General
-
Target
WinLock.exe
-
Size
444KB
-
Sample
241122-xrfjyssmdm
-
MD5
a24762cd597c2a20687de37cbc07900e
-
SHA1
51974ef5ac4e6822acb2e9c1641713be08bbaaef
-
SHA256
23635d7a882e7049cfaeb2228abe6cf8b63245751e5d0f48d3ddb13551251932
-
SHA512
383213c3751c6fc722e90d8d66e10e2ee13378beec826e89227dcc0c40ed6402d7199e0c7823e4ef8fc847880700e305bbda5e64ec643a96ab776f4691b7e8ff
-
SSDEEP
12288:KF2itC7rxZjmoXuaiHi/Xy3I3sBmy1CLoMavQ9m:QHSZqoXuWPzloMaI9
Malware Config
Targets
-
-
Target
WinLock.exe
-
Size
444KB
-
MD5
a24762cd597c2a20687de37cbc07900e
-
SHA1
51974ef5ac4e6822acb2e9c1641713be08bbaaef
-
SHA256
23635d7a882e7049cfaeb2228abe6cf8b63245751e5d0f48d3ddb13551251932
-
SHA512
383213c3751c6fc722e90d8d66e10e2ee13378beec826e89227dcc0c40ed6402d7199e0c7823e4ef8fc847880700e305bbda5e64ec643a96ab776f4691b7e8ff
-
SSDEEP
12288:KF2itC7rxZjmoXuaiHi/Xy3I3sBmy1CLoMavQ9m:QHSZqoXuWPzloMaI9
Score10/10-
UAC bypass
-
Windows security bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5