Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 17:15
General
-
Target
4704beb76220f05db53d767ef764256d6ff0831e47b382523aff135e18906475.exe
-
Size
45KB
-
MD5
0a55a7fb53951bd641630925954bec57
-
SHA1
a78a373a36add2a44d47aea4659eed74aa67f0b1
-
SHA256
4704beb76220f05db53d767ef764256d6ff0831e47b382523aff135e18906475
-
SHA512
571fd59005f7e5668d440f02a1f04b600e65be5c9e23bc2d5bb659475fa5526f0927e5a86cb10f6391f55b00295eed43f438c6abbba12f4d6bf6204abef0e8cd
-
SSDEEP
768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXD:EOxyeFo6NPCAosxYyXdF5oy3VoKD
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4704beb76220f05db53d767ef764256d6ff0831e47b382523aff135e18906475.exe"C:\Users\Admin\AppData\Local\Temp\4704beb76220f05db53d767ef764256d6ff0831e47b382523aff135e18906475.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4704beb76220f05db53d767ef764256d6ff0831e47b382523aff135e18906475.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recycled\CTFMON.EXEFilesize
45KB
MD558afc26e17fdaefa948302f8514c93b7
SHA1af4a7716ff3261a7b38e0c22d3bfcb7486b002c7
SHA256a85b01840a68428006d13be53ba0eb4bdac556130eb16ba9dc783b49747d3c1c
SHA51264ca8c35733c12c8d8007e6aad2a8b3411c13e3e8e659a16f2c58aac828fc142add30edcbb85d261e801549692a4a777096e9c8fff8bd780fc236c0f6f0abfec
-
C:\Recycled\CTFMON.EXEFilesize
45KB
MD558afc26e17fdaefa948302f8514c93b7
SHA1af4a7716ff3261a7b38e0c22d3bfcb7486b002c7
SHA256a85b01840a68428006d13be53ba0eb4bdac556130eb16ba9dc783b49747d3c1c
SHA51264ca8c35733c12c8d8007e6aad2a8b3411c13e3e8e659a16f2c58aac828fc142add30edcbb85d261e801549692a4a777096e9c8fff8bd780fc236c0f6f0abfec
-
C:\Recycled\CTFMON.EXEFilesize
45KB
MD558afc26e17fdaefa948302f8514c93b7
SHA1af4a7716ff3261a7b38e0c22d3bfcb7486b002c7
SHA256a85b01840a68428006d13be53ba0eb4bdac556130eb16ba9dc783b49747d3c1c
SHA51264ca8c35733c12c8d8007e6aad2a8b3411c13e3e8e659a16f2c58aac828fc142add30edcbb85d261e801549692a4a777096e9c8fff8bd780fc236c0f6f0abfec
-
C:\Recycled\CTFMON.EXEFilesize
45KB
MD558afc26e17fdaefa948302f8514c93b7
SHA1af4a7716ff3261a7b38e0c22d3bfcb7486b002c7
SHA256a85b01840a68428006d13be53ba0eb4bdac556130eb16ba9dc783b49747d3c1c
SHA51264ca8c35733c12c8d8007e6aad2a8b3411c13e3e8e659a16f2c58aac828fc142add30edcbb85d261e801549692a4a777096e9c8fff8bd780fc236c0f6f0abfec
-
C:\Recycled\SPOOLSV.EXEFilesize
45KB
MD57b3aaf50d51a2fb7888c48d94b73da20
SHA181c7eb48895d3ea8ad045fdc47d650b99038d50d
SHA256489035eb9e0f6bc22d5a352e7444415b87aee0fdae10f88a0677834967a43a62
SHA51216e29d7cc144163877ec992f1d9f21c882d8ba804ede436273834e584b05a0c3d1c0749ae129890b3312c0556859c5a43baa4ddc1cebbd364d625149d56e9bbf
-
C:\Recycled\SPOOLSV.EXEFilesize
45KB
MD57b3aaf50d51a2fb7888c48d94b73da20
SHA181c7eb48895d3ea8ad045fdc47d650b99038d50d
SHA256489035eb9e0f6bc22d5a352e7444415b87aee0fdae10f88a0677834967a43a62
SHA51216e29d7cc144163877ec992f1d9f21c882d8ba804ede436273834e584b05a0c3d1c0749ae129890b3312c0556859c5a43baa4ddc1cebbd364d625149d56e9bbf
-
C:\Recycled\SPOOLSV.EXEFilesize
45KB
MD57b3aaf50d51a2fb7888c48d94b73da20
SHA181c7eb48895d3ea8ad045fdc47d650b99038d50d
SHA256489035eb9e0f6bc22d5a352e7444415b87aee0fdae10f88a0677834967a43a62
SHA51216e29d7cc144163877ec992f1d9f21c882d8ba804ede436273834e584b05a0c3d1c0749ae129890b3312c0556859c5a43baa4ddc1cebbd364d625149d56e9bbf
-
C:\Recycled\SPOOLSV.EXEFilesize
45KB
MD57b3aaf50d51a2fb7888c48d94b73da20
SHA181c7eb48895d3ea8ad045fdc47d650b99038d50d
SHA256489035eb9e0f6bc22d5a352e7444415b87aee0fdae10f88a0677834967a43a62
SHA51216e29d7cc144163877ec992f1d9f21c882d8ba804ede436273834e584b05a0c3d1c0749ae129890b3312c0556859c5a43baa4ddc1cebbd364d625149d56e9bbf
-
C:\Recycled\SVCHOST.EXEFilesize
45KB
MD55fdff9fbde69014b58a1fc6b7c6e754e
SHA19b7417b6e5c3c393d8c3e9297fe5b8629d1f8acf
SHA2569ed8a20f6841b63231b41919e765434e02418544f71a7eb3a9b00014569645f2
SHA512cc4eade9adb28db8a1bd2ccc4c9138b1a42da1a2b70e7c5de7d6b8425398ecf50a0f17ea086a64f6af42a503918608a9cfd59a43aeba46e0f2d80f7562eb01f6
-
C:\Recycled\SVCHOST.EXEFilesize
45KB
MD55fdff9fbde69014b58a1fc6b7c6e754e
SHA19b7417b6e5c3c393d8c3e9297fe5b8629d1f8acf
SHA2569ed8a20f6841b63231b41919e765434e02418544f71a7eb3a9b00014569645f2
SHA512cc4eade9adb28db8a1bd2ccc4c9138b1a42da1a2b70e7c5de7d6b8425398ecf50a0f17ea086a64f6af42a503918608a9cfd59a43aeba46e0f2d80f7562eb01f6
-
C:\Recycled\SVCHOST.EXEFilesize
45KB
MD55fdff9fbde69014b58a1fc6b7c6e754e
SHA19b7417b6e5c3c393d8c3e9297fe5b8629d1f8acf
SHA2569ed8a20f6841b63231b41919e765434e02418544f71a7eb3a9b00014569645f2
SHA512cc4eade9adb28db8a1bd2ccc4c9138b1a42da1a2b70e7c5de7d6b8425398ecf50a0f17ea086a64f6af42a503918608a9cfd59a43aeba46e0f2d80f7562eb01f6
-
C:\Recycled\SVCHOST.EXEFilesize
45KB
MD55fdff9fbde69014b58a1fc6b7c6e754e
SHA19b7417b6e5c3c393d8c3e9297fe5b8629d1f8acf
SHA2569ed8a20f6841b63231b41919e765434e02418544f71a7eb3a9b00014569645f2
SHA512cc4eade9adb28db8a1bd2ccc4c9138b1a42da1a2b70e7c5de7d6b8425398ecf50a0f17ea086a64f6af42a503918608a9cfd59a43aeba46e0f2d80f7562eb01f6
-
C:\Recycled\desktop.iniFilesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
C:\recycled\CTFMON.EXEFilesize
45KB
MD558afc26e17fdaefa948302f8514c93b7
SHA1af4a7716ff3261a7b38e0c22d3bfcb7486b002c7
SHA256a85b01840a68428006d13be53ba0eb4bdac556130eb16ba9dc783b49747d3c1c
SHA51264ca8c35733c12c8d8007e6aad2a8b3411c13e3e8e659a16f2c58aac828fc142add30edcbb85d261e801549692a4a777096e9c8fff8bd780fc236c0f6f0abfec
-
C:\recycled\SPOOLSV.EXEFilesize
45KB
MD57b3aaf50d51a2fb7888c48d94b73da20
SHA181c7eb48895d3ea8ad045fdc47d650b99038d50d
SHA256489035eb9e0f6bc22d5a352e7444415b87aee0fdae10f88a0677834967a43a62
SHA51216e29d7cc144163877ec992f1d9f21c882d8ba804ede436273834e584b05a0c3d1c0749ae129890b3312c0556859c5a43baa4ddc1cebbd364d625149d56e9bbf
-
C:\recycled\SVCHOST.EXEFilesize
45KB
MD55fdff9fbde69014b58a1fc6b7c6e754e
SHA19b7417b6e5c3c393d8c3e9297fe5b8629d1f8acf
SHA2569ed8a20f6841b63231b41919e765434e02418544f71a7eb3a9b00014569645f2
SHA512cc4eade9adb28db8a1bd2ccc4c9138b1a42da1a2b70e7c5de7d6b8425398ecf50a0f17ea086a64f6af42a503918608a9cfd59a43aeba46e0f2d80f7562eb01f6
-
memory/972-191-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/972-186-0x0000000000000000-mapping.dmp
-
memory/1104-185-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1104-181-0x0000000000000000-mapping.dmp
-
memory/1344-146-0x0000000000000000-mapping.dmp
-
memory/1344-166-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1344-214-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1404-132-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1404-205-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1548-145-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1548-141-0x0000000000000000-mapping.dmp
-
memory/1788-161-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1788-156-0x0000000000000000-mapping.dmp
-
memory/1876-190-0x0000000000000000-mapping.dmp
-
memory/1876-197-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2032-176-0x0000000000000000-mapping.dmp
-
memory/2032-180-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2932-212-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmpFilesize
64KB
-
memory/2932-211-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmpFilesize
64KB
-
memory/2932-210-0x00007FFA22010000-0x00007FFA22020000-memory.dmpFilesize
64KB
-
memory/2932-209-0x00007FFA22010000-0x00007FFA22020000-memory.dmpFilesize
64KB
-
memory/2932-208-0x00007FFA22010000-0x00007FFA22020000-memory.dmpFilesize
64KB
-
memory/2932-207-0x00007FFA22010000-0x00007FFA22020000-memory.dmpFilesize
64KB
-
memory/2932-206-0x00007FFA22010000-0x00007FFA22020000-memory.dmpFilesize
64KB
-
memory/2932-204-0x0000000000000000-mapping.dmp
-
memory/3204-195-0x0000000000000000-mapping.dmp
-
memory/3236-157-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3236-152-0x0000000000000000-mapping.dmp
-
memory/3388-202-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3388-196-0x0000000000000000-mapping.dmp
-
memory/3488-200-0x0000000000000000-mapping.dmp
-
memory/4404-164-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4404-213-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4404-135-0x0000000000000000-mapping.dmp
-
memory/4908-171-0x0000000000000000-mapping.dmp
-
memory/4908-175-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4920-162-0x0000000000000000-mapping.dmp
-
memory/4920-167-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4920-215-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB