Overview

overview

10

Static

static

3

0720771916...ab.exe

windows7-x64

10

0720771916...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0720771916f404e2cd628efabb7e3de832e62a56deec70b3df3a8a2ba71aa6ab.exe

  • Size

    97KB

  • MD5

    26f62a6cc9fcd51786bb9f650254e8f0

  • SHA1

    4e1c14b29498ff62563b3c646d6dc55d5662491c

  • SHA256

    0720771916f404e2cd628efabb7e3de832e62a56deec70b3df3a8a2ba71aa6ab

  • SHA512

    2059661ebe77af71bfec0994b283c6f4a42e6f375a9f74d90242edd025ef44413b89e397b47a707134123fecbf59328446f23738c84a7a1a87134acfb8bfbdd7

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoI8:J8dfX7y9DZ+N7eB+tI8

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0720771916f404e2cd628efabb7e3de832e62a56deec70b3df3a8a2ba71aa6ab.exe
    "C:\Users\Admin\AppData\Local\Temp\0720771916f404e2cd628efabb7e3de832e62a56deec70b3df3a8a2ba71aa6ab.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1988
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2724
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:5612
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5660
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1764
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4940
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:5384
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3428
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3488
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2412
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0720771916f404e2cd628efabb7e3de832e62a56deec70b3df3a8a2ba71aa6ab.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    97KB

    MD5

    912dc82fe9e1f4db5729a0e832fbbfaa

    SHA1

    7257223c42668ece9bde934eb07dc7f33c5ea7f9

    SHA256

    0446d08b8d3acf98e4739d8f20ce737fa30fd010638107e88331bcdad27de6f2

    SHA512

    42b0c94953c2a50825ead1fb6bc44877d15e7a38ded507c0aef83e372694cdebf9233f61123ead3be521c8a05d2ec81dfa77b976b4682f2162492f4cefc28ce1

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    c6ecc727192c7e63c29cf7da3dff4f12

    SHA1

    d06642911952f6ab503d7ab23af4bbbdb5b76eeb

    SHA256

    718a0c80d7f6b9604512715bb428e788e8c9c7dceb437c34c1d0e1b6d3b72dbd

    SHA512

    225a56c1cceb9495a38768daef920e7b9ee167271f0934f175c75d2197e9253451fed495220d609a0e4ad6de3f0f3f362fc0638fb7bdfa3721813e6e454c29d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD942A.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    c0c7ae2db06123a6e87f95c4e9a782f7

    SHA1

    0cf34b0e061b56bb45640b9f47f34bf58edaf5c6

    SHA256

    b9d0356e31bff5967491528b70db0f1046c9355732244b6d740ae576de964efa

    SHA512

    fdebe4fefa27a4379f1799082a9d9300ebbd0a3f45e8727c3b1a94237b3ea5978ce422f88167177ca414ac12ae00d356abbf4876ed052d4549ef72180b85ed59

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    92f66e87461c9a162c9533d7f1405fac

    SHA1

    405854fd34015bcbfe636895fc0979f007d63771

    SHA256

    aa43cb921412856b2e9c42b882ea51c5bd1fc7dd3bfc4c380e1408bbcea1f570

    SHA512

    21259b58b1c3ea3b1b67800303308b88ef8849118acf1290b5e10f4e7b82ee1b4ff4741f7081bb2d8215f2da32c3ff640ad535e268bace5c36e0dcd8f1adfd6f

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    21549e412d0bf268157f427b0a32f720

    SHA1

    2a09b22f7e4fb15b16d83bc97e80bc9773ff1eb0

    SHA256

    fe33c0f1c8eef24500a3ebf995e42175ce2f881cbbbe3f67b011e28c1b4e23cc

    SHA512

    6f52601feed8ae237968e83d7290c991bb913cd45e7fb594a44f9c165d3e97c84d47c6cd041f3e4907936b3e38ec0b768af01467cb39e35671bfffc91d4746ce

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    73b3ece49973c2bbf21a8c7adf029c90

    SHA1

    64ab0a7c5d1f4294810ff07c269c2f94c55cb68a

    SHA256

    ec3d372b97c08b5537ffefb01d56352457603387f0ab27714d27af36ee0ccbc0

    SHA512

    252460e05ecd400d49c97a3d93df9b8cdee011fc7674ca33c72f550119562613074d6034812766ce59674504cdab97fd459e218dea6a27f56af9136362fbe6d0

    Download Submit

  • memory/1764-64-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1860-19-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1988-34-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1988-27-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2412-85-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2724-45-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3428-78-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3488-82-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3952-89-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-93-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-94-0x00007FF9DF7D0000-0x00007FF9DF7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-92-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-91-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-90-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3952-88-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4640-87-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4640-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4932-36-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4940-65-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4940-69-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5384-73-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5384-70-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5612-49-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5612-48-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5660-54-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download