86bcea956a17faa66f5354fe890fae5fc41d2156b28ec1030d58aa9c51e32299

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderv0.6.exe
Size

1.3MB
MD5

4f768716267ee42c40f6cb0578bae261
SHA1

e143ab8ad439e224232bac5d0edc7f2051cbdc13
SHA256

86bcea956a17faa66f5354fe890fae5fc41d2156b28ec1030d58aa9c51e32299
SHA512

5f51a734c6eef7a9aba22e78c8dece02bff2adee06f8551f2f7fd57b77a6f2a22c39f46930bcf1f62c116725ef0fd5e56d7da7a893210a35c2f2721949de0a27
SSDEEP

24576:DbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PHk:U0c+Gr1YBrNXcEFVf6pPH

Score

10^/10

defense_evasion discovery execution

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe
2604	powershell.exe
1992	powershell.exe
3036	powershell.exe
2148	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	Winlocker Builder .exe
2704	builder.exe

Loads dropped DLL 7 IoCs

pid	Process
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
2784	cmd.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
15	pastebin.com
16	pastebin.com
18	pastebin.com
20	pastebin.com
22	pastebin.com
6	pastebin.com
8	pastebin.com
12	pastebin.com
21	pastebin.com
7	pastebin.com
10	pastebin.com
11	pastebin.com
17	pastebin.com
19	pastebin.com
4	pastebin.com
9	pastebin.com
14	pastebin.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\svchost.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\svchost.cpl	rundll32.exe
File created	C:\Windows\System32\svchost.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\svchost.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlocker Builder .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1620	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1920	rundll32.exe
2604	powershell.exe
1992	powershell.exe
3036	powershell.exe
2148	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	rundll32.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	builder.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2128	1568	WinlockerBuilderv0.6.exe	31
PID 1568 wrote to memory of 2128	1568	WinlockerBuilderv0.6.exe	31
PID 1568 wrote to memory of 2128	1568	WinlockerBuilderv0.6.exe	31
PID 1568 wrote to memory of 2088	1568	WinlockerBuilderv0.6.exe	32
PID 1568 wrote to memory of 2088	1568	WinlockerBuilderv0.6.exe	32
PID 1568 wrote to memory of 2088	1568	WinlockerBuilderv0.6.exe	32
PID 1568 wrote to memory of 2088	1568	WinlockerBuilderv0.6.exe	32
PID 2128 wrote to memory of 1920	2128	control.exe	33
PID 2128 wrote to memory of 1920	2128	control.exe	33
PID 2128 wrote to memory of 1920	2128	control.exe	33
PID 2088 wrote to memory of 2784	2088	Winlocker Builder .exe	34
PID 2088 wrote to memory of 2784	2088	Winlocker Builder .exe	34
PID 2088 wrote to memory of 2784	2088	Winlocker Builder .exe	34
PID 2088 wrote to memory of 2784	2088	Winlocker Builder .exe	34
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 2784 wrote to memory of 2704	2784	cmd.exe	36
PID 1920 wrote to memory of 2604	1920	rundll32.exe	38
PID 1920 wrote to memory of 2604	1920	rundll32.exe	38
PID 1920 wrote to memory of 2604	1920	rundll32.exe	38
PID 1920 wrote to memory of 1620	1920	rundll32.exe	40
PID 1920 wrote to memory of 1620	1920	rundll32.exe	40
PID 1920 wrote to memory of 1620	1920	rundll32.exe	40
PID 1920 wrote to memory of 2092	1920	rundll32.exe	42
PID 1920 wrote to memory of 2092	1920	rundll32.exe	42
PID 1920 wrote to memory of 2092	1920	rundll32.exe	42
PID 352 wrote to memory of 1968	352	taskeng.exe	45
PID 352 wrote to memory of 1968	352	taskeng.exe	45
PID 352 wrote to memory of 1968	352	taskeng.exe	45
PID 352 wrote to memory of 348	352	taskeng.exe	57
PID 352 wrote to memory of 348	352	taskeng.exe	57
PID 352 wrote to memory of 348	352	taskeng.exe	57
PID 352 wrote to memory of 2304	352	taskeng.exe	59
PID 352 wrote to memory of 2304	352	taskeng.exe	59
PID 352 wrote to memory of 2304	352	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv0.6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\svchost.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\svchost.cpl"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "svchost" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\svchost.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1620
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "svchost"
      4⤵
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe
  "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CCFF.tmp\Builder #6.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\CCFF.tmp\builder.exe
      builder.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2704

C:\Windows\system32\taskeng.exe
taskeng.exe {67F00193-38E3-4941-A587-98D3C0E7E3DA} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\system32\mshta.exe
  mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\svchost.lnk"""""",0:close")
  2⤵
  - Modifies Internet Explorer settings
  PID:1968
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:348
- C:\Users\Public\explorer.exe
  C:\Users\Public\explorer.exe
  2⤵
  PID:2304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.EXE'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCFF.tmp\Builder #6.bat

Filesize
28B

MD5
8051f1a637f4635ede0c96f81302993b

SHA1
1712fdb1a9d64edae50acc063574c1109d613546

SHA256
ff61e26e4d145be670bc4512afdf87210da097acaa43bf97cf278def640b3110

SHA512
b54aec0ff9ec591e2c8507ef4729c3b69e0263337eb52c58dd69f5b2e0b50d5d8f3bc17c32b5c55a2327809f0cd17713f511f3ab7a03bfa826e53da0d8a96c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winlocker Builder .exe

Filesize
1.3MB

MD5
4caed3373183b76693cebb8f917faa1f

SHA1
10d2a0c799b6231bc90d66fe59a8245e74bbbaf0

SHA256
a4b302ddaecc5ca50b48152644e3a101d389ed6b72abeb3c610f5f1facaf4547

SHA512
83670f489cb7e4be492e3361ba2291dc725ce5ce7694c5f6e9c988b680dca4147042b2ae8c0d2e78bbda5fa2d6b8c7ca83c8299bd4f1594107262ca26d276128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eaad0869fb9262a6383561e01d48bda2

SHA1
9226b5cc727084d6b5d28baf88da48eb8853eaa6

SHA256
4debbba4d4235a9261767c34fb84e8801c78dff5e58fdf20e5ed79a19fe032ea

SHA512
3e05ca826904171ac6734bc765cb9cbedeff1647c98a3368ce4bec84d604a10f684f33fbdbb34cdb0f9f35cdd3a805895d5abb6b4fd3d3ba30916c1d311e7356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W26VCSW8A0G7Z83TZ20F.temp

Filesize
7KB

MD5
377e4fc21a581781436f86567103c8f6

SHA1
381c1b59c9d1b1ca9652f2a5f835701ec6aef197

SHA256
aacd0bd55ff0e54dd2522be32b554c94fbc838b2439bc9b380420074594f8e1f

SHA512
389d6ac7bf5b8961967a7d008e4fc8a396b2f0a85223c2243fc352279e1ff045bac776d60d60a30a84e66dadc19efafe4b5a5646b53d8cf93721b84d54e3968c

Download Submit
C:\Windows\System32\svchost.lnk

Filesize
144B

MD5
c558b32752f713dfd844f5e802d9bb2f

SHA1
1b8ec6eeccfb34e57811f50e3f214e95486f5d2f

SHA256
6fdb6e248a2f917f4a4559f03bdc75548187b6cf53783b92e6e6b3149f494bfd

SHA512
d4fe663ad10eadabd66d921cf1a59d25736a02aa7502a74f99efdee6d473fc3045748549e7aa7622854965b3680f4038bc291b27440dd33c3fb10a8eb2163835

Download Submit
\Users\Admin\AppData\Local\Temp\CCFF.tmp\builder.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.cpl

Filesize
49KB

MD5
8fe4b2ca0b85980b73050ab7e8eb58a8

SHA1
d78af51db795dd51ffe48f96321d7a3fdd853117

SHA256
16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

SHA512
6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

Download Submit
memory/1568-10-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/1568-1-0x00000000008D0000-0x0000000000A2A000-memory.dmp

Filesize
1.4MB

Download
memory/1568-13-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-21-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/1920-22-0x0000000074E20000-0x0000000074E34000-memory.dmp

Filesize
80KB

Download
memory/1992-61-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/1992-60-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2088-12-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2088-40-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2604-46-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2604-45-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2704-80-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/3036-67-0x000000001B880000-0x000000001BB62000-memory.dmp

Filesize
2.9MB

Download
memory/3036-68-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download