Overview

overview

10

Static

static

3

e94963b6aa...c0.exe

windows7-x64

10

e94963b6aa...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe

  • Size

    77KB

  • MD5

    fb134b3fe401d18185680cbc63ff4a57

  • SHA1

    f9b9c5deb18ff0de87fd8d275299d1f89b0a389c

  • SHA256

    e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0

  • SHA512

    e55158ff21776f7234b36976c7f9d7823f5699d201b9fa01c8776d531ecaa634a6906d6b6e9c50f0cc0fddc42e6806262d1c23f60e08b3ae5a1deca8181f7e8e

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK3:FD40Dmx7y9DZ/Z2hGVkK3

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe
    "C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4376
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:100
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:464
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3888
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3476
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3056
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4024
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1908
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
            PID:828
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:940
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4468
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.doc" /o ""
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:4644
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
        PID:2276

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recycled\SPOOLSV.EXE
        Filesize

        77KB

        MD5

        d0fff0b62c64a38bbf82dce6b901837d

        SHA1

        f122b85c0968978ff89089b18635a753f48d3ff8

        SHA256

        eeb7b3c7abe771e261323b8f480fa68eb605a3b002b8482b8da775c2d674b519

        SHA512

        e5db5fc91a90a84f4c684927d5f4e1a8d64f4ac397f1378c2a9661edff3240aca4020a9ee9f4c9dcd0f6fa566dabef3e36e5669982a489e15730121363fc53f0

        Download Submit

      • C:\Recycled\SVCHOST.EXE
        Filesize

        77KB

        MD5

        35e559947bad683c8f7d8899afa0b31b

        SHA1

        6e343a0c8ff8fe8fcc58b52b470b62815c9ff67d

        SHA256

        874b3369d224bbebd25059a396c4b3e41053f7205634602f26de320209e846b1

        SHA512

        3f67992c11e3c190ca5cae510068e23f92ede41d654ac4f039e44a591d3169a51b309c49e64d08a8151803d0f2e82662fd3548871f89fe0d2e8b8e9241625a33

        Download Submit

      • C:\Recycled\desktop.ini
        Filesize

        65B

        MD5

        ad0b0b4416f06af436328a3c12dc491b

        SHA1

        743c7ad130780de78ccbf75aa6f84298720ad3fa

        SHA256

        23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

        SHA512

        884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
        Filesize

        1KB

        MD5

        0269b6347e473980c5378044ac67aa1f

        SHA1

        c3334de50e320ad8bce8398acff95c363d039245

        SHA256

        68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

        SHA512

        e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        1KB

        MD5

        ff87babd9c76ccc68ac4e457c803d263

        SHA1

        68e829faed8a2b68b07662e80d51e871f92222ce

        SHA256

        a152a61ff54b2d73b2c340073ebd19c86eb4a59930980d2558a0fd845753d2dd

        SHA512

        fda8d61fecafe2b44d4340d05f37e097c55de343e38a7aa91de41fd027c8bbce35458dfa987e2d957bc8c1a53d8c7a4271536c2f1c4e903346ec4e682171cdba

        Download Submit

      • C:\begolu.txt
        Filesize

        2B

        MD5

        2b9d4fa85c8e82132bde46b143040142

        SHA1

        a02431cf7c501a5b368c91e41283419d8fa9fb03

        SHA256

        4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

        SHA512

        c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

        Download Submit

      • F:\Recycled\SVCHOST.EXE
        Filesize

        77KB

        MD5

        f9662baad2cee47fa07275fc1046ef7e

        SHA1

        ded72666c151063e6b9a62a371c19439c85151d0

        SHA256

        4cbb9d79a556b67a3e37d08a7736faccf7d4e3ca46cc7bae719e3c58b6dd53e6

        SHA512

        39f0821957577b44f33f3c5dd4d46a64fe177176aeb005b336e85cb358fedaa49ecd8e2360944c6fcd2b94d17775cef6af5bd881ffcd61743874815185d6fc87

        Download Submit

      • memory/100-29-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/464-39-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/940-73-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1836-47-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1908-69-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2660-18-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3056-60-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3336-0-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3336-78-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3476-56-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3888-43-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3888-40-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4024-61-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4024-64-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4376-26-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4468-76-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4644-79-0x00007FFACA6D0000-0x00007FFACA6E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-81-0x00007FFACA6D0000-0x00007FFACA6E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-80-0x00007FFACA6D0000-0x00007FFACA6E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-82-0x00007FFACA6D0000-0x00007FFACA6E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-83-0x00007FFACA6D0000-0x00007FFACA6E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-84-0x00007FFAC7D70000-0x00007FFAC7D80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4644-85-0x00007FFAC7D70000-0x00007FFAC7D80000-memory.dmp

        Filesize

        64KB

        Download