Overview

overview

10

Static

static

3

16e5d77011...0N.exe

windows7-x64

10

16e5d77011...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16e5d77011e767f42c46d1278ad83ce0N.exe

  • Size

    87KB

  • MD5

    16e5d77011e767f42c46d1278ad83ce0

  • SHA1

    2207eb4ba1d933941f7176fbfcd0136912dd4756

  • SHA256

    e5726a2dac6befbca69345e5413d93464ec8f52162d045e195327d49b41a6192

  • SHA512

    0be937a66f08c05f6218100d172a34d92d86e4910adffca216581ea6c545a4683ff474397e5af55a967703f1f875166e92ff5fbc64e6fb11ccd801a263a558a2

  • SSDEEP

    1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoI2:08dfX7y9DZ+N7eB+II2

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16e5d77011e767f42c46d1278ad83ce0N.exe
    "C:\Users\Admin\AppData\Local\Temp\16e5d77011e767f42c46d1278ad83ce0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2488
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1168
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4504
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2832
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3876
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4832
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1596
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:232
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4420
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\16e5d77011e767f42c46d1278ad83ce0N.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2748
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
    1⤵
      PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SPOOLSV.EXE
      Filesize

      87KB

      MD5

      bf71d5eca5ba3e688028561c7ad29163

      SHA1

      c5c52ece08b938f6a96601b48420476a3a61d42a

      SHA256

      59ed763b5922bfacdb355f0003d927230e6f1e8ffee948a25c47a8910af513f4

      SHA512

      963e9fd1011e48a7b1b2d4c7946ccfd8dd6d150eab191fcc35995af5508850a77f9db328455351bba59235d50fcafbce8fd7864cff42604045e35ec38a57206d

      Download Submit

    • C:\Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      69d4285b64a6ba27eb49aa1008ca1290

      SHA1

      63315d4b5211974f406916e0562499e1e257c618

      SHA256

      1588bcceeab15df4a87659d74f6ed44eaf253d8c9b1d8a8678ca9feb75b663b7

      SHA512

      ed3a5acc0178821962f8a1d4e22d7b090d4be3e79da13e2e2edf2a5ce3e07af6ccefc7ad1d49c9baba215aa28d06fdb19acb37dd1f7994993a434182c84ce61b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCDB574.tmp\sist02.xsl
      Filesize

      245KB

      MD5

      f883b260a8d67082ea895c14bf56dd56

      SHA1

      7954565c1f243d46ad3b1e2f1baf3281451fc14b

      SHA256

      ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

      SHA512

      d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      6564c2541904a41ca3f3733ee3f3234f

      SHA1

      768632b28e33d44a2797cd7515b7b7529c0b40c8

      SHA256

      dfeb626e39710d773650e2c2a657d04c21d92c2c8ef16d65b7920770bfd7a586

      SHA512

      def9bd155fd89f8e6ddc756c762da019cfa94b0d52148c6d39ef8d08936d6a43eb79fa56c2c9288cf5f697b1b76c61f4cd0fa56105080edc5be4530574f682eb

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      c8896e79f72ad59a322b71c125932af0

      SHA1

      878344f75d700d97cd63544c73f0dcf49af3fec5

      SHA256

      2c641cb7a84d6e12334ba162a236038aba972aeb35cfc67aa510935ed61ce0a5

      SHA512

      b5021a717521578b478510c4460d022c1906e110971e443794661134fae478511630f64cd363a690356f502156c2197361c526ee989437b6dd530b95b834467a

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      9c5a89a4018c208725d966e135266525

      SHA1

      96d8aa3832e67b61656f8487b106646512e99374

      SHA256

      71892a67166b4cb80fa59f448ab34a892fcc6e579b7be21634bd8af02517845b

      SHA512

      13961d98836cbe6fae0ef171b683d1f9aa20eec4cb8d2405210cd58103da8c7bccf17c2078ea4c15d49c4b7323e1e820d7f98ccb49b706888b8147b45fc45448

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      54f97dfc9f6281ce1bae6a61b45872fa

      SHA1

      ba086995adda8f42ee0ffcd636e6adaeedadc8dd

      SHA256

      98f38ad2d5a88f923bcc798d0e6a1fd630e8cf19739140a385839a68f5d8e41f

      SHA512

      f50659b7ebf179dae029a3d13f186f52bc70d2e0e3c75fc6e13c72ebd1f2f018dad0a1f4ff6cc599ec556131a99d870aed5d1e4161559867d8fe719cb575ed36

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      757b123d2a48fa38ea6c308d4d80ee32

      SHA1

      cb6f0786d7b19fd85fde449c8e211e341521b1aa

      SHA256

      40f2204d421650e7628d9ca46aadb1f197bf74fa4293369f598baaa8673fdc93

      SHA512

      1220806e1a11f1cc040a33698a7b432db09e910c8a7ca7393cf00c8887f801c5d88bd8992e2b2b7f82932f2c5d52ab8fb6a8e7e208675bc3d957ac492ab8cc4b

      Download Submit

    • memory/232-81-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/676-239-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/676-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1168-44-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1584-238-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1584-18-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1596-73-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1960-241-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1960-50-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1988-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1988-84-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2488-31-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2748-86-0x00007FFA04130000-0x00007FFA04140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-87-0x00007FFA04130000-0x00007FFA04140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-85-0x00007FFA04130000-0x00007FFA04140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-88-0x00007FFA04130000-0x00007FFA04140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-89-0x00007FFA04130000-0x00007FFA04140000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-90-0x00007FFA01F80000-0x00007FFA01F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2748-91-0x00007FFA01F80000-0x00007FFA01F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2832-62-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3876-66-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4420-82-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4420-78-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4504-49-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4832-69-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download