Overview

overview

10

Static

static

3

52a8098611...53.exe

windows7-x64

10

52a8098611...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe

  • Size

    97KB

  • MD5

    480412c2c0d22dc5b03edcfe75dc1b5c

  • SHA1

    5e476973313e9fbeab892d3d6101093f3b42bf1a

  • SHA256

    52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53

  • SHA512

    33e4f2e9c74a26cde8301063e370d5bec63f844037b01b382ab87a668c77262c5471103f48083aee72401e2fd752ab10f87040457c7ff0b1f0b30786a5e3273a

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIn:J8dfX7y9DZ+N7eB+tIn

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe
    "C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3076
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1364
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3060
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4608
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3660
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4840
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2852
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:640
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1788
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\52a80986112c040597d3f1960d4d2624f4186dcc09bcb6c6f6fce143eb512c53.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    97KB

    MD5

    e5fdf142d8ddafee37c1fa80037352e9

    SHA1

    37dc22874eb028f40da4768577f024110c3cae1f

    SHA256

    ae41c66c96936b0acced6453e2399e1b2725a6760d366f5eced8b8820455b87e

    SHA512

    c7f633832ea9c865ebc526e74aed4bf772db3fc837ba1e4ad01a74ec5a73f8b0f2f09885fdd998e0df08a344f80342033bfdc7bc254ab997f3113aa8f928a7c3

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    59d59302cf8640ab857da831a7fd21cf

    SHA1

    521019006d02653ce25b76504dc94034615712d9

    SHA256

    34a40f3b5cecf9c4142f8134004809cec1c583d9a31555377a6f2bfbb703c115

    SHA512

    da033e1107532276476d629761a9489e293c773404ec3d41a23acd912ec0aedaae28673fa8771fb2fd172a01fb70bd7caa2705f9b8ab913e6e7b92ace2b0c699

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD8C2D.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    5fbef1174710f43a49243acae9c6d3bc

    SHA1

    ea2b7970957dace4a3bac5b4915e17fc75f38d99

    SHA256

    c831987fd2f9b6a86207ec40df83e25c0a06613eb5e7cc32bdcced3c03aceb92

    SHA512

    08e91b92e446674e80fc672092ef16d7aecb39169a34d19d34e4590ff15a9ef52c8e93bff49bcf3067e506f5d3f9e4bfbcdc3d574ccba6171c32265f9acaac34

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    21fe872f7ed03747be54e6c9178c052a

    SHA1

    22225eb7d2f496b8aba2310988bf1ce795503069

    SHA256

    5668af258d5706397e4b07755f3b32dfd25de91faa26639e91f4995875e86ceb

    SHA512

    7e2d1d1425660bf5425cc8beeb6b9d7bac76f79b0cbb5baf6d660d7240e049fb1dec22ddc833965f5bbd466eb53efacee5419f0e3d18cd8a6366084ec743c539

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    97KB

    MD5

    837c626e71aef5e6f5b7191fab99666b

    SHA1

    9512164505bdbc9653b1f90b7a47e860ad564649

    SHA256

    9d4e4b12c8c937657006f8113c0f2482c426b8858639a2750de1571d1942dcff

    SHA512

    df4e386e063207f8e026c780ec31283e43d919626ccfc7b51019e84f8c4d4804eb836085586f65618efb0d151a4d80536c0b671c2d8e27a4e723c031a4c97036

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    97KB

    MD5

    ee362dfbf53fd7cafa105035107d85f4

    SHA1

    153a334e6e630c0cb25276fd2c6ddc55f9c575b6

    SHA256

    2ff67a1a9e0f616b44f359f3f134c7fa740c64cf874458c73ee8facb2f2be2ca

    SHA512

    c5a4bc2afcb961559c979b24f446ad3ceff6dfab8820c5827c46a22f0ee2c5e477206e3d7ac0b96c0af2e8c15f4e80322c037fea3626d760bb447f92f39f8efd

    Download Submit

  • memory/408-33-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/640-80-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1364-44-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1788-83-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1788-81-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2164-87-0x00007FFAFC930000-0x00007FFAFC940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-90-0x00007FFAFC930000-0x00007FFAFC940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-92-0x00007FFAFA730000-0x00007FFAFA740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-91-0x00007FFAFA730000-0x00007FFAFA740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-89-0x00007FFAFC930000-0x00007FFAFC940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-88-0x00007FFAFC930000-0x00007FFAFC940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2164-86-0x00007FFAFC930000-0x00007FFAFC940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-74-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2984-51-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3060-47-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3076-29-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3660-64-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3660-67-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4608-62-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4736-85-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4736-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4820-19-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4840-70-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download