Overview

overview

10

Static

static

3

eeeeeeeeee...00.exe

windows7-x64

eeeeeeeeee...um.exe

windows7-x64

10

eeeeeeeeee...ug.exe

windows7-x64

6

eeeeeeeeee...le.exe

windows7-x64

3

eeeeeeeeee...er.exe

windows7-x64

7

eeeeeeeeee...us.exe

windows7-x64

3

MEMZ 3.0/MEMZ.bat

windows7-x64

7

MEMZ 3.0/MEMZ.exe

windows7-x64

6

eeeeeeeeee...MZ.bat

windows7-x64

7

eeeeeeeeee...MZ.exe

windows7-x64

6

eeeeeeeeee...ld.exe

windows7-x64

3

eeeeeeeeee....A.exe

windows7-x64

6

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...15.exe

windows7-x64

3

eeeeeeeeee...al.exe

windows7-x64

7

eeeeeeeeee...0r.exe

windows7-x64

10

eeeeeeeeee...ro.exe

windows7-x64

eeeeeeeeee...od.exe

windows7-x64

10

eeeeeeeeee...ts.dll

windows7-x64

1

eeeeeeeeee...ts.dll

windows7-x64

3

eeeeeeeeee...ot.exe

windows7-x64

3

Resubmissions

15-09-2024 23:12

240915-27aqvsxhjq 8

15-09-2024 23:02

240915-21efgaxake 8

15-09-2024 22:58

240915-2xypyaxdkj 3

15-09-2024 22:56

240915-2wn44sxcpk 3

15-09-2024 22:43

240915-2np2fawhpr 3

15-09-2024 22:42

240915-2m3k5swhmk 10

15-09-2024 22:33

240915-2gqdmawbja 8

15-09-2024 22:27

240915-2de4gswekk 7

15-09-2024 22:15

240915-16esravenh 10

Analysis

  • max time kernel
    1559s
  • max time network
    1561s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]

  • Size

    2.4MB

  • MD5

    dbfbf254cfb84d991ac3860105d66fc6

  • SHA1

    893110d8c8451565caa591ddfccf92869f96c242

  • SHA256

    68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

  • SHA512

    5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

  • SSDEEP

    49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 15 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected]"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Modifies WinLogon for persistence
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D0ADDC51D0899FE9996EA8BBB28C32E3
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2768
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C4EA71171746CF9FFCC1A7DEC3965FC9 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:692
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6E15069F-3F24-4E92-99BC-5BCB75BA2561} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
      "C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2456
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2e8
    1⤵
      PID:2520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f76fcab.rbs
      Filesize

      99KB

      MD5

      472bc982be450d944756dcb7624f4693

      SHA1

      eae2cd1ed0be6697422ee55a089c70db4717ab93

      SHA256

      6f94c30110a3c99c3b0bb10c1ff8b5b65d5a0bab5570cc2a51803dca575cb426

      SHA512

      440f813356b674ff4cb808bf9e552c9dcc0025a5bafeea5c77764444d3fa363055523e5f023160aa0d2ecfaeece47986ac558cdb99efc4478d81fe6d32d5076d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
      Filesize

      69B

      MD5

      5313feb29105ff56a14ad6bf3689533b

      SHA1

      b7a3063c99e08f137eaaf033e5433eec7129f5be

      SHA256

      bcf30faa5544db2bdc03a1c13d73928889f0adce87a0d495d6aad8ed5a1b2791

      SHA512

      ea256a3ed92807378b1d39cf5055f8123a6a50b608cd23951b649f28de3ffe5ab4857131545d940fef91b17b324543eba5f4ecaf0e61b5badef7559254407ec8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
      Filesize

      84B

      MD5

      347ea2e48d9827d758fea11196cc875c

      SHA1

      e2de7ab3e2ee2625c6de8d4d864b042fa68d94a8

      SHA256

      fdb286d65f411ce7652809f17f2810499cbcd704a15dd213da556a0779541038

      SHA512

      56fb2ba61922b940fbc2743ca40d1968c1ea30a9f793fcdd984e7723df976b829322fb45c2c63791ee23983183690ceae9a99344d2f50dab7982abd33305e2f8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      4KB

      MD5

      0c1165a492fcc63fe1a8279457e84c2b

      SHA1

      b879ae336501f63dae79d3a6e4bf7fd05e5f5c51

      SHA256

      1d59320e6fe8a0a63e9ba347004ed01bef98eb5d2a767f004e4b6ad2abe4cd1c

      SHA512

      bb8e5d9b594bf0684dfd87152da2659caf8534f16f3d996158f6689e5c84608721e6f2d05d85a1b53dd359fe5cb23e237a5d440216d51eebecc98c66b6561b15

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      1KB

      MD5

      b58c40c8d6ffebeb29bf139941a36326

      SHA1

      d48855bf28a0bf434b1d64d2e9c751f44afcea27

      SHA256

      fbcd2ce2b89f72fb399106d4720c490f7c986979b817c26d2b998257eb19de99

      SHA512

      279cc4a0e1013666582bd7e52a54a35162c66113ef0a96036c14d8370e7994e22e593a8c5e11f2b49c05de5d89384a3228c22b130cfb1bb74b25ac365f054653

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      1KB

      MD5

      2e5a66325eeae060c22c592f6db182a7

      SHA1

      ed4684f7054373f5284b1c3627591a7786918245

      SHA256

      9382aeceabdb1b5940db8b67413fc80059756a7da94d057a1b4cb4da92762385

      SHA512

      9b3ce44e0d173a8a32ab56628ab0f0cd17a5fe4767ce548a2aca7b479b09082e67d743875e17641c2256acffb532906f5464e5c78d63ebdfc1db2e2f794f1cc1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      1KB

