a6fce61792c9ec95e7245c7b76771c984f5e897cb4f35c0661639f197e289433

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderv0.6.exe
Size

1.3MB
MD5

22f77fb76f7478b05dd829e1a5dd12e1
SHA1

69edbca2063b2446fc6209bc4545cf901c83ada6
SHA256

a6fce61792c9ec95e7245c7b76771c984f5e897cb4f35c0661639f197e289433
SHA512

ef7ee6750f58461fd21690e8ab0f43dea72d4a3ab8f130e086f24d8f5c5295a3585947ae697d7aeb5f2bca5ab42b24a804cb50c39e9adbaffb2edc38cb09a368
SSDEEP

24576:qMbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PH:o0c+Gr1YBrNXcEFVf6pPH

Score

10^/10

defense_evasion discovery execution

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
2084	powershell.exe
1032	powershell.exe
2692	powershell.exe
1756	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2132	Winlocker Builder v0.6.exe
2668	builder.exe

Loads dropped DLL 7 IoCs

pid	Process
2892	rundll32.exe
2892	rundll32.exe
2892	rundll32.exe
2740	cmd.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 35 IoCs

Web Service

T1102

flow	ioc
37	pastebin.com
7	pastebin.com
16	pastebin.com
17	pastebin.com
22	pastebin.com
26	pastebin.com
28	pastebin.com
33	pastebin.com
19	pastebin.com
21	pastebin.com
25	pastebin.com
32	pastebin.com
9	pastebin.com
23	pastebin.com
40	pastebin.com
8	pastebin.com
14	pastebin.com
29	pastebin.com
31	pastebin.com
35	pastebin.com
36	pastebin.com
12	pastebin.com
15	pastebin.com
34	pastebin.com
41	pastebin.com
10	pastebin.com
30	pastebin.com
38	pastebin.com
11	pastebin.com
13	pastebin.com
20	pastebin.com
24	pastebin.com
27	pastebin.com
39	pastebin.com
42	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.lnk	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlocker Builder v0.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1716	schtasks.exe
1784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2892	rundll32.exe
1184	powershell.exe
2084	powershell.exe
1032	powershell.exe
2692	powershell.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	WinlockerBuilderv0.6.exe
Token: SeDebugPrivilege	2892	rundll32.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	builder.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2312	1288	WinlockerBuilderv0.6.exe	31
PID 1288 wrote to memory of 2312	1288	WinlockerBuilderv0.6.exe	31
PID 1288 wrote to memory of 2312	1288	WinlockerBuilderv0.6.exe	31
PID 1288 wrote to memory of 2132	1288	WinlockerBuilderv0.6.exe	32
PID 1288 wrote to memory of 2132	1288	WinlockerBuilderv0.6.exe	32
PID 1288 wrote to memory of 2132	1288	WinlockerBuilderv0.6.exe	32
PID 1288 wrote to memory of 2132	1288	WinlockerBuilderv0.6.exe	32
PID 2312 wrote to memory of 2892	2312	control.exe	33
PID 2312 wrote to memory of 2892	2312	control.exe	33
PID 2312 wrote to memory of 2892	2312	control.exe	33
PID 2132 wrote to memory of 2740	2132	Winlocker Builder v0.6.exe	34
PID 2132 wrote to memory of 2740	2132	Winlocker Builder v0.6.exe	34
PID 2132 wrote to memory of 2740	2132	Winlocker Builder v0.6.exe	34
PID 2132 wrote to memory of 2740	2132	Winlocker Builder v0.6.exe	34
PID 2740 wrote to memory of 2668	2740	cmd.exe	36
PID 2740 wrote to memory of 2668	2740	cmd.exe	36
PID 2740 wrote to memory of 2668	2740	cmd.exe	36
PID 2740 wrote to memory of 2668	2740	cmd.exe	36
PID 2892 wrote to memory of 1184	2892	rundll32.exe	37
PID 2892 wrote to memory of 1184	2892	rundll32.exe	37
PID 2892 wrote to memory of 1184	2892	rundll32.exe	37
PID 2892 wrote to memory of 1716	2892	rundll32.exe	39
PID 2892 wrote to memory of 1716	2892	rundll32.exe	39
PID 2892 wrote to memory of 1716	2892	rundll32.exe	39
PID 2892 wrote to memory of 1256	2892	rundll32.exe	41
PID 2892 wrote to memory of 1256	2892	rundll32.exe	41
PID 2892 wrote to memory of 1256	2892	rundll32.exe	41
PID 1496 wrote to memory of 2592	1496	taskeng.exe	44
PID 1496 wrote to memory of 2592	1496	taskeng.exe	44
PID 1496 wrote to memory of 2592	1496	taskeng.exe	44
PID 1496 wrote to memory of 2408	1496	taskeng.exe	57
PID 1496 wrote to memory of 2408	1496	taskeng.exe	57
PID 1496 wrote to memory of 2408	1496	taskeng.exe	57
PID 1496 wrote to memory of 2736	1496	taskeng.exe	59
PID 1496 wrote to memory of 2736	1496	taskeng.exe	59
PID 1496 wrote to memory of 2736	1496	taskeng.exe	59
PID 1496 wrote to memory of 580	1496	taskeng.exe	60
PID 1496 wrote to memory of 580	1496	taskeng.exe	60
PID 1496 wrote to memory of 580	1496	taskeng.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1716
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "WinLocker"
      4⤵
      PID:1256
- C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BB34.tmp\Builder #6.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\BB34.tmp\builder.exe
      builder.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2668

