Overview

overview

10

Static

static

3

e5d0a7eaae...0N.exe

windows7-x64

10

e5d0a7eaae...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2024, 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5d0a7eaaee938675bc74adc0bcafae0N.exe

  • Size

    76KB

  • MD5

    e5d0a7eaaee938675bc74adc0bcafae0

  • SHA1

    a0dd1554e99f7939752db943e117c6237fcf09a4

  • SHA256

    c12043301daed2930a96f8cc2efd121ff661ceb2b047d274995a53cde101f431

  • SHA512

    8fda6cf34f628aba81762d56051c41bf1fc5d726100e7a7e30647c86277528f316f1b7488e23caa712096f548ab1a70d787ba03bedcbd9d44bf8259084b058df

  • SSDEEP

    1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoIq:T0aXdfXAyy9DZ+N7eB+IIq

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 28 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d0a7eaaee938675bc74adc0bcafae0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d0a7eaaee938675bc74adc0bcafae0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1532
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2608
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2652
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2508
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2292
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2556
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2672
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:868
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e5d0a7eaaee938675bc74adc0bcafae0N.doc"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      76KB

      MD5

      952904ede203c04fff70772572e4d747

      SHA1

      76921ab23322c4a099871edc13639c996cc45b18

      SHA256

      c39d5e898f318711ceb63063d859f4d6ea4df75af1dd6021b7705d87b3e0e043

      SHA512

      f1831dae3667df2655a817429a75f05b3c8d0a2cbf2adb38d546a9d79760591ccfbb8f7298ab4b1b86ebaf762a5e206e673c2639363a8cdefd27af505c389ae2

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      76KB

      MD5

      21f0d09f44fccf424fa3eeba0605325a

      SHA1

      22cd72c0945ead5feef81c63f8132e477cb30eab

      SHA256

      1d39f1905fedc8b5732a70706f503f7017d027a07d6e1e9008670047fb6ea879

      SHA512

      a37727a8a3eb107fa23d07ce9d2bab90c7ead7a523e1b4c9782598d85694529597ede35192584205e3317e31102b6f0f4a98e307141cd7ec745c1c55833ad516

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      76KB

      MD5

      ed1b12f8f01f0d1a8b634ffc7610d87e

      SHA1

      11ac61e06cfd4f3dbf213dbc9f6360038dada91c

      SHA256

      2c8b50bf76d24bef9f4c115c5d5594d023951092b6c459c3ca92b326a8c43870

      SHA512

      d1021d07b6c00ccde85b4c13c1ede0428fe9d99c9e95146f29764002de1a14bfde69a5d5d1c97ce44d935370af3801511b39cc82f56d72b5e90008d76a557c07

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • C:\recycled\SPOOLSV.EXE
      Filesize

      76KB

      MD5

      61c4e102d93e799614a743e2fbca0861

      SHA1

      bf952010e19795cbd517c97397a06c6c0b443493

      SHA256

      04bffa635cc603a3882314e2f9f809408ff82d7c34286f239431b55c62fce898

      SHA512

      1bf54235ce005b08115f8e17b07de61466d7c55f2b7989951431cbdcc40784434b6ace51acb3ce8ae3ff0a849b2f21c95f93c091d14f6d84a15e65e94376f895

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      76KB

      MD5

      5d636d0238d0303795ea1323da0362f1

      SHA1

      7f1710a508b1ee0b0619fe3208fd8a8176464f68

      SHA256

      15b244b105aa7699507e13da567dc7fc3f5c711a0e2011d9accc1988279e4b15

      SHA512

      df3fb2e6003f280364d7bb5fa3121851b522eb5fa44d43a70b211ba97d409aaf6b2babfecb7868cd89ed5644936762ed00010261d1e8cd786c81c8d59a7fa49c

      Download Submit

    • \Recycled\SVCHOST.EXE
      Filesize

      76KB

      MD5

      f8c2975b0fc9863c383d394989b44017

      SHA1

      c1351a66efead34c5b6dd30a16d92a4e73e995a3

      SHA256

      0adb81be9818ef84795a407924e2ee7cde6c0af754fed0a315925ed8c2561796

      SHA512

      d9354fb858fb47c53aed220d87f3bd30ddfca25545fe6972e3f38c5f0f943f560babef55dc0574571dcfd380314bb08740dde77efe2dfaf690b06d4bc902081a

      Download Submit

    • memory/868-113-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1460-107-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1532-39-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1544-43-0x00000000003A0000-0x00000000003BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1544-42-0x00000000003A0000-0x00000000003BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1544-34-0x00000000003A0000-0x00000000003BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1544-97-0x00000000003A0000-0x00000000003BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-116-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-115-0x00000000048E0000-0x00000000048F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1596-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-109-0x0000000000540000-0x000000000055A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-23-0x0000000000540000-0x000000000055A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1596-20-0x0000000000540000-0x000000000055A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2200-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2292-90-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2292-86-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-69-0x0000000002420000-0x000000000243A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-67-0x0000000002420000-0x000000000243A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-58-0x0000000002420000-0x000000000243A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-54-0x00000000023E0000-0x00000000023FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-44-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2508-82-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2556-98-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2608-63-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2652-64-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2652-62-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2672-101-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download