Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 05:41

General

  • Target

    fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe

  • Size

    89KB

  • MD5

    4dd695aa2695ec57cd9998536790b010

  • SHA1

    03a04922b652da53fa3fbdfd4588922b1896b2d4

  • SHA256

    fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c

  • SHA512

    1ac4b7f217d5aef7d946a488c3e547b097ed9f54ed1025c015853e47c9c8ad8a96fda821701c09914a49a02adb7ffc4461dc14817cc7ee9942ee134d5e313cfd

  • SSDEEP

    1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnV:BDeb4T0daHy9DZc86yGUtnV

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Detects executables packed with ASPack 23 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe
    "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2788
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3576
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:5100
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1192
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2024
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4780
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3104
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Modifies registry class
          PID:1104
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3028
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1264
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fedf910a57f7c18215a0d93fb0347f5b99168d03c82bc1843127c571016add5c.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE

    Filesize

    89KB

    MD5

    ced0ce2a797c70ecda4d6ef101831fdd

    SHA1

    0f8d92e4e7d9ed454c9913050c5523094cb6574b

    SHA256

    89de7d4bb5ac99754f1f4ec44505773d0939ae8d1bb03d1dda81fc52af6b2102

    SHA512

    8ee458e9f95f95b5a436c4bcfb6bd17ec50c8f9a2e76633a5485c0787e6d6c29251c581ac5034b66f4acf7eb4df3b2b045b87890db374a57ee37c2773dca203c

  • C:\Recycled\SVCHOST.EXE

    Filesize

    89KB

    MD5

    f1551f244c0b734ae4ecfb8752d3a404

    SHA1

    e49bd54b4385dc68fc3bd6adba47961eee0c0e26

    SHA256

    8e77d830fe73e31dab5aca0e247d01e135ce73e782777ba1fe8ba5104f587e93

    SHA512

    a5c9fd40a685893b675d5fc1fcc181b1d107d5a711824030e35262b8136b13b17af8999caa4117e022b25bedd7c76fd19d056aa9e3afd2b41fef9307a2545207

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

    Filesize

    1KB

    MD5

    0269b6347e473980c5378044ac67aa1f

    SHA1

    c3334de50e320ad8bce8398acff95c363d039245

    SHA256

    68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

    SHA512

    e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\begolu.txt

    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

  • F:\Recycled\SVCHOST.EXE

    Filesize

    89KB

    MD5

    1cd2737f081571cd162070c70d0564af

    SHA1

    d5bcb147edb8b9530a5312cf72fe186b0c5e13fd

    SHA256

    7d7c9e71930dd68439ee58adf1cb3f56a02238b73dc5e854de1a957b31eaa500

    SHA512

    37cf4fd84eb4bee4bb2133ad5fd2873914f45e69ca13d9a09c0590f0efc9411d1b96c94a2756225badb021de2056a2b8694d220780f148180cab230430e64d5a

  • memory/1192-57-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1264-80-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1620-85-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

    Filesize

    64KB

  • memory/1620-84-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

    Filesize

    64KB

  • memory/1620-86-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

    Filesize

    64KB

  • memory/1620-88-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

    Filesize

    64KB

  • memory/1620-82-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

    Filesize

    64KB

  • memory/1620-87-0x00007FFD7A570000-0x00007FFD7A580000-memory.dmp

    Filesize

    64KB

  • memory/1620-83-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp

    Filesize

    64KB

  • memory/2024-58-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2024-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2028-30-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2232-48-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2788-26-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2792-17-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3028-75-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3028-77-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3104-68-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3104-71-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3576-41-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3576-36-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4244-81-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4244-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4780-66-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4780-65-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/5100-50-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/5100-43-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB