Resubmissions
15-09-2024 23:12
240915-27aqvsxhjq 815-09-2024 23:02
240915-21efgaxake 815-09-2024 22:58
240915-2xypyaxdkj 315-09-2024 22:56
240915-2wn44sxcpk 315-09-2024 22:43
240915-2np2fawhpr 315-09-2024 22:42
240915-2m3k5swhmk 1015-09-2024 22:33
240915-2gqdmawbja 815-09-2024 22:27
240915-2de4gswekk 715-09-2024 22:15
240915-16esravenh 10Analysis
-
max time kernel
840s -
max time network
844s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
15-09-2024 22:15
General
-
Target
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
-
Size
2.4MB
-
MD5
dbfbf254cfb84d991ac3860105d66fc6
-
SHA1
893110d8c8451565caa591ddfccf92869f96c242
-
SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
-
SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
SSDEEP
49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 15 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected]"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected]"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 15D75181BB292912DDD9C98591DB6E462⤵
- Loads dropped DLL
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C785CF6CFB811BA72E8C7DDBFC22A58A M Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9A6AE957-E4E4-4675-92FF-E0F51775F6FB} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.microsoft.aios.us3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:209933 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.microsoft.aios.us3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x56c1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5444b1d981b5d28109a85ac791b3512c8
SHA1be95d8b9fa8d62e1a4376755e1eb771e4dc0ac3c
SHA25626f6b0bd101a2c2244d100d6f60e5627e5ecbf4151c550d7fe11b733b0616c5d
SHA512b99dce01d976d181ac12bc92165cdf5be3330119d65e73686111c3086c1eb25bc4941e5c9fd9677ad1bc4f244aaab0a6ff6e44fa614da10eb27f5b152ab033e2
-
Filesize
342B
MD51c17c85417a6e7b951611c0297b4bbc4
SHA13fa3c5ca5025511c811c1f19e383e8ef73e7a9fb
SHA256c688df116524b852a6fe410ea48f77089234ae1b3d64742d59f1c11d2fa7372f
SHA51235c6a88bb4e738a17cf15689f1e847a236606847c761dcc2b329450a6e0ef14c15f349f27e3daf5519fb38567ffe9f4c05e0586e688748d60271a3583e740632
-
Filesize
342B
MD5b8e8e4f9bd92c1d1a62192025f9a349c
SHA1866a62424b350ea22b70d377321a41ee2ad4bbc3
SHA2563156882f55c207646abd3b5ec2afd9e423316b5e4bdddc740576c5e993ce8e0a
SHA512cea89a14c12bf280edca1c439dd42fc9a93f66603e4cf6e057fa837b95f6c9e0e9aecd5112398b1b9ef5500c876d773b559da7f3c39a867de73f80eec14ad16c
-
Filesize
342B
MD5a9f0e0133330208906e058a5170b3209
SHA1a5fb946c8421ac1fd7359104e876133f035e4991
SHA25681721090115709bf819725d3643efbe3a4a822b13c23557035180f7add17591f
SHA512c0b76ddbdf40054bc6ef93a5aacded58c44ec784eed4e9cd1d4514370df8bd1f338c1e3ef703076ed5546a6e8cf015122f2bf0988144676e13a82fe99f48b4e5
-
Filesize
342B
MD58760b6d18a1cf76ef5756290afe3990d
SHA16b73746b3e4af3a7328caf0678220b575a9a1a13
SHA256e17f04db2e13a2fdf4aaedf4a851c6f4d77c8106118c94f3db149005a6701ad1
SHA512721f58a8c242af205952f59b7373a4a43c2ec3fabab4178ad4643dd2edcb052ba126a81aed0b13b61bbdadf31b2b5274ffda37f9497c8d2558121f0873972615
-
Filesize
342B
MD5044ad0bb6228350a03523a4ff07088d2
SHA13677aeac05ce0c40d9c6e977c4d311aeeb073a71
SHA2562628b9f2136a8d9dd42fcc3e8901d36e032d0b62de8b19f07de78c5e2ed6b644
SHA512ecbc278ad9fe73446f9e5da4ff0ddf9c11b28f6e843973d6e955b47cb44afa43d9969dab03e4706ed7e6551fa2d2b86cc71f4236a8581615b2c2571477846cc4
-
Filesize
342B
MD5e8e766487d8b3d797c8fa3766043a74f
SHA16cc183f341b8e411c54d2b1da70959d23074ebd5
SHA25693486ae2c2b60867b15598549bf7449389bf01512cd11281528bbb27cdda1873
SHA512e11bd0df062b1123f1ccd7b75a8aa2f205e34db5cc7c0be8ab7c044353bd19013902b8891e60eb6e2e69f4fc0e0acb60c42d010577321e666946c1863200e500
-
Filesize
342B
MD5d6d218bfa6250de9ce706b779569d5b9
SHA190dc65db188600e11466f296f14eb1814dfcb08d
SHA2565e92b2bd9477af90385670980314dcba1e8d5b3868ba06b77780959e566643d5
SHA512d80ed1efe6e83f6f126689fda58a77a64c3b5f0ae8cbe22660e850ae30d55c6c97a5e4707a8144787608929e31f145dde3b453d2d9d2b0acc594c506fed9d930
-
Filesize
342B
MD50fc0528e66247d80a632115101f72cbe
SHA156a9268c4449df1b92f987d8548aab059528fdf8
SHA256a4f25b11447bffedbe1a74fb8ea8759b46036a7b9293c61dea57f062cb3cc07e
