Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 15:38
Static task: static1
Behavioral task behavioral1: sample 0419fa158298e87fd6342b25884f7ca2.exe on resource win7-20231215-en
Behavioral task behavioral2: sample 0419fa158298e87fd6342b25884f7ca2.exe on resource win10v2004-20231215-en (the run reported below)
General
Target: 0419fa158298e87fd6342b25884f7ca2.exe
Size: 88KB
MD5: 0419fa158298e87fd6342b25884f7ca2
SHA1: f219af924f85542b88f71842367bbd39e4379179
SHA256: 73f79c9a74c2b184936cc56328ae2f9b389284018b3f38bbb15f67c89e856bd1
SHA512: b9a1806e87348365a265e0a09b57a6897d290bbce188610e64948ef5fc7e1fb44c96363db163013ef47766346b1cdea5f86a01319686de82079e29380ec8fc2b
SSDEEP: 768:L7mv35BMCHSTLUPdzqVegTLw4aMzI8ryPIaFG0YIb5ZnsxD5BMC8v:L7Q5bSTLUPduVe34aMc8WP/b5ZsxD5
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = Explorer.exe "C:\Program Files\Microsoft Office\Temp.exe"  [ISASS.exe]
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1  [ISASS.exe]
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1  [ISASS.exe]
Disables Task Manager via registry modification (no IoC listed)
Disables cmd.exe use via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = 1  [ISASS.exe]
Executes dropped EXE (12 IoCs)
  PID 2400 ISASS.exe; 932 LNETINFO.exe; 500 ISASS.exe; 400 krnl32.bat; 2200 LNETINFO.exe; 436 ISASS.exe; 752 LNETINFO.exe; 2036 ISASS.exe; 4284 LNETINFO.exe; 3848 ISASS.exe; 3184 ISASS.exe; 3196 LNETINFO.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Patah Hati = C:\WINDOWS\system\ISASS.exe  [ISASS.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\user logon = C:\WINDOWS\Help\user logon.exe  [ISASS.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds = C:\WINDOWS\hkcmd.exe  [ISASS.exe]
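Reading the registry entries above: the Winlogon Shell value keeps Explorer.exe in front so the desktop still starts, and appends a second program path after it; the three Run values point at copies in C:\WINDOWS\system, C:\WINDOWS\Help and the root of C:\WINDOWS, with HotKeysCmds borrowing the value name that Intel's graphics hotkey helper uses for its own hkcmd.exe; the two Policies\System flags lock the logged-on user out of regedit and cmd. HideFileExt = 1 is the Windows default, so that write is only notable because of which process made it. The following is an added example, not part of the sandbox report, that evaluates such writes as Sysmon-style registry-value-set records. EVENTS is constructed: seven records carry the report's own key paths, data and writing process, two are hypothetical benign controls; TRUSTED_DIRS, the vendor paths and the rule labels are the example's assumptions (T1547.001 and T1547.004 are the report's ATT&CK mappings, T1112 Modify Registry is the example's choice for the rest).

```python
"""Rule logic for the registry writes listed under Signatures, evaluated over
Sysmon-style "registry value set" records.

Added example, not part of the sandbox report. EVENTS is constructed: the
first seven records carry the report's own key paths, data and writing process,
the last two are hypothetical benign controls. TRUSTED_DIRS and the technique
labels are the example's assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    image: str    # process that set the value
    target: str   # key\value path as the sandbox prints it (\REGISTRY\...) or as Sysmon does (HKLM\, HKU\)
    details: str  # value data rendered as a string


SID = "S-1-5-21-1815711207-1844170477-3539718864-1000"   # sandbox user's SID, from the report
ISASS = r"C:\WINDOWS\system\ISASS.exe"
USER_CV = r"\REGISTRY\USER" + "\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion"
MACHINE_SW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
EVENTS = [
    RegistryEvent(ISASS, MACHINE_SW + r" NT\CurrentVersion\Winlogon\Shell",
                  r'Explorer.exe "C:\Program Files\Microsoft Office\Temp.exe"'),
    RegistryEvent(ISASS, USER_CV + r"\Explorer\Advanced\HideFileExt", "1"),
    RegistryEvent(ISASS, USER_CV + r"\Policies\System\DisableRegistryTools", "1"),
    RegistryEvent(ISASS, USER_CV + r"\Policies\System\DisableCMD", "1"),
    RegistryEvent(ISASS, MACHINE_SW + r"\CurrentVersion\Run\Patah Hati", r"C:\WINDOWS\system\ISASS.exe"),
    RegistryEvent(ISASS, MACHINE_SW + r"\CurrentVersion\Run\user logon", r"C:\WINDOWS\Help\user logon.exe"),
    RegistryEvent(ISASS, USER_CV + r"\Run\HotKeysCmds", r"C:\WINDOWS\hkcmd.exe"),
    # hypothetical benign controls (constructed): Explorer toggling its own view option,
    # and a vendor installer registering a tray helper under Program Files
    RegistryEvent(r"C:\Windows\explorer.exe",
                  "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1"),
    RegistryEvent(r"C:\Program Files\Vendor\setup.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                  r'"C:\Program Files\Vendor\tray.exe" /background'),
]

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
POLICY_FLAGS = {"disableregistrytools", "disablecmd", "disabletaskmgr"}
SID_RE = re.compile(r"(\\registry\\user|hku|hkey_users)\\s-1-5-21-\d+-\d+-\d+-\d+\\")


def normalize_key(path: str) -> str:
    """One lower-case hklm\\ / hkcu\\ spelling for sandbox and Sysmon forms of the same key,
    with the WOW6432Node redirection removed so 32-bit and 64-bit writers compare equal."""
    low = path.lower()
    for prefix, hive in (("\\registry\\machine\\", "hklm\\"), ("hkey_local_machine\\", "hklm\\"),
                         ("hkey_current_user\\", "hkcu\\")):
        if low.startswith(prefix):
            low = hive + low[len(prefix):]
            break
    else:
        m = SID_RE.match(low)
        if m:
            low = "hkcu\\" + low[m.end():]
    return low.replace("\\wow6432node\\", "\\")


def run_target(data: str) -> str:
    """Executable path from Run-key data: the quoted path if present, else the whole string
    (the report's Run values are unquoted and one contains a space, so do not split on it)."""
    m = re.match(r'\s*"([^"]+)"', data)
    return m.group(1) if m else data.strip()


def evaluate(ev: RegistryEvent) -> dict | None:
    key = normalize_key(ev.target)
    parent, _, name = key.rpartition("\\")
    data = ev.details.strip()
    found = None
    if key == "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell":
        # the legitimate value is exactly explorer.exe; anything else on the line was added
        if data.lower() != "explorer.exe":
            tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', data)]
            found = ("Winlogon Shell value altered", "T1547.004",
                     [t for t in tokens if t.lower() != "explorer.exe"])
    elif parent.endswith("\\microsoft\\windows\\currentversion\\run"):
        exe = run_target(data)
        if not exe.lower().startswith(TRUSTED_DIRS):
            found = (f"Run value '{name}' points outside trusted directories", "T1547.001", [exe])
    elif parent.endswith("\\microsoft\\windows\\currentversion\\policies\\system") \
            and name in POLICY_FLAGS and data != "0":
        found = (f"{name} enabled", "T1112", [])
    elif key.endswith("\\explorer\\advanced\\hidefileext") and data != "0" \
            and not ev.image.lower().endswith("\\explorer.exe"):
        # HideFileExt=1 is the Windows default, so the writer, not the data, is the signal
        found = ("HideFileExt set by a process other than Explorer", "T1112", [])
    if found is None:
        return None
    rule, technique, payload = found
    return {"rule": rule, "technique": technique, "key": key, "data": data,
            "image": ev.image, "payload": payload}


def scan(events) -> list[dict]:
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['technique']}  {f['rule']}  <- {f['image']}  {f['payload']}")
```

Run it and seven findings come out, all attributed to C:\WINDOWS\system\ISASS.exe, while the two controls stay silent; the Shell finding carries the appended path C:\Program Files\Microsoft Office\Temp.exe as its payload. Keying on the writing process for HideFileExt, and on the target directory rather than the value name for Run entries, is what keeps the rule quiet for Explorer and ordinary installers.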
Drops file in System32 directory (10 IoCs)
  File created and opened for modification by LNETINFO.exe:
  C:\WINDOWS\SysWOW64\Patah_08154.exe
  C:\WINDOWS\SysWOW64\Patah_07065.exe
  C:\WINDOWS\SysWOW64\Patah_05805.exe
  C:\WINDOWS\SysWOW64\Patah_03029.exe
  C:\WINDOWS\SysWOW64\Patah_0150.exe
Drops file in Program Files directory (2 IoCs)
  File created and opened for modification  C:\Program Files\Microsoft Office\Temp.exe  [ISASS.exe]
Drops file in Windows directory (31 IoCs)
  By 0419fa158298e87fd6342b25884f7ca2.exe (created and opened for modification):
  C:\WINDOWS\system\ISASS.exe
  By ISASS.exe (created and opened for modification):
  C:\WINDOWS\system\LNETINFO.exe
  C:\WINDOWS\security\krnl32.bat
  C:\WINDOWS\hkcmd.exe
  C:\WINDOWS\Help\user logon.exe
  By LNETINFO.exe (created and opened for modification unless noted):
  C:\WINDOWS\system  (directory, opened for modification only)
  C:\WINDOWS\system.exe
  C:\WINDOWS\system\ISASS.exe
  C:\WINDOWS\system\Aku Bisa Tanpamu.exe
  C:\WINDOWS\system\Sejauh Mungkin.exe
  C:\WINDOWS\system\Viva Elektro.exe
  C:\WINDOWS\system\Tak Seperti Dulu.exe
  C:\WINDOWS\system\Kau Pikir Kaulah Segalanya.exe
  C:\WINDOWS\system\Aku Kecewa.exe
  C:\WINDOWS\system\Dibalas Dengan Dusta.exe
  C:\WINDOWS\system\mr.abram's.exe
Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings  [Explorer.exe]
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events in alternating pairs from PID 2400 (ISASS.exe) and PID 400 (krnl32.bat), 32 each.
Suspicious use of SetWindowsHookEx (13 IoCs)
  PID 860 0419fa158298e87fd6342b25884f7ca2.exe; 2400 ISASS.exe; 932 LNETINFO.exe; 500 ISASS.exe; 400 krnl32.bat; 2200 LNETINFO.exe; 436 ISASS.exe; 752 LNETINFO.exe; 2036 ISASS.exe; 4284 LNETINFO.exe; 3848 ISASS.exe; 3184 ISASS.exe; 3196 LNETINFO.exe
Suspicious use of WriteProcessMemory (38 IoCs)
  writer PID  writer image                              target PID  procid_target  records
  860         0419fa158298e87fd6342b25884f7ca2.exe      2400        90             3
  2400        ISASS.exe                                 932         91             3
  932         LNETINFO.exe                              500         92             3
  2400        ISASS.exe                                 400         93             3
  860         0419fa158298e87fd6342b25884f7ca2.exe      3620        94             2
  2400        ISASS.exe                                 2200        106            3
  932         LNETINFO.exe                              436         107            3
  2400        ISASS.exe                                 752         112            3
  932         LNETINFO.exe                              2036        113            3
  2400        ISASS.exe                                 4284        118            3
  932         LNETINFO.exe                              3848        119            3
  932         LNETINFO.exe                              3184        120            3
  2400        ISASS.exe                                 3196        121            3
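The 38 WriteProcessMemory entries look like injection at first glance, but every target PID is a direct child of the writer in the process tree below, so what the signature records here is process creation rather than writes into an unrelated process. Note also that krnl32.bat runs as its own process image (PID 400) rather than under cmd.exe, and fires SetWindowsHookEx and EnumeratesProcesses itself, which is consistent with a PE that merely carries a .bat extension. The following is an added example, not part of the sandbox report, that parses these entries, rebuilds the tree and separates creation writes from writes into a process some other PID created. RAW reproduces the report's 38 records (runs of identical records written with "* n"); PID_IMAGES is the pid/Process table of the SetWindowsHookEx signature plus PID 3620 (Explorer.exe) from the tree; treating the first writer into a PID as its creator is the example's own heuristic.

```python
"""Rebuild the parent/child tree from the report's "Suspicious use of
WriteProcessMemory" entries and separate process creation from injection.

Added example, not part of the sandbox report. RAW reproduces the report's
38 records (runs of identical records written with "* n"); PID_IMAGES is the
pid/Process table from the SetWindowsHookEx signature plus PID 3620
(Explorer.exe) from the process tree. Treating the first writer into a PID as
its creator, and any later different writer as an injector, is this example's
own heuristic, not something the sandbox states.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

RAW = (
    "PID 860 wrote to memory of 2400 860 0419fa158298e87fd6342b25884f7ca2.exe 90 " * 3
    + "PID 2400 wrote to memory of 932 2400 ISASS.exe 91 " * 3
    + "PID 932 wrote to memory of 500 932 LNETINFO.exe 92 " * 3
    + "PID 2400 wrote to memory of 400 2400 ISASS.exe 93 " * 3
    + "PID 860 wrote to memory of 3620 860 0419fa158298e87fd6342b25884f7ca2.exe 94 " * 2
    + "PID 2400 wrote to memory of 2200 2400 ISASS.exe 106 " * 3
    + "PID 932 wrote to memory of 436 932 LNETINFO.exe 107 " * 3
    + "PID 2400 wrote to memory of 752 2400 ISASS.exe 112 " * 3
    + "PID 932 wrote to memory of 2036 932 LNETINFO.exe 113 " * 3
    + "PID 2400 wrote to memory of 4284 2400 ISASS.exe 118 " * 3
    + "PID 932 wrote to memory of 3848 932 LNETINFO.exe 119 " * 3
    # tail copied as printed, including the line break the extractor put inside one record
    + "PID 932 wrote to memory of 3184 932 LNETINFO.exe 120 PID 2400 wrote to memory of 3196 2400 ISASS.exe 121 "
    + "PID 932 wrote to memory of 3184 932 LNETINFO.exe 120 PID 932 wrote to memory of 3184 \n"
    + "932 LNETINFO.exe 120 PID 2400 wrote to memory of 3196 2400 ISASS.exe 121 "
    + "PID 2400 wrote to memory of 3196 2400 ISASS.exe 121"
)

PID_IMAGES = (
    "860 0419fa158298e87fd6342b25884f7ca2.exe 2400 ISASS.exe 932 LNETINFO.exe 500 ISASS.exe "
    "400 krnl32.bat 2200 LNETINFO.exe 436 ISASS.exe 752 LNETINFO.exe 2036 ISASS.exe "
    "4284 LNETINFO.exe 3848 ISASS.exe 3184 ISASS.exe 3196 LNETINFO.exe 3620 Explorer.exe"
)

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>";
# the backreference rejects any record whose two writer columns disagree.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


@dataclass(frozen=True)
class Write:
    writer: int
    target: int
    image: str          # image of the writing process
    procid_target: int  # sandbox's internal id of the target process


def parse_writes(text: str) -> list[Write]:
    # Collapse whitespace first: the report splits one record across two lines.
    flat = " ".join(text.split())
    return [Write(int(w), int(t), img, int(p)) for w, t, img, p in WRITE_RE.findall(flat)]


def parse_pid_images(text: str) -> dict[int, str]:
    return {int(pid): img for pid, img in re.findall(r"(\d+) (\S+)", text)}


def build_tree(writes: list[Write]):
    """creator[child] = first PID that wrote into it; children[parent] = PIDs it created;
    foreign = writes into a PID that a different process created (injection candidates)."""
    creator: dict[int, int] = {}
    foreign: list[Write] = []
    for w in writes:
        if creator.setdefault(w.target, w.writer) != w.writer:
            foreign.append(w)
    children: dict[int, list[int]] = defaultdict(list)
    for child, parent in creator.items():
        children[parent].append(child)
    return creator, dict(children), foreign


def fan_out(writes: list[Write], images: dict[int, str]) -> dict[int, Counter]:
    """Per creating PID, how many children of each image name it started."""
    _, children, _ = build_tree(writes)
    return {parent: Counter(images.get(c, "?") for c in kids) for parent, kids in children.items()}


if __name__ == "__main__":
    ws = parse_writes(RAW)
    imgs = parse_pid_images(PID_IMAGES)
    _, _, foreign = build_tree(ws)
    print(f"{len(ws)} records, {len(foreign)} writes into a process the writer did not create")
    for parent, counts in fan_out(ws, imgs).items():
        print(f"PID {parent} ({imgs[parent]}) created: {dict(counts)}")
```

Run it and the output shows PID 2400 (ISASS.exe) creating five LNETINFO.exe children plus krnl32.bat, PID 932 (LNETINFO.exe) creating five ISASS.exe children, and no foreign writes: the two binaries keep relaunching each other, so terminating one of them while the other, the Run values and the Winlogon Shell entry remain leaves the infection in place.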
Processes
C:\Users\Admin\AppData\Local\Temp\0419fa158298e87fd6342b25884f7ca2.exe  (PID 860)
  command line: "C:\Users\Admin\AppData\Local\Temp\0419fa158298e87fd6342b25884f7ca2.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\system\ISASS.exe  (PID 2400)
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\system\LNETINFO.exe  (PID 932)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\system\ISASS.exe  (PID 500)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\system\ISASS.exe  (PID 436)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\system\ISASS.exe  (PID 2036)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\system\ISASS.exe  (PID 3848)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\system\ISASS.exe  (PID 3184)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\security\krnl32.bat  (PID 400)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\system\LNETINFO.exe  (PID 2200)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\system\LNETINFO.exe  (PID 752)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\system\LNETINFO.exe  (PID 4284)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\system\LNETINFO.exe  (PID 3196)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\Explorer.exe  (PID 3620)
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Downloads
File 1 (281B)
  MD5: 8b45c9539b312faf6edbd2f29d80aa9f
  SHA1: 8fba44d7f1139f77be3b3cd158be710cf47e3c3c
  SHA256: 1936c3a6dd6f44505ffe7986168de41c593ac127dd46f5305ad5b4c6c5d25773
  SHA512: 65763efb1fa2690817ea89faa1c8cce41aa9b7e51fcec0c8f16404d5e19637a1042bda808c43eb5acf0b65631b84782a1c601f7522a052374c2596a4ae580e85
File 2 (88KB, the submitted sample)
  MD5: 0419fa158298e87fd6342b25884f7ca2
  SHA1: f219af924f85542b88f71842367bbd39e4379179
  SHA256: 73f79c9a74c2b184936cc56328ae2f9b389284018b3f38bbb15f67c89e856bd1
  SHA512: b9a1806e87348365a265e0a09b57a6897d290bbce188610e64948ef5fc7e1fb44c96363db163013ef47766346b1cdea5f86a01319686de82079e29380ec8fc2b