C:\Windows\system32\taskeng.exe
taskeng.exe {5ACA3435-6FE1-4077-8862-6BD38AAD528A} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\mshta.exe
  mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
  2⤵
  - Modifies Internet Explorer settings
  PID:2592
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2408
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2736
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB34.tmp\Builder #6.bat

Filesize
28B

MD5
8051f1a637f4635ede0c96f81302993b

SHA1
1712fdb1a9d64edae50acc063574c1109d613546

SHA256
ff61e26e4d145be670bc4512afdf87210da097acaa43bf97cf278def640b3110

SHA512
b54aec0ff9ec591e2c8507ef4729c3b69e0263337eb52c58dd69f5b2e0b50d5d8f3bc17c32b5c55a2327809f0cd17713f511f3ab7a03bfa826e53da0d8a96c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB34.tmp\builder.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe

Filesize
1.3MB

MD5
4caed3373183b76693cebb8f917faa1f

SHA1
10d2a0c799b6231bc90d66fe59a8245e74bbbaf0

SHA256
a4b302ddaecc5ca50b48152644e3a101d389ed6b72abeb3c610f5f1facaf4547

SHA512
83670f489cb7e4be492e3361ba2291dc725ce5ce7694c5f6e9c988b680dca4147042b2ae8c0d2e78bbda5fa2d6b8c7ca83c8299bd4f1594107262ca26d276128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84ee14b49dac66d856ebc30617869a3e

SHA1
9541b64395269860fba29940e81c02619414c058

SHA256
5992c8954b05e55f213203c700470e1b4f805c4ceaf814b1b80f07ba749b1a7e

SHA512
b244e4dee18493a948824aa6ad6566a4812eefd4baca92b4e79d0e515d276a139d08e0bfc7c5ce5453b28fac86a8f4703129ff502e11c13864706ace2cbb6653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DA4ZHCBVUDCE4JHMHN2Z.temp

Filesize
7KB

MD5
b441846a6632b6aeea12e05f56ac1c81

SHA1
607b8e6aabfa6d8c8fdbd27bdb298e82b89e9788

SHA256
a1073ef5db5f783648a32bf9aef673eb8066198bd49ca7bf5320c829af4f5863

SHA512
3324bae27a326781e76a01a4f96ac23a03173713e0d3ff62a908f3d027ea09239c07c6fb9578c44d761c0951ad99e31a55016273b7799521255bcf6a8669018e

Download Submit
C:\Windows\System32\WinLocker.lnk

Filesize
144B

MD5
c558b32752f713dfd844f5e802d9bb2f

SHA1
1b8ec6eeccfb34e57811f50e3f214e95486f5d2f

SHA256
6fdb6e248a2f917f4a4559f03bdc75548187b6cf53783b92e6e6b3149f494bfd

SHA512
d4fe663ad10eadabd66d921cf1a59d25736a02aa7502a74f99efdee6d473fc3045748549e7aa7622854965b3680f4038bc291b27440dd33c3fb10a8eb2163835

Download Submit
\Users\Admin\AppData\Local\Temp\WinLocker.cpl

Filesize
49KB

MD5
8fe4b2ca0b85980b73050ab7e8eb58a8

SHA1
d78af51db795dd51ffe48f96321d7a3fdd853117

SHA256
16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

SHA512
6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

Download Submit
memory/1032-69-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1032-68-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1184-45-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1184-46-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/1288-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1288-55-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-1-0x0000000000810000-0x000000000096A000-memory.dmp

Filesize
1.4MB

Download
memory/1756-80-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2084-62-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2084-61-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2132-18-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2132-40-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2668-81-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2892-16-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/2892-17-0x0000000075350000-0x0000000075364000-memory.dmp

Filesize
80KB

Download