Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-11-2022 06:53
General
-
Target
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe
-
Size
42KB
-
MD5
76fc6dd56b4f8ddc559c77036b76b937
-
SHA1
3e37d7bc9420c4fdde2d907d8d1ca1196e934bf1
-
SHA256
d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5
-
SHA512
4a6213f0ddbaeb68a7b17516ed51d52e8434ec91102a6023396c468c4c6cd50acc8adf02e3f172bf6ae22d478bf9161bbbc0aea02ab68b9c505b5fe7bdbfeef6
-
SSDEEP
768:gSz0/XBwayCUOwV3TNZHdrPeqzEWvpbPwSMX6+w6pqZxLdeVgol9D8888888888s:BzOCay4wV339rPjzbpLwRJ9pSdoI1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
ASPack v2.12-2.42 18 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe"C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2f50eee8786568c10f8e604ffdcd8441187a630d6eb6e79f999c35ceaf84dc5.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recycled\CTFMON.EXEFilesize
42KB
MD576b15f733b4d3c25ddc7211a4b2f45d2
SHA18f0f859c7f13df908f76a5e807bc9d514ee25a0a
SHA256d165a3683c0d08d20510f5d4af52881657a859b1d669e6cb6e161e82f3fcebfb
SHA5124659d824d0aabdca1a7057ceede496e45909982fd8e1080f8f342020e8c2cc440c119d1d84aea3e6c943ba8415a3442640e4abd453018e7ea20801a91f09ebd1
-
C:\Recycled\CTFMON.EXEFilesize
42KB
MD576b15f733b4d3c25ddc7211a4b2f45d2
SHA18f0f859c7f13df908f76a5e807bc9d514ee25a0a
SHA256d165a3683c0d08d20510f5d4af52881657a859b1d669e6cb6e161e82f3fcebfb
SHA5124659d824d0aabdca1a7057ceede496e45909982fd8e1080f8f342020e8c2cc440c119d1d84aea3e6c943ba8415a3442640e4abd453018e7ea20801a91f09ebd1
-
C:\Recycled\CTFMON.EXEFilesize
42KB
MD576b15f733b4d3c25ddc7211a4b2f45d2
SHA18f0f859c7f13df908f76a5e807bc9d514ee25a0a
SHA256d165a3683c0d08d20510f5d4af52881657a859b1d669e6cb6e161e82f3fcebfb
SHA5124659d824d0aabdca1a7057ceede496e45909982fd8e1080f8f342020e8c2cc440c119d1d84aea3e6c943ba8415a3442640e4abd453018e7ea20801a91f09ebd1
-
C:\Recycled\CTFMON.EXEFilesize
42KB
MD576b15f733b4d3c25ddc7211a4b2f45d2
SHA18f0f859c7f13df908f76a5e807bc9d514ee25a0a
SHA256d165a3683c0d08d20510f5d4af52881657a859b1d669e6cb6e161e82f3fcebfb
SHA5124659d824d0aabdca1a7057ceede496e45909982fd8e1080f8f342020e8c2cc440c119d1d84aea3e6c943ba8415a3442640e4abd453018e7ea20801a91f09ebd1
-
C:\Recycled\SPOOLSV.EXEFilesize
42KB
MD5ec30c4f66a87aade18d25772db7d1293
SHA1113f9f8918904a5a8df084dc678b886bd4ce2a71
SHA2568a4e31814896f3b03d1c52dd854b1f5f970186031c42cdee033549ecd8981964
SHA5129666fe054c089fac92e4f66ae34275b8380f92c43689b909c403c8cbc2d39a9738bf9ed8711271eaeeff374ff730bf484cf539c068f5a9a662ad0b1b7d8a6aed
-
C:\Recycled\SPOOLSV.EXEFilesize
42KB
MD5ec30c4f66a87aade18d25772db7d1293
SHA1113f9f8918904a5a8df084dc678b886bd4ce2a71
SHA2568a4e31814896f3b03d1c52dd854b1f5f970186031c42cdee033549ecd8981964
SHA5129666fe054c089fac92e4f66ae34275b8380f92c43689b909c403c8cbc2d39a9738bf9ed8711271eaeeff374ff730bf484cf539c068f5a9a662ad0b1b7d8a6aed
-
C:\Recycled\SPOOLSV.EXEFilesize
42KB
MD5ec30c4f66a87aade18d25772db7d1293
SHA1113f9f8918904a5a8df084dc678b886bd4ce2a71
SHA2568a4e31814896f3b03d1c52dd854b1f5f970186031c42cdee033549ecd8981964
SHA5129666fe054c089fac92e4f66ae34275b8380f92c43689b909c403c8cbc2d39a9738bf9ed8711271eaeeff374ff730bf484cf539c068f5a9a662ad0b1b7d8a6aed
