Overview

overview

10

Static

static

10

0663610695...6c.exe

windows7-x64

10

0663610695...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2024, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0663610695c856638c9832f75ffc61b37a68ffb6c0ee702cc58f3b91fb124c6c.exe

  • Size

    89KB

  • MD5

    65191e0dc05876a36f10d70c851e81a4

  • SHA1

    042cbb5b36e36955470b9494a07cc9b816de33bd

  • SHA256

    0663610695c856638c9832f75ffc61b37a68ffb6c0ee702cc58f3b91fb124c6c

  • SHA512

    6ca2205b4281ffd21f49522952fdfffca80c89e7b88cf6f89277c11ab43bbb5133e18722062581e47df4452337496ad534343e79c0e1c799670d4675ec131976

  • SSDEEP

    1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEn9:BDeb4T0daHy9DZc86yGUtn9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Detects executables packed with ASPack 19 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0663610695c856638c9832f75ffc61b37a68ffb6c0ee702cc58f3b91fb124c6c.exe
    "C:\Users\Admin\AppData\Local\Temp\0663610695c856638c9832f75ffc61b37a68ffb6c0ee702cc58f3b91fb124c6c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3584
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2240
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2388
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4588
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:540
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2396
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:508
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Modifies registry class
          PID:832
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4928
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1484
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0663610695c856638c9832f75ffc61b37a68ffb6c0ee702cc58f3b91fb124c6c.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    89KB

    MD5

    282e8ec44e3e4ec0e64972557644ee08

    SHA1

    18256a0c7c03e658e085470ba42a8e574a6f89f5

    SHA256

    78cdcee6b37f7a02836c3886391f32753decc0cfedb6e831676a2d0d0b755ce4

    SHA512

    fc50259b979b98c77fff38ced4ec2a39b2ea50b8f00379521e4e020b3b32c494686097e3796ff02a26298797576563491530a17a3b53c41e426df7c5756b9f23

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    89KB

    MD5

    16798291c9820b01331d4ce72550e5c8

    SHA1

    8ccb128bd63bd772c7b820a9874d67908c97c422

    SHA256

    1c2a933d491e26bd9954ea8e9ab51b2286a4d95449870fd581e530e2862d6228

    SHA512

    9e59c6d19d962b56fae9cc5704d503056e79c4a64f614b0f0f5b60aef1834be3b597e869c9673e5ddec2826d8d3174fa9cfbed0d63c89eef3a95e92ca7b1b98e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    1KB

    MD5

    0269b6347e473980c5378044ac67aa1f

    SHA1

    c3334de50e320ad8bce8398acff95c363d039245

    SHA256

    68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

    SHA512

    e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDA008.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    89KB

    MD5

    67f00ffdf0ccbbe73a950e6d37609e70

    SHA1

    5828149963746b16cb22f0844e85ac017eeeb411

    SHA256

    a1a43d34f6e8c0d81dd9a529e44853d1172cde21745cb52b671b7544d80821f8

    SHA512

    6374af0355f3e1e64e20ca7e02cb47288ce0335fc2e3c0a8b9eae8327993aad1c7efe05f840c41f736680540209b0053fd60adb5e8271844a543a9592fbe269d

    Download Submit

  • memory/508-69-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/508-65-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/540-61-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1484-76-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1888-78-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-79-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-82-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-81-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-83-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-84-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1888-80-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1948-45-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2240-39-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2388-42-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2396-63-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2848-17-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3188-31-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3584-28-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4588-56-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4588-52-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4724-77-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4724-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4928-73-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download