9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bf

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Size

45KB
MD5

32b8d27e04dcdc6758fb2e5eb0abee60
SHA1

4939a642a0457a0f62356216a4d0348f01eef25c
SHA256

9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bf
SHA512

1fe56c6ff7afc361693d57ef631266c6e398fd7e5691f4fb84cdc0166dfbf6e4ac2721056d59e05d64dbf364e160006b0d53e9aee36acea996b8db7b629adcb7
SSDEEP

768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JX9:5UWXaMU5Xvp3FrbCEn9

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE

Executes dropped EXE 12 IoCs

pid	Process
2628	SVCHOST.EXE
2552	SVCHOST.EXE
2696	SVCHOST.EXE
2576	SVCHOST.EXE
2768	SVCHOST.EXE
1428	SPOOLSV.EXE
772	SVCHOST.EXE
1488	SVCHOST.EXE
2584	SPOOLSV.EXE
2820	SPOOLSV.EXE
2488	SVCHOST.EXE
2440	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

pid	Process
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened for modification	F:\Recycled\desktop.ini	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\W:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\O:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\H:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\I:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\Q:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\Y:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\Z:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\K:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\J:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\M:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\R:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\T:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\U:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\E:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\P:	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
632	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
1428	SPOOLSV.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2628	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2696	SVCHOST.EXE
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
2628	SVCHOST.EXE
2552	SVCHOST.EXE
2696	SVCHOST.EXE
2576	SVCHOST.EXE
2768	SVCHOST.EXE
1428	SPOOLSV.EXE
772	SVCHOST.EXE
1488	SVCHOST.EXE
2584	SPOOLSV.EXE
2820	SPOOLSV.EXE
2488	SVCHOST.EXE
2440	SPOOLSV.EXE
632	WINWORD.EXE
632	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2628	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	30
PID 2104 wrote to memory of 2628	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	30
PID 2104 wrote to memory of 2628	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	30
PID 2104 wrote to memory of 2628	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	30
PID 2628 wrote to memory of 2552	2628	SVCHOST.EXE	31
PID 2628 wrote to memory of 2552	2628	SVCHOST.EXE	31
PID 2628 wrote to memory of 2552	2628	SVCHOST.EXE	31
PID 2628 wrote to memory of 2552	2628	SVCHOST.EXE	31
PID 2628 wrote to memory of 2696	2628	SVCHOST.EXE	32
PID 2628 wrote to memory of 2696	2628	SVCHOST.EXE	32
PID 2628 wrote to memory of 2696	2628	SVCHOST.EXE	32
PID 2628 wrote to memory of 2696	2628	SVCHOST.EXE	32
PID 2696 wrote to memory of 2576	2696	SVCHOST.EXE	33
PID 2696 wrote to memory of 2576	2696	SVCHOST.EXE	33
PID 2696 wrote to memory of 2576	2696	SVCHOST.EXE	33
PID 2696 wrote to memory of 2576	2696	SVCHOST.EXE	33
PID 2696 wrote to memory of 2768	2696	SVCHOST.EXE	34
PID 2696 wrote to memory of 2768	2696	SVCHOST.EXE	34
PID 2696 wrote to memory of 2768	2696	SVCHOST.EXE	34
PID 2696 wrote to memory of 2768	2696	SVCHOST.EXE	34
PID 2696 wrote to memory of 1428	2696	SVCHOST.EXE	35
PID 2696 wrote to memory of 1428	2696	SVCHOST.EXE	35
PID 2696 wrote to memory of 1428	2696	SVCHOST.EXE	35
PID 2696 wrote to memory of 1428	2696	SVCHOST.EXE	35
PID 1428 wrote to memory of 772	1428	SPOOLSV.EXE	36
PID 1428 wrote to memory of 772	1428	SPOOLSV.EXE	36
PID 1428 wrote to memory of 772	1428	SPOOLSV.EXE	36
PID 1428 wrote to memory of 772	1428	SPOOLSV.EXE	36
PID 1428 wrote to memory of 1488	1428	SPOOLSV.EXE	37
PID 1428 wrote to memory of 1488	1428	SPOOLSV.EXE	37
PID 1428 wrote to memory of 1488	1428	SPOOLSV.EXE	37
PID 1428 wrote to memory of 1488	1428	SPOOLSV.EXE	37
PID 1428 wrote to memory of 2584	1428	SPOOLSV.EXE	38
PID 1428 wrote to memory of 2584	1428	SPOOLSV.EXE	38
PID 1428 wrote to memory of 2584	1428	SPOOLSV.EXE	38
PID 1428 wrote to memory of 2584	1428	SPOOLSV.EXE	38
PID 2628 wrote to memory of 2820	2628	SVCHOST.EXE	39
PID 2628 wrote to memory of 2820	2628	SVCHOST.EXE	39
PID 2628 wrote to memory of 2820	2628	SVCHOST.EXE	39
PID 2628 wrote to memory of 2820	2628	SVCHOST.EXE	39
PID 2104 wrote to memory of 2488	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	40
PID 2104 wrote to memory of 2488	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	40
PID 2104 wrote to memory of 2488	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	40
PID 2104 wrote to memory of 2488	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	40
PID 2628 wrote to memory of 2280	2628	SVCHOST.EXE	41
PID 2628 wrote to memory of 2280	2628	SVCHOST.EXE	41
PID 2628 wrote to memory of 2280	2628	SVCHOST.EXE	41
PID 2628 wrote to memory of 2280	2628	SVCHOST.EXE	41
PID 2104 wrote to memory of 2440	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	42
PID 2104 wrote to memory of 2440	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	42
PID 2104 wrote to memory of 2440	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	42
PID 2104 wrote to memory of 2440	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	42
PID 2280 wrote to memory of 2000	2280	userinit.exe	43
PID 2280 wrote to memory of 2000	2280	userinit.exe	43
PID 2280 wrote to memory of 2000	2280	userinit.exe	43
PID 2280 wrote to memory of 2000	2280	userinit.exe	43
PID 2104 wrote to memory of 632	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	44
PID 2104 wrote to memory of 632	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	44
PID 2104 wrote to memory of 632	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	44
PID 2104 wrote to memory of 632	2104	9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe	44
PID 632 wrote to memory of 1344	632	WINWORD.EXE	47
PID 632 wrote to memory of 1344	632	WINWORD.EXE	47
PID 632 wrote to memory of 1344	632	WINWORD.EXE	47
PID 632 wrote to memory of 1344	632	WINWORD.EXE	47

C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
"C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2576
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2768
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      4⤵
      PID:2000
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2488
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
cd616035a124c2e91c70fbfcc54a2c4d

SHA1
45944afcf3e14d5966a3f8ef035fde25e5995f3c

SHA256
be4288e29d28ee1e6f614b032551917179c404b179c5bb0f9f16127f2edc7bd6

SHA512
e8e79768b5a198bc81d13179fd13d9da82550338c9ca0b2b5b6dbbcbe7cdd8b3940e5c9d7eaa1c65ef486f12b1d69743240c1e41b744b3f7d7988ec205fecd38

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
45KB

MD5
7e047c749bcbc401dc1272cf95c9017d

SHA1
e47c710f72099b7dfc89b6c38da5b813afdb865f

SHA256
316f703742b40fc99a8cf5c1c9bc46f8d32d37139762da5a23e683c22918faea

SHA512
6d2b7523c8b6990d5fd5b196ad24df267c6cb2a9f13c9d5015da4974aafc980a79294888480cc5285959b12a260bd107026d88472cb1d72f7d7239ceeaea2579

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
712211e495ef75b72fa14476b468aefa

SHA1
e026ad0dedfda0fae2d139234d2a5af5e196391a

SHA256
52cfa303ded40d390c3ebbff5a4855874be95d2e574dbbcc8bcaa7ba5af668e3

SHA512
86de475d14407be265553ec655e4521f283259b0745bed04cf87637a5c814fb78d560bb440e33da156e2c1df7c57f0b0b2c93c8d080c51ab0ecd332427378f40

Download Submit
memory/632-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1428-183-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1428-176-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1428-77-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1428-82-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1428-71-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/1428-70-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/1488-83-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2104-23-0x00000000024E0000-0x00000000024FA000-memory.dmp

Filesize
104KB

Download
memory/2104-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2104-108-0x0000000004720000-0x000000000472C000-memory.dmp

Filesize
48KB

Download
memory/2104-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2104-98-0x00000000024E0000-0x00000000024FA000-memory.dmp

Filesize
104KB

Download
memory/2104-19-0x00000000024E0000-0x00000000024FA000-memory.dmp

Filesize
104KB

Download
memory/2440-107-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2488-103-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2552-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2552-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2576-53-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2576-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2584-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2628-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2628-41-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/2628-38-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/2628-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2696-47-0x0000000002530000-0x000000000254A000-memory.dmp

Filesize
104KB

Download
memory/2696-60-0x0000000002530000-0x000000000254A000-memory.dmp

Filesize
104KB

Download
memory/2696-169-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-96-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download