-
C:\Recycled\SPOOLSV.EXEFilesize
42KB
MD5ec30c4f66a87aade18d25772db7d1293
SHA1113f9f8918904a5a8df084dc678b886bd4ce2a71
SHA2568a4e31814896f3b03d1c52dd854b1f5f970186031c42cdee033549ecd8981964
SHA5129666fe054c089fac92e4f66ae34275b8380f92c43689b909c403c8cbc2d39a9738bf9ed8711271eaeeff374ff730bf484cf539c068f5a9a662ad0b1b7d8a6aed
-
C:\Recycled\SVCHOST.EXEFilesize
42KB
MD581f5ba7ee3b9a7fca1cd5bd8ef0708ec
SHA19101550e7482e6452d38b278503e650f61ddea5a
SHA2565a2f8867f162da938014b6f4649c31ef14b01964e55e06d3f4f2237f93705a26
SHA512ffaeb98e4f600856c48c7f32dad5f74bb00779e9d5868f782ff451bdd3c123d7c491c00d44ef4ae7e42f7e7fdb4c22fae3a0ef73e8d83835eedc9408c72ec3c1
-
C:\Recycled\SVCHOST.EXEFilesize
42KB
MD581f5ba7ee3b9a7fca1cd5bd8ef0708ec
SHA19101550e7482e6452d38b278503e650f61ddea5a
SHA2565a2f8867f162da938014b6f4649c31ef14b01964e55e06d3f4f2237f93705a26
SHA512ffaeb98e4f600856c48c7f32dad5f74bb00779e9d5868f782ff451bdd3c123d7c491c00d44ef4ae7e42f7e7fdb4c22fae3a0ef73e8d83835eedc9408c72ec3c1
-
C:\Recycled\SVCHOST.EXEFilesize
42KB
MD581f5ba7ee3b9a7fca1cd5bd8ef0708ec
SHA19101550e7482e6452d38b278503e650f61ddea5a
SHA2565a2f8867f162da938014b6f4649c31ef14b01964e55e06d3f4f2237f93705a26
SHA512ffaeb98e4f600856c48c7f32dad5f74bb00779e9d5868f782ff451bdd3c123d7c491c00d44ef4ae7e42f7e7fdb4c22fae3a0ef73e8d83835eedc9408c72ec3c1
-
C:\Recycled\SVCHOST.EXEFilesize
42KB
MD581f5ba7ee3b9a7fca1cd5bd8ef0708ec
SHA19101550e7482e6452d38b278503e650f61ddea5a
SHA2565a2f8867f162da938014b6f4649c31ef14b01964e55e06d3f4f2237f93705a26
SHA512ffaeb98e4f600856c48c7f32dad5f74bb00779e9d5868f782ff451bdd3c123d7c491c00d44ef4ae7e42f7e7fdb4c22fae3a0ef73e8d83835eedc9408c72ec3c1
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txtFilesize
2KB
MD51a1dce35d60d2c70ca8894954fd5d384
SHA158547dd65d506c892290755010d0232da34ee000
SHA2562661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
SHA5124abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD5d3151c6ce92402e22e174aefeec794a5
SHA1a5aa55df177cc30271f6356cceee6752adeb2680
SHA25605f6e08489798296e4e51115e2e4e27d043124c774c856d40356e5a8bbf8cfdd
SHA512feb8f43910d708f289fc55fb67df4cfaa377cb283da5e8e41716fd6c7f630e73ec247c99a7c77c467573441428ed349d4a4b7563099e7092e605176974bd0452
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD537d243b0f23821ae1df624320883c58a
SHA1de14b3c4436448ccec2dc358e175fd6ba68ef776
SHA2566bd5ee1ec8a96e94212f212e391a12ba4319cfe05d400a5ecce68f9837b34875
SHA512efb8a0def2a7097056eca50df31348d356d6061aa48cfcd5af7d428ca15b3fd18491213b34105073338943b843535274f85ec0410cdec3ff4afa373f460ffb09
-
C:\Windows\Fonts\ Explorer.exeFilesize
42KB
MD56ad98ed21a8e6ec8be965aa8f3721e9f
SHA115cbd7d8ff52d89a8ad998f2d6d242ac98203f95
SHA256c1b4f402947d3926e703315569bd2945a17d534901efa5394e9591d0cb3a657a
SHA512eb41d965db03861a1a05fa3b602528a1e4ad9b6f10eee627d2c2ab4596e95439846ee7101061c2e9afcfb95b6d004be80b8d370957b21cc756d09292de787202
-
C:\recycled\CTFMON.EXEFilesize
42KB
MD576b15f733b4d3c25ddc7211a4b2f45d2
SHA18f0f859c7f13df908f76a5e807bc9d514ee25a0a
SHA256d165a3683c0d08d20510f5d4af52881657a859b1d669e6cb6e161e82f3fcebfb
SHA5124659d824d0aabdca1a7057ceede496e45909982fd8e1080f8f342020e8c2cc440c119d1d84aea3e6c943ba8415a3442640e4abd453018e7ea20801a91f09ebd1
-
C:\recycled\SPOOLSV.EXEFilesize
42KB
MD5ec30c4f66a87aade18d25772db7d1293
SHA1113f9f8918904a5a8df084dc678b886bd4ce2a71
SHA2568a4e31814896f3b03d1c52dd854b1f5f970186031c42cdee033549ecd8981964
SHA5129666fe054c089fac92e4f66ae34275b8380f92c43689b909c403c8cbc2d39a9738bf9ed8711271eaeeff374ff730bf484cf539c068f5a9a662ad0b1b7d8a6aed
-
C:\recycled\SVCHOST.EXEFilesize
42KB
MD581f5ba7ee3b9a7fca1cd5bd8ef0708ec
SHA19101550e7482e6452d38b278503e650f61ddea5a
SHA2565a2f8867f162da938014b6f4649c31ef14b01964e55e06d3f4f2237f93705a26
SHA512ffaeb98e4f600856c48c7f32dad5f74bb00779e9d5868f782ff451bdd3c123d7c491c00d44ef4ae7e42f7e7fdb4c22fae3a0ef73e8d83835eedc9408c72ec3c1
-
memory/1412-148-0x0000000000000000-mapping.dmp
-
memory/1412-172-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1412-217-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1560-213-0x00007FFF53BF0000-0x00007FFF53C00000-memory.dmpFilesize
64KB
-
memory/1560-206-0x0000000000000000-mapping.dmp
-
memory/1560-208-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1560-209-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1560-210-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1560-211-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1560-212-0x00007FFF56550000-0x00007FFF56560000-memory.dmpFilesize
64KB
-
memory/1560-214-0x00007FFF53BF0000-0x00007FFF53C00000-memory.dmpFilesize
64KB
-
memory/1828-179-0x0000000000000000-mapping.dmp
-
memory/1828-186-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1872-161-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1872-156-0x0000000000000000-mapping.dmp
-
memory/2076-215-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2076-135-0x0000000000000000-mapping.dmp
-
memory/2076-146-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2316-190-0x0000000000000000-mapping.dmp
-
memory/2316-194-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/2316-195-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3160-207-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3160-132-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3332-171-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3332-166-0x0000000000000000-mapping.dmp
-
memory/3332-216-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3572-165-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3572-160-0x0000000000000000-mapping.dmp
-
memory/3612-142-0x0000000000000000-mapping.dmp
-
memory/3612-147-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3612-150-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3644-175-0x0000000000000000-mapping.dmp
-
memory/3644-180-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4392-200-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4392-196-0x0000000000000000-mapping.dmp
-
memory/4400-205-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4400-201-0x0000000000000000-mapping.dmp
-
memory/4604-189-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4604-184-0x0000000000000000-mapping.dmp