File name:	2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock
Full analysis:	https://app.any.run/tasks/9cbac6b1-93ac-43e7-bc12-b37544f5a05f
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 05:25:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	virlock ransomware stealer nsb
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5:	0D7A340F7FEE036C764994279E6D66CD
SHA1:	F5556BFDD822D84EA795E5F3EAEBB09892F333B3
SHA256:	9C87960D54EDF8F4B4F1559DF83E9470E0D8E10B9B3F33207E6D8F1AA58D2440
SSDEEP:	24576:xupGf4fajxOwT3SZ2yT7QuouiwDOYUBjZ2BmUkeZy9:xup7fajxnT3SZlT7QuouiwDFUBjZomU6

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:01:01 00:02:03+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	5.12
CodeSize:	816640
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0xc2f63
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6236) 2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(6236) 2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(PID) Process:	(6256) SwoYcckM.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	SwoYcckM.exe
Value: C:\Users\admin\lEMYkwoU\SwoYcckM.exe
(PID) Process:	(6276) XWAQAQUE.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	XWAQAQUE.exe
Value: C:\ProgramData\usAgAgoI\XWAQAQUE.exe
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{459fa3de-c871-4392-b56b-006ddd706d3c}\dotnet-runtime-5.0.6-win-x64.exe
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundleUpgradeCode
Value: {6D6E1D0E-58F3-4C1B-47B9-32F9A4A68D0B}
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(6952) dotnet-runtime-5.0.6-win-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{459fa3de-c871-4392-b56b-006ddd706d3c}
Operation:	write	Name:	BundleVersion
Value: 5.0.6.30020

PID	Process	Filename		Type
6236	2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.exe		executable
		MD5:3D81C75D2516614CA8C8EE3D8195E578	SHA256:76DAA88A6FEFB3EEDE51F627A87144DA8845B330494493B55F573A8DF5D83CFA
6236	2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock.exe	C:\Users\admin\AppData\Local\Temp\dotnet-runtime-5.0.6-win-x64.exe		executable
		MD5:9B610A7409EBC0BCEB522415F8A9AFEC	SHA256:39E6EF9C331E0129082766936AC211C63624D692DE38D6A9F29AF462F7E30EE6
6276	XWAQAQUE.exe	C:\ProgramData\usAgAgoI\XWAQAQUE.inf		text
		MD5:C4252127E029FDC5C9EEB3396BEF5B25	SHA256:43F149D4739F865FB2EE41B8D6F3F722442907092894050C6FDCD31A7142C330
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\1028\thm.wxl		xml
		MD5:518E7650B3AD6218E1CE96E156DF544A	SHA256:50109347FC59574721AA233C5D4C1088DE5D57A89DDCEA02D388C79676D39F16
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\1045\thm.wxl		xml
		MD5:0045F70232184C33B2A11E8E43E910F0	SHA256:F4EEAA698C20FCCD804D390E523D58AE8EAA0DFA3CD1C4CA4B8205B5DBD9DF56
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\thm.wxl		xml
		MD5:F44C2959EEEFF784D8ACA917A909D906	SHA256:835AA38B22480E84CCDF9F925EF2CD640E015BC2077674A6313C5175EA3DB5BE
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\1031\thm.wxl		xml
		MD5:E0E2317B04F6BA08AD3AD2864FA9665F	SHA256:CDDCAA846CA29C49AC65BED425776A50A341AE1A5EFEE550B235B430288D9FCF
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\wixstdba.dll		executable
		MD5:E5D8EAA8B7DC311A115484DBBF797E82	SHA256:ED6D806A19DC309DA425030BD3351BEB856E26CDEF96B93C267443D6458A1772
6236	2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock.exe	C:\Users\admin\AppData\Local\Temp\lWEEYgMU.bat		text
		MD5:295AEFBCFB8544047D685DE1DE8FDDD6	SHA256:0734CE167DC5C71507704FE1900007244B675AB0BC67EDA447F61002CFEB7B7D
6608	dotnet-runtime-5.0.6-win-x64.exe	C:\Users\admin\AppData\Local\Temp\{3D66D8F5-32D9-46D6-8EBB-DAC43BBF989C}\.ba\1029\thm.wxl		xml
		MD5:62260E884C9B7CC3F1453B4E059F09D4	SHA256:1C563D1CDF06DDF607E94489E01B4C70BFF1820A1562E824D6DCEB0456B9124D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	—	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6256	SwoYcckM.exe	GET	301	142.250.184.206:80	http://google.com/	unknown	—	—	whitelisted
6276	XWAQAQUE.exe	GET	301	142.250.184.206:80	http://google.com/	unknown	—	—	whitelisted
—	—	POST	204	2.21.110.146:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2632	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6256	SwoYcckM.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
6276	XWAQAQUE.exe	200.87.164.69:9999	—	Entel S.A. - EntelNet	BO	unknown
6256	SwoYcckM.exe	142.250.184.206:80	google.com	GOOGLE	US	whitelisted
6276	XWAQAQUE.exe	142.250.184.206:80	google.com	GOOGLE	US	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
www.bing.com	2.21.110.146 2.21.110.139	whitelisted
self.events.data.microsoft.com	20.42.65.84	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
—	—	A Network Trojan was detected	ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in
—	—	A Network Trojan was detected	RANSOMWARE [ANY.RUN] NSB Virlock.Gen Check-in

General Info

2024-12-14_0d7a340f7fee036c764994279e6d66cd_virlock

0D7A340F7FEE036C764994279E6D66CD

F5556BFDD822D84EA795E5F3EAEBB09892F333B3

9C87960D54EDF8F4B4F1559DF83E9470E0D8E10B9B3F33207E6D8F1AA58D2440

24576:xupGf4fajxOwT3SZ2yT7QuouiwDOYUBjZ2BmUkeZy9:xup7fajxnT3SZlT7QuouiwDFUBjZomU6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

VIRLOCK mutex has been found

Changes the autorun value in the registry

Modifies files in the Chrome extension folder

Connects to the CnC server

Actions looks like stealing of personal data

NSB has been detected (SURICATA)

RANSOMWARE has been detected

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

The executable file from the user directory is run by the CMD process

Starts a Microsoft application from unusual location

Starts itself from another location

Searches for installed software

Connects to unusual port

Reads security settings of Internet Explorer

Creates a software uninstall entry

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Creates files in the program directory

Create files in a temporary directory

Process checks computer location settings

The process uses the downloaded file

Creates files or folders in the user directory

Drops encrypted VBS script (Microsoft Script Encoder)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats