fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397

Analysis

max time kernel
72s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
15-07-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlocker 1.9.2_x86-64.exe
Size

1.0MB
MD5

1e02d6aa4a199448719113ae3926afb2
SHA1

f1eff6451ced129c0e5c0a510955f234a01158a0
SHA256

fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397
SHA512

7d0f1416beb8c141ee992fe594111042309690c00741dff8f9f31b4652ed6a96b57532780e3169391440076d7ace63966fab526a076adcdc7f7ab389b4d0ff98
SSDEEP

24576:eLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbT:+PbVvwqQpoLHontDrlbT

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Unlocker 1.9.2_x86-64.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"	Unlocker 1.9.2_x86-64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

Processes:

Unlocker.exeUnlocker.exe

pid	Process
3468	Unlocker.exe
5024	Unlocker.exe

Loads dropped DLL 8 IoCs

Processes:

Unlocker 1.9.2_x86-64.exeregsvr32.exeregsvr32.exe

pid	Process
128	Unlocker 1.9.2_x86-64.exe
128	Unlocker 1.9.2_x86-64.exe
128	Unlocker 1.9.2_x86-64.exe
128	Unlocker 1.9.2_x86-64.exe
128	Unlocker 1.9.2_x86-64.exe
1256	regsvr32.exe
1808	regsvr32.exe
3304

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

Unlocker 1.9.2_x86-64.exe

description	ioc	Process
File created	C:\Program Files\Unlocker\Unlocker.exe	Unlocker 1.9.2_x86-64.exe
File created	C:\Program Files\Unlocker\UnlockerDriver5.sys	Unlocker 1.9.2_x86-64.exe
File created	C:\Program Files\Unlocker\UnlockerInject32.exe	Unlocker 1.9.2_x86-64.exe
File created	C:\Program Files\Unlocker\README.TXT	Unlocker 1.9.2_x86-64.exe
File created	C:\Program Files\Unlocker\UnlockerCOM.dll	Unlocker 1.9.2_x86-64.exe
File opened for modification	C:\Program Files\Unlocker\Unlocker.url	Unlocker 1.9.2_x86-64.exe
File created	C:\Program Files\Unlocker\uninst.exe	Unlocker 1.9.2_x86-64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

regsvr32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension	regsvr32.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

Unlocker.exeUnlocker.exe

pid	Process
3468	Unlocker.exe
3468	Unlocker.exe
5024	Unlocker.exe
5024	Unlocker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Unlocker.exeUnlocker.exe

description	pid	Process
Token: SeDebugPrivilege	3468	Unlocker.exe
Token: SeLoadDriverPrivilege	3468	Unlocker.exe
Token: SeBackupPrivilege	3468	Unlocker.exe
Token: SeTakeOwnershipPrivilege	3468	Unlocker.exe
Token: SeDebugPrivilege	5024	Unlocker.exe
Token: SeLoadDriverPrivilege	5024	Unlocker.exe
Token: SeBackupPrivilege	5024	Unlocker.exe
Token: SeTakeOwnershipPrivilege	5024	Unlocker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Unlocker.exeUnlocker.exe

pid	Process
3468	Unlocker.exe
5024	Unlocker.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Unlocker 1.9.2_x86-64.exeregsvr32.exe

description	pid	Process	procid_target
PID 128 wrote to memory of 1256	128	Unlocker 1.9.2_x86-64.exe	83
PID 128 wrote to memory of 1256	128	Unlocker 1.9.2_x86-64.exe	83
PID 128 wrote to memory of 1256	128	Unlocker 1.9.2_x86-64.exe	83
PID 1256 wrote to memory of 1808	1256	regsvr32.exe	84
PID 1256 wrote to memory of 1808	1256	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\Unlocker 1.9.2_x86-64.exe
"C:\Users\Admin\AppData\Local\Temp\Unlocker 1.9.2_x86-64.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:128
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1808

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe" "C:\Users\Admin\Desktop\SetLock.docx"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe" "C:\Users\Admin\Desktop\TraceMeasure.temp"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Unlocker\Unlocker.exe

Filesize
122KB

MD5
0a77f732624155a215f5ca54df9b2930

SHA1
172bdf71343dd6544cfbe04abbc3dec4535f7d84

SHA256
a0b651038c4301f70e4aea506eb90edc584a5c4ca46880c7dc2ae5eafa6dc506

SHA512
6482c9fc3b5ff9d5798deb9965b4dfab9ba62b889e921011696f29dd96b813194a59f76a52a88fa4962317c6a43a21122c857e4ca80c6c4360c2cee544117352

Download Submit
C:\Program Files\Unlocker\UnlockerCOM.dll

Filesize
19KB

MD5
5fe324d6c1dc481136742ab5fb8f6672

SHA1
02f2d4476006cecd771de3cbe247e432950ae916

SHA256
0a66b19bb38385a8879633dce1272b8acf1b4b264c88e254345ec249335b41b1

SHA512
faa76477503923d1c14a12f00d7d416e5fbb485560ea02ed1e6ef6337f9ad88bc612af241ea61c8f9003253ccf5f66b2c7ce4a508bb2adc761c4f36ac345195d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
638c373d11830327b055d63a00bb0bdd

SHA1
c6bce5e101aedf1fa4b48bf9233c5e9a70208eec

SHA256
640e1958423f236d5340b2b1e5fbc73c6d7b8293141f711c8a7ea9be21c25c14

SHA512
43ec5d90272ed6e3035d7eca672c6f5149b2cc25577d3a072fb1419e770babfa1b5dd629bdce27092ac832d68f99da1f2b54be2cec921be4e4e88f252ec2b0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
51011e222da69d9380b233c254aae825

SHA1
27abcb02eba321cc74059ad42d867c3675cf5771

SHA256
de5769a15266c496b1fa0bc7df45baac2a0356b22f24c2bbe6db53d004d9a17b

SHA512
65b0efe470201dd5fafe923052e8b04e1828bcadb58ed7fe0b7b48362f905e536b9a8e7486eb4502e57e55daae5f9a52707deafabd9d0b97e731ddf8d31aa5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
7ec6349b7e825222ecdabb7171a88b4b

SHA1
82642d2552320aa29062d51c6325dec503ecaba5

SHA256
65fd5f6e4a474d77e0fd8e40c20202336f1232089126a360db36b07efc81e225

SHA512
f02b3d527d302f25b9cafdbac4dae2b96fca8cd5c40c81636e7c84a0f7cd12fb82b29eac30dbe31bf122b6c34b4b23d0f0e8a2595f38b1d721e8feb9d36d9a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
99142d0353fe3b9faabb814be3636481

SHA1
0454d54de4c26ff566b2e3dd74932d41d79e46af

SHA256
2ad1bdf9989d0605524be2541dbed63364cf9a2db8094b93e5f7b921dc11afa3

SHA512
0f4491f27e5d4e6f39d7f00d0f7ac1b8ea367beda0325fb96df9626665431293d362d1b7ea5c964ff821df3b64681c0f084833ea579115d379437c49854e9400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
44dd99d4c97a56bd3d770397b0b7b237

SHA1
0088f9c7f7fd1731783504add7f06c967957e72a

SHA256
13d6ac7e5d17088d1289aed4e673c7d32a56aa38f732e08196cae570184b5ed3

SHA512
5f0e5904ddbeefc953e0ca1cddd401e9d899076fbbd4623dd8e1d2b50e7d8663e9d432036624a67f35510810847aa7a2f5e0df5f41914933d8633f1325a2553a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
78b12494683bc8ea01fb8b560db8a2a1

SHA1
b572af8b6a8cdbf71c939a5f1a7353c6db9a8038

SHA256
38095abb4ae7fcb0cafded70ce28d3711be177cbb694c4e2229757d45ea40ed6

SHA512
d127b8cef2a5350df3a95b60f6d3f3d89e8bcc07f509330747df375b21056042825f91042c5c1b27564b118fd6824bb8e205616a31e58d13244105198c055e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
b5de913134562eca674c8072bd263773

SHA1
fe2a4d6b9254b2db45a2a55e75162849e6298da0

SHA256
b2350a7960d3652edafe01d7e5a16ec41a475d624b0626f5fb0f6c2fc79c3e92

SHA512
13f984fb450209937d66e97659d5b90f17f9a6c3528dbc25389f93db140ff025da3f2b728d14828f47f15f4d3be4808a3c2c7b5f60d9b662cb23403f8abba115

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
720f2e7df4aa2d86ce000578d80d54f8

SHA1
789dede5f072538b3ee634b7a754d3d0ab22fb35

SHA256
db9bcc414fa1fc931973a872d87205e10eb62b6ba84ee6ecc006f1b1af618a21

SHA512
43a8cb78c1ed207f99c2d17de3281f1c5206399754f8d9fb247091cb29820a384388b923a3f5137f13920c1bcb35d582da503e9f6911b96e797078fc817070b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
6603fd703bda062052ef59a7d4caa4c1

SHA1
d4cde32954eda393370d34b0ed9244cb12afa17a

SHA256
caf12b41cdf097ef74439c84f889bc218a8da5859660fe8d2a947c9f82968655

SHA512
ec97d49bc02bad0308c816c1bf51eb8d013fb128b164b63eb19240c0fa9f440a377226f7ddb43071ca79ef2a67596e50bc47034e64d8cb4ce9a51005a9a080e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
6d2914e715925f0402906956a2b5c638

SHA1
a8eacf1addacd33bb6d80c84172f46db23f50a5e

SHA256
fc1d0d6c3b3979c27ed56dc47f7f4bd7907ec8ed57e98fb1db34329db810e87c

SHA512
dbd4d0555e0e1dd70c473562ea0da818b71747c4922bf261745c43254333a4508b49a18572662b7d55fe84f291a2213f09c890f719bb08714d2e3c503963489b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\Delta.ini

Filesize
1KB

MD5
89f49aa27e0cb851581648ed375d686c

SHA1
91974965a6dbb553b8ca89584d28f86fe5823807

SHA256
196a9669f2eb47cbf8bc33ec250dc8c34cc07262ae9b109e91eac33546b4b9de

SHA512
e749e6dcacb910cfa6eed665d595e0f4cdd7830b0b2f9e9789c3638ebad166dccec34bdb5765ba2f2b8325ffb3cefb5912c58ca5d4eebac936a3b73717961e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\delta_logo_small.bmp

Filesize
9KB

MD5
2786f736b7a2022a9117fa8cddf7269b

SHA1
feefba3044896eabe63545df3fc50056c7663002

SHA256
c92e8e901c8ff0b2384840200d2a22a9fd357f6a3d8784e5da6f93cd863d3cad

SHA512
f9160ad0d4b429250bd7b0701ceab4e7aaa643bb478309b7f684c12ba6ec3fb6f9f50141a347302314923929d74e9f5c1a6f2672f0056b0801215cdd64a030eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ioSpecial.ini

Filesize
558B

MD5
8d493abb53a3a871aefd98a33450f95c

SHA1
d8ee519dc9095525ae82a40e3c60cbaced957859

SHA256
df7ab6aed87ad4884a545b3029daa9323dafed254e43cf72884758db85c7dbe8

SHA512
7016a7936f907635448d5003cc9d8a204cc7c47fd1b897d2c307f18e210b5118ee764d7e54e5a458ef93b8589b625547e6bd635a11fc91e37bec95f00899916a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ioSpecial.ini

Filesize
735B

MD5
70e5058011c02125245a2498b45fbce1

SHA1
83b8ce223ca0c3fedd478035548631a9dcbc3254

SHA256
e8599ec80c09c1bbe3162c8f0873233a84fd79c127bc202403e9bdae99fedcfd

SHA512
d6507b3276fbe40d154ae8a0e42b61ce6dafb6d7a69b5fbfec491f482857b15db5ac7c9e09e0ef53d47d9d60d963add16afc3d3aca28b2d6170cdec673e67dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\ioSpecial.ini

Filesize
709B

MD5
0712c935247a1bb37373d9cd3c7e2f66

SHA1
90555f7bc276ed43da79413a42b064a3ec25acb8

SHA256
7d4c7fd71467a4c435dd6163054d57dddc381f0d878f0b93d007908070b776cd

SHA512
5309f4bf4b4f2f680f493da48f90259b905df5118ce26b9b8804b5159a89f96cc319e922adbf389a0b2680db5cf1fd304f8bf8924a52efad24d7e8b734374198

Download Submit