Overview

overview

10

Static

static

3

01dd2184eb...05.exe

windows7-x64

10

01dd2184eb...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe

  • Size

    87KB

  • MD5

    debe698c3b33ab7a6c2081e6545249c2

  • SHA1

    257377217fabf3778cb267cd8a744da0b7e76b96

  • SHA256

    01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605

  • SHA512

    dfac6ef6ed14693281319fd67d2b20479a1d081914c17caf08cc519ad04b2868c42fbeab062d1863b3df21c9da6201f6dfd051c1dc4e3a006ed4c9eb19bf0e2d

  • SSDEEP

    1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIH:08dfX7y9DZ+N7eB+IIH

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe
    "C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1512
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3680
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3872
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2848
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3940
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4944
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1600
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1572
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3492
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01dd2184eb71969187a3291afe9c59e93c3c9b9a97a8416e33ed7660c1a62605.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SVCHOST.EXE
    Filesize

    87KB

    MD5

    8fff996bc4e522823c74c8ccc23d31a8

    SHA1

    2bdfaf88d16a1bacb5bdf1b1194a586acaeeb642

    SHA256

    fe2021b8df7c81690ffdf9a3b24c44cff637008db664f032b62358575d93e256

    SHA512

    123bb1e29a4891c3e400663c965e11363fe0c867b3450b9b44b30f7f45379298c1a21ab302c8acc3e77008d802988c4f61c8bfc58569b55b21a6c258c7ed29ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDE554.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    5515830dbbd29f7de99bc1d4ca144527

    SHA1

    d77c53c00074c5009069eb734f42677d3298ee23

    SHA256

    42d1a7d45582b84e5e4b0008fdfe50d2d060be1df72a0d4adc702a1510fcf9a7

    SHA512

    22484d191ff3ae91889321e000807df2ebed051d64c899768a395299c0c0c4d2843dad5e4caa5fc86612c78cdaf30e7aeaecfeb34d946a86712ec0a44b4b9375

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    87KB

    MD5

    1bef08151c62037c76c22f887496bd4f

    SHA1

    345e151ce6442fa874d65bdb69cf3b60099de3b0

    SHA256

    15b69d67d84e32470c0c92a351b7ae2c95f1cb0a2f354038259263415cab04a0

    SHA512

    ed42acf83cfafca5843ec878023adb5dce3ad3ff76bfa3a93b8129a5e872793f7709cb60033ea079e86837822f0ab026d465c5614ddc62bb0e42ba41ae0ab857

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    87KB

    MD5

    f9dc286af89fdccfd614498cde3d9285

    SHA1

    25e79c77dde20df5d75e8a4fae4b65255469fd78

    SHA256

    d11de5818d512a528262254d5dc89d754209afdb9872df4461ee15d2cddcb519

    SHA512

    b28ce1c3858d79a2deba60c0f09398870d6261f91b703b487521fe2e633ec410d5bfec215eeb46c9f9e9797d651de21ec4e59406efaa50b8bf837fde439cce8a

    Download Submit

  • C:\Windows\Fonts\ Explorer.exe
    Filesize

    87KB

    MD5

    7e6c946b9e8a84aaf3e4149a5d0d8992

    SHA1

    a0f8d8aaa26254f7440a6ade0bf1c2cc66f5d956

    SHA256

    c6591793f53cc2853589d7b4711ee7eac1cc82f53dcbf6e9fbd6435f6ca47543

    SHA512

    04c72e7420bbd1b6996d78990421d2d17c3e439ae50298cc9cf7fb56274e809fc8ef6ec0943a2b0531b65d0c7dfb21416d05c587b077db477cd853c52c85a0be

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • C:\recycled\SPOOLSV.EXE
    Filesize

    87KB

    MD5

    b4f1b64e7538eb7d8aca479835e91cde

    SHA1

    b281f5d556205e6665ba2cb8847e983d1c3138de

    SHA256

    b374723e060d2a54cf6b027ad6d42cae48be2baefc902c73db55ef5add087423

    SHA512

    c5ce8bcf02f28dcd08b9ee12aea5c60833120497d0a820a139b57384148f63832bcb32ba76f243e9978d2fb2475038193946a4743c421dbfa28bb4e9a8f290c2

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    87KB

    MD5

    3c632e96482b53b5ab2f8e39b8a34052

    SHA1

    ec865d90bd1bec76f57cffd447ae18a31f4e0308

    SHA256

    06a1d9f1fb51552f894ee4bcc382ccffd32235866fe343cb93b5e3af1c787c83

    SHA512

    ef08be7676984cafd5f1b205b3ba6ccf21b1fb9124831e0eb5b9d84c2732272c50167d0d6d64a1e8590f22b751a9db064ffefabd2a04a1e6becb5d2beddbf1a7

    Download Submit

  • memory/1512-29-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1572-79-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1600-75-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1732-305-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1732-52-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2364-0-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2364-84-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2460-90-0x00007FF8AA2F0000-0x00007FF8AA300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-91-0x00007FF8AA2F0000-0x00007FF8AA300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-85-0x00007FF8AC350000-0x00007FF8AC360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-87-0x00007FF8AC350000-0x00007FF8AC360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-86-0x00007FF8AC350000-0x00007FF8AC360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-88-0x00007FF8AC350000-0x00007FF8AC360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-89-0x00007FF8AC350000-0x00007FF8AC360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2740-18-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2740-297-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2848-63-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3492-82-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3680-45-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3872-49-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3872-44-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3940-67-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4272-33-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4272-298-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4944-70-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download