Overview

overview

10

Static

static

3

60a7e6244f...9d.exe

windows7-x64

7

60a7e6244f...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 08:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    60a7e6244fa20ced7cd376ac1893ca9d.exe

  • Size

    45KB

  • MD5

    60a7e6244fa20ced7cd376ac1893ca9d

  • SHA1

    3e3e9758146ecccedfd698510b9ca3001d302249

  • SHA256

    49bca1b2bff0e814b357e6e31573fa9cfe9de8054e1a73d5b691347f0799fe3b

  • SHA512

    5e30fcf66d8893d47a30e4d6e28009625e09dfd20f049bfdf26261e10feabd2a3599f79bf232208ec09ce6de843631b402965bc53d8802f6f92d29a9988eca94

  • SSDEEP

    768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXm:EOxyeFo6NPCAosxYyXdF5oy3VoKm

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60a7e6244fa20ced7cd376ac1893ca9d.exe
    "C:\Users\Admin\AppData\Local\Temp\60a7e6244fa20ced7cd376ac1893ca9d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:452
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4476
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5040
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4052
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4120
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3432
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\60a7e6244fa20ced7cd376ac1893ca9d.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:988
  • C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:1860
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
      PID:3012
    • C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      1⤵
        PID:1336
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5104
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3416
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        1⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3500
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:336
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2212

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Recycled\SPOOLSV.EXE
              Filesize

              45KB

              MD5

              4b21141a137bb5922c60744237c0cb3e

              SHA1

              0ec5a7b9dbe40af28d4cbb81d66ac92e47c98d60

              SHA256

              5929f9dd887d2c71fccfa35e4223c737c2becb3d83509eda821636cdefead01d

              SHA512

              c03a2f556c353a202882f824ce1e8866ee6c8cf5f1591b3078038e9c37348b911696161204f9a7857ef7bcae4671e5e296f236901d01ca0c7bb7e66e31336b71

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
              Filesize

              1KB

              MD5

              0269b6347e473980c5378044ac67aa1f

              SHA1

              c3334de50e320ad8bce8398acff95c363d039245

              SHA256

              68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

              SHA512

              e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

              Download Submit

            • C:\begolu.txt
              Filesize

              2B

              MD5

              2b9d4fa85c8e82132bde46b143040142

              SHA1

              a02431cf7c501a5b368c91e41283419d8fa9fb03

              SHA256

              4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

              SHA512

              c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

              Download Submit

            • C:\recycled\SVCHOST.EXE
              Filesize

              45KB

              MD5

              7f8345904f3807eae2e120f9744f9a64

              SHA1

              8b5debbf48a92a032aeabb457ad253768d2e54f9

              SHA256

              9a8ce9d78c7166fc4c65df7c8680956370d37765480070c1bc022935b321aa05

              SHA512

              1e37d37b081605aa73c8d796955ad3c41b3feccdfb295373da043f002e3a7e1cd3b485c71204727b9b710b8e18a7507f387c7847d787452a6bfbf3bda1a6578b

              Download Submit

            • F:\Recycled\SVCHOST.EXE
              Filesize

              45KB

              MD5

              e12562448ed78223b174df70213befe7

              SHA1

              1469596d4517f4789510ded8f2c2ef84b4976e2d

              SHA256

              0588bf97aa128f601446b12996ef5009ca1b9a369d7d46561204a8d866c0b615

              SHA512

              15379667a0e3f2f70d8fc2e328990c23d9bbf16ed7e15f35240cdde5e2490294726bbf85bf8513ba85eb508c8fb67f3f4c101f3338f0361c8a8dc76763c06a38

              Download Submit

            • memory/336-41-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/452-69-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/452-65-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/988-95-0x00007FFCD07F0000-0x00007FFCD0800000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-112-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-135-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-134-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-133-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-94-0x00007FFCD07F0000-0x00007FFCD0800000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-96-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-98-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-99-0x00007FFCD07F0000-0x00007FFCD0800000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-102-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-101-0x00007FFCD07F0000-0x00007FFCD0800000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-97-0x00007FFCD07F0000-0x00007FFCD0800000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-100-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-103-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-105-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-106-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-109-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-110-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-111-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-113-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-114-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-104-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-108-0x00007FFCCDF30000-0x00007FFCCDF40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/988-107-0x00007FFD10770000-0x00007FFD10965000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/988-115-0x00007FFCCDF30000-0x00007FFCCDF40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1280-17-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1540-70-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1540-74-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1860-22-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1860-26-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2212-38-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2696-51-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2696-55-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3416-59-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3432-79-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3500-45-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4052-91-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4120-84-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4476-30-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5028-0-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5028-93-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5040-88-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5104-63-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5104-61-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download