Overview

overview

10

Static

static

3

801c68fc04...28.exe

windows7-x64

10

801c68fc04...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 01:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    801c68fc043e9ea7547682612ee170e2f4276a6596c10d734266b530d0d38f28.exe

  • Size

    97KB

  • MD5

    8add2719a4f69adf37cf4443c7fea3d7

  • SHA1

    a7f95d95e98e3e0688cc5e17d61e0457a087f7d9

  • SHA256

    801c68fc043e9ea7547682612ee170e2f4276a6596c10d734266b530d0d38f28

  • SHA512

    3daf9294d8edb18a4278f252cfa0e2aa4ea1257f58021a0f1242e85e12cb912a8a12b95be6c19c1ed730ba3ad56b4eca207d2b586091067b7021238ba3dd7640

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIz:J8dfX7y9DZ+N7eB+tIz

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\801c68fc043e9ea7547682612ee170e2f4276a6596c10d734266b530d0d38f28.exe
    "C:\Users\Admin\AppData\Local\Temp\801c68fc043e9ea7547682612ee170e2f4276a6596c10d734266b530d0d38f28.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2724
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2352
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2500
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2032
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1904
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2696
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2692
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2864
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2484
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\801c68fc043e9ea7547682612ee170e2f4276a6596c10d734266b530d0d38f28.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1268

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
          Filesize

          2KB

          MD5

          1a1dce35d60d2c70ca8894954fd5d384

          SHA1

          58547dd65d506c892290755010d0232da34ee000

          SHA256

          2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

          SHA512

          4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

          Download Submit

        • C:\Windows\Fonts\ Explorer.exe
          Filesize

          97KB

          MD5

          13ca183b95698365bc5fb9248e7ca1a7

          SHA1

          66395668d85edfabcf3a5bd56ad88cf61f93f4b4

          SHA256

          02fb95b9ff1a9a732132acd7863bd9c22f42e8c155010063377c05c7ee0bbab3

          SHA512

          0359b47c735a5db735406f6a516af9e339a7d7d41015cdf13ebb7eafb18a4800bcf6c5345c64994a724309593fb60d48ed771bf77dad454629c43d068ccedd6c

          Download Submit

        • C:\Windows\Fonts\ Explorer.exe
          Filesize

          97KB

          MD5

          41afccada2f06aa5d1d54bf63607172e

          SHA1

          5830c137403531a0466c556cdb7f1d5bcccee8b8

          SHA256

          8be71f79cf860d008a2bb17c227b98451308ce5a5681d55a5fcc9479fdd2472e

          SHA512

          6bcb23ffa69716a054d5bff1d37301249814dfb55e270273e66d3ebfbaf588c21793cb9d9c62e8b2df80949cea483f63da4691253725a290d76cfbed6c99607a

          Download Submit

        • C:\Windows\Fonts\ Explorer.exe
          Filesize

          97KB

          MD5

          ae4e3f2e43714430b7d9d0fc0f52b7c8

          SHA1

          9ff8abe15e84d2bcbe7d3305309450da1b91743b

          SHA256

          6b91fe59c4a934ea7c5633bf64195bf379efd488fbb17a32db8e73a3e8fbdcfe

          SHA512

          8b004014916bd2e04db3da099a0349061ab0c615a1e6ef53044d546190160f1c010e6a80baae8555c8dddf5fcaede4bc40f08173b70fe3cc5b8556b34db6b408

          Download Submit

        • C:\begolu.txt
          Filesize

          2B

          MD5

          2b9d4fa85c8e82132bde46b143040142

          SHA1

          a02431cf7c501a5b368c91e41283419d8fa9fb03

          SHA256

          4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

          SHA512

          c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

          Download Submit

        • F:\Recycled\SVCHOST.EXE
          Filesize

          97KB

          MD5

          22e412ad2245b9b21aae70de729de8d6

          SHA1

          f83279ef4ec020808f282dcbec82d029a8f91519

          SHA256

          037632a9d630f8ac5cfcdfca4c1495aee8ccd525605ab219f30fde47a9d7673a

          SHA512

          32c289fd0899a7c01134491aed9aba585cbe0dda526120197fef5e17875dc1bf9ddec64d864fcd852bfb494a34e30b775bec7b98302ab18eec1c19a03b911a04

          Download Submit

        • \Recycled\SPOOLSV.EXE
          Filesize

          97KB

          MD5

          d1cb71a9b465c31e5fa9ac2750b0eb99

          SHA1

          aa1b9af3f509f9db60f89ae23cde2e4912263164

          SHA256

          037fa38a8d7497392936635d82e95ebe6679f88d0c38ce3bb096d0551c4bbcd1

          SHA512

          c393d5256a2f766b25ebe5958b40c6f575116c4765f8301153e86ae4ea4b5898e2eb310802d666a5fb7b56be3272f7eb766a27836fa10d6860789bc62ee61e3f

          Download Submit

        • \Recycled\SVCHOST.EXE
          Filesize

          97KB

          MD5

          b64e5578f21423b2e50d87f6ab8f7ccb

          SHA1

          a71bc270b17e8dbe939d53d2053a150cbd1baef8

          SHA256

          edbf56becc5f83445394d14e45d4e0632c531899afa7f076041d73af21aa94c1

          SHA512

          c148e6223c347bc7adf9c1f2622072c97bb9f39b2cac4ea756ea901f72eeb84da6455e6e031d649e939f57cf3653af36696b8c7cff138e0ef58938b4b5c5ae5d

          Download Submit

        • memory/1268-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1796-0-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1796-24-0x0000000002700000-0x0000000002721000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1796-109-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1796-107-0x00000000049C0000-0x00000000049D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1796-18-0x0000000002700000-0x0000000002721000-memory.dmp

          Filesize

          132KB

          Download

        • memory/1904-83-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2032-73-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2032-77-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2352-56-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2464-64-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2464-79-0x0000000002680000-0x00000000026A1000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2484-103-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2484-106-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2500-59-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2500-55-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2596-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2596-51-0x0000000001BD0000-0x0000000001BF1000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2692-93-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2696-87-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2724-42-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2864-98-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2864-102-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2968-38-0x00000000007F0000-0x0000000000811000-memory.dmp

          Filesize

          132KB

          Download