Analysis
max time kernel: 33s
max time network: 34s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: a39f5085af8e3f4ffeb9510de4c31710N.exe
Resource: win7-20240704-en
Errors
General
Target: a39f5085af8e3f4ffeb9510de4c31710N.exe
Size: 549KB
MD5: a39f5085af8e3f4ffeb9510de4c31710
SHA1: 125530aa0554ead5d97f889e88f8e98e3725e641
SHA256: b7a756b6463ed0d5075235eec7a0d5ce6da846e667bf7147e40ba6364943c3b1
SHA512: 01db7cad723bd8d89ee5a9fe6d3230ac2267521cba649bc9591df0baf5eaf02b0fe769e9e92ed18f6216d29fd38ad10494a22d009c1aa95c201593ce0dad11d2
SSDEEP: 6144:bGC43NaVuhhhhhhhhhhhhhhhhhhhhhhhhhh0:bAS
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svchost.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | msmsgs.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svchost.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | angle.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a39f5085af8e3f4ffeb9510de4c31710N.exe
Disables RegEdit via registry modification (4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "2" | svchost.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "2" | angle.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "2" | svchost.eXe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "2" | msmsgs.eXe
Executes dropped EXE (4 IoCs)
pid | Process
1064 | svchost.eXe
1472 | svchost.eXe
2376 | msmsgs.eXe
1448 | angle.eXe
Loads dropped DLL (8 IoCs)
pid | Process
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\angle.eXe | msmsgs.eXe
File created | C:\Windows\SysWOW64\angle.eXe | svchost.eXe
File created | C:\Windows\SysWOW64\angle.eXe | angle.eXe
File created | C:\Windows\SysWOW64\angle.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\SysWOW64\angle.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\SysWOW64\RCXF22F.tmp | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\SysWOW64\angle.eXe | svchost.eXe
File opened for modification | C:\Windows\SysWOW64\RCX2686.tmp | svchost.eXe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office\WINWORD.exe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office11\WINWORD.exe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office\EXCEL.exe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office11\EXCEL.exe | a39f5085af8e3f4ffeb9510de4c31710N.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\RCX280A.tmp | angle.eXe
File opened for modification | C:\Windows\svchost.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\RCXFE80.tmp | a39f5085af8e3f4ffeb9510de4c31710N.exe
File created | C:\Windows\svchost.eXe | msmsgs.eXe
File opened for modification | C:\Windows\svchost.eXe | svchost.eXe
File created | C:\Windows\svchost.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\svchost.eXe | svchost.eXe
File opened for modification | C:\Windows\RCX27BC.tmp | svchost.eXe
File opened for modification | C:\Windows\RCXF22E.tmp | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\ziprar.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\RCX2685.tmp | svchost.eXe
File created | C:\Windows\ziprar.eXe | a39f5085af8e3f4ffeb9510de4c31710N.exe
File opened for modification | C:\Windows\svchost.eXe | angle.eXe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.eXe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | angle.eXe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.eXe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msmsgs.eXe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a39f5085af8e3f4ffeb9510de4c31710N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2376 | msmsgs.eXe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2376 | msmsgs.eXe
Token: SeShutdownPrivilege | 2376 | msmsgs.eXe
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe
1064 | svchost.eXe
1064 | svchost.eXe
1472 | svchost.eXe
1472 | svchost.eXe
2376 | msmsgs.eXe
2376 | msmsgs.eXe
1448 | angle.eXe
1448 | angle.eXe
2376 | msmsgs.eXe
1064 | svchost.eXe
1472 | svchost.eXe
Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target
PID 2656 wrote to memory of 2584 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 30
PID 2656 wrote to memory of 2584 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 30
PID 2656 wrote to memory of 2584 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 30
PID 2656 wrote to memory of 2584 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 30
PID 2656 wrote to memory of 1560 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 32
PID 2656 wrote to memory of 1560 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 32
PID 2656 wrote to memory of 1560 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 32
PID 2656 wrote to memory of 1560 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 32
PID 2656 wrote to memory of 1064 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 34
PID 2656 wrote to memory of 1064 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 34
PID 2656 wrote to memory of 1064 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 34
PID 2656 wrote to memory of 1064 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 34
PID 1064 wrote to memory of 2868 | 1064 | svchost.eXe | 35
PID 1064 wrote to memory of 2868 | 1064 | svchost.eXe | 35
PID 1064 wrote to memory of 2868 | 1064 | svchost.eXe | 35
PID 1064 wrote to memory of 2868 | 1064 | svchost.eXe | 35
PID 2656 wrote to memory of 1472 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 37
PID 2656 wrote to memory of 1472 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 37
PID 2656 wrote to memory of 1472 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 37
PID 2656 wrote to memory of 1472 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 37
PID 2656 wrote to memory of 2376 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 38
PID 2656 wrote to memory of 2376 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 38
PID 2656 wrote to memory of 2376 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 38
PID 2656 wrote to memory of 2376 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 38
PID 2376 wrote to memory of 668 | 2376 | msmsgs.eXe | 40
PID 2376 wrote to memory of 668 | 2376 | msmsgs.eXe | 40
PID 2376 wrote to memory of 668 | 2376 | msmsgs.eXe | 40
PID 2376 wrote to memory of 668 | 2376 | msmsgs.eXe | 40
PID 2656 wrote to memory of 1448 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 39
PID 2656 wrote to memory of 1448 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 39
PID 2656 wrote to memory of 1448 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 39
PID 2656 wrote to memory of 1448 | 2656 | a39f5085af8e3f4ffeb9510de4c31710N.exe | 39
PID 1472 wrote to memory of 2348 | 1472 | svchost.eXe | 42
PID 1472 wrote to memory of 2348 | 1472 | svchost.eXe | 42
PID 1472 wrote to memory of 2348 | 1472 | svchost.eXe | 42
PID 1472 wrote to memory of 2348 | 1472 | svchost.eXe | 42
PID 1448 wrote to memory of 1312 | 1448 | angle.eXe | 44
PID 1448 wrote to memory of 1312 | 1448 | angle.eXe | 44
PID 1448 wrote to memory of 1312 | 1448 | angle.eXe | 44
PID 1448 wrote to memory of 1312 | 1448 | angle.eXe | 44
PID 1064 wrote to memory of 2496 | 1064 | svchost.eXe | 46
PID 1064 wrote to memory of 2496 | 1064 | svchost.eXe | 46
PID 1064 wrote to memory of 2496 | 1064 | svchost.eXe | 46
PID 1064 wrote to memory of 2496 | 1064 | svchost.eXe | 46
PID 2376 wrote to memory of 856 | 2376 | msmsgs.eXe | 48
PID 2376 wrote to memory of 856 | 2376 | msmsgs.eXe | 48
PID 2376 wrote to memory of 856 | 2376 | msmsgs.eXe | 48
PID 2376 wrote to memory of 856 | 2376 | msmsgs.eXe | 48
PID 1472 wrote to memory of 1640 | 1472 | svchost.eXe | 50
PID 1472 wrote to memory of 1640 | 1472 | svchost.eXe | 50
PID 1472 wrote to memory of 1640 | 1472 | svchost.eXe | 50
PID 1472 wrote to memory of 1640 | 1472 | svchost.eXe | 50
PID 1448 wrote to memory of 1468 | 1448 | angle.eXe | 52
PID 1448 wrote to memory of 1468 | 1448 | angle.eXe | 52
PID 1448 wrote to memory of 1468 | 1448 | angle.eXe | 52
PID 1448 wrote to memory of 1468 | 1448 | angle.eXe | 52
PID 2376 wrote to memory of 1708 | 2376 | msmsgs.eXe | 54
PID 2376 wrote to memory of 1708 | 2376 | msmsgs.eXe | 54
PID 2376 wrote to memory of 1708 | 2376 | msmsgs.eXe | 54
PID 2376 wrote to memory of 1708 | 2376 | msmsgs.eXe | 54
Processes
(process tree; nesting shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\a39f5085af8e3f4ffeb9510de4c31710N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a39f5085af8e3f4ffeb9510de4c31710N.exe"
    - Modifies visibility of file extensions in Explorer
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2656

    [2] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
        - System Location Discovery: System Language Discovery
        PID: 2584

    [2] C:\Windows\SysWOW64\reg.exe
        Command line: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
        - System Location Discovery: System Language Discovery
        PID: 1560

    [2] C:\Users\Public\Pictures\svchost.eXe
        Command line: "C:\Users\Public\Pictures\svchost.eXe"
        - Modifies visibility of file extensions in Explorer
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1064

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 2868

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 2496

    [2] C:\Users\Public\Music\svchost.eXe
        Command line: "C:\Users\Public\Music\svchost.eXe"
        - Modifies visibility of file extensions in Explorer
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1472

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 2348

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 1640

    [2] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe"
        - Modifies visibility of file extensions in Explorer
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2376

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 668

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 856

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 1708

    [2] C:\Windows\SysWOW64\angle.eXe
        Command line: "C:\Windows\system32\angle.eXe"
        - Modifies visibility of file extensions in Explorer
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1448

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 1312

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
            - System Location Discovery: System Language Discovery
            PID: 1468

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    PID: 2480

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x1
    PID: 1332
Network
MITRE ATT&CK Enterprise v15
Downloads