e4bf0ada567b4b07493c487bdb2141a93bdc864938039d1312f7823a5c6d66c0

Analysis

max time kernel
81s
max time network
62s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
Size

594KB
MD5

ded4167c3af8b568ba55b1b4f1e4411c
SHA1

a4775eb3fa1285bfc17127ec421a0b9739345194
SHA256

e4bf0ada567b4b07493c487bdb2141a93bdc864938039d1312f7823a5c6d66c0
SHA512

e0ec7c5af8949381e70e48e82bd9082f99363f976f3a054949b1af0d9b6da841082c9da7c61da1e95f214bd5610f2d92102dc41ef1941e0af55fb661881fdcb3
SSDEEP

12288:yNYscz7ybajpHgG2gPU33mo9orabR55HlmsjN+S0zz+9wFt8j4NUX9+9HlA1A5OY:yNLczWo32N3mo9o/mhb4HNb

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2684	eGUUgkEY.exe
2736	SoskUEog.exe
2780	setup.exe

Loads dropped DLL 13 IoCs

pid	Process
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
2912	cmd.exe
2684	eGUUgkEY.exe
2684	eGUUgkEY.exe
2684	eGUUgkEY.exe
2684	eGUUgkEY.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\eGUUgkEY.exe = "C:\\Users\\Admin\\BicccMos\\eGUUgkEY.exe"	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoskUEog.exe = "C:\\ProgramData\\kcocEock\\SoskUEog.exe"	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\eGUUgkEY.exe = "C:\\Users\\Admin\\BicccMos\\eGUUgkEY.exe"	eGUUgkEY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoskUEog.exe = "C:\\ProgramData\\kcocEock\\SoskUEog.exe"	SoskUEog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	2684	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eGUUgkEY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoskUEog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2652	reg.exe
2836	reg.exe
2704	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2780	setup.exe
2780	setup.exe
2780	setup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2684	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	30
PID 2400 wrote to memory of 2684	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	30
PID 2400 wrote to memory of 2684	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	30
PID 2400 wrote to memory of 2684	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	30
PID 2400 wrote to memory of 2736	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	31
PID 2400 wrote to memory of 2736	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	31
PID 2400 wrote to memory of 2736	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	31
PID 2400 wrote to memory of 2736	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	31
PID 2400 wrote to memory of 2912	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	32
PID 2400 wrote to memory of 2912	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	32
PID 2400 wrote to memory of 2912	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	32
PID 2400 wrote to memory of 2912	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	32
PID 2400 wrote to memory of 2704	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	34
PID 2400 wrote to memory of 2704	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	34
PID 2400 wrote to memory of 2704	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	34
PID 2400 wrote to memory of 2704	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	34
PID 2400 wrote to memory of 2652	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	36
PID 2400 wrote to memory of 2652	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	36
PID 2400 wrote to memory of 2652	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	36
PID 2400 wrote to memory of 2652	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	36
PID 2400 wrote to memory of 2836	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	37
PID 2400 wrote to memory of 2836	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	37
PID 2400 wrote to memory of 2836	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	37
PID 2400 wrote to memory of 2836	2400	20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe	37
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2912 wrote to memory of 2780	2912	cmd.exe	35
PID 2684 wrote to memory of 2252	2684	eGUUgkEY.exe	41
PID 2684 wrote to memory of 2252	2684	eGUUgkEY.exe	41
PID 2684 wrote to memory of 2252	2684	eGUUgkEY.exe	41
PID 2684 wrote to memory of 2252	2684	eGUUgkEY.exe	41

C:\Users\Admin\AppData\Local\Temp\20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240920ded4167c3af8b568ba55b1b4f1e4411cvirlock.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\BicccMos\eGUUgkEY.exe
  "C:\Users\Admin\BicccMos\eGUUgkEY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 696
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2252
- C:\ProgramData\kcocEock\SoskUEog.exe
  "C:\ProgramData\kcocEock\SoskUEog.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\setup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2704
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2652
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
160KB

MD5
72b2ec56ec1dde9966e177fd9e43f27c

SHA1
4d4470a60b8e3952f8fe701d00e822bcc2675ed2

SHA256
71ef311f80f5f6eef4bb5801e89a86985c9f7daf4e3a09556ae9276a331e6f85

SHA512
4ca479fcfa2cbb018b530f34a0dbd274c0402b6e94dca32f376bc4c2a1808c2f2279d85811dcac94b4efcd03844525fb7ce5b10a6d1d9a3cabc6d1a76516b20c

