9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Size

77KB
MD5

5d1e9fd2c6d0cdfd4475db0543a2fd65
SHA1

02edf540a529aab62afbc44a6f660dae50a100a4
SHA256

9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e
SHA512

c4556835841c8181db29d7648fee0d5e17e78fa1d660bd611f1d216975c953a95711e5717d6d30453dc99ea8f3d230a1ce2a10edadf70cda5b71bc56ad815d16
SSDEEP

1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoKE:FD40Dmx7y9DZ/Z2hGVkKE

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Executes dropped EXE 12 IoCs

pid	Process
2188	SVCHOST.EXE
2896	SVCHOST.EXE
2824	SVCHOST.EXE
2768	SVCHOST.EXE
536	SVCHOST.EXE
2796	SPOOLSV.EXE
1184	SVCHOST.EXE
336	SVCHOST.EXE
1168	SPOOLSV.EXE
564	SPOOLSV.EXE
2348	SVCHOST.EXE
2044	SPOOLSV.EXE

Loads dropped DLL 16 IoCs

pid	Process
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened for modification	F:\Recycled\desktop.ini	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\U:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\J:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\T:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\S:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\E:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\G:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\O:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\N:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\X:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\I:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\M:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\L:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\W:	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1140	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2824	SVCHOST.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2796	SPOOLSV.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2188	SVCHOST.EXE
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
2188	SVCHOST.EXE
2896	SVCHOST.EXE
2824	SVCHOST.EXE
2768	SVCHOST.EXE
536	SVCHOST.EXE
2796	SPOOLSV.EXE
1184	SVCHOST.EXE
336	SVCHOST.EXE
1168	SPOOLSV.EXE
564	SPOOLSV.EXE
2348	SVCHOST.EXE
2044	SPOOLSV.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE
1140	WINWORD.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2188	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	29
PID 2060 wrote to memory of 2188	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	29
PID 2060 wrote to memory of 2188	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	29
PID 2060 wrote to memory of 2188	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	29
PID 2188 wrote to memory of 2896	2188	SVCHOST.EXE	30
PID 2188 wrote to memory of 2896	2188	SVCHOST.EXE	30
PID 2188 wrote to memory of 2896	2188	SVCHOST.EXE	30
PID 2188 wrote to memory of 2896	2188	SVCHOST.EXE	30
PID 2188 wrote to memory of 2824	2188	SVCHOST.EXE	31
PID 2188 wrote to memory of 2824	2188	SVCHOST.EXE	31
PID 2188 wrote to memory of 2824	2188	SVCHOST.EXE	31
PID 2188 wrote to memory of 2824	2188	SVCHOST.EXE	31
PID 2824 wrote to memory of 2768	2824	SVCHOST.EXE	32
PID 2824 wrote to memory of 2768	2824	SVCHOST.EXE	32
PID 2824 wrote to memory of 2768	2824	SVCHOST.EXE	32
PID 2824 wrote to memory of 2768	2824	SVCHOST.EXE	32
PID 2824 wrote to memory of 536	2824	SVCHOST.EXE	33
PID 2824 wrote to memory of 536	2824	SVCHOST.EXE	33
PID 2824 wrote to memory of 536	2824	SVCHOST.EXE	33
PID 2824 wrote to memory of 536	2824	SVCHOST.EXE	33
PID 2824 wrote to memory of 2796	2824	SVCHOST.EXE	34
PID 2824 wrote to memory of 2796	2824	SVCHOST.EXE	34
PID 2824 wrote to memory of 2796	2824	SVCHOST.EXE	34
PID 2824 wrote to memory of 2796	2824	SVCHOST.EXE	34
PID 2796 wrote to memory of 1184	2796	SPOOLSV.EXE	35
PID 2796 wrote to memory of 1184	2796	SPOOLSV.EXE	35
PID 2796 wrote to memory of 1184	2796	SPOOLSV.EXE	35
PID 2796 wrote to memory of 1184	2796	SPOOLSV.EXE	35
PID 2796 wrote to memory of 336	2796	SPOOLSV.EXE	36
PID 2796 wrote to memory of 336	2796	SPOOLSV.EXE	36
PID 2796 wrote to memory of 336	2796	SPOOLSV.EXE	36
PID 2796 wrote to memory of 336	2796	SPOOLSV.EXE	36
PID 2796 wrote to memory of 1168	2796	SPOOLSV.EXE	37
PID 2796 wrote to memory of 1168	2796	SPOOLSV.EXE	37
PID 2796 wrote to memory of 1168	2796	SPOOLSV.EXE	37
PID 2796 wrote to memory of 1168	2796	SPOOLSV.EXE	37
PID 2188 wrote to memory of 564	2188	SVCHOST.EXE	38
PID 2188 wrote to memory of 564	2188	SVCHOST.EXE	38
PID 2188 wrote to memory of 564	2188	SVCHOST.EXE	38
PID 2188 wrote to memory of 564	2188	SVCHOST.EXE	38
PID 2060 wrote to memory of 2348	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	40
PID 2060 wrote to memory of 2348	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	40
PID 2060 wrote to memory of 2348	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	40
PID 2060 wrote to memory of 2348	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	40
PID 2188 wrote to memory of 2300	2188	SVCHOST.EXE	39
PID 2188 wrote to memory of 2300	2188	SVCHOST.EXE	39
PID 2188 wrote to memory of 2300	2188	SVCHOST.EXE	39
PID 2188 wrote to memory of 2300	2188	SVCHOST.EXE	39
PID 2060 wrote to memory of 2044	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	41
PID 2060 wrote to memory of 2044	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	41
PID 2060 wrote to memory of 2044	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	41
PID 2060 wrote to memory of 2044	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	41
PID 2300 wrote to memory of 2248	2300	userinit.exe	42
PID 2300 wrote to memory of 2248	2300	userinit.exe	42
PID 2300 wrote to memory of 2248	2300	userinit.exe	42
PID 2300 wrote to memory of 2248	2300	userinit.exe	42
PID 2060 wrote to memory of 1140	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	44
PID 2060 wrote to memory of 1140	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	44
PID 2060 wrote to memory of 1140	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	44
PID 2060 wrote to memory of 1140	2060	9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe	44

C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
"C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2768
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:536
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:336
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1168
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\Explorer.exe
      Explorer.exe "C:\recycled\SVCHOST.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.doc"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\SPOOLSV.EXE

Filesize
77KB

MD5
6162278ec3b8836e40e7280f6cd31821

SHA1
42481ec13538e1247fcea78976caa8117914d304

SHA256
a479c10fb76d75abc831e0f798268bc3619db85a7b9e56b4aab21fc7496b6a69

SHA512
7e73446d5e3c6ec28975653dacfb19dba0e4172faaf56be08d50316cf92fb5e0cdfc8c5562e5df5c576e612b7e39b9adc6d54f93e9b1449bf338d290812a2683

Download Submit
C:\Recycled\desktop.ini

Filesize
65B

MD5
ad0b0b4416f06af436328a3c12dc491b

SHA1
743c7ad130780de78ccbf75aa6f84298720ad3fa

SHA256
23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

SHA512
884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.doc

Filesize
40B

MD5
3b9be4bfa75882ca69caaac3cb3de38f

SHA1
fe9643e89464087e3e813c79d060318a2ba5ad6e

SHA256
4cb8eae72aa9daba25df3fb27e5a106215375cbdf2f830b770bec3e526df5048

SHA512
5eb64c50ede5d7f8f89f7cae025e5835fe79ede3e24473241d5e2bcc459722ea66d561a538a5d8d01c5ca48634d1506f55e5d71e1cd01787c0e9ce07bad1afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
77KB

MD5
e90910c24bc4ef5f4ac9710f93b054cf

SHA1
ca0967466407b92ee90742e8fb11d1e72f447d55

SHA256
6102b023c0ae411bff52dedfd37d2ed6dd8b8f443f4b88b931483871fd385ac1

SHA512
51b5b22ea525761b7c6eff1bcad074cbc4d572250e3b55d6ff9966b7296344fc7715463e634b069f9b7d02a632ae1ef5c7caa2532527bef80f78d88b0037ea60

Download Submit
\Recycled\SVCHOST.EXE

Filesize
77KB

MD5
084b70be0380b61e5a7b102d7d094411

SHA1
2053c1e187923fbc47f4838d8d7666d8aace36e3

SHA256
4c99e2b1d3f987939630f4e86aa9b3ab5836da7c98d83d3fc2be261e6f326551

SHA512
856fb3a75991b133955ca0b9ebf0331795496fb9c200ecd6444264ac5099deb3a7829c46ac3915af9ae85132ce2828869de90ad7edb2b15447eb7f6f3d9a389b

Download Submit
memory/336-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/336-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/536-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/536-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/564-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1140-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1168-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1184-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2044-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2044-98-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2060-16-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/2060-101-0x00000000042E0000-0x00000000042F0000-memory.dmp

Filesize
64KB

Download
memory/2060-88-0x0000000001D50000-0x0000000001D6A000-memory.dmp

Filesize
104KB

Download
memory/2060-102-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2060-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2188-31-0x0000000000740000-0x000000000075A000-memory.dmp

Filesize
104KB

Download
memory/2188-81-0x0000000000740000-0x000000000075A000-memory.dmp

Filesize
104KB

Download
memory/2188-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2188-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2348-92-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-49-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2796-174-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2824-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2824-58-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/2824-168-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2824-173-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/2896-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download