Windows
Analysis Report
WinLock.bin
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- WinLock.exe (PID: 5636 cmdline: "C:\Users\user\Desktop\WinLock.exe" MD5: 5E5043A0455E8652D0A58C8611E47903)
- explorer.exe (PID: 5784 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cleanup
AV Detection |
---|
Source: | Avira: |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key opened: |
Source: | Key opened: |
Source: | Key opened: |
Source: | Key opened: |
Source: | Key opened: |
Source: | File written: |
Source: | Classification label: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | File read: |
Source: | Key value queried: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Static PE information: |
Boot Survival |
---|
Source: | Key value created or modified: |
Source: | Key value created or modified: |
Source: | Key value created or modified: |
Source: | Registry key created or modified: |
Source: | Process information set: |
Source: | Process information queried: |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Registry key created or modified: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | 1 Image File Execution Options Injection | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Image File Execution Options Injection | 21 Software Packing | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | W32/Induc.ciw | | |
100% | Joe Sandbox ML | | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | DR/Delphi.Gen | | |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 633960 |
Start date and time: | 2022-05-25 12:16:07 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | WinLock.bin (renamed file extension from bin to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.evad.winEXE@2/2@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Execution Graph export aborted for target WinLock.exe, PID 5636 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
Process: | C:\Users\user\Desktop\WinLock.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18 |
Entropy (8bit): | 3.3921472236645345 |
Encrypted: | false |
SSDEEP: | 3:zSn:zS |
MD5: | 0E28E5A1D1A07BDF23D9A9C7EEC8F365 |
SHA1: | 293893C3C9AC12C410493180B7B0DD3CF359025F |
SHA-256: | BA469C29CE2BE61150FCC404AA05D29D47E66E85D70B50B89DB00D79DB63E9AC |
SHA-512: | DF729850229BD7370403972EB8FF50D0BA5BF49FD0C0972D2EA57C63300D45FDA7E63F7D500F1982D0CDEDCD39BE2C37F6E3CDD1F240C6D01A143DC699B68FA8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\WinLock.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21 |
Entropy (8bit): | 3.6304126608739984 |
Encrypted: | false |
SSDEEP: | 3:XTzVsn:DzVs |
MD5: | A0368CBFFB159B4F62A8A9C9FEFC66B8 |
SHA1: | B70134A786195E48BC1B065D68E898F180631E7E |
SHA-256: | 77E5260759F88CCC1A8D4C72FC7B6636497CD7140D81B55579FF010D7E0B4854 |
SHA-512: | 5582DE2614BF4EA5B512B7DB2DB0908FFF8788252884E6A566D36EB1FB091C65551F52FD834ECDB7A9BEF9C87ACE76B78D6FF24D3FBF7357A63FE09B48252DF1 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.905186421158123 |
TrID: | |
File name: | WinLock.exe |
File size: | 492544 |
MD5: | 5e5043a0455e8652d0a58c8611e47903 |
SHA1: | 8c277a2c32d211b5faa0dd65a8872c903e1ed429 |
SHA256: | b25818cfa65b13e2be6358f5c28dfae35578d72fea8d0120486d8ec6629a1bf4 |
SHA512: | f694e0ac611ce214bb8615f7453933cdb94cf83d220bb0c42896f88289506e0cd281d5a51f91c15c09a67a2fcaa607f4ee1e6420bdd94bb12dbfe954955ce719 |
SSDEEP: | 12288:Lp/PKhWltltmVU/BvHLts2kBrHVJ0cjdUMBsXj95RN:EhWlPtr/BvHJsLHiYBsXj9nN |
TLSH: | 9FA42383F743BD13C526AEF11291C7149F1048F91A9A7FBB9E1DF85ABAFE4025940352 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | b24dc6030fcc4db2 |
Entrypoint: | 0x552f60 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 32a3b7658be85c7c43fe36e3e5b0f5a3 |
Instruction |
---|
pushad |
mov esi, 004DE000h |
lea edi, dword ptr [esi-000DD000h] |
mov dword ptr [edi+0011A0A0h], 20FD7E2Ch |
push edi |
or ebp, FFFFFFFFh |
jmp 00007F1790947D70h |
nop |
nop |
nop |
nop |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F1790947D4Fh |
mov eax, 00000001h |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
add ebx, ebx |
jnc 00007F1790947D6Dh |
jne 00007F1790947D8Ah |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F1790947D81h |
dec eax |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
jmp 00007F1790947D36h |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
jmp 00007F1790947DB4h |
xor ecx, ecx |
sub eax, 03h |
jc 00007F1790947D73h |
shl eax, 08h |
mov al, byte ptr [esi] |
inc esi |
xor eax, FFFFFFFFh |
je 00007F1790947DD7h |
sar eax, 1 |
mov ebp, eax |
jmp 00007F1790947D6Dh |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F1790947D2Eh |
inc ecx |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F1790947D20h |
add ebx, ebx |
jne 00007F1790947D69h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jnc 00007F1790947D51h |
jne 00007F1790947D6Bh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F1790947D46h |
add ecx, 02h |
cmp ebp, 00000000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x156ad8 | 0x2a4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x154000 | 0x2ad8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x153118 | 0x18 | UPX1 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0xdd000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
UPX1 | 0xde000 | 0x76000 | 0x75200 | False | 0.992122882204 | data | 7.92981825597 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x154000 | 0x3000 | 0x2e00 | False | 0.279466711957 | data | 4.48965207385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_CURSOR | 0x1365f0 | 0x134 | data | English | United States |
RT_CURSOR | 0x136724 | 0x134 | data | ||
RT_CURSOR | 0x136858 | 0x134 | data | ||
RT_CURSOR | 0x13698c | 0x134 | data | ||
RT_CURSOR | 0x136ac0 | 0x134 | data | ||
RT_CURSOR | 0x136bf4 | 0x134 | data | ||
RT_CURSOR | 0x136d28 | 0x134 | data | ||
RT_CURSOR | 0x136e5c | 0x134 | data | ||
RT_BITMAP | 0x136f90 | 0x1d0 | data | ||
RT_BITMAP | 0x137160 | 0x1e4 | data | ||
RT_BITMAP | 0x137344 | 0x1d0 | data | ||
RT_BITMAP | 0x137514 | 0x1d0 | data | ||
RT_BITMAP | 0x1376e4 | 0x1d0 | data | ||
RT_BITMAP | 0x1378b4 | 0x1d0 | data | ||
RT_BITMAP | 0x137a84 | 0x1d0 | data | ||
RT_BITMAP | 0x137c54 | 0x1d0 | data | ||
RT_BITMAP | 0x137e24 | 0x1d0 | data | ||
RT_BITMAP | 0x137ff4 | 0x1d0 | data | ||
RT_BITMAP | 0x1381c4 | 0x488 | data | Russian | Russia |
RT_BITMAP | 0x13864c | 0xc0 | data | ||
RT_BITMAP | 0x13870c | 0xe0 | data | ||
RT_BITMAP | 0x1387ec | 0xe0 | data | ||
RT_BITMAP | 0x1388cc | 0xe0 | data | ||
RT_BITMAP | 0x1389ac | 0xc0 | data | ||
RT_BITMAP | 0x138a6c | 0xc0 | data | ||
RT_BITMAP | 0x138b2c | 0xe0 | data | ||
RT_BITMAP | 0x138c0c | 0xc58 | data | English | United States |
RT_BITMAP | 0x139864 | 0x328 | data | English | United States |
RT_BITMAP | 0x139b8c | 0xc0 | data | ||
RT_BITMAP | 0x139c4c | 0xe0 | data | ||
RT_BITMAP | 0x139d2c | 0xe8 | data | Russian | Russia |
RT_BITMAP | 0x139e14 | 0x328 | data | English | United States |
RT_BITMAP | 0x13a13c | 0xc0 | data | ||
RT_BITMAP | 0x13a1fc | 0x328 | data | English | United States |
RT_BITMAP | 0x13a524 | 0x328 | data | English | United States |
RT_BITMAP | 0x13a84c | 0x328 | data | English | United States |
RT_BITMAP | 0x13ab74 | 0xe0 | data | ||
RT_ICON | 0x1555f4 | 0xea8 | dBase III DBT, version number 0, next free block index 40 | Russian | Russia |
RT_DIALOG | 0x13bafc | 0x52 | data | ||
RT_STRING | 0x13bb50 | 0x4c | data | ||
RT_STRING | 0x13bb9c | 0xaa | data | ||
RT_STRING | 0x13bc48 | 0x186 | data | ||
RT_STRING | 0x13bdd0 | 0x1ce | data | ||
