Overview

overview

10

Static

static

3

fee73420c6...e6.exe

windows7-x64

10

fee73420c6...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/06/2024, 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fee73420c6e42d686d96bbf461d312bb999d1f916c9b33d9a85bd6d83870d2e6.exe

  • Size

    97KB

  • MD5

    e611c15ff5e7b99b01ebf31a59b6fe1a

  • SHA1

    f4ae04eebbd22b0db92d996c86845bf623972587

  • SHA256

    fee73420c6e42d686d96bbf461d312bb999d1f916c9b33d9a85bd6d83870d2e6

  • SHA512

    91f79d875f0122aa8285445ede8ba978a727747e7ba0b65d316fe6a39ba88fe8214e54c64e1996411772a2f961f727a3d7b82784abbecc0bf19b441f996a9ae1

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIc:J8dfX7y9DZ+N7eB+tIc

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fee73420c6e42d686d96bbf461d312bb999d1f916c9b33d9a85bd6d83870d2e6.exe
    "C:\Users\Admin\AppData\Local\Temp\fee73420c6e42d686d96bbf461d312bb999d1f916c9b33d9a85bd6d83870d2e6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2704
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3452
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2068
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3504
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2268
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:900
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4288
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2476
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3080
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4176
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3436
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2376
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fee73420c6e42d686d96bbf461d312bb999d1f916c9b33d9a85bd6d83870d2e6.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4244
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SPOOLSV.EXE
      Filesize

      97KB

      MD5

      004342f67ee9a78d8474dbfae0d3cdac

      SHA1

      1b3b53a18e60775c120465caf906d35ad09a3ad5

      SHA256

      358986039fd476afad9ec492bffa60e2169a4c2b6be8da9c3fc611ac2a8fb70c

      SHA512

      f46059f7b616b44bf13a124579d319dcff41e78d459fb0198f688550ecde860559871a38353d4baa93130151f5170fd73d68fba24bada2840913d1cf9fd09086

      Download Submit

    • C:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      ac0727ac5974c0a161abf8ef966498f4

      SHA1

      8317e26f2b1ed75828a2b76d3fcc944a414101ed

      SHA256

      1e3eb0e2dde98dcbaaf8e1a11f296eb7ad4d65817b8606445f929cd600e3e25e

      SHA512

      d8bb8c05c34eb5854dfee1d7c721c745401aac05fcb2a860e4a0ff185741b8dab2bc061f07faf01e97b2de8f16843ff635e2cdcdb4d3d07cbc7c12498174125a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      44b3fe5f304e3c4bea4d1d309b71ca0f

      SHA1

      acfa346c4eb8a7760d0cbffee4be58a7e8edd6df

      SHA256

      a917a1401d4238607c2c349a21b4300419494ed677b227d7efb869ddaf0a48b1

      SHA512

      53f891766405afc4459bff0a86c6b89bbe9d1e97b99c781ab9c8f026e97d22dec816eb04b960c1ac0f85be38a39b526825e637cfc0334e42951c2e22a0b30958

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      a36df884ef08697835b984b9d552c8e3

      SHA1

      d5737ec12f5dd416260cb78513fd23c5596d21f5

      SHA256

      f637a3d0e7d4a182d0ef28b756a0f8b8b4ed09122f41b0dd6bee959aac224339

      SHA512

      187741bccd9f8a524842991cd6cbc48a63ad5a58ed2229e1916c7945003d29686faf0bd1afd7575e60641eb78f244e531a88e75e42e57fb5c48f654d504650f0

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      313449aaa285c8c9df39a36c23188737

      SHA1

      8a33a5de840103919e8fc4d08a14f21a0a7913dd

      SHA256

      2c399b97aa06dc8b9d79fd287927b6eff1b263a09efc6206377d2b7a5e2778e9

      SHA512

      7d669b8d469a2025766caab0a115836f3a9a29a95ce640e7e76d3b0c76321b05c7a8fb9b87122c4dc5b72abb74dbfa263e9b08bc458b905be663c1eccd3feaff

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      0a816783852504a9a03eca89a391fb3c

      SHA1

      43660c9218258379cb3171e282e9089929fdc7f0

      SHA256

      67c4bcd437dbe877382f15898e7a556f646653b840ad529ac2971066a6cfabab

      SHA512

      f858c7e6fca1c58018db6b0b9e2a6ac66c534efae15937ec237765e4da004f7f37226a93528e83772b24655bfe01a2ec06b61546c2f7515d5c227a930589e392

      Download Submit

    • memory/724-19-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/900-70-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/900-66-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1864-51-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2068-46-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2268-65-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2376-98-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2476-76-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2476-80-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2704-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3080-86-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3372-100-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3372-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3436-95-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3452-43-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3504-61-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4056-30-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4176-87-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4176-91-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4244-105-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-103-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-102-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-104-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-101-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-106-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4244-108-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4288-73-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download