Overview

overview

10

Static

static

3

9797c5b39a...3e.exe

windows7-x64

10

9797c5b39a...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 23:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe

  • Size

    77KB

  • MD5

    5d1e9fd2c6d0cdfd4475db0543a2fd65

  • SHA1

    02edf540a529aab62afbc44a6f660dae50a100a4

  • SHA256

    9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e

  • SHA512

    c4556835841c8181db29d7648fee0d5e17e78fa1d660bd611f1d216975c953a95711e5717d6d30453dc99ea8f3d230a1ce2a10edadf70cda5b71bc56ad815d16

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoKE:FD40Dmx7y9DZ/Z2hGVkKE

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe
    "C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2244
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:644
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4728
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2216
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2036
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5084
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4716
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1976
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4696
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2688
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
      PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SVCHOST.EXE
      Filesize

      77KB

      MD5

      bcb73bcf9990e92d6b5c2297726eda0f

      SHA1

      f189e12435b5448d60e1a174642b98c5d2b06354

      SHA256

      57cc6b136ba12d54d8ea323c13d704b33a99a273b4652c385b72071e3c7b65bb

      SHA512

      58232f23d1a9d926445f718d5b7356d80db62d2c68fd1b3ce689949655e13efaaf7b18e824ff735707eeceb2384bda315a68ca839d3eb904958b18e3ecd3963a

      Download Submit

    • C:\Recycled\desktop.ini
      Filesize

      65B

      MD5

      ad0b0b4416f06af436328a3c12dc491b

      SHA1

      743c7ad130780de78ccbf75aa6f84298720ad3fa

      SHA256

      23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

      SHA512

      884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9797c5b39af031703e0e9c5f8f02f0a2dc253e5f9a95598556de52a39b98403e.doc
      Filesize

      40B

      MD5

      3b9be4bfa75882ca69caaac3cb3de38f

      SHA1

      fe9643e89464087e3e813c79d060318a2ba5ad6e

      SHA256

      4cb8eae72aa9daba25df3fb27e5a106215375cbdf2f830b770bec3e526df5048

      SHA512

      5eb64c50ede5d7f8f89f7cae025e5835fe79ede3e24473241d5e2bcc459722ea66d561a538a5d8d01c5ca48634d1506f55e5d71e1cd01787c0e9ce07bad1afb8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      1KB

      MD5

      0269b6347e473980c5378044ac67aa1f

      SHA1

      c3334de50e320ad8bce8398acff95c363d039245

      SHA256

      68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

      SHA512

      e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • C:\recycled\SPOOLSV.EXE
      Filesize

      77KB

      MD5

      928522e5c333bd48409d33acdb4a2dee

      SHA1

      152e8e62896960faf4b3a08faa2a854945a9ef0b

      SHA256

      360ef178b469ee57c3502faf7bc293def836a2ccaa2e7779b82907d91ecc3c0a

      SHA512

      7b093394d7c26cde991a43be0a074530547e4385f3d7d176e865bea6cea9664ca154996986ce1e5ededfbf5738cff18642eba905026428e20fddf10368284526

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      77KB

      MD5

      06b274c38b88da413db38f4d38f49230

      SHA1

      b27a2be14bccdf8958654cb9e953734d57a49b5d

      SHA256

      53f66de4cab88fbbee65dd37401035c2be47f56d0a2aad2d5f3640b5a7f583e0

      SHA512

      7babd970600fd0e52a8cf3448ef0f25c2b9314283a5402dbe0da9aa0ee1489f696a295eaf68a54e31f9143b72229b41f71983f28090d6407d333a0281b073a11

      Download Submit

    • memory/644-42-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-30-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1300-196-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2036-60-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2216-56-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2244-28-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2352-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2352-100-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2608-75-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2688-97-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-102-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-104-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-103-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-99-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-98-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-101-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2912-45-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2912-203-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4696-72-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4716-67-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4728-46-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4728-41-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4984-195-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4984-17-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5084-63-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download