RT_STRING | 0x13bfa0 | 0x144 | data | ||
RT_STRING | 0x13c0e4 | 0x7e | data | ||
RT_STRING | 0x13c164 | 0x24 | data | ||
RT_STRING | 0x13c188 | 0x228 | data | ||
RT_STRING | 0x13c3b0 | 0x1e0 | data | ||
RT_STRING | 0x13c590 | 0x198 | data | ||
RT_STRING | 0x13c728 | 0x158 | data | ||
RT_STRING | 0x13c880 | 0x2ec | data | ||
RT_STRING | 0x13cb6c | 0xd8 | data | ||
RT_STRING | 0x13cc44 | 0x118 | data | ||
RT_STRING | 0x13cd5c | 0x268 | data | ||
RT_STRING | 0x13cfc4 | 0x3fc | data | ||
RT_STRING | 0x13d3c0 | 0x390 | data | ||
RT_STRING | 0x13d750 | 0x378 | data | ||
RT_STRING | 0x13dac8 | 0x408 | data | ||
RT_STRING | 0x13ded0 | 0xec | data | ||
RT_STRING | 0x13dfbc | 0xd0 | data | ||
RT_STRING | 0x13e08c | 0x29c | data | ||
RT_STRING | 0x13e328 | 0x40c | data | ||
RT_STRING | 0x13e734 | 0x330 | data | ||
RT_STRING | 0x13ea64 | 0x314 | SysEx File - AdamsSmith | ||
RT_RCDATA | 0x13ed78 | 0x4 | data | ||
RT_RCDATA | 0x13ed7c | 0xcbf | data | English | United States |
RT_RCDATA | 0x13fa3c | 0x3a5 | data | English | United States |
RT_RCDATA | 0x13fde4 | 0xd58 | data | Russian | Russia |
RT_RCDATA | 0x140b3c | 0xd0d | data | Russian | Russia |
RT_RCDATA | 0x14184c | 0x10 | data | ||
RT_RCDATA | 0x14185c | 0x4 | ISO-8859 text, with no line terminators | ||
RT_RCDATA | 0x141860 | 0x618 | data | ||
RT_RCDATA | 0x141e78 | 0x434 | data | English | United States |
RT_RCDATA | 0x1422ac | 0x4b1 | data | English | United States |
RT_RCDATA | 0x142760 | 0x1a1 | data | English | United States |
RT_RCDATA | 0x142904 | 0x671 | data | English | United States |
RT_RCDATA | 0x142f78 | 0x7b1 | data | English | United States |
RT_RCDATA | 0x14372c | 0x8 | data | ||
RT_RCDATA | 0x143734 | 0x2a7d | data | ||
RT_RCDATA | 0x1461b4 | 0x640 | data | ||
RT_RCDATA | 0x1467f4 | 0x1bdb | data | ||
RT_RCDATA | 0x1483d0 | 0x2545 | data | ||
RT_RCDATA | 0x14a918 | 0x2f3 | data | ||
RT_RCDATA | 0x14ac0c | 0x1adc | data | ||
RT_RCDATA | 0x14c6e8 | 0x1adc | data | ||
RT_GROUP_CURSOR | 0x14e1c4 | 0x14 | data | English | United States |
RT_GROUP_CURSOR | 0x14e1d8 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x14e1ec | 0x14 | data | ||
RT_GROUP_CURSOR | 0x14e200 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x14e214 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x14e228 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x14e23c | 0x14 | Non-ISO extended-ASCII text, with escape sequences | ||
RT_GROUP_CURSOR | 0x14e250 | 0x14 | Non-ISO extended-ASCII text, with no line terminators | ||
RT_GROUP_ICON | 0x1564a0 | 0x14 | data | Russian | Russia |
RT_MANIFEST | 0x1564b8 | 0x32c | XML 1.0 document, ASCII text, with CRLF line terminators | French | France |
RT_MANIFEST | 0x1567e8 | 0x2f0 | XML 1.0 document, ASCII text, with CRLF line terminators | Russian | Russia |
DLL | Import |
---|---|
advapi32.dll | RegCloseKey |
comctl32.dll | ImageList_Add |
gdi32.dll | SaveDC |
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
ntdll | RtlAdjustPrivilege |
ntdll.dll | RtlSetProcessIsCritical |
ole32.dll | CoInitialize |
oleaut32.dll | VariantCopy |
shell32.dll | SHGetMalloc |
user32.dll | GetDC |
version.dll | VerQueryValueA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Russian | Russia | |
French | France |
Target ID: | 0 |
Start time: | 12:17:12 |
Start date: | 25/05/2022 |
Path: | C:\Users\user\Desktop\WinLock.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 492544 bytes |
MD5 hash: | 5E5043A0455E8652D0A58C8611E47903 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Target ID: | 1 |
Start time: | 12:17:13 |
Start date: | 25/05/2022 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6f3b00000 |
File size: | 3933184 bytes |
MD5 hash: | AD5296B280E8F522A8A897C96BAB0E1D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |