6b7c4ce5419e7cde80856a85559203dca5219d05115cdd6c1598f2e789149c34

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 13:44

Target

[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe
Size

1.8MB
MD5

ce33fc3c687d3c01159a8caea7f5482e
SHA1

1d392dc904b7127734a01c83a4cac03065b59897
SHA256

5d75d0ea8bbb5b652f7b72cf728c00322bd486d54a5c4978ceacdf70b4317ee6
SHA512

6406eb57457c06196a31c034e02ae594ad30878159880b78842328b8b9ebba1cdc17abdc2ab410511fa8b5d3546f27d327c694e3a3009dcfd3bbece74da7ef01
SSDEEP

3072:azyBWbuTpOeyp0uTpOMckAKckAGDpA5NlKrss1ywKrss1ySZDvYONDzVFdC5wFVK:azAxF23FukA1kAb0rEbrESZU8wFjNHKC

Score

10^/10

persistence

Modifies WinLogon for persistence 2 TTPs 1 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, explorer.exe /e,/root,%PSH% -nop -w h \"Start-Process -N -F $env:SYSB -A $env:TPM\""	[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1052	SCHTASKS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1052	2276	[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe	30
PID 2276 wrote to memory of 1052	2276	[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe	30
PID 2276 wrote to memory of 1052	2276	[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe
"C:\Users\Admin\AppData\Local\Temp\[INDONESIA] Counterdraft MoU on Rice Trade Indonesia-India 15052023.docx.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\SCHTASKS.exe
  SCHTASKS /CREATE /f /TN "OneDriver Reporting Task" /TR "shutdown /l /f" /SC WEEKLY /d TUE,FRI /ST 13:25
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1052