Overview

overview

10

Static

static

3

9dcc01612a...fN.exe

windows7-x64

10

9dcc01612a...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe

  • Size

    45KB

  • MD5

    32b8d27e04dcdc6758fb2e5eb0abee60

  • SHA1

    4939a642a0457a0f62356216a4d0348f01eef25c

  • SHA256

    9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bf

  • SHA512

    1fe56c6ff7afc361693d57ef631266c6e398fd7e5691f4fb84cdc0166dfbf6e4ac2721056d59e05d64dbf364e160006b0d53e9aee36acea996b8db7b629adcb7

  • SSDEEP

    768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JX9:5UWXaMU5Xvp3FrbCEn9

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe
    "C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4008
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5004
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3196
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4708
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2996
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1864
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3188
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:704
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Modifies registry class
          PID:4968
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4520
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4816
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9dcc01612a83a0622a72f47a70983d3a9cd5a5faab1b099d56ee17d6a39265bfN.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    45KB

    MD5

    d39acfadbf24e9c94c0704fa01f4cdb3

    SHA1

    5cd075722925caa110c93bfe52f6f2b574074c7c

    SHA256

    4ede60664960951c038d974a929c097f53e5deed9eb9ff5ddd1d628edbd67ebe

    SHA512

    e0c428afc82cf61f6d103067172ebfe4de44d0a91bf2f1c0bec79b31c830ca7bebd898f04f6e5c8a340d579f0f56e4d637acd347d09d03ffa30847e5c65c39fc

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    45KB

    MD5

    1fe1906bcc70f6b5a85c1c44d6e81cbe

    SHA1

    5c49e28e235df9b839d866fd58cb3d4f99c0729b

    SHA256

    696393a3918726ec39f8750442ccf67b41e2f85672ec96e4a22596587ea7b3db

    SHA512

    e349e9f72134dafe0ceeffb960fb48f0a6ff031197cf38790121944091b6fb611872a4810a5955763072c856371ab322688ed755a1c9e4acdfe44cffb6d4b9ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    1KB

    MD5

    0269b6347e473980c5378044ac67aa1f

    SHA1

    c3334de50e320ad8bce8398acff95c363d039245

    SHA256

    68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

    SHA512

    e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD28E0.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    2KB

    MD5

    87cb0e4c4c506cc5a24db98f8268ae65

    SHA1

    9d0f55c18632960fb6a9d3aa42b2eca383b36ded

    SHA256

    3d648d784b9dc92ebfdda4f6bbca24992e4673e96f41ff9bc31bf90a897c0f26

    SHA512

    afce397dc66d9c9525a517d1693ef64e7cb8f2ceb906c720f8a0c7b666ca48ba78aa44ca5d9df32070b121b10e7f2559752280123aec399728bce81156a3d001

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    45KB

    MD5

    4c2dead7e9b48c5d64a6ec87ccfce464

    SHA1

    d4601e23a8302309fb24c183a0e9848c1bbe89dd

    SHA256

    64dcdd1bda5d8767ee63f6673580874b9c521d1fd3bcd913fc73ec1c584296f5

    SHA512

    29a6cba627c70ee5683db739519a1a727f250764aae67462efa9877b7c5b01b55c0e42f2fce5c4a8ee1c50eefc2388dfb3dd396e91d1c13dc7775df4f4605a1c

    Download Submit

  • memory/1172-17-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1172-295-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1864-63-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1864-61-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2996-62-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3188-67-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3196-43-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3216-296-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3216-29-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4008-28-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4432-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4432-76-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4480-82-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-79-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-78-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-81-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-80-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-77-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4480-83-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-72-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4708-55-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4816-75-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4920-45-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4920-303-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5004-39-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download