Overview

overview

10

Static

static

10

Tear.exe

windows7-x64

10

adochi.exe

windows7-x64

7

autoit.exe

windows7-x64

10

autoit2.exe

windows7-x64

10

autoit3.exe

windows7-x64

10

deviation.exe

windows7-x64

8

encoder.exe

windows7-x64

10

encoder2.exe

windows7-x64

9

encoder3.exe

windows7-x64

10

encoder4.exe

windows7-x64

5

encoder5.exe

windows7-x64

10

erebus.exe

windows7-x64

9

myxaha.exe

windows7-x64

7

$LOCALAPPD...er.exe

windows7-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows7-x64

7

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...om.dll

windows7-x64

5

trucry.exe

windows7-x64

10

wlock.exe

windows7-x64

3

wlock2.exe

windows7-x64

8

Analysis

  • max time kernel
    299s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wlock2.exe

  • Size

    229KB

  • MD5

    6e7d32b6a66ba7d6b6dbfe0adc5a7eff

  • SHA1

    394b5f38d3a5a1ce2d3d0f3b046898f1a5519543

  • SHA256

    e4e452529a55436c7608482ef47687ef48ece4b068a989ae5f86ef6c59ff49fc

  • SHA512

    648b4f95b02b7e2e5e0aba3439066ab766ff6c01e9fc2d3b05d44b4a8862d7c8a88d27a8572d7fe5e3a8471bb217cf9c7179bd7ab8bacfd4a3d42dcf1f4699c2

  • SSDEEP

    6144:6NjkWhUh1S4A05cYNe/8xXWwK80i6F+eco+Sxaat:8jkS50G5cXg66F+eeSQ

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wlock2.exe
    "C:\Users\Admin\AppData\Local\Temp\wlock2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2792
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2748
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2792-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2792-1-0x0000000001080000-0x00000000010C2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2792-2-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-3-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-4-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-5-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2792-6-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-7-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2792-8-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

      Download