SHA5121ccb76baf7ce9a7309c00445836e1e5e52840f61b6e50640c42dc9f799580d3b9922d5426b16f9e82257da9f5af36f9040669dd15175eef8a859244d8c6523af
-
Filesize
342B
MD5d1062f8c4ad437efe97873aea1c9576c
SHA189b4e8748e3e0098bbeb669e2811d44a043955b1
SHA2564a9875edad9a014e9912fa52bdd12d96a82a74fee97081042943ba3c296f3145
SHA512b8168876a953f8a9bc2f19ec93c60ccf7d219a1154429904d3c2466ef9ef8f72195a0d86f9667150ad335f3d29b960c475bee1919082824ac395fed25503ef54
-
Filesize
2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
Filesize
8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
Filesize
84B
MD59037f5260ecf1f1e895817fbfb52ed20
SHA1c13d66a43e0c09a9c1952bc8b64d7273809eea4c
SHA256b44a5b1b3713c52a80aa67b2d4bc52318d4c72f6db40568c7003851fbf7d61c9
SHA512c4785d087e34239c6b40276271ff50ad55e0c3f1d4e57d16928eda84725e8f1a7babb0d14a44896d905e9eed8d25d89d9e0cedd4971900dd206d881d0e9b8dda
-
Filesize
84B
MD56862c58cc3c4c4fb501048e45d7fdc37
SHA1a8287e4f884e61035945612b9b7fe884d57a4006
SHA2564cf7c34a96ffff992a6876a77f70a7bbe2348272e5ac971419e60a4efecd0cd5
SHA51294e6df6e74a4d13152b690e5ef4ad1538b0e3593c8f7907b3a9e48aec2ff04d13fdbf9acd040be52596783e2e44f7dbabc92b92938a046d0616db460d499e564
-
Filesize
1KB
MD501dc1e6389c0bfb2e509f2f4bee3dcd3
SHA17ba2f86636872ab346148fb4963671b8292d7cf0
SHA256cfaa067b97c38131c86d261a1c6d428ce0f9dd9fe5a7faaee609159e0883e34c
SHA5120db91cd519a04750a87c24f503da8e67ec9101e466d6d0f58f9bd12875428d6208610e535b6035b1f6a8d2b13f054f80a59f2c7ca74920bcfc3cb83eef887078
-
Filesize
2KB
MD55cae28c041cc2791d9d09546fb6734f6
SHA153e5162ef76f1de7ffe43b46b860b539d7ff2d20
SHA256291bec0b84ee27d601a1d33fa6e55fb0b54f18e8f249faf5bb6cd95e31af54a3
SHA51274f0a1d050a04ca4c9976ecb46e10f2435c71edd810942659019d1366bfbcfaebc1c9b2fb523bac47050f9ec3cafd298715cdac350655da0ec7cc28c8734f2fb
-
Filesize
3KB
MD554d2fcb2b46726898c74cb74e74154cd
SHA11a1e7f04555e2a651adc4e9c5c648dc9c3890e06
SHA25642671812ea10f4174a99abe8ef557a75af954916fe9a39bd5e1f0931cf3bf1cf
SHA5125419c7fe0339565bbe7dcbf1535891809f1264233b4045de8fe692507122f8a7904a84760f2cb5728f51394dbf32ba6f443c4333ff97a0ea41306b181ecf85ea
-
Filesize
4KB
MD516a1fa587771973d1ac5ffa144dff5aa
SHA19d636228787ef8cbc8c74d09966a4586f577528d
SHA2563bad65b9d885c607ffaf2970f851386b5ed06f3a0795beff9228ff0eacc0facc
SHA512e11c175921eaf0ddb088cd194bb6c89ea111309664a815835ea186e19f660f78f0eaf2d594643897b22266486db56180b385033279090dd1470a05facf22e5d0
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1010KB
MD527bc9540828c59e1ca1997cf04f6c467
SHA1bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA25605c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848
-
Filesize
724KB
MD5bab1293f4cf987216af8051acddaf97f
SHA100abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA5123b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49
-
Filesize
24KB
MD5e579c5b3c386262e3dd4150eb2b13898
SHA15ab7b37956511ea618bf8552abc88f8e652827d3
SHA256e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA5129cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb
-
Filesize
180KB
MD5d552dd4108b5665d306b4a8bd6083dde
SHA1dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969
-
Filesize
88KB
MD54083cb0f45a747d8e8ab0d3e060616f2
SHA1dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA51226f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133
-
Filesize
96KB
MD53cab78d0dc84883be2335788d387601e
SHA114745df9595f190008c7e5c190660361f998d824
SHA256604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820
-
Filesize
128KB
MD57e6b88f7bb59ec4573711255f60656b5
SHA15e7a159825a2d2cb263a161e247e9db93454d4f6
SHA25659ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c
-
Filesize
312KB
MD5aa82345a8f360804ea1d8d935f0377aa
SHA1c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA2569c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db
-
Filesize
126KB
MD53531cf7755b16d38d5e9e3c43280e7d2
SHA119981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA25676133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA5127b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd
-
Filesize
4.1MB
-
Filesize
184KB
-
Filesize
44KB