23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85

General

Target

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Size

45KB
MD5

d60407179c6134a465383bc6bbf6a2dd
SHA1

ad21182f3d32f5b6b14b5343d7b0ade9e4cdd234
SHA256

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85
SHA512

d0ee8941be9652677db799d6888b73f320246b6e0050b153db9b0b3fd32df2f748d7483c97b00df8decff004799e4c722ee55a03d8c1738cdf9d92c70b680261
SSDEEP

768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JXn:5UWXaMU5Xvp3FrbCEnn

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SVCHOST.EXESVCHOST.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSPOOLSV.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXE

pid	process
2688	SVCHOST.EXE
2844	SVCHOST.EXE
2992	SVCHOST.EXE
2784	SVCHOST.EXE
2604	SVCHOST.EXE
2572	SPOOLSV.EXE
2196	SVCHOST.EXE
1656	SVCHOST.EXE
2628	SPOOLSV.EXE
3052	SPOOLSV.EXE
1860	SVCHOST.EXE
1600	SPOOLSV.EXE

Loads dropped DLL 21 IoCs

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXE

pid	process
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened for modification	F:\Recycled\desktop.ini	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

description	ioc	process
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\K:	SPOOLSV.EXE
File opened (read-only)	\??\X:	SPOOLSV.EXE
File opened (read-only)	\??\G:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\S:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\Z:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\R:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	SPOOLSV.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\P:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\W:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\H:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\V:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\R:	SVCHOST.EXE
File opened (read-only)	\??\L:	SPOOLSV.EXE
File opened (read-only)	\??\O:	SPOOLSV.EXE
File opened (read-only)	\??\Q:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\L:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\N:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\O:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\T:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\J:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\Y:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened (read-only)	\??\I:	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Drops file in Windows directory 2 IoCs

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSVCHOST.EXEuserinit.exeSVCHOST.EXESPOOLSV.EXEWINWORD.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPOOLSV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 28 IoCs

Processes:

SVCHOST.EXESPOOLSV.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG\COMMAND	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\CONFIG	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe"	SPOOLSV.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1368 WINWORD.EXE

pid	process
1368	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

pid	process
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2572	SPOOLSV.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2688	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
2992	SVCHOST.EXE
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

pid	process
1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
2688	SVCHOST.EXE
2844	SVCHOST.EXE
2992	SVCHOST.EXE
2784	SVCHOST.EXE
2604	SVCHOST.EXE
2572	SPOOLSV.EXE
2196	SVCHOST.EXE
1656	SVCHOST.EXE
2628	SPOOLSV.EXE
3052	SPOOLSV.EXE
1860	SVCHOST.EXE
1600	SPOOLSV.EXE
1368	WINWORD.EXE
1368	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXEuserinit.exeWINWORD.EXE

description	pid	process	target process
PID 1868 wrote to memory of 2688	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 2688	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 2688	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 2688	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 2688 wrote to memory of 2844	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2844	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2844	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2844	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2992	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2992	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2992	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2688 wrote to memory of 2992	2688	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2784	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2784	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2784	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2784	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2604	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2604	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2604	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2604	2992	SVCHOST.EXE	SVCHOST.EXE
PID 2992 wrote to memory of 2572	2992	SVCHOST.EXE	SPOOLSV.EXE
PID 2992 wrote to memory of 2572	2992	SVCHOST.EXE	SPOOLSV.EXE
PID 2992 wrote to memory of 2572	2992	SVCHOST.EXE	SPOOLSV.EXE
PID 2992 wrote to memory of 2572	2992	SVCHOST.EXE	SPOOLSV.EXE
PID 2572 wrote to memory of 2196	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 2196	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 2196	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 2196	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 1656	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 1656	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 1656	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 1656	2572	SPOOLSV.EXE	SVCHOST.EXE
PID 2572 wrote to memory of 2628	2572	SPOOLSV.EXE	SPOOLSV.EXE
PID 2572 wrote to memory of 2628	2572	SPOOLSV.EXE	SPOOLSV.EXE
PID 2572 wrote to memory of 2628	2572	SPOOLSV.EXE	SPOOLSV.EXE
PID 2572 wrote to memory of 2628	2572	SPOOLSV.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 3052	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 3052	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 3052	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 2688 wrote to memory of 3052	2688	SVCHOST.EXE	SPOOLSV.EXE
PID 1868 wrote to memory of 1860	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 1860	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 1860	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 1868 wrote to memory of 1860	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SVCHOST.EXE
PID 2688 wrote to memory of 1508	2688	SVCHOST.EXE	userinit.exe
PID 2688 wrote to memory of 1508	2688	SVCHOST.EXE	userinit.exe
PID 2688 wrote to memory of 1508	2688	SVCHOST.EXE	userinit.exe
PID 2688 wrote to memory of 1508	2688	SVCHOST.EXE	userinit.exe
PID 1868 wrote to memory of 1600	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SPOOLSV.EXE
PID 1868 wrote to memory of 1600	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SPOOLSV.EXE
PID 1868 wrote to memory of 1600	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SPOOLSV.EXE
PID 1868 wrote to memory of 1600	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	SPOOLSV.EXE
PID 1508 wrote to memory of 2952	1508	userinit.exe	Explorer.EXE
PID 1508 wrote to memory of 2952	1508	userinit.exe	Explorer.EXE
PID 1508 wrote to memory of 2952	1508	userinit.exe	Explorer.EXE
PID 1508 wrote to memory of 2952	1508	userinit.exe	Explorer.EXE
PID 1868 wrote to memory of 1368	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	WINWORD.EXE
PID 1868 wrote to memory of 1368	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	WINWORD.EXE
PID 1868 wrote to memory of 1368	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	WINWORD.EXE
PID 1868 wrote to memory of 1368	1868	23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe	WINWORD.EXE
PID 1368 wrote to memory of 2044	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 2044	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 2044	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 2044	1368	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe
"C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\recycled\SVCHOST.EXE
  C:\recycled\SVCHOST.EXE :agent
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\recycled\SVCHOST.EXE
    C:\recycled\SVCHOST.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - F:\recycled\SVCHOST.EXE
    F:\recycled\SVCHOST.EXE :agent
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2784
  - - F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2604
  - - C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\recycled\SVCHOST.EXE
        
        C:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
    - - F:\recycled\SVCHOST.EXE
        
        F:\recycled\SVCHOST.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
    - - C:\recycled\SPOOLSV.EXE
        
        C:\recycled\SPOOLSV.EXE :agent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
- - C:\recycled\SPOOLSV.EXE
    C:\recycled\SPOOLSV.EXE :agent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3052
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      4⤵
      PID:2952
- F:\recycled\SVCHOST.EXE
  F:\recycled\SVCHOST.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\recycled\SPOOLSV.EXE
  C:\recycled\SPOOLSV.EXE :agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\23c866ca628a16ddd4c3a0497ab76cb1413a0f09b8839b453b8556d86b204b85.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
C:\recycled\SPOOLSV.EXE

Filesize
45KB

MD5
f04bc97acc4ee949b4e8bc02dfe9c5f2

SHA1
ee23794c660a9de549489d3205fd747ea884d12f

SHA256
eb29acdee1df7793a593f5810a58622d8b7f1c1ad487afe880eddcfd7e036dfc

SHA512
6b2750e2e29630bacb44eedd7f2cbb805109cf119e831a3f5e671fe539f3d48068205346f96dd57eb16cc59a9a7ad43ec50f9934acb74dbf2f34c235d3bed9a7

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
440d7e4897b63c60d2202ac1cd372340

SHA1
b1701cbadc0e7f0ea9439374b8de92b9f76fdadf

SHA256
caf75980ccc32e0836df8c632517f10a2bacd31563a8e7cc8fa0067b099ba2c4

SHA512
45c360ecce20fd8af79ea5d133e8748cb7b388071a1f41aa4cad3f1406b83aae88eef9cd99ab547ede004d2e5c950fcf9f1b5331765bd52345a96a466dcdf627

Download Submit
\Recycled\SVCHOST.EXE

Filesize
45KB

MD5
f9f8c85dee7e24d1c1072ce88334a46c

SHA1
7f0e48f6a30b0cfb9fbf67df2660c2585aa63a46

SHA256
1f22dd9a2776d61f0a0da73784d1a4ba7564d4cf7afa49f0539b499f352a00dc

SHA512
6685342cbfdb6fa1f4755460206b021f869259dcccf8e6aa3cd39cd457abc7378281afd3f71ec202474fb8e5d40df27c6d608ae87644c66898ba521f2e274b52

Download Submit
memory/1368-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1600-107-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1656-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1656-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1860-104-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1868-23-0x0000000002550000-0x000000000256A000-memory.dmp

Filesize
104KB

Download
memory/1868-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1868-108-0x0000000004860000-0x000000000486C000-memory.dmp

Filesize
48KB

Download
memory/1868-22-0x0000000002550000-0x000000000256A000-memory.dmp

Filesize
104KB

Download
memory/1868-102-0x0000000002550000-0x000000000256A000-memory.dmp

Filesize
104KB

Download
memory/1868-97-0x0000000002550000-0x000000000256A000-memory.dmp

Filesize
104KB

Download
memory/1868-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2196-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2196-71-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2572-181-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2572-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2604-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2628-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-185-0x0000000001E10000-0x0000000001E2A000-memory.dmp

Filesize
104KB

Download
memory/2688-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-163-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2688-169-0x0000000001E10000-0x0000000001E2A000-memory.dmp

Filesize
104KB

Download
memory/2688-39-0x0000000001E10000-0x0000000001E2A000-memory.dmp

Filesize
104KB

Download
memory/2784-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2844-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2844-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2992-62-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2992-173-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2992-60-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2992-47-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2992-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-90-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads