Analysis

  • max time kernel
    120s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 10:06

General

  • Target

    e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe

  • Size

    76KB

  • MD5

    1b4ef5b81501f757d751a986c6fbc4f0

  • SHA1

    2c52e7cebe085f8576498aeee0d69b4d4e109647

  • SHA256

    e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374e

  • SHA512

    3a86d87718c5e67e9981804c26d4f0dfd55a2d94b8d34d6de7df0ece8f03bdf79d8a84d21ffe0a7c1ace1f7915402ac1e2f2720af6ffa335d15db63ae6255df0

  • SSDEEP

    1536:v70ak+ddygXAyy9v7Z+NoykJHBOAFRfBjG3ldoIW:T0aXdfXAyy9DZ+N7eB+IIW

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe
    "C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1036
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4944
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2208
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3096
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4216
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3128
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4164
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3824
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3260
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e62d50b62dc3aa4b5fa49f7f5b96c93f3d8021c41b2d8806776876df6df4374eN.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE

    Filesize

    76KB

    MD5

    88d4bf976836212fb4638ae9beeb5c8a

    SHA1

    21a50bedbdc4fba5ad88c03a2f79a5f96fbaf601

    SHA256

    7d263d66085110aaca5a303c1253cfcca886619b08dee6a0a60ff42c9d2a6bf1

    SHA512

    52c890bcf7212a745296d130c5e4e84258882b074829c7fa63d84f1145a57c155a43ac572d1de1941277b9800780fcb757839294a5c65289cdb45cf5768c82d3

  • C:\Recycled\SVCHOST.EXE

    Filesize

    76KB

    MD5

    8cc25461a147bfa1853e5d682730365f

    SHA1

    8cac90573d4119ed6ef2bae86bd152e5142f77d3

    SHA256

    457cd473c0e147f69c196228c7dcd359d0e62da9cadd8b4250eef0f9c0982a85

    SHA512

    81bb50754bc92444f60da8df206f1331c7f8aa957cdee9ee7e3af4afc85f58ca006bf15a3bc9e06891d8a4fad97ac147569c813f57c5ce6846e9abccea5d4066

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

    Filesize

    2KB

    MD5

    1a1dce35d60d2c70ca8894954fd5d384

    SHA1

    58547dd65d506c892290755010d0232da34ee000

    SHA256

    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

    SHA512

    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

  • C:\Users\Admin\AppData\Local\Temp\TCDC5DD.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

    Filesize

    16B

    MD5

    d29962abc88624befc0135579ae485ec

    SHA1

    e40a6458296ec6a2427bcb280572d023a9862b31

    SHA256

    a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

    SHA512

    4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    76KB

    MD5

    1b43e83b317b915154f414aa6d07b2a7

    SHA1

    70b9aeaa9c96b74fa09fe7ac3ba1dff5fe5c3390

    SHA256

    6241df3c4d5078e3ac21751973a9e6c3ea6762dc9498add052554cd47c634344

    SHA512

    1ba38dcd1d47d1147457ea14017b636ba4b7080d1c2aa0c64fcb12e0082d05f7a3d08c32f95290baf338a2b47e83a96f2abc24e63de86d602fdc469c369119db

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    76KB

    MD5

    bd8532662d792a94ae0343dcf44f5247

    SHA1

    34c8fd182c61364521505f5d1f2962f3ab785825

    SHA256

    0a508d0cbfbd7d02eeb975713057c0ce3ef91e143c8a595e5b602c0546f52dc3

    SHA512

    1ebce5f823abe91de164271509a00d46fb9d0cf0e9fa4302aebd01292c0b303d6277a06b95ff7599aedc2fd5277f3c2ce000e34e84ba0752293eead28231e277

  • C:\Windows\Fonts\ Explorer.exe

    Filesize

    76KB

    MD5

    a06333b9b6ca3505c62bef750838189b

    SHA1

    8b091f0fb87e8854334df5d83c4a2c2118e966da

    SHA256

    db086e49c19a74e4be83db82ac578579d0a6adc7d884a1cb46c3754b4c660d39

    SHA512

    f1b6447fdcc5d12a46af21e9bd78e17ba2a73d7bc9b3d43574ca98ab7fc4546673fdee5a5fb19768aa30540eb46238dbb96822007aa8f7e16bea6ad5d1f3f69a

  • C:\begolu.txt

    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

  • F:\Recycled\SVCHOST.EXE

    Filesize

    76KB

    MD5

    d02717285294436093f4d7e660e4b366

    SHA1

    34d0429343478f7996ea980729b7c86f248c8885

    SHA256

    ce4106d4603b45655cbb808f10367fff0c087352dd4aa9c3b21c6b1b6fd511fd

    SHA512

    7d6a37f56bd800cde6b30795d8e44bfce4e2d73ed227717ca6079b5f413d511186123550ddc6fbf8acf348705714f87de75796910f0f5124ccf3e207cc16ce45

  • memory/416-88-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/416-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/636-677-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/636-50-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1032-669-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1032-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/1036-29-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2208-47-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3096-61-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3128-69-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3260-81-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3504-32-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3504-676-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/3824-78-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4164-73-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4216-66-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4944-44-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4960-86-0x00007FFE2AED0000-0x00007FFE2AEE0000-memory.dmp

    Filesize

    64KB

  • memory/4960-90-0x00007FFE28620000-0x00007FFE28630000-memory.dmp

    Filesize

    64KB

  • memory/4960-89-0x00007FFE28620000-0x00007FFE28630000-memory.dmp

    Filesize

    64KB

  • memory/4960-83-0x00007FFE2AED0000-0x00007FFE2AEE0000-memory.dmp

    Filesize

    64KB

  • memory/4960-87-0x00007FFE2AED0000-0x00007FFE2AEE0000-memory.dmp

    Filesize

    64KB

  • memory/4960-85-0x00007FFE2AED0000-0x00007FFE2AEE0000-memory.dmp

    Filesize

    64KB

  • memory/4960-84-0x00007FFE2AED0000-0x00007FFE2AEE0000-memory.dmp

    Filesize

    64KB