Download Submit
C:\ProgramData\kcocEock\SoskUEog.exe

Filesize
143KB

MD5
67df8647abe86540e87bd41f0a5ba137

SHA1
530e181f3145259628a8b7898dc7e38e537b7502

SHA256
727b77e427b72ab1f913301441dd089cdd9cc201dd5ba89b709c53175cfeed7d

SHA512
3c79819ae175349910b043688ffe9446f10723477e7e717a6cdf9218c5eca8c84cea532d6341a554f5a3a4d3caaf1a6df1ac1513ef1c0e5100b2de0d0e563d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewQK.exe

Filesize
183KB

MD5
35904a275b9876c61c2673d498c6370c

SHA1
d1d33f5dfcf7286cc4d5cf85c9c02c8c93292760

SHA256
a053d78948c8e6d5f28a535a60b326a2607a06f0f696a4c3fc421a519c0a9bcc

SHA512
bd97c1d0dc8e36116bceea7bbea5a087643145d816c60f70eb73de182eace234ba804e81bd22a0f7a9f0672f34a746d2bf9261e710cee7d47b44ad41476db3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkkG.exe

Filesize
251KB

MD5
50c9e4ce0935c36e4189726e03a12030

SHA1
0fd1b6ec6039afee8247a3c3d3f32f61831f03e0

SHA256
1b22520bece05d338aa2b768d40529da7e96ae14fb0dc0b5758d241a27a54542

SHA512
8ff842bf0efc639d6ecf96dfa56d9300ed8919e4d3535cdd27d7d23bc9fbaea83ee9386b3583668009aca83a342c1a865b070471881cecc4fbec56c9d3cc68ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsc.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIa.exe

Filesize
164KB

MD5
f73a324d17b410f237f8cfe168bc7285

SHA1
936113b917f002cc4baf733fffd53ba8eb8c0d51

SHA256
9f81c27393b581b9bfbc418c045d6ebfb751ee3c1ab6aabe874c1e98ad717bf1

SHA512
e89fb8dfaf31dd290d0e003939b228ccdd55b7e60d9fc4116a9189be73a9d417a3f6ede32cbb9a5b72e16a0036f62e62e94b8f29929feeba3b717a72e10d8ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYS.exe

Filesize
1.2MB

MD5
3846ee0a2ea62363f91ab29df260193f

SHA1
cb918567a960d4d65e1d35b7939cc400d103f886

SHA256
2b33ae57835d6be857d7bae7404fcba634de05756d97a76448999311a1508b7b

SHA512
7339361db28cbcf4efe09a1aac2704b9586f2da41cab16aca10b9d8ebde28bce808e1fa2aa3bb3e15677b8c66174d4197e91cac4c7acba256eef63acf9d222b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaUsYccY.bat

Filesize
4B

MD5
3b736a48aef3775df294e0835b9d802d

SHA1
b3d7addb01bf59e2d8ee86517029131ac8dcbf10

SHA256
6be1fb4d9d96f8720b0476bea3bac05564622ca81f13fee323b90f38499507a5

SHA512
60787f604c6ef0e772c83dcfbd5f0428fbc072c7bf19bdd8f25f36ca76ee089017ecc231235f7a6f6f2a11af19431b6be28af47dcf208c205b393a0aa478671a

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
\Users\Admin\BicccMos\eGUUgkEY.exe

Filesize
144KB

MD5
c23790d2782bf16498bdfbbfe4682886

SHA1
d7b6e429523acbdba51c4be6bf849c0896c384db

SHA256
ed7f9722581988e91fb7f6b2dddea213cb11b90e0bfe5cd35540f80884445635

SHA512
2b572c8f9ba0d9a9b970e3c657497874ff8ae2ca43a203bc39d16a0f43e9d1b635a420cb5fa24bfe93bd3e7e6d893240560b4f7ad846ca3cbda8647fa07cda5c

Download Submit
memory/2400-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2400-11-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2400-28-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2400-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2400-12-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2684-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2684-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2736-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2736-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download