File name:	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock
Full analysis:	https://app.any.run/tasks/6eb9845c-c0f2-4e11-b371-d0c4ef85fc08
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access. Malware Trends Tracker >>>
Analysis date:	December 27, 2024, 11:53:08
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	virlock ransomware stealer nsb
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:	79E148B914CC2CFDF7A52B7841F35FD7
SHA1:	3BE265DB312BE3F74BD59918B06781EAAFC75B0F
SHA256:	59F60EDF22186C9145B9BC6336D1EE91FC0927310FE0A7C9794BCCE61A240BE9
SSDEEP:	3072:OKPW9OpHyLLx0sFrte2FsJJ9JAWJZGH0WG7ob9XTaPyeQ055ypSS8:OsW92yLLx0Ie2sJ80WG7oxuC0vy8r

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:01:01 00:02:03+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	5.12
CodeSize:	197120
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x2db6d
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(4160) 2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(4160) 2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(PID) Process:	(4628) SwoYcckM.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(4308) XWAQAQUE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe

PID	Process	Filename		Type
4160	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\lEMYkwoU\SwoYcckM.exe		executable
		MD5:C618FF251F30A9C8673AA4924DB0A9DA	SHA256:D63F68E3A28811243D966AF864F2EFAB3AFA1008A3D44A0BB02933A840B3C59B
4160	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.exe		executable
		MD5:FE5FD0DF2DA43653412E83A02B0BF18C	SHA256:590DFABC3A326FE034769B815A45AD2C943A40C73BB28E992DE21AA49B3CD8DE
4628	SwoYcckM.exe	C:\Users\admin\lEMYkwoU\SwoYcckM.inf		text
		MD5:6DA530EA584F82243B302F86DFEA9CC5	SHA256:8AE47C5CC894D9EB548767A858EFA62DE89AAE0E5B8BD75CEFA10B34C4898AF2
4160	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\AppData\Local\Temp\UOIwksQQ.bat		text
		MD5:BAE1095F340720D965898063FEDE1273	SHA256:EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
4308	XWAQAQUE.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.inf		text
		MD5:6DA530EA584F82243B302F86DFEA9CC5	SHA256:8AE47C5CC894D9EB548767A858EFA62DE89AAE0E5B8BD75CEFA10B34C4898AF2
3816	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\AppData\Local\Temp\vUgwksQQ.bat		text
		MD5:09500800DBF755C5CC4959BB85475A5B	SHA256:15FA1BA30ED5A8195F732B3CE73F265BF2E6908A83A688BF5CEFE2BEE335EA76
3816	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\AppData\Local\Temp\BsswksQQ.bat		text
		MD5:BAE1095F340720D965898063FEDE1273	SHA256:EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
4076	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\AppData\Local\Temp\WmUEAYco.bat		text
		MD5:CC76DA4BAACBB57CD0BF09C997214523	SHA256:9AD3A1146E1F9E89B57CBCD41DAF4DBF5EB847D46695D360E2475FBD7E71688B
4076	2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock.exe	C:\Users\admin\AppData\Local\Temp\wwkEAYco.bat		text
		MD5:BAE1095F340720D965898063FEDE1273	SHA256:EE5E0A414167C2ACA961A616274767C4295659517A814D1428248BD53C6E829A
4628	SwoYcckM.exe	C:\Users\admin\Desktop\zIAy.ico		image
		MD5:8C44504BC8ECFA4C2D02F7668870EA6F	SHA256:C327C0485909F634C456CEA42F7DB6353FA4942EFE43A2C336D3932784C927ED

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4308	XWAQAQUE.exe	GET	301	142.250.185.142:80	http://google.com/	unknown	—	—	whitelisted
4628	SwoYcckM.exe	GET	301	142.250.185.142:80	http://google.com/	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	2.23.209.156:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4628	SwoYcckM.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
4308	XWAQAQUE.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
4628	SwoYcckM.exe	142.250.185.142:80	google.com	GOOGLE	US	whitelisted
4308	XWAQAQUE.exe	142.250.185.142:80	google.com	GOOGLE	US	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5732	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
www.bing.com	2.23.209.156 2.23.209.182 2.23.209.150 2.23.209.179 2.23.209.181 2.23.209.158 2.23.209.176 2.23.209.183 2.23.209.177	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
self.events.data.microsoft.com	51.116.253.170	whitelisted

PID	Process	Class	Message
4308	XWAQAQUE.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
4628	SwoYcckM.exe	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
4628	SwoYcckM.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
4628	SwoYcckM.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4308	XWAQAQUE.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4628	SwoYcckM.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4628	SwoYcckM.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
4308	XWAQAQUE.exe	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in

General Info

2024-12-27_79e148b914cc2cfdf7a52b7841f35fd7_virlock

79E148B914CC2CFDF7A52B7841F35FD7

3BE265DB312BE3F74BD59918B06781EAAFC75B0F

59F60EDF22186C9145B9BC6336D1EE91FC0927310FE0A7C9794BCCE61A240BE9

3072:OKPW9OpHyLLx0sFrte2FsJJ9JAWJZGH0WG7ob9XTaPyeQ055ypSS8:OsW92yLLx0Ie2sJ80WG7oxuC0vy8r

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

VIRLOCK mutex has been found

Changes the autorun value in the registry

Uses sleep, probably for evasion detection (SCRIPT)

Connects to the CnC server

NSB has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Starts CMD.EXE for commands execution

The process executes VB scripts

Executable content was dropped or overwritten

Uses REG/REGEDIT.EXE to modify registry

Executing commands from a ".bat" file

Connects to unusual port

The process checks if it is being run in the virtual environment

INFO

Checks supported languages

Creates files in the program directory

Create files in a temporary directory

Reads the computer name

Reads security settings of Internet Explorer

Process checks computer location settings

Drops encrypted VBS script (Microsoft Script Encoder)

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings