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-76-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-77-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-78-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-79-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-80-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-81-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-82-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-83-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-84-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4772-85-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads