Overview

overview

10

Static

static

3

b14ae1dd5d...f3.exe

windows7-x64

10

b14ae1dd5d...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 05:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe

  • Size

    205KB

  • MD5

    b6ac49d55c1a26bd29fd8306257b512f

  • SHA1

    23cccc09b0b56b5c4119ce8833c3b629cc38e1c5

  • SHA256

    b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3

  • SHA512

    bc730922cf76cf76ac18b4860a26db2f8792073ac7fd0c4f794949930708630f0ba528cac2f0605a09fd8ee0f69edf6df8f777ad541862b57d7914aa6631af79

  • SSDEEP

    768:NHP/0gh1VgRDfqkLOpONM+EoiKv35BMCD:FTBiuPONM+R5f

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe
    "C:\Users\Admin\AppData\Local\Temp\b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2956
    • C:\Users\Admin\AppData\Local\smss.exe
      C:\Users\Admin\AppData\Local\smss.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\winlogon.exe
        C:\Users\Admin\AppData\Local\winlogon.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2848
      • C:\Windows\SysWOW64\at.exe
        at /delete /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3120
      • C:\Windows\SysWOW64\at.exe
        at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3540
      • C:\Users\Admin\AppData\Local\services.exe
        C:\Users\Admin\AppData\Local\services.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4796
      • C:\Users\Admin\AppData\Local\lsass.exe
        C:\Users\Admin\AppData\Local\lsass.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3116
      • C:\Users\Admin\AppData\Local\inetinfo.exe
        C:\Users\Admin\AppData\Local\inetinfo.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1836

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\inetinfo.exe
          Filesize

          190KB

          MD5

          adeaeafb9d86b5f483ffb8702c5a9948

          SHA1

          a3190bb9693e6b1e0331907d9152dfd4bfe7c8be

          SHA256

          79fd548345f6cc08d3b04d87893ecf0297a5b8d496af86bdea38de80ba27126b

          SHA512

          22685760720efd629844921fee4ff59df9c7e0e3c2f56f028bb99dcfdee1934328438fab9197d5215c4a70748625baf9936fb27b253758020ccf63f84d710b56

          Download Submit

        • C:\Users\Admin\AppData\Local\smss.exe
          Filesize

          205KB

          MD5

          b6ac49d55c1a26bd29fd8306257b512f

          SHA1

          23cccc09b0b56b5c4119ce8833c3b629cc38e1c5

          SHA256

          b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3

          SHA512

          bc730922cf76cf76ac18b4860a26db2f8792073ac7fd0c4f794949930708630f0ba528cac2f0605a09fd8ee0f69edf6df8f777ad541862b57d7914aa6631af79

          Download Submit

        • C:\Windows\ShellNew\sempalong.exe
          Filesize

          128KB

          MD5

          e7bac13933ef47dd517a6ec75a446277

          SHA1

          4dbce8fb05ddb524f64e98c24acbfb5362aa8647

          SHA256

          0a192f7d2dccdf6e42eaf689b0e92efa76c350a2084bbb20e9384b218d952514

          SHA512

          9571bf85da731efefab7a7c7c245b5f3efdc2024fa7891a187f6049ad2aebd323426e200c7d4c8f2e354357ff4a8249fe96a0bd6a369a7798c2f87026ba91ff8

          Download Submit

        • C:\Windows\eksplorasi.exe
          Filesize

          64KB

          MD5

          9b120ca419e3e900adae497eaf299826

          SHA1

          8279b2e61131733059ed97db384164f467086806

          SHA256

          9b3ce4cf7f1fab1878ce2735d43b05cdeca4da2b9224eb393124ddb343811a5f

          SHA512

          6724ac61ed3b68fe5fd21c7ecb2e6fc9256d8798b175fe8098511d5c27ea25564af0dc9068c548637db43297f173e191761bc7940e97bd661f1729535949c278

          Download Submit

        • memory/32-138-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/32-103-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/32-0-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/1044-137-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/1836-142-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/1836-151-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/2848-139-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/3116-104-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/3116-141-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download

        • memory/4796-140-0x0000000000400000-0x000000000045AE00-memory.dmp

          Filesize

          363KB

          Download