Analysis
  max time kernel: 120s
  max time network: 19s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 14/09/2024, 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: 305b8ddf35919e7b25d3a1f3907410f0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 305b8ddf35919e7b25d3a1f3907410f0N.exe
  Resource: win10v2004-20240802-en
General
  Target: 305b8ddf35919e7b25d3a1f3907410f0N.exe
  Size: 76KB
  MD5: 305b8ddf35919e7b25d3a1f3907410f0
  SHA1: da9d6cce7d73fbc55ae21d0448143b65dcd5a3a8
  SHA256: 42ab95d17a36ae09abb41d9304a160d9ad1a3481fae8daf473caa8593be6794d
  SHA512: b718715c800a923c9cbe1379e8ec002063016851af2dcfdf0e270f3093df2568c20f554a9bdba6f60a6f660c3e92d32d7701b0e6075827a76164661812c2b3ec
  SSDEEP: 1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoI9:T0aXdfXAyy9DZ+N7eB+II9
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\"" | SPOOLSV.EXE
(The \u00a0 in the HKLM value is a non-breaking space: the file dropped into C:\Windows\Fonts is named " Explorer.exe" with a leading U+00A0, which is why it shows up as "Fonts\ Explorer.exe" in the file-drop entries of this report.)
Modifies visibility of file extensions in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SPOOLSV.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SVCHOST.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SPOOLSV.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SVCHOST.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Executes dropped EXE (12 IoCs)
pid | Process
2696 | SVCHOST.EXE
2960 | SVCHOST.EXE
2608 | SVCHOST.EXE
2648 | SVCHOST.EXE
2080 | SVCHOST.EXE
1660 | SPOOLSV.EXE
3024 | SVCHOST.EXE
1608 | SVCHOST.EXE
272 | SPOOLSV.EXE
2272 | SPOOLSV.EXE
1476 | SVCHOST.EXE
436 | SPOOLSV.EXE
Loads dropped DLL (18 IoCs)
pid | Process | load events
1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 5
2696 | SVCHOST.EXE | 5
2608 | SVCHOST.EXE | 5
1660 | SPOOLSV.EXE | 3
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Recycled\desktop.ini | 305b8ddf35919e7b25d3a1f3907410f0N.exe
File opened for modification | F:\Recycled\desktop.ini | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every IoC in this group is "File opened (read-only)" on a \??\<letter>: root path; grouped by process, with repeat counts where the same letter was opened more than once:
Process | drive roots opened
305b8ddf35919e7b25d3a1f3907410f0N.exe | H:, J:, K:, L:, M:, O:, P:, Q:, R:, S:, T:, U:, X:, Y: (14 opens)
SPOOLSV.EXE | E:, G:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, X:, Y:, Z: (17 opens)
SVCHOST.EXE | E: (x2), G:, H:, I: (x2), J: (x2), K: (x2), L: (x2), M: (x2), N:, O: (x2), P: (x2), Q:, R:, S: (x2), T: (x2), U: (x2), V:, W:, X: (x2), Y:, Z: (33 opens across the several SVCHOST.EXE instances)
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SPOOLSV.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\Fonts\ Explorer.exe | 305b8ddf35919e7b25d3a1f3907410f0N.exe
File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe | 305b8ddf35919e7b25d3a1f3907410f0N.exe
File opened for modification | C:\Windows\Fonts\ Explorer.exe | SVCHOST.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Every IoC in this group is "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; grouped by process:
Process | key opens
SVCHOST.EXE | 8
SPOOLSV.EXE | 4
305b8ddf35919e7b25d3a1f3907410f0N.exe | 1
WINWORD.EXE | 1
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class (28 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SPOOLSV.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" | SPOOLSV.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" | SVCHOST.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" | SVCHOST.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" | 305b8ddf35919e7b25d3a1f3907410f0N.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1084 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
2608 | SVCHOST.EXE | 20
1660 | SPOOLSV.EXE | 20
2696 | SVCHOST.EXE | 14
1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 10
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe
2696 | SVCHOST.EXE
2960 | SVCHOST.EXE
2608 | SVCHOST.EXE
2648 | SVCHOST.EXE
2080 | SVCHOST.EXE
1660 | SPOOLSV.EXE
3024 | SVCHOST.EXE
1608 | SVCHOST.EXE
272 | SPOOLSV.EXE
2272 | SPOOLSV.EXE
1476 | SVCHOST.EXE
436 | SPOOLSV.EXE
1084 | WINWORD.EXE
1084 | WINWORD.EXE
Suspicious use of WriteProcessMemory (56 IoCs)
Each of the 14 distinct parent/child writes below was logged four times, giving the 56 IoCs.
description | pid | Process | procid_target
PID 1056 wrote to memory of 2696 | 1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 30
PID 2696 wrote to memory of 2960 | 2696 | SVCHOST.EXE | 31
PID 2696 wrote to memory of 2608 | 2696 | SVCHOST.EXE | 32
PID 2608 wrote to memory of 2648 | 2608 | SVCHOST.EXE | 33
PID 2608 wrote to memory of 2080 | 2608 | SVCHOST.EXE | 34
PID 2608 wrote to memory of 1660 | 2608 | SVCHOST.EXE | 35
PID 1660 wrote to memory of 3024 | 1660 | SPOOLSV.EXE | 36
PID 1660 wrote to memory of 1608 | 1660 | SPOOLSV.EXE | 37
PID 1660 wrote to memory of 272 | 1660 | SPOOLSV.EXE | 38
PID 2696 wrote to memory of 2272 | 2696 | SVCHOST.EXE | 39
PID 1056 wrote to memory of 1476 | 1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 40
PID 1056 wrote to memory of 436 | 1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 41
PID 1056 wrote to memory of 1084 | 1056 | 305b8ddf35919e7b25d3a1f3907410f0N.exe | 42
PID 1084 wrote to memory of 2184 | 1084 | WINWORD.EXE | 44
Processes
-
Process tree (each child process is indented under its parent; every entry gives the image path, the command line, the PID and the signatures that process triggered):

C:\Users\Admin\AppData\Local\Temp\305b8ddf35919e7b25d3a1f3907410f0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\305b8ddf35919e7b25d3a1f3907410f0N.exe"
  PID: 1056
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\recycled\SVCHOST.EXE
      command line: C:\recycled\SVCHOST.EXE :agent
      PID: 2696
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\recycled\SVCHOST.EXE
          command line: C:\recycled\SVCHOST.EXE :agent
          PID: 2960
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

        F:\recycled\SVCHOST.EXE
          command line: F:\recycled\SVCHOST.EXE :agent
          PID: 2608
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\recycled\SVCHOST.EXE
              command line: C:\recycled\SVCHOST.EXE :agent
              PID: 2648
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx

            F:\recycled\SVCHOST.EXE
              command line: F:\recycled\SVCHOST.EXE :agent
              PID: 2080
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx

            C:\recycled\SPOOLSV.EXE
              command line: C:\recycled\SPOOLSV.EXE :agent
              PID: 1660
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Loads dropped DLL
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\recycled\SVCHOST.EXE
                  command line: C:\recycled\SVCHOST.EXE :agent
                  PID: 3024
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx

                F:\recycled\SVCHOST.EXE
                  command line: F:\recycled\SVCHOST.EXE :agent
                  PID: 1608
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx

                C:\recycled\SPOOLSV.EXE
                  command line: C:\recycled\SPOOLSV.EXE :agent
                  PID: 272
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx

        C:\recycled\SPOOLSV.EXE
          command line: C:\recycled\SPOOLSV.EXE :agent
          PID: 2272
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

    F:\recycled\SVCHOST.EXE
      command line: F:\recycled\SVCHOST.EXE :agent
      PID: 1476
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\recycled\SPOOLSV.EXE
      command line: C:\recycled\SPOOLSV.EXE :agent
      PID: 436
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\305b8ddf35919e7b25d3a1f3907410f0N.doc"
      PID: 1084
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\splwow64.exe
          command line: C:\Windows\splwow64.exe 12288
          PID: 2184
Network
MITRE ATT&CK Enterprise v15
Downloads