Analysis
max time kernel: 114s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 01:25
Static task: static1
Behavioral task: behavioral1
Sample: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Resource: win10v2004-20241007-en
General
Target: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Size: 440KB
MD5: e12692f81e2dc5fcf33913cb764cd2f0
SHA1: d063cc9c3e075df64b575d22ca52aacf8234a01c
SHA256: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ce
SHA512: 073e088817ffc5391108a7699081d2e31b41902bc70cad7346873db60152b40326cd6e827af70dd53315890e5dd83c84d65b297755a44485fb05d56d8b2b0d5b
SSDEEP: 6144:Kba8SfiircLRB/c1BALaHd1LRBXrAkSc5C8SkH8OHNDZIlu0kxtWdks:KZZiT1G/kSc5Cw8OtDZI40krs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 18 IoCs)
Processes: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, Lubang Hitam.exe, WINLOGON.EXE, SMSS.EXE, Black Hole.exe, LSASS.EXE, CSRSS.EXE, SERVICES.EXE, Black Hole.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | Black Hole.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 9 IoCs)
Processes: Lubang Hitam.exe, WINLOGON.EXE, Black Hole.exe, SERVICES.EXE, LSASS.EXE, SMSS.EXE, b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, Black Hole.exe, CSRSS.EXE
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 9 IoCs)
Processes: SERVICES.EXE, SMSS.EXE, Black Hole.exe, b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, Lubang Hitam.exe, WINLOGON.EXE, Black Hole.exe, CSRSS.EXE, LSASS.EXE
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Processes: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, WINLOGON.EXE, LSASS.EXE, Black Hole.exe, CSRSS.EXE, SERVICES.EXE, SMSS.EXE, Black Hole.exe, Lubang Hitam.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | LSASS.EXE
Disables RegEdit via registry modification (18 IoCs)
Processes: Lubang Hitam.exe, WINLOGON.EXE, SMSS.EXE, b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, LSASS.EXE, Black Hole.exe, Black Hole.exe, CSRSS.EXE, SERVICES.EXE
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (15 IoCs)
Processes: Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE, Black Hole.exe, Black Hole.exe, Black Hole.exe, Lubang Hitam.exe, Black Hole.exe, Black Hole.exe, Black Hole.exe, Lubang Hitam.exe
pid | Process
1200 | Black Hole.exe
2156 | Lubang Hitam.exe
2960 | WINLOGON.EXE
2416 | CSRSS.EXE
1936 | SERVICES.EXE
2272 | LSASS.EXE
676 | SMSS.EXE
2484 | Black Hole.exe
1956 | Black Hole.exe
2244 | Black Hole.exe
2676 | Lubang Hitam.exe
2624 | Black Hole.exe
2656 | Black Hole.exe
1676 | Black Hole.exe
1460 | Lubang Hitam.exe
Loads dropped DLL (16 IoCs)
Processes: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, WINLOGON.EXE, CSRSS.EXE
pid | Process
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2524 | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
2960 | WINLOGON.EXE
2960 | WINLOGON.EXE
2416 | CSRSS.EXE
2416 | CSRSS.EXE
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Processes: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, Black Hole.exe, WINLOGON.EXE, SERVICES.EXE, SMSS.EXE, Lubang Hitam.exe, CSRSS.EXE, LSASS.EXE, Black Hole.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Processes: Lubang Hitam.exe, SMSS.EXE, Black Hole.exe, b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, WINLOGON.EXE, SERVICES.EXE, LSASS.EXE, Black Hole.exe, CSRSS.EXE
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Adds Run key to start application (2 TTPs, 45 IoCs)
Processes: Lubang Hitam.exe, SERVICES.EXE, LSASS.EXE, Black Hole.exe, b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe, Black Hole.exe, CSRSS.EXE, WINLOGON.EXE, SMSS.EXE
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SMSS.EXE
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SMSS.EXE -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
description | ioc | Process
File created | C:\Autorun.inf | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification | C:\Autorun.inf | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created | F:\Autorun.inf | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification | F:\Autorun.inf | b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Drops file in System32 directory 36 IoCs
Drops file in Windows directory 35 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies Control Panel 54 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid Process
1200 Black Hole.exe
2484 Black Hole.exe (57 repeated hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid Process
2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
pid Process: Token(s) enabled
2992 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2584 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
1144 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
1972 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
536 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2916 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
112 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
1104 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
1704 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2668 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2700 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2792 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2708 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2736 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2868 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
2812 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
pid Process
2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
1200 Black Hole.exe
2156 Lubang Hitam.exe
2960 WINLOGON.EXE
2416 CSRSS.EXE
1936 SERVICES.EXE
2272 LSASS.EXE
676 SMSS.EXE
1956 Black Hole.exe
2484 Black Hole.exe
2244 Black Hole.exe
2676 Lubang Hitam.exe
2624 Black Hole.exe
2656 Black Hole.exe
1676 Black Hole.exe
1460 Lubang Hitam.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target (each edge was recorded 4 times; 16 distinct edges, 64 hits)
PID 2524 wrote to memory of 2992 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 31
PID 2524 wrote to memory of 1200 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 35
PID 1200 wrote to memory of 2584 1200 Black Hole.exe 36
PID 2524 wrote to memory of 2156 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 38
PID 2156 wrote to memory of 1144 2156 Lubang Hitam.exe 39
PID 2524 wrote to memory of 2960 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 41
PID 2960 wrote to memory of 1972 2960 WINLOGON.EXE 42
PID 2524 wrote to memory of 2416 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 44
PID 2416 wrote to memory of 536 2416 CSRSS.EXE 45
PID 2524 wrote to memory of 1936 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 47
PID 1936 wrote to memory of 2916 1936 SERVICES.EXE 48
PID 2524 wrote to memory of 2272 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 50
PID 2272 wrote to memory of 112 2272 LSASS.EXE 51
PID 2524 wrote to memory of 676 2524 b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe 53
PID 676 wrote to memory of 1104 676 SMSS.EXE 54
PID 2156 wrote to memory of 2484 2156 Lubang Hitam.exe 56
System policy modification 1 TTPs 64 IoCs
Processes:
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" Black Hole.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Black Hole.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Lubang Hitam.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" CSRSS.EXE
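The registry records above (Winlogon Shell/Userinit, the exefile/comfile/batfile/piffile/scrfile/lnkfile shell\open\command hijack pointing at C:\Windows\system32\Shell.exe, and the Policies\Explorer and Policies\System lockouts) are the part of this report a responder actually has to undo. The following is an added example, not part of the sandbox report: it parses "Set value" lines in the report's own format, compares each against the Windows default for that key, and renders the deviations as a .reg file that reverts them. SAMPLE_RECORDS is constructed from a subset of the lines above; the known-good values in expected_for() (explorer.exe, userinit.exe with trailing comma, "%1" %* for exefile and friends, "%1" /S for scrfile, "Application" for the exefile default value, no lnkfile\shell\open\command key and no Policies restrictions) are the Windows defaults and are an assumption about the victim's baseline, not something the report states.

```python
"""Triage registry changes from a sandbox report and emit a .reg that reverts them.

Added example, not part of the report. SAMPLE_RECORDS is constructed from a subset
of the report's own 'Set value' lines; the known-good values in expected_for() are
the Windows defaults for those keys (an assumed clean-host baseline).
"""
import re
from dataclasses import dataclass, field

RECORD_RE = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+?) = "(.*)" (.+)$')
KEY_DELETE = object()  # sentinel: a clean host does not have this key at all

SAMPLE_RECORDS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Black Hole.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" CSRSS.EXE
'''


@dataclass
class Record:
    key: str
    name: str  # '' means the key's (Default) value
    data: str
    process: str


def parse_records(text):
    """Parse the report's 'Set value' lines, one record per line."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        _, path, raw, proc = m.groups()
        key, _, name = path.rpartition('\\')                 # trailing '\' => (Default) value
        data = raw.replace('\\"', '"').replace('\\\\', '\\')  # undo the report's escaping
        records.append(Record(key, name, data, proc))
    return records


def expected_for(key, name, observed):
    """Return (category, known-good) for a monitored key/value, else None.
    known-good is a string, None (value must not exist) or KEY_DELETE."""
    k = key.lower().replace('\\registry\\machine\\', 'hklm\\').replace('wow6432node\\', '')
    n = name.lower()
    if k.endswith('\\microsoft\\windows nt\\currentversion\\winlogon'):
        if n == 'shell':
            return 'winlogon-persistence', 'explorer.exe'
        if n == 'userinit':
            return 'winlogon-persistence', 'C:\\Windows\\system32\\userinit.exe,'
    m = re.fullmatch(r'hklm\\software\\classes\\(\w+)\\shell\\open\\command', k)
    if m and n == '':
        ftype = m.group(1)
        if ftype == 'lnkfile':                        # key does not exist on a clean host
            return 'file-association-hijack', KEY_DELETE
        if ftype == 'scrfile':
            return 'file-association-hijack', '"%1" /S'
        if ftype in ('exefile', 'comfile', 'batfile', 'piffile'):
            return 'file-association-hijack', '"%1" %*'
    if k == 'hklm\\software\\classes\\exefile' and n == '':
        return 'file-association-hijack', 'Application'   # the sample writes "File Folder"
    if '\\currentversion\\policies\\' in k and observed == '1':
        return 'policy-lockout', None                     # these restrictions are absent by default
    return None


@dataclass
class Finding:
    key: str
    name: str
    observed: str
    expected: object
    category: str
    processes: list = field(default_factory=list)


def triage(records):
    """One finding per (key, value) that deviates from the baseline, with every writer listed."""
    findings = {}
    for rec in records:
        verdict = expected_for(rec.key, rec.name, rec.data)
        if verdict is None:
            continue
        category, expected = verdict
        if isinstance(expected, str) and expected.lower() == rec.data.lower():
            continue  # already the default value: not a deviation
        f = findings.setdefault((rec.key, rec.name),
                                Finding(rec.key, rec.name, rec.data, expected, category))
        if rec.process not in f.processes:
            f.processes.append(rec.process)
    return list(findings.values())


def reg_escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def remediation_reg(findings):
    """Render findings as a .reg file: '[-key]' deletes a key, 'name=-' deletes a value."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for f in sorted(findings, key=lambda x: (x.key, x.name)):
        hive_key = f.key.replace('\\REGISTRY\\MACHINE\\', 'HKEY_LOCAL_MACHINE\\')
        if f.expected is KEY_DELETE:
            lines += [f'[-{hive_key}]', '']
            continue
        vname = '@' if f.name == '' else f'"{f.name}"'
        value = '-' if f.expected is None else f'"{reg_escape(f.expected)}"'
        lines += [f'[{hive_key}]', f'{vname}={value}', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    found = triage(parse_records(SAMPLE_RECORDS))
    for f in found:
        print(f'{f.category:24} {f.key}\\{f.name} = {f.observed!r} (by {", ".join(f.processes)})')
    print(remediation_reg(found))
```

Feed it the full "Set value" list from a report to get one finding per hijacked key rather than one per writing process; the .reg it prints is meant to be reviewed, not applied blindly, since a host that legitimately customised one of these keys would show up as a deviation too.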
Processes
(indented by depth in the process tree; each entry gives the image path, the command line as recorded, the PID, and the signatures that fired for it)

C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe (PID 2524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\WINDOWS\SysWOW64\shutdown.exe (PID 2992)
    Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Black Hole.exe (PID 1200)
    Command line: "C:\Windows\Black Hole.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 2584)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Lubang Hitam.exe (PID 2156)
    Command line: "C:\Windows\system32\Lubang Hitam.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 1144)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 2484)
      Command line: "C:\Windows\Black Hole.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - System policy modification

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 1704)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2960)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 1972)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 1956)
      Command line: "C:\Windows\Black Hole.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2668)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Lubang Hitam.exe (PID 2676)
      Command line: "C:\Windows\system32\Lubang Hitam.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2708)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2416)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 536)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 2244)
      Command line: "C:\Windows\Black Hole.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2700)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Lubang Hitam.exe (PID 1460)
      Command line: "C:\Windows\system32\Lubang Hitam.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2812)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 1936)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 2916)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 2656)
      Command line: "C:\Windows\Black Hole.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2736)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 2272)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 112)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 1676)
      Command line: "C:\Windows\Black Hole.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2868)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 676)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe (PID 1104)
      Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe (PID 2624)
      Command line: "C:\Windows\Black Hole.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe (PID 2792)
        Command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
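Two patterns in the process tree above are worth turning into detection logic: copies of the sample named WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE run from C:\Users\Admin\Local Settings\Application Data\WINDOWS\ rather than System32, and every one of them (plus the root sample and the Black Hole.exe / Lubang Hitam.exe copies) spawns shutdown.exe -s -f -t 3600, a forced shutdown an hour out. The following is an added example, not part of the report: it reconstructs the parent chain and applies those two checks. SAMPLE_PROCESSES is constructed from the PIDs, paths and command lines printed in the tree, with one made-up legitimate C:\Windows\System32\winlogon.exe (PID 400) added as a control; the CORE_SYSTEM_IMAGES and INTERACTIVE_SHELLS sets are analyst heuristics chosen here, not something the report provides.

```python
"""Detection checks over a sandbox process tree: masquerading and forced shutdown.

Added example, not part of the report. SAMPLE_PROCESSES is constructed from the
report's tree (PIDs, paths, command lines) plus a made-up legitimate winlogon.exe
(PID 400) as a control. The allowlists are analyst heuristics, not Windows facts.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str    # on-disk path as the sandbox reports it
    cmdline: str


SHUTDOWN_CMD = r'C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!'
DROP_DIR = r'C:\Users\Admin\Local Settings\Application Data\WINDOWS'
SAMPLE_PROCESSES = [
    Process(400, 0, r'C:\Windows\System32\winlogon.exe', 'winlogon.exe'),  # constructed benign control
    Process(2524, 0, r'C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe',
            r'"C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe"'),
    Process(2992, 2524, r'C:\WINDOWS\SysWOW64\shutdown.exe', SHUTDOWN_CMD),
    Process(1200, 2524, r'C:\Windows\Black Hole.exe', r'"C:\Windows\Black Hole.exe"'),
    Process(2584, 1200, r'C:\WINDOWS\SysWOW64\shutdown.exe', SHUTDOWN_CMD),
    Process(2156, 2524, r'C:\Windows\SysWOW64\Lubang Hitam.exe', r'"C:\Windows\system32\Lubang Hitam.exe"'),
    Process(2960, 2524, DROP_DIR + r'\WINLOGON.EXE', f'"{DROP_DIR}\\WINLOGON.EXE"'),
    Process(1972, 2960, r'C:\WINDOWS\SysWOW64\shutdown.exe', SHUTDOWN_CMD),
    Process(2416, 2524, DROP_DIR + r'\CSRSS.EXE', f'"{DROP_DIR}\\CSRSS.EXE"'),
    Process(2272, 2524, DROP_DIR + r'\LSASS.EXE', f'"{DROP_DIR}\\LSASS.EXE"'),
]

# Image names Windows only ever runs from System32; a copy anywhere else is masquerading.
CORE_SYSTEM_IMAGES = {'winlogon.exe', 'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe', 'wininit.exe'}
# Parents from which a user-initiated shutdown plausibly comes (heuristic allowlist).
INTERACTIVE_SHELLS = {'explorer.exe', 'cmd.exe', 'powershell.exe'}


def build_tree(procs):
    return {p.pid: p for p in procs}


def ancestry(tree, pid):
    """Root-first chain of PIDs ending at pid; stops at a parent the tree does not know."""
    chain = []
    while pid in tree:
        chain.append(pid)
        pid = tree[pid].ppid
    return chain[::-1]


def image_name(p):
    return ntpath.basename(p.image).lower()


def image_dir(p):
    return ntpath.dirname(p.image).lower()


def shutdown_flags(cmdline):
    """(shutdown or reboot requested, forced, delay seconds or None) for a shutdown.exe command line."""
    toks = cmdline.split()
    norm = [t.lower().replace('/', '-') for t in toks]   # accept both -s and /s spellings
    delay = None
    if '-t' in norm:
        i = norm.index('-t')
        if i + 1 < len(toks) and toks[i + 1].isdigit():
            delay = int(toks[i + 1])
    return ('-s' in norm or '-r' in norm), '-f' in norm, delay


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def detect(procs):
    tree = build_tree(procs)
    alerts = []
    for p in procs:
        chain = ' > '.join(f'{image_name(tree[x])}({x})' for x in ancestry(tree, p.pid))
        name = image_name(p)
        if name in CORE_SYSTEM_IMAGES and image_dir(p) != r'c:\windows\system32':
            alerts.append(Alert('masquerade', p.pid, f'{name} running from {image_dir(p)}; chain: {chain}'))
        if name == 'shutdown.exe':
            requested, forced, delay = shutdown_flags(p.cmdline)
            parent = tree.get(p.ppid)
            parent_name = image_name(parent) if parent else '?'
            if requested and forced and parent_name not in INTERACTIVE_SHELLS:
                alerts.append(Alert('forced-shutdown', p.pid,
                                    f'forced shutdown in {delay}s from {parent_name}; chain: {chain}'))
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_PROCESSES):
        print(f'[{a.rule}] pid {a.pid}: {a.detail}')
```

The masquerade rule keys on the directory, not the name, so the real winlogon.exe control is silent while the three copies in the user profile fire; the shutdown rule deliberately ignores the `-c` comment text, since the message is trivially changed between samples while the `-s -f` flag combination and a non-interactive parent are not.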
Network
MITRE ATT&CK Enterprise v15
(number = signatures mapped to the technique)
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
- Modify Registry (T1112): 8
Downloads
- Filesize: 440KB
  MD5: 6ccc87ca25005ac3733631da8bbb491c
  SHA1: dca739322c5bff1f233b44d365272747681ded8f
  SHA256: 56ec808e9603da8b5b1f4d9f8f3123d345161b641a6c3ef91271903eb6fa45fd
  SHA512: 492541d7954319303fefac7d8a94ab113da59bd98a7a8a9960ea0f41b862e0f3ae17a7ea441a3df00e8d90f57490614f42148b7f3d714b5d659fdf237824c2a2
- Filesize: 2.6MB
  MD5: 33d83c1f59622ad9aa5ffbb5906554f0
  SHA1: 5cc56f17adbd0f10c61aee85264496943c33ba5b
  SHA256: c2f16aeceee0f1429264d7633f4d87208f022730428a5ddb2fa512a033fbf73e
  SHA512: e421464139687d60f910b7263a9d41dc207072d00f67cede504d359cebe80e703dd6d8c249f96d3b8271006f0bdcbffabffc7ff6ad67c046298381e5f99d7a9c
- Filesize: 2.6MB
  MD5: 77b206eb828b146fe7bc038b70fd6f6e
  SHA1: 971569b4b1aee926debfd10928dfdd4aa379d603
  SHA256: 2184badfee75367a375544d1998de92ce29ae9db00ea1ebeffc77fa8293f0d3c
  SHA512: d7818e9cb5efce429ffe7bff67d4452ad05e7e1db4fdf649c050e1df2a2d0499c0d6a8884c241c5e16929ff831f7b1344e99269c930edb337be029a424d0ac79
- Filesize: 440KB
  MD5: d7c7220a7d75e04d2b80b90296f66e27
  SHA1: 834e708e66b76edfa10c02e45dc5fe7537e99aca
  SHA256: 7d24c2a690383eac1d4e74d165e5d312257f4310c0d56c324d83bf54b5ee6ede
  SHA512: 0322e83d5e7742951758dac9ec45d50426ddef35490bf711d57d9e90f0adb938d274c74eba2c47756cdf0b51f9f4ae4d0699f4b81bdfcf215ab729085f69d16a
- Filesize: 1KB
  MD5: 6635e047c242e6d64b2716d81095bf5f
  SHA1: 5def5300f894e58bbb0caaa94680f7735ccd248d
  SHA256: 9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
  SHA512: c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
- Filesize: 1KB
  MD5: e067dafcbe64a95f5045a281397732db
  SHA1: 1af7095f98c486ca247449980000d06b04ffc50c
  SHA256: b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
  SHA512: 1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
- Filesize: 440KB
  MD5: 5c770c8ed3ec8803999b46f39de461e1
  SHA1: d5a3bb36b19ff15c62aabd08d5b41edc36e5df56
  SHA256: f1f4e0cedeaa482e08776e7cc7cd2688c644165bdace1d21cca72caa0b70d365
  SHA512: 8e8781483a78df3f8c6cbb90d8e0a431f555f6db92bbaed81f86334647fb72fd767b870acb5508e5b7fe7045b4c0104c47c77254c2797ac05b1c159c9a3df371
- Filesize: 440KB
  MD5: 57cdac04e2173532c0da27d5eedc7696
  SHA1: 467ea92ed73eae27dd6804367880e30fd0a1707f
  SHA256: 3a5a135567133de5b072c25f77692faeae2882f8b278064ba30b138b7fd72c14
  SHA512: a19833a2978825145fa5c676b1a00b416a22849a4bd68d2d9ed23313eaa3feb7238b96a8d4848b58f4652cc03dca978cc454fbfc1a1b2335cdab9f25bd4da40e
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 440KB
  MD5: 753ee33ee2ea0de32472e90bfdb99f69
  SHA1: efe70a9b21bf17f77ceec090969cab368740aeda
  SHA256: e2a879b71802d54a059c5cb6609088ac488beda42dbd52427c429590d397a6aa
  SHA512: a94e9eefef9d28a070c1e6ed9e9b5cda08ea6639754842386e77ee691a3220b24ed532f8b466fef1cf2be2419fb5b23a38f333af5ca3b187dae94c395d9443f4
- Filesize: 440KB (the submitted sample)
  MD5: e12692f81e2dc5fcf33913cb764cd2f0
  SHA1: d063cc9c3e075df64b575d22ca52aacf8234a01c
  SHA256: b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ce
  SHA512: 073e088817ffc5391108a7699081d2e31b41902bc70cad7346873db60152b40326cd6e827af70dd53315890e5dd83c84d65b297755a44485fb05d56d8b2b0d5b
- Filesize: 93B
  MD5: 4809daf962803cad2b891b94c195d3dd
  SHA1: 707bdd28edcf5e9e288959f62d4da8823777ec12
  SHA256: 3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139
  SHA512: c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f
- Filesize: 3KB
  MD5: 5c462f1ea2917c0b502ae0761c0f60d8
  SHA1: c1d15b093b2843528544d77dc0d9d4e3b8a85297
  SHA256: 09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10
  SHA512: e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc
- Filesize: 440KB
  MD5: 39b4f47dc2e216f6dddc3d3c130548a9
  SHA1: bd60a7acf5fe2f2c542b6af57e7210dd190ecc53
  SHA256: 323fc25b6448d47d3534a1a002b489e1fe40be580acb317b5b59046633489139
  SHA512: ec9709776328c85d5c87c56d86d332bfc708f290f84586aeaf369b5f22daaae19b90fcfa45fc7b77c315799fef166816448eea28238fc53dadad642aecb394be
- Filesize: 440KB
  MD5: 190a82bf0a348b971deceeb9288c8eba
  SHA1: 08e3be439b92cac8489dc1efa57a642d2b4437bd
  SHA256: c3d1e37778fdb3f3807d9bf992e86e980444bcbb1ebc1337e5b0aaa1f788ada0
  SHA512: d8a5473ab7f4f0af393e89b67df50385ded8dfa293614ffaf7d6486121b0ec118fc1da70622718e2b3fa1c928cd6e1f1875a519db05b518f06d151acb8c545ed
- Filesize: 440KB
  MD5: ab9917aaa8df007247cd341fec4c32d4
  SHA1: b034838c18cd12bb1b565452ee14af48254ac4fc
  SHA256: 151bb23bafadf37448a571c473cd70a631c329365cf8dc9a02aae5eb16d8c1c0
  SHA512: 73ec6684f222b4138d7e3014046d7cc658e2b2ee00a251b89cfcc53574c56992a63228c1de706a179f6f5cc79fdb4b9c0306977a46564029cfa500c714640f27
- Filesize: 440KB
  MD5: 544044413dbb26629d7865b99115b1b8
  SHA1: c5b991f889787f68187b9c27a9ec54ce75bb7a7c
  SHA256: 47fa8c97b62d0aa9d92c4e55d5984bda203365ec0ec8af382411db6125a55b35
  SHA512: 68a61187d672e9846731b129bf06da6f5f61c755fc89ad0c0c539961456a43705bcde3e082378eaf926419214a973d18a1da862b50fa09add62098385c7cc7f1
- Filesize: 440KB
  MD5: e251eabb29aff37dfdc216a048faec7e
  SHA1: 523cb6ada2b1f7fce5c886179e4ff268b5196f39
  SHA256: 218af1a1c13cf60894d4f753e91e4b7e0d3ce4b051e277930d5d161a71d77a43
  SHA512: 753ace20d0882526b29039e5d5271705ef4a47efc93f156077ae4eee2d08c6e400387dab00534f1947bbf3ff2a72d2b2279f6ccaec1f6ba1aed0d2e63f4e79e6
- Filesize: 440KB
  MD5: dc3b4e59003b1a4a108778ef2995a236
  SHA1: fed9df98fcc2f033204acc969ee3652050951b0d
  SHA256: b5ecd23bb8cae9e38937fe085e158b83beec657955d2801d647d1869cdc26852
  SHA512: 30fb563b75c6bd0a03565ebfbebb9f4e211dce906617b347d28960575340f4762e6870d8fed666a446d42676ce565f1eb8d180346945cc31365d27b1df8a5d11