Overview

overview

10

Static

static

3

1e7c0d0add...3N.exe

windows7-x64

10

1e7c0d0add...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 19:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e7c0d0add11107cda939242c1403eedd5a96492fad83b9b481a1a0862c39953N.exe

  • Size

    45KB

  • MD5

    e6a97d00044176bf7454c1cd05012890

  • SHA1

    1e00cc418b681951b6aaa497cca458d11102d94e

  • SHA256

    1e7c0d0add11107cda939242c1403eedd5a96492fad83b9b481a1a0862c39953

  • SHA512

    17a3d1b15f18811af36ac1f46a35013062821a43f0c37b2fe411ae49c2348300047d84badff4e23545bce7c7f7236f23d6584faf0d63490e4d9ae94dc38044f2

  • SSDEEP

    768:z1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXC:zOxyeFo6NPCAosxYyXdF5oy3VoKC

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 28 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e7c0d0add11107cda939242c1403eedd5a96492fad83b9b481a1a0862c39953N.exe
    "C:\Users\Admin\AppData\Local\Temp\1e7c0d0add11107cda939242c1403eedd5a96492fad83b9b481a1a0862c39953N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2148
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2828
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2772
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2964
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2732
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2632
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2788
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1956
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2116
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:972
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e7c0d0add11107cda939242c1403eedd5a96492fad83b9b481a1a0862c39953N.doc"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:984
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
        PID:1700

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recycled\desktop.ini
        Filesize

        65B

        MD5

        ad0b0b4416f06af436328a3c12dc491b

        SHA1

        743c7ad130780de78ccbf75aa6f84298720ad3fa

        SHA256

        23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

        SHA512

        884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
        Filesize

        1KB

        MD5

        0269b6347e473980c5378044ac67aa1f

        SHA1

        c3334de50e320ad8bce8398acff95c363d039245

        SHA256

        68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

        SHA512

        e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

        Download Submit

      • C:\begolu.txt
        Filesize

        2B

        MD5

        2b9d4fa85c8e82132bde46b143040142

        SHA1

        a02431cf7c501a5b368c91e41283419d8fa9fb03

        SHA256

        4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

        SHA512

        c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

        Download Submit

      • C:\recycled\SPOOLSV.EXE
        Filesize

        45KB

        MD5

        f921796d7c8db7a37981f04b4e408b0f

        SHA1

        fd7b7e36f6131d878e9406d3fb8b956f8c5b1960

        SHA256

        97954a9c4086942d8d339cc690238fad7d283de3a9f4779222280a645171529d

        SHA512

        6bdaac8c77e28adb39220c96bb9fe6f7e8b9fd06ae368f4c9ed051793dfc4b3b3a8fff1cfe261b7a40a695986ef29dcb062d38de4b9d66d732740f9ca25bbb98

        Download Submit

      • F:\Recycled\SVCHOST.EXE
        Filesize

        45KB

        MD5

        aad3d5a958a5060603566df937bd3d6e

        SHA1

        52a7607a9d9d92b997b60347801a9f94619c5535

        SHA256

        80d88c632dc568822430262f4331fd3ff7cf537d7184e812df9eb1cc2ffa5f35

        SHA512

        a96d2ac73944377cf526543b66a48aac8487b9dafe68e4129c493d237445115d9d7c7e5658d6a4dcb49da202c9dceb9712c368ccf65661092a1996220d98f567

        Download Submit

      • \Recycled\SVCHOST.EXE
        Filesize

        45KB

        MD5

        1b488946dc4a17f84b3b9adf1f3532a2

        SHA1

        581becfc273d83888a0a7e08e67ef69ad7af2d78

        SHA256

        03e92d258b5a62c80ba25f0c82c3d019c760b1138c1517759027bf47601f64a8

        SHA512

        86884fc7f376c7abe0d05b96eb393513233e18fe47970489bc2b044a3659c3e644595137a752a3fd5bab6a2f9883179c4fdb915f83a47b2299ebed868c08ed76

        Download Submit

      • memory/332-80-0x0000000000460000-0x000000000047A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-64-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-84-0x0000000000460000-0x000000000047A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-136-0x0000000000460000-0x000000000047A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-134-0x0000000000420000-0x000000000043A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-133-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/332-72-0x0000000000420000-0x000000000043A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1148-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2116-106-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2116-103-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2148-34-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2148-35-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-62-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-132-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-60-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-129-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-52-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2296-47-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-22-0x0000000000510000-0x000000000052A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-0-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-102-0x0000000000510000-0x000000000052A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-23-0x0000000000510000-0x000000000052A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-112-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2552-111-0x0000000004760000-0x000000000476C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2632-91-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2732-85-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2772-57-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2788-96-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2828-53-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2964-78-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2964-73-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3048-127-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3048-24-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3048-92-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3048-38-0x00000000003D0000-0x00000000003EA000-memory.dmp

        Filesize

        104KB

        Download