Overview

overview

10

Static

static

3

b14ae1dd5d...f3.exe

windows7-x64

10

b14ae1dd5d...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe

  • Size

    205KB

  • MD5

    b6ac49d55c1a26bd29fd8306257b512f

  • SHA1

    23cccc09b0b56b5c4119ce8833c3b629cc38e1c5

  • SHA256

    b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3

  • SHA512

    bc730922cf76cf76ac18b4860a26db2f8792073ac7fd0c4f794949930708630f0ba528cac2f0605a09fd8ee0f69edf6df8f777ad541862b57d7914aa6631af79

  • SSDEEP

    768:NHP/0gh1VgRDfqkLOpONM+EoiKv35BMCD:FTBiuPONM+R5f

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe
    "C:\Users\Admin\AppData\Local\Temp\b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2964
    • C:\Users\Admin\AppData\Local\smss.exe
      C:\Users\Admin\AppData\Local\smss.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Users\Admin\AppData\Local\winlogon.exe
        C:\Users\Admin\AppData\Local\winlogon.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3632
      • C:\Windows\SysWOW64\at.exe
        at /delete /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4488
      • C:\Windows\SysWOW64\at.exe
        at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:856
      • C:\Users\Admin\AppData\Local\services.exe
        C:\Users\Admin\AppData\Local\services.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4688
      • C:\Users\Admin\AppData\Local\lsass.exe
        C:\Users\Admin\AppData\Local\lsass.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4900
      • C:\Users\Admin\AppData\Local\inetinfo.exe
        C:\Users\Admin\AppData\Local\inetinfo.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\smss.exe
    Filesize

    205KB

    MD5

    b6ac49d55c1a26bd29fd8306257b512f

    SHA1

    23cccc09b0b56b5c4119ce8833c3b629cc38e1c5

    SHA256

    b14ae1dd5d9e275f4206cc8eefc1f15130f3981aef3b9035b76f9a6559a233f3

    SHA512

    bc730922cf76cf76ac18b4860a26db2f8792073ac7fd0c4f794949930708630f0ba528cac2f0605a09fd8ee0f69edf6df8f777ad541862b57d7914aa6631af79

    Download Submit

  • C:\Windows\ShellNew\sempalong.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Windows\eksplorasi.exe
    Filesize

    128KB

    MD5

    e7bac13933ef47dd517a6ec75a446277

    SHA1

    4dbce8fb05ddb524f64e98c24acbfb5362aa8647

    SHA256

    0a192f7d2dccdf6e42eaf689b0e92efa76c350a2084bbb20e9384b218d952514

    SHA512

    9571bf85da731efefab7a7c7c245b5f3efdc2024fa7891a187f6049ad2aebd323426e200c7d4c8f2e354357ff4a8249fe96a0bd6a369a7798c2f87026ba91ff8

    Download Submit

  • memory/1684-0-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/1684-102-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/1684-137-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/3632-138-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/3940-141-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/3940-150-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/4688-139-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/4892-136-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download

  • memory/4900-140-0x0000000000400000-0x000000000045AE00-memory.dmp

    Filesize

    363KB

    Download