      MD5

      b44c7a72462e632d1e59670607b1381f

      SHA1

      4e7f549a27b2530a35098c0313f4a1f14a781d77

      SHA256

      3c126c2d991ab717ea09d0c2580db3f59c46c5c0ba5605cba74fec91199543a2

      SHA512

      5bfb2a571a5ee0dcd20b5e2625f83a7678682edfb5e39c74054e2dfbfc00b6ddc228e939add0ea5c20fdbd039eb8f0b042a12a515f0cc04a5f17a7e2c9615634

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      2KB

      MD5

      ff1543d7951d87f8bae0046d412411b7

      SHA1

      64c2adcc6d4b5483ac8b9b134507ec598e86034d

      SHA256

      4854388a34ca686cc100e303cba56a934ad4eba7b5a837dbf9ed4951bb20356e

      SHA512

      3424870b8fc6a8610944b9b70cd0682d130daeb4dc1c3ca3b2c5942d246fcff420471ead0ad728e4dba659095eed256544050d7bbcc36e9e7d30b712d4007eef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      2KB

      MD5

      d7030acb496f17a1ccd98a2442cdcb3e

      SHA1

      573abb7e1fc91b59429498d9c29f72c9975ed299

      SHA256

      1ea9abd065aa03c5402b5a23da4c826f39ed33fd38842388ca25d875bbdc02a7

      SHA512

      62d3d35a15e55ca6c56b93bb3f3e68c62e8c6545be2edbed27f7bc2da94087429a2cee0eec89cd4fb78e8a411085806d9ac2db2d87bf8a5c43794af936572152

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      3KB

      MD5

      edbcf609d165cf20176340bae2e42d1b

      SHA1

      8e5f559472cb7798f2753a82c0ae2dc52556aa29

      SHA256

      803dbaf78754699afe9bf1c37aa35faa439c36fa242fb357e97d25a38ca5094b

      SHA512

      f2e1f0d41a0b5cbfd42520e3f8fb0f98391d052a5b6bb204f392a8bc30d266a8936fee8836f1f5e07b919637e33f5f6d8e9b6c0f3297ba5094f23359a2b7f8fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      3KB

      MD5

      251d4d19b2911064406b43f206fea56a

      SHA1

      b03e720505e2b0dd2e52c9653b54a98092c9f912

      SHA256

      e9040a95476e5b4ac31e30535fcb2c18376d6dc709cffb68274dbab49e109b79

      SHA512

      2d453b6c9073b682acb9398806e454db4794005f30fb7952a32ce0cd60ead9dda8cd51a9611f0c6df7250534d0863fea0fc162236ca85d40fd746f8994564e62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{29DD234C-31B5-4193-A4B1-1AE5D3EF36FE}.session
      Filesize

      3KB

      MD5

      a20a79ef53639b8969f570037b7631fb

      SHA1

      857fafd405c01244936cb41e381e51d8c129d196

      SHA256

      cc3fa3d89caf3589c42a46706d01c242d46634dfe8b30bdbd8e683c69063b20b

      SHA512

      4cba5a58cceaa4b54f509f217c7867407512e6522b0709379f49264c22df17357f2ea5f10f707f3da1731f5c22e28cdc3de97381f195ade9319e55c85ce4db69

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
      Filesize

      1010KB

      MD5

      27bc9540828c59e1ca1997cf04f6c467

      SHA1

      bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

      SHA256

      05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

      SHA512

      a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
      Filesize

      724KB

      MD5

      bab1293f4cf987216af8051acddaf97f

      SHA1

      00abe5cfb050b4276c3dd2426e883cd9e1cde683

      SHA256

      bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

      SHA512

      3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe
      Filesize

      24KB

      MD5

      e579c5b3c386262e3dd4150eb2b13898

      SHA1

      5ab7b37956511ea618bf8552abc88f8e652827d3

      SHA256

      e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

      SHA512

      9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
      Filesize

      126KB

      MD5

      3531cf7755b16d38d5e9e3c43280e7d2

      SHA1

      19981b17ae35b6e9a0007551e69d3e50aa1afffe

      SHA256

      76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

      SHA512

      7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

      Download Submit

    • C:\Windows\Installer\MSI37.tmp
      Filesize

      96KB

      MD5

      3cab78d0dc84883be2335788d387601e

      SHA1

      14745df9595f190008c7e5c190660361f998d824

      SHA256

      604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

      SHA512

      df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

      Download Submit

    • C:\Windows\Installer\MSI57.tmp
      Filesize

      128KB

      MD5

      7e6b88f7bb59ec4573711255f60656b5

      SHA1

      5e7a159825a2d2cb263a161e247e9db93454d4f6

      SHA256

      59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

      SHA512

      294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

      Download Submit

    • C:\Windows\Installer\MSIFCE5.tmp
      Filesize

      180KB

      MD5

      d552dd4108b5665d306b4a8bd6083dde

      SHA1

      dae55ccba7adb6690b27fa9623eeeed7a57f8da1

      SHA256

      a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

      SHA512

      e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

      Download Submit

    • \Windows\Installer\MSID5.tmp
      Filesize

      312KB

      MD5

      aa82345a8f360804ea1d8d935f0377aa

      SHA1

      c09cf3b1666d9192fa524c801bb2e3542c0840e2

      SHA256

      9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

      SHA512

      c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

      Download Submit

    • \Windows\Installer\MSIFDC2.tmp
      Filesize

      88KB

      MD5

      4083cb0f45a747d8e8ab0d3e060616f2

      SHA1

      dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

      SHA256

      252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

      SHA512

      26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

      Download Submit

    • memory/2456-290-0x0000000005440000-0x0000000005852000-memory.dmp

      Filesize

      4.1MB

      Download