4f3dc347f531ef6a408c5f432952a458a0ba635644647e9a8de1982f5428dce2

General

Target

WinLocker.exe
Size

2.5MB
MD5

8db22c05021308aa1f21e00b7c754510
SHA1

df1a966bcee343fcc47466a7987d439d3e7fbc6d
SHA256

4f3dc347f531ef6a408c5f432952a458a0ba635644647e9a8de1982f5428dce2
SHA512

53e3c137710ebcdfff7c8caf75235fdcf230dc980829978c31226b4a3e356b8717d9e94e5aa6e70855d89e734de9db892dee759f7201bda2c81a172e69bf6c9c
SSDEEP

49152:7zf6V1jqp9ekTD4SxfHLqY+xKkmyLW5RhM0glT:7zyV0pJfOtIFIlT

Score

10^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

WinLocker.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WinLocker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinLocker.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

WinLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe"	WinLocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	WinLocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe"	WinLocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	WinLocker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe"	WinLocker.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

WinLocker.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WinLocker.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

WinLocker.exe

description ioc process

File opened for modification \??\PhysicalDrive0 WinLocker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinLocker.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WinLocker.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WinLocker.exeWinLocker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinLocker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinLocker.exe

pid	process
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe
3748	WinLocker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WinLocker.exe

pid process

3748 WinLocker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WinLocker.exe

description pid process

Token: SeBackupPrivilege 3748 WinLocker.exe
Token: SeRestorePrivilege 3748 WinLocker.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinLocker.exeWinLocker.exe

pid process

3748 WinLocker.exe
3456 WinLocker.exe

description	pid	process
Token: SeBackupPrivilege	3748	WinLocker.exe
Token: SeRestorePrivilege	3748	WinLocker.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

WinLocker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinLocker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinLocker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinLocker.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker.exe"
1⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3748

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
C:\Users\Admin\AppData\Local\Temp\WinLocker.exe explorer.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3456-13-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3456-12-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3748-107-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-22-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3748-25-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-44-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-65-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-86-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-0-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3748-128-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-149-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-170-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-191-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-214-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-235-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-256-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-275-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/3748-296-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads