Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zbxveavnhj
Target Winlocker Builder v0.6.rar
SHA256 db1ed914707af2fc9d0f262dbc8951d00d83ae59f5955dafbe7778e5f1ba5e06
Tags
defense_evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

db1ed914707af2fc9d0f262dbc8951d00d83ae59f5955dafbe7778e5f1ba5e06

Threat Level: Likely malicious

The file Winlocker Builder v0.6.rar was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Maps connected drives based on registry

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:33

Reported

2025-01-27 20:34

Platform

win10ltsc2021-20250113-en

Max time kernel

33s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A

Looks for VMWare Tools registry key

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe

"C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/2472-0-0x00007FFAF0193000-0x00007FFAF0195000-memory.dmp

memory/2472-1-0x00000000004A0000-0x00000000006A2000-memory.dmp