File name:	wormlocker.zip
Full analysis:	https://app.any.run/tasks/d7a96923-30e2-4768-953e-5d94285c0945
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	April 25, 2025, 03:20:52
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	wormlocker ransomware ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	91CF2586B60B7D7B93C42E71877868EC
SHA1:	64FC3726753697A379C6B9CE3C60312C5F174AEA
SHA256:	15C7AEA528C2C94D585217EC6C0C78CB388053378606E3883E428CBD2D2BD595
SSDEEP:	6144:9+M2MW5bZwOkxUdhm1nEES8SlqTqqdm685BINYrPis2ZG1848A:9HIZwOHdwnEEj4qoF5eePyZG1+A

ZipRequiredVersion:	51
ZipBitFlag:	0x0009
ZipCompression:	Unknown (99)
ZipModifyDate:	2025:04:23 00:27:08
ZipCRC:	0xd8423c30
ZipCompressedSize:	204427
ZipUncompressedSize:	321536
ZipFileName:	worm.bin


(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\wormlocker.zip
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1340) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

PID	Process	Filename		Type
5872	worm.exe	C:\Windows\System32\LogonUIinf.exe		executable
		MD5:31618202EB911F6606405D237E098AD0	SHA256:7944285565408818FAE6F861D45D7A722F5AC630DA98FB762826F061831E46F4
3620	WormLocker2.0.exe	C:\Users\admin\Downloads\worm_tool.sys		text
		MD5:5031E9989AE1AB3BA509B7D4220C0DDF	SHA256:954D1BB83D80BB6F6E746B28F0DE3EC4C4ED980CFE67ED23A9159CD464FF339A
5872	worm.exe	C:\Windows\System32\LogonUI.exe		executable
		MD5:31618202EB911F6606405D237E098AD0	SHA256:7944285565408818FAE6F861D45D7A722F5AC630DA98FB762826F061831E46F4
5872	worm.exe	C:\Windows\System32\ransom_voice.vbs		text
		MD5:C1F9613622F740C2F00C2FA8881BA7BA	SHA256:D200A1E942B8CFDCD8190D1AD59F92E27E39B919BA230F2DD88D70C3DF428C7B
3620	WormLocker2.0.exe	C:\Users\admin\Downloads\sourcesfloor.jpg		binary
		MD5:D1C913D81C11E785ECC1A62EF5BDA08A	SHA256:DA2EE5B851438CE5009785E6B1B008E686A62D1BF5F17FB55DAC3786AB050347
3620	WormLocker2.0.exe	C:\Users\admin\Desktop\stonesmall.rtf		binary
		MD5:A01841D35E8F86B3DEE91211F10D2426	SHA256:B2DFB5C0D0816FD9B65EF33BA687AC29868388D43946BD2461EEF8B2C512E7F4
3620	WormLocker2.0.exe	C:\Users\admin\Desktop\pokerclothing.jpg		binary
		MD5:90C5C7172BF2460015E22B67B505917F	SHA256:8367C194D34F47AB487E21B9EF691EBCFF291DC3FD07F4454CFBB6CDB3533A9F
3620	WormLocker2.0.exe	C:\Users\admin\Desktop\justkitchen.jpg		binary
		MD5:A7648A404268E0E40F4A6702FAC300D3	SHA256:5D64C62B5203908752E9EEA9A2195187A810E36107B52B3E81790F619D6FB1E8
1340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb1340.7972\worm.bin		executable
		MD5:625B3BC77882BF44C130764523809880	SHA256:E669612603FF42188ED3356DA7DD568550E61EC6B9B69992DE371B4317C9E068
3620	WormLocker2.0.exe	C:\Users\admin\Downloads\hostingpricing.png		binary
		MD5:D11B2549F406A5F52624061FF6A0474D	SHA256:0F651D459D2BF63362DF3A84354152F6064C72F83C5E46CC453A77C88CD276AA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2440	smartscreen.exe	GET	200	208.89.74.31:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4860b3a47440b4af	unknown	—	—	whitelisted
2440	smartscreen.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cd93d97035913c62	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?966e481a9fe01acd	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec355da27201ae0c	unknown	—	—	whitelisted
1352	svchost.exe	GET	200	23.32.239.82:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?96d7e1e649d02ef8	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2988	OfficeClickToRun.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1352	svchost.exe	23.32.239.16:80	—	Akamai International B.V.	DE	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
2440	smartscreen.exe	48.209.144.71:443	checkappexec.microsoft.com	—	US	whitelisted
2440	smartscreen.exe	208.89.74.31:80	ctldl.windowsupdate.com	—	US	whitelisted
2440	smartscreen.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
3560	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3640	svchost.exe	20.190.160.65:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3640	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
5136	svchost.exe	23.197.142.186:443	fs.microsoft.com	Akamai International B.V.	US	whitelisted

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
checkappexec.microsoft.com	48.209.144.71	whitelisted
ctldl.windowsupdate.com	208.89.74.31 208.89.74.21 208.89.74.19 208.89.74.27 208.89.74.29 208.89.74.23 208.89.74.17 199.232.214.172 199.232.210.172	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
login.live.com	20.190.160.65 20.190.160.14 40.126.32.72 20.190.160.3 40.126.32.136 20.190.160.67 20.190.160.20 20.190.160.2	whitelisted
fs.microsoft.com	23.197.142.186	whitelisted
self.events.data.microsoft.com	52.168.117.168	whitelisted

General Info

wormlocker.zip

91CF2586B60B7D7B93C42E71877868EC

64FC3726753697A379C6B9CE3C60312C5F174AEA

15C7AEA528C2C94D585217EC6C0C78CB388053378606E3883E428CBD2D2BD595

6144:9+M2MW5bZwOkxUdhm1nEES8SlqTqqdm685BINYrPis2ZG1848A:9HIZwOHdwnEEj4qoF5eePyZG1+A

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables task manager

WORMLOCKER has been detected (YARA)

WORMLOCKER has been detected

Changes the login/logoff helper path in the registry

SUSPICIOUS

Reads the date of Windows installation

Reads the Internet Settings

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Takes ownership (TAKEOWN.EXE)

Uses ICACLS.EXE to modify access control lists

The process checks if it is being run in the virtual environment

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process executes VB scripts

INFO

Manual execution by a user

Executable content was dropped or overwritten

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Creates files or folders in the user directory

The sample compiled with english language support

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings