01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Size

87KB
MD5

debe698c3b33ab7a6c2081e6545249c2
SHA1

257377217fabf3778cb267cd8a744da0b7e76b96
SHA256

01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605
SHA512

dfac6ef6ed14693281319fd67d2b20479a1d081914c17caf08cc519ad04b2868c42fbeab062d1863b3df21c9da6201f6dfd051c1dc4e3a006ed4c9eb19bf0e2d
SSDEEP

1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIH:08dfX7y9DZ+N7eB+IIH

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\Fonts\\\u00a0Explorer.exe\""	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\""	SVCHOST.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE

Executes dropped EXE 12 IoCs

pid	Process
1900	SVCHOST.EXE
1912	SVCHOST.EXE
2864	SVCHOST.EXE
2716	SVCHOST.EXE
2876	SVCHOST.EXE
2628	SPOOLSV.EXE
2648	SVCHOST.EXE
2624	SVCHOST.EXE
2156	SPOOLSV.EXE
1556	SPOOLSV.EXE
2412	SVCHOST.EXE
376	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

pid	Process
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Recycled\desktop.ini	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened for modification	F:\Recycled\desktop.ini	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\E:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\J:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\L:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\M:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\T:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\Y:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\I:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\R:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\X:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\H:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\V:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\G:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\O:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\N:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\P:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened (read-only)	\??\Z:	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SVCHOST.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	SPOOLSV.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Fonts\ Explorer.exe	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2148	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
1900	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2864	SVCHOST.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE
2628	SPOOLSV.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
1900	SVCHOST.EXE
1912	SVCHOST.EXE
2864	SVCHOST.EXE
2716	SVCHOST.EXE
2876	SVCHOST.EXE
2628	SPOOLSV.EXE
2648	SVCHOST.EXE
2624	SVCHOST.EXE
2156	SPOOLSV.EXE
1556	SPOOLSV.EXE
2412	SVCHOST.EXE
376	SPOOLSV.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1900	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	30
PID 2520 wrote to memory of 1900	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	30
PID 2520 wrote to memory of 1900	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	30
PID 2520 wrote to memory of 1900	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	30
PID 1900 wrote to memory of 1912	1900	SVCHOST.EXE	31
PID 1900 wrote to memory of 1912	1900	SVCHOST.EXE	31
PID 1900 wrote to memory of 1912	1900	SVCHOST.EXE	31
PID 1900 wrote to memory of 1912	1900	SVCHOST.EXE	31
PID 1900 wrote to memory of 2864	1900	SVCHOST.EXE	32
PID 1900 wrote to memory of 2864	1900	SVCHOST.EXE	32
PID 1900 wrote to memory of 2864	1900	SVCHOST.EXE	32
PID 1900 wrote to memory of 2864	1900	SVCHOST.EXE	32
PID 2864 wrote to memory of 2716	2864	SVCHOST.EXE	33
PID 2864 wrote to memory of 2716	2864	SVCHOST.EXE	33
PID 2864 wrote to memory of 2716	2864	SVCHOST.EXE	33
PID 2864 wrote to memory of 2716	2864	SVCHOST.EXE	33
PID 2864 wrote to memory of 2876	2864	SVCHOST.EXE	34
PID 2864 wrote to memory of 2876	2864	SVCHOST.EXE	34
PID 2864 wrote to memory of 2876	2864	SVCHOST.EXE	34
PID 2864 wrote to memory of 2876	2864	SVCHOST.EXE	34
PID 2864 wrote to memory of 2628	2864	SVCHOST.EXE	35
PID 2864 wrote to memory of 2628	2864	SVCHOST.EXE	35
PID 2864 wrote to memory of 2628	2864	SVCHOST.EXE	35
PID 2864 wrote to memory of 2628	2864	SVCHOST.EXE	35
PID 2628 wrote to memory of 2648	2628	SPOOLSV.EXE	36
PID 2628 wrote to memory of 2648	2628	SPOOLSV.EXE	36
PID 2628 wrote to memory of 2648	2628	SPOOLSV.EXE	36
PID 2628 wrote to memory of 2648	2628	SPOOLSV.EXE	36
PID 2628 wrote to memory of 2624	2628	SPOOLSV.EXE	37
PID 2628 wrote to memory of 2624	2628	SPOOLSV.EXE	37
PID 2628 wrote to memory of 2624	2628	SPOOLSV.EXE	37
PID 2628 wrote to memory of 2624	2628	SPOOLSV.EXE	37
PID 2628 wrote to memory of 2156	2628	SPOOLSV.EXE	38
PID 2628 wrote to memory of 2156	2628	SPOOLSV.EXE	38
PID 2628 wrote to memory of 2156	2628	SPOOLSV.EXE	38
PID 2628 wrote to memory of 2156	2628	SPOOLSV.EXE	38
PID 1900 wrote to memory of 1556	1900	SVCHOST.EXE	39
PID 1900 wrote to memory of 1556	1900	SVCHOST.EXE	39
PID 1900 wrote to memory of 1556	1900	SVCHOST.EXE	39
PID 1900 wrote to memory of 1556	1900	SVCHOST.EXE	39
PID 2520 wrote to memory of 2412	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	40
PID 2520 wrote to memory of 2412	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	40
PID 2520 wrote to memory of 2412	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	40
PID 2520 wrote to memory of 2412	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	40
PID 2520 wrote to memory of 376	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	41
PID 2520 wrote to memory of 376	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	41
PID 2520 wrote to memory of 376	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	41
PID 2520 wrote to memory of 376	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	41
PID 2520 wrote to memory of 2148	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	42
PID 2520 wrote to memory of 2148	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	42
PID 2520 wrote to memory of 2148	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	42
PID 2520 wrote to memory of 2148	2520	01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe	42
PID 2148 wrote to memory of 2984	2148	WINWORD.EXE	45
PID 2148 wrote to memory of 2984	2148	WINWORD.EXE	45
PID 2148 wrote to memory of 2984	2148	WINWORD.EXE	45
PID 2148 wrote to memory of 2984	2148	WINWORD.EXE	45

C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
"C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1912
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2716
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2876
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1556
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:376
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
2KB

MD5
1a1dce35d60d2c70ca8894954fd5d384

SHA1
58547dd65d506c892290755010d0232da34ee000

SHA256
2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

SHA512
4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
87KB

MD5
70abc6c0817983df0d8e6f5bcf36967b

SHA1
bb890981a5cb053edd911bd41146e8a247cd68cb

SHA256
00d5e2268a9f555e754b31c72fd99984da9562bbed335d4b202d038e65dce0be

SHA512
9b5b956155517e2da4ffeb3b218523fd2e1c1103e08b51af15345a17b4d68b416ea66bf97bc41c1d0feca56705e2ace00b1ae7f34262eca4d6d566f10d9b5716

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
87KB

MD5
c63b77f4ade8ff139d1a8af70dbae2f9

SHA1
8e266a7346cb23544606a625718304420d2e6ef8

SHA256
06e0a6a5e108075fa6977fc70e5c0c019110f6baeaa7c7de02b3715784697831

SHA512
781b87ca98d83f4d2a93af14ce306bc71519751a82851341b4bf79b1bba90006394dcbdf5374824b796c7d8f4ce49e348f7460f3c0f0a46c71ecb069fdec9cc0

Download Submit
C:\Windows\Fonts\ Explorer.exe

Filesize
87KB

MD5
53dd3e21ab4739e928936efbd9bd487e

SHA1
bc54a9c20236e029e391983b947e7d974efdf5de

SHA256
b2fa2ec26d203edb79518d8dc71bfa5a602539bee42c4cf1d6e06e6cbf8540a0

SHA512
26d9910e02a5865009814f5cdfb9d50b60527974bf517aad564417ca815ae19ade79f2ca90d2fbf44a7012ea1949d94312f571b3617ee000df52fb8fc321417e

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
87KB

MD5
0553004c312470d7eac707fd9cb6d687

SHA1
f6c33dc24b8f6f4d6689bbfdb0aff327b1c7af69

SHA256
e66c301a84d053db80468a6a67d39ef563785b0ada571ac538fd25e497bd723c

SHA512
8486d58c918ad19e0653b747a649f65bfe4f077f01cb345d17d51365a55d221442bfc742667f77a54cfb6fc988a77606b4cf55fa0d538ec8ccb903e38532cba3

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
87KB

MD5
985dcec035e0220fc24555fe0cb8dbb2

SHA1
ba94ecd79466c793e886a56594122cdc525bf9d1

SHA256
8b9b745888f4d611df219aabc3bcc095d33c742b812c99f3a1dfe268d0dd5f42

SHA512
236aa43d9cfc18df512a3015a5f37b017f99caa7d5de0e74d63d506b6b5b6bb275d9e90a8956bc17841025e97c85c784f98c06ee9f1abf8a70b486c1a2257c88

Download Submit
\Recycled\SVCHOST.EXE

Filesize
87KB

MD5
17242d36f19cdcdb47cc7bc01442596f

SHA1
c578dfcbe0fdcbe49a8752957b44484363dc37e1

SHA256
b3d573b5f23e4bc65ea6b01f00759bafaaf85fbf017439d4147c9cd821e050ef

SHA512
83187e970f23d08a78d36f5301e6cd37219d435723c554a198714b2475030d7fccdd6cc1892614c0a491c5c694ca2553ade253ca8c9f9f9119f788a6040bef77

Download Submit
memory/376-111-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1900-95-0x0000000001DF0000-0x0000000001E11000-memory.dmp

Filesize
132KB

Download
memory/1900-42-0x0000000001DF0000-0x0000000001E11000-memory.dmp

Filesize
132KB

Download
memory/1900-171-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1900-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1912-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1912-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2148-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2156-93-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2412-108-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-112-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2520-107-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2520-114-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-24-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2520-23-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2520-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2624-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2628-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2628-78-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2628-182-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2648-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2716-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-65-0x0000000000510000-0x0000000000531000-memory.dmp

Filesize
132KB

Download
memory/2864-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2864-52-0x0000000000510000-0x0000000000531000-memory.dmp

Filesize
132KB

Download
memory/2864-178-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2876-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download