acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Size

77KB
MD5

f4ec07ae9293761594c1562b9228b870
SHA1

c1f0ac8b4e77fe57f9c9bbaf2ca426f1ea606879
SHA256

acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9
SHA512

c82cf33a019ffdfd28ecbcc279d3cd8062b4f72e2df3ac03b2df8e6d3a87eb4a25292b62cea170c9fac8b39c30525ae6ebed1f17b1918f57eb22b6069cc36721
SSDEEP

1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoKv:FD40Dmx7y9DZ/Z2hGVkKv

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe

Executes dropped EXE 12 IoCs

pid	Process
2956	SVCHOST.EXE
2720	SVCHOST.EXE
2908	SVCHOST.EXE
2560	SVCHOST.EXE
2624	SVCHOST.EXE
2616	SPOOLSV.EXE
1832	SVCHOST.EXE
2832	SVCHOST.EXE
3044	SPOOLSV.EXE
736	SPOOLSV.EXE
1060	SVCHOST.EXE
1776	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

pid	Process
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened for modification	F:\Recycled\desktop.ini	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\G:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\T:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\Y:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\H:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\R:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\J:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\I:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\S:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\L:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\N:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\V:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\U:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\W:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\X:	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
580	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2956	SVCHOST.EXE
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2908	SVCHOST.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE
2616	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
2956	SVCHOST.EXE
2720	SVCHOST.EXE
2908	SVCHOST.EXE
2560	SVCHOST.EXE
2624	SVCHOST.EXE
2616	SPOOLSV.EXE
1832	SVCHOST.EXE
2832	SVCHOST.EXE
3044	SPOOLSV.EXE
736	SPOOLSV.EXE
1060	SVCHOST.EXE
1776	SPOOLSV.EXE
580	WINWORD.EXE
580	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2956	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	31
PID 2308 wrote to memory of 2956	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	31
PID 2308 wrote to memory of 2956	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	31
PID 2308 wrote to memory of 2956	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	31
PID 2956 wrote to memory of 2720	2956	SVCHOST.EXE	32
PID 2956 wrote to memory of 2720	2956	SVCHOST.EXE	32
PID 2956 wrote to memory of 2720	2956	SVCHOST.EXE	32
PID 2956 wrote to memory of 2720	2956	SVCHOST.EXE	32
PID 2956 wrote to memory of 2908	2956	SVCHOST.EXE	33
PID 2956 wrote to memory of 2908	2956	SVCHOST.EXE	33
PID 2956 wrote to memory of 2908	2956	SVCHOST.EXE	33
PID 2956 wrote to memory of 2908	2956	SVCHOST.EXE	33
PID 2908 wrote to memory of 2560	2908	SVCHOST.EXE	34
PID 2908 wrote to memory of 2560	2908	SVCHOST.EXE	34
PID 2908 wrote to memory of 2560	2908	SVCHOST.EXE	34
PID 2908 wrote to memory of 2560	2908	SVCHOST.EXE	34
PID 2908 wrote to memory of 2624	2908	SVCHOST.EXE	35
PID 2908 wrote to memory of 2624	2908	SVCHOST.EXE	35
PID 2908 wrote to memory of 2624	2908	SVCHOST.EXE	35
PID 2908 wrote to memory of 2624	2908	SVCHOST.EXE	35
PID 2908 wrote to memory of 2616	2908	SVCHOST.EXE	36
PID 2908 wrote to memory of 2616	2908	SVCHOST.EXE	36
PID 2908 wrote to memory of 2616	2908	SVCHOST.EXE	36
PID 2908 wrote to memory of 2616	2908	SVCHOST.EXE	36
PID 2616 wrote to memory of 1832	2616	SPOOLSV.EXE	37
PID 2616 wrote to memory of 1832	2616	SPOOLSV.EXE	37
PID 2616 wrote to memory of 1832	2616	SPOOLSV.EXE	37
PID 2616 wrote to memory of 1832	2616	SPOOLSV.EXE	37
PID 2616 wrote to memory of 2832	2616	SPOOLSV.EXE	38
PID 2616 wrote to memory of 2832	2616	SPOOLSV.EXE	38
PID 2616 wrote to memory of 2832	2616	SPOOLSV.EXE	38
PID 2616 wrote to memory of 2832	2616	SPOOLSV.EXE	38
PID 2616 wrote to memory of 3044	2616	SPOOLSV.EXE	39
PID 2616 wrote to memory of 3044	2616	SPOOLSV.EXE	39
PID 2616 wrote to memory of 3044	2616	SPOOLSV.EXE	39
PID 2616 wrote to memory of 3044	2616	SPOOLSV.EXE	39
PID 2956 wrote to memory of 736	2956	SVCHOST.EXE	40
PID 2956 wrote to memory of 736	2956	SVCHOST.EXE	40
PID 2956 wrote to memory of 736	2956	SVCHOST.EXE	40
PID 2956 wrote to memory of 736	2956	SVCHOST.EXE	40
PID 2956 wrote to memory of 2656	2956	SVCHOST.EXE	41
PID 2956 wrote to memory of 2656	2956	SVCHOST.EXE	41
PID 2956 wrote to memory of 2656	2956	SVCHOST.EXE	41
PID 2956 wrote to memory of 2656	2956	SVCHOST.EXE	41
PID 2308 wrote to memory of 1060	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	42
PID 2308 wrote to memory of 1060	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	42
PID 2308 wrote to memory of 1060	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	42
PID 2308 wrote to memory of 1060	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	42
PID 2308 wrote to memory of 1776	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	43
PID 2308 wrote to memory of 1776	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	43
PID 2308 wrote to memory of 1776	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	43
PID 2308 wrote to memory of 1776	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	43
PID 2308 wrote to memory of 580	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	44
PID 2308 wrote to memory of 580	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	44
PID 2308 wrote to memory of 580	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	44
PID 2308 wrote to memory of 580	2308	acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe	44
PID 2656 wrote to memory of 1636	2656	userinit.exe	45
PID 2656 wrote to memory of 1636	2656	userinit.exe	45
PID 2656 wrote to memory of 1636	2656	userinit.exe	45
PID 2656 wrote to memory of 1636	2656	userinit.exe	45
PID 580 wrote to memory of 1288	580	WINWORD.EXE	48
PID 580 wrote to memory of 1288	580	WINWORD.EXE	48
PID 580 wrote to memory of 1288	580	WINWORD.EXE	48
PID 580 wrote to memory of 1288	580	WINWORD.EXE	48

C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
"C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2560
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2624
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1832
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:736
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1060
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1776
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
77KB

MD5
d677f82c84740a7410783ca244c9c74c

SHA1
6eca3c5b923b21efc5f92dab2fe9966eb0eb745b

SHA256
6633b5019a5a618d370c1770102714ef07cbbbd3d29186abac697af437a75ac1

SHA512
ad9ebe570b4413a8dfc2ceced35fce90cd15ab8e1da084b54d55441db09a0387c73b4337631a82f15f5a6e8d931eeb1c77285101d92286c4ae8c312d8e169905

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
77KB

MD5
e065124e29a29df928b5995de110ffb9

SHA1
f93d555cf634204ebbe0e790f4bf0da7158dbeff

SHA256
f7c05d19e76b59c15595e644c35f643cb3daae39e6bf6a0017f2ce603a3d4c12

SHA512
51ab69355cd41d2ef55f6b2be3df83639fd5c52a13dfcb254f17edaedeea62d96c234ff34465f2f8f44036eb65b45341b2f5ef3941175a3130dd24e0771c82e7

Download Submit
\Recycled\SVCHOST.EXE

Filesize
77KB

MD5
1d8d2a392e8e26e8bd216f2d5ae7d0ee

SHA1
2851634efc905d106697a7f6c766f98747809a93

SHA256
2c78911ef0b7f45c8d1f00dcbf526c15aa7083ffb0cce611f67ee249904fc8ca

SHA512
8e5824e42c64bd200f2a88df57ec2c3118b061d2fd4dd4d898cda211968ff2cb76e0aaa8dd672200343edc6bd17dfbfda759aee831f7cbb387e3e3f072fef12e

Download Submit
memory/580-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/736-92-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1060-101-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1776-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1832-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2308-106-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2308-105-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/2308-21-0x0000000002770000-0x000000000278A000-memory.dmp

Filesize
104KB

Download
memory/2308-22-0x0000000002770000-0x000000000278A000-memory.dmp

Filesize
104KB

Download
memory/2308-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2560-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2616-68-0x0000000001C10000-0x0000000001C2A000-memory.dmp

Filesize
104KB

Download
memory/2616-173-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2616-78-0x0000000001C10000-0x0000000001C2A000-memory.dmp

Filesize
104KB

Download
memory/2624-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2720-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2832-79-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2832-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2908-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2908-60-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2908-53-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2908-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2908-172-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2956-39-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/2956-162-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2956-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2956-180-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/3044-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download