File name:	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock
Full analysis:	https://app.any.run/tasks/0e9de2de-d4e3-48c9-9f9a-e230da8a6979
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 00:24:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	virlock ransomware auto-reg nsb
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:	AF97A84EC18CC429E0273CFDE917BA6A
SHA1:	41B2998F1DAD9B2D7AD6FB6CB789B7B62B230A36
SHA256:	4881FD36D534E5B32CD49BB586C8423941322E5BBAA115DA5C7537AC1AFE08AB
SSDEEP:	6144:u0tgUMx/IEZxd6s42MUmjPxIWz2j/697qxafHW:jgB6s42M3IWyjC92xae

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:01:01 00:02:03+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	5.12
CodeSize:	197120
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2d8ae
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(1324) 2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(1324) 2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(PID) Process:	(5892) SwoYcckM.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(5728) XWAQAQUE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(PID) Process:	(7920) SwoYcckM.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(7892) XWAQAQUE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

PID	Process	Filename		Type
1324	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\AppData\Local\Temp\VKkkMgAw.bat		text
		MD5:BAE1095F340720D965898063FEDE1273	SHA256:EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
1324	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\AppData\Local\Temp\mywEMgAw.bat		text
		MD5:BC4470074EE6CBA13E9BE90855097085	SHA256:E3ECFEF8E1F5097048ABA579F0A8CE73BEB3477860BF4203DF4CCFC44EBEDA69
1324	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\lEMYkwoU\SwoYcckM.exe		executable
		MD5:D3C1071B0074F6CEDC97C2B97F67C953	SHA256:A18C09CEEE68D0417311F96BF5A2A183A7F713C76B9F59B909407A30AFFFCB56
1324	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.exe		executable
		MD5:F826E280658C8A213D3091E81A1EC889	SHA256:26A2F1517686E58CADCB5DE65BFB0753234523453B0831B520D89DF15F571036
5892	SwoYcckM.exe	C:\Users\admin\lEMYkwoU\SwoYcckM.inf		text
		MD5:D7247C9AA614F7FE89B03E1F5D1566CB	SHA256:8BB344C420B786B8DB9AA9DD64F1D0BDCBD2756240684BE985058B59979698DF
1272	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\AppData\Local\Temp\UMUYcgAw.bat		text
		MD5:EA89D84084436EE977247B87CECAC2DB	SHA256:885AC131BAF96D103103288101D736FE31EF61FD1B2237860A4CE2A16B64A63D
5728	XWAQAQUE.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.inf		text
		MD5:D7247C9AA614F7FE89B03E1F5D1566CB	SHA256:8BB344C420B786B8DB9AA9DD64F1D0BDCBD2756240684BE985058B59979698DF
4944	cmd.exe	C:\Users\admin\AppData\Local\Temp\file.vbs		text
		MD5:4AFB5C4527091738FAF9CD4ADDF9D34E	SHA256:59D889A2BF392F4B117340832B4C73425A7FB1DE6C2F83A1AAA779D477C7C6CC
4268	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\AppData\Local\Temp\LqkIcgAw.bat		text
		MD5:4EF4C5BC8D87449117917470EF681E3D	SHA256:E97D98D206224ADF102BFBC337E9CEA20A9CC8CE1C32FCC8E064604CE980A92F
7424	2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock.exe	C:\Users\admin\AppData\Local\Temp\xQsYcgAw.bat		text
		MD5:E6F1FE3184B128FA889194311FDFE780	SHA256:F063B3B24474B69A04A7982D28CF26C4CDE29810EF7EAF07560B5BE7ACE3F76F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5892	SwoYcckM.exe	GET	—	142.250.185.110:80	http://google.com/	unknown	—	—	whitelisted
5728	XWAQAQUE.exe	GET	—	142.250.185.110:80	http://google.com/	unknown	—	—	whitelisted
7920	SwoYcckM.exe	GET	—	142.250.185.110:80	http://google.com/	unknown	—	—	whitelisted
7892	XWAQAQUE.exe	GET	—	142.250.185.110:80	http://google.com/	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5728	XWAQAQUE.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
5892	SwoYcckM.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
5728	XWAQAQUE.exe	142.250.185.110:80	google.com	GOOGLE	US	whitelisted
5892	SwoYcckM.exe	142.250.185.110:80	google.com	GOOGLE	US	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7920	SwoYcckM.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
7892	XWAQAQUE.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
login.live.com	20.190.160.132 40.126.32.133 20.190.160.67 20.190.160.17 40.126.32.140 20.190.160.20 20.190.160.3 20.190.160.2	whitelisted

PID	Process	Class	Message
5892	SwoYcckM.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
5728	XWAQAQUE.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
5892	SwoYcckM.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7892	XWAQAQUE.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7892	XWAQAQUE.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
5728	XWAQAQUE.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
5728	XWAQAQUE.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
7892	XWAQAQUE.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
7920	SwoYcckM.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
5728	XWAQAQUE.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in

General Info

2025-05-16_af97a84ec18cc429e0273cfde917ba6a_elex_virlock

AF97A84EC18CC429E0273CFDE917BA6A

41B2998F1DAD9B2D7AD6FB6CB789B7B62B230A36

4881FD36D534E5B32CD49BB586C8423941322E5BBAA115DA5C7537AC1AFE08AB

6144:u0tgUMx/IEZxd6s42MUmjPxIWz2j/697qxafHW:jgB6s42M3IWyjC92xae

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

VIRLOCK mutex has been found

Uses sleep, probably for evasion detection (SCRIPT)

Connects to the CnC server

NSB has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses REG/REGEDIT.EXE to modify registry

The process executes VB scripts

Connects to unusual port

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Auto-launch of the file from Registry key

Creates files in the program directory

Reads security settings of Internet Explorer

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings