Overview

overview

10

Static

static

3

b90f3d8d11...c9.exe

windows7-x64

10

b90f3d8d11...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 04:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b90f3d8d11cee6ae47b5fad00488c840f687eeb7c33d69f8fb93508bb5b3cec9.exe

  • Size

    76KB

  • MD5

    ed2bc548b81b2b21dd3a9be25fecd67d

  • SHA1

    11bb4216d570a40f58967e0ffcb2af83b3095e65

  • SHA256

    b90f3d8d11cee6ae47b5fad00488c840f687eeb7c33d69f8fb93508bb5b3cec9

  • SHA512

    0b77bf9542d77724f4c504b1676a4b75d47972ace5122d9266ef934597c4c4efbefc6a92611169e97a3e80a6d62d11cbe8abca91310d2b424f8d2ecdc856734c

  • SSDEEP

    1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoID:T0aXdfXAyy9DZ+N7eB+IID

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b90f3d8d11cee6ae47b5fad00488c840f687eeb7c33d69f8fb93508bb5b3cec9.exe
    "C:\Users\Admin\AppData\Local\Temp\b90f3d8d11cee6ae47b5fad00488c840f687eeb7c33d69f8fb93508bb5b3cec9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2728
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3308
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4964
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4648
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2556
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3208
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5048
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1176
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:112
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b90f3d8d11cee6ae47b5fad00488c840f687eeb7c33d69f8fb93508bb5b3cec9.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    76KB

    MD5

    44a65adef1da82eb4c269d632c061fdd

    SHA1

    d06e5fb73ecc01e503c5cdbb934bf60c28b6e18d

    SHA256

    eebdaed8292e763ce7517dc893c26b92b07e536f6e8bd93f78ce6d77f11e722e

    SHA512

    af1d938421440bbdd16020a4145da9394cbcd93531ce3bf1f39217beee7a6990b540a09e3ce0de426119d17d0792b090d4446e55c59a9558c0ca6dc6a39606f5

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    76KB

    MD5

    3b702e7f9200af7cff5fef35dc0ffd40

    SHA1

    c0acee89dfb85abfef860903f9df7a898906712c

    SHA256

    cef564f81e1ffeb1e6323ec832d831ca015e4b88955d3b96231b146adf898e97

    SHA512

    d15a90767d8e3dd942c32302445e59067f7d1785dc8023a927566f742fb34f18c9162617d4c72bb89a56686d8abb44b063c0ff387db2feecb89e4f0df67de69d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD189F.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    16B

    MD5

    d29962abc88624befc0135579ae485ec

    SHA1

    e40a6458296ec6a2427bcb280572d023a9862b31

    SHA256

    a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

    SHA512

    4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    1KB

    MD5

    6673a8357096e215b00cbed987cdf575

    SHA1

    74b9f4edf525ec923b3052f2d162ea898f8d036d

    SHA256

    64d963f390223bdc319bcbfa27452bae8a3632df3c687ed941434e3a4eeda56f

    SHA512

    f4fa142b6ca96b5537d30f45e1eb92ca391930722e12bf32a44ffe0863bc47989384c16a5c7161d0127eb0294acbdecf2b2b8252bbd3eadea365e66c6bc8718d

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    76KB

    MD5

    3df1a6af24f6abda90da6a6b126f6554

    SHA1

    f53f4bd828449a38d44837c132b13d1aafcfa8e5

    SHA256

    affaad5b2501767d4adc06d5bcedf7d09d6780d51d541cd9af54d3491aedd80b

    SHA512

    452f029720212a8953ed29d9fe6bc155c7fcf9411f9e0e15805d3f8da3765dec59639803836be1199d61b53a80c0b99afcfb9bc8fbdf1014fd5ed3915a67f9e8

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    76KB

    MD5

    0a7b88efc6ddda93d33857d5ce60fc61

    SHA1

    ca6cdacff535dde17450b675d211312ae30b0d56

    SHA256

    92594ec2a8bcb9aa89d497460f4bb79731a18951215247c88d7f3ec5d9bc6230

    SHA512

    72697ffd9445915e081416243fa0a0cf0df8cf4d890bb29d151cf7a8c62be0b7c28a3f055eefa3a64dc56b14c1e3d9c6dd10a65c8ee63b464f94f414fa2292a2

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    76KB

    MD5

    c96b57be0f49c0ae6d09a2be764cac32

    SHA1

    2fc701bc8aa64cda6fd00c0f285b0eb283689211

    SHA256

    a62d65e7ff61e161cd5a0a0e7ae4c718124eabc1c10c12083c31568596075b1f

    SHA512

    fd10382ea179a14f7cecf1f2a0c7e267ba9f3321c119c7ebb03e69425f65b4273434d1a189adf7488e418496627b18aa075b9dfa62d110d40a4a8e7065cf0817

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    76KB

    MD5

    dd33f8f28b87a90ceb355160e2d243b6

    SHA1

    e796a4431f7f42352c252d36de89013fd4ac1f29

    SHA256

    65fd5ebe0a3b222d67e7769ba04e27c074148fc58fd7e6c626729ff421dcdea6

    SHA512

    c5208fa4d86ae593049ee44826df88bb873ecff0c8c7e5994c37182e7a00e88105c85a4f606fce58bcc334d139e40bf740ffaf859e22c81923ee8898131e22cf

    Download Submit

  • memory/112-84-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/112-82-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1080-86-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1080-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1096-34-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1176-81-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1244-52-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2556-68-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2728-27-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2728-31-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3208-71-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3308-46-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3412-87-0x00007FFB0D0D0000-0x00007FFB0D0E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-89-0x00007FFB0D0D0000-0x00007FFB0D0E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-88-0x00007FFB0D0D0000-0x00007FFB0D0E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-90-0x00007FFB0D0D0000-0x00007FFB0D0E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-91-0x00007FFB0D0D0000-0x00007FFB0D0E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-92-0x00007FFB0B040000-0x00007FFB0B050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3412-93-0x00007FFB0B040000-0x00007FFB0B050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-19-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4648-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4964-49-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4964-47-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5048-75-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download