Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:19
- Static task: static1
- Behavioral task: behavioral1
  Sample: deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  Resource: win10v2004-20220414-en
  (The results below come from this run; platform and resource above match behavioral2.)
General
- Target: deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
- Size: 2.6MB
- MD5: b12aeed252db94f858037957b35f7997
- SHA1: 2dffcaf75338359cd039fd827556835ac9d1e212
- SHA256: deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d
- SHA512: d012897bd4beba65a8c65ede1a4679f671713f448305c9606de57265fad34a7bb523859fe2778216c82583cd0af7f3c8e0a892ece68b69a56651933c1e5db97a

Malware Config
(no configuration extracted in this report)
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs)

- Executes dropped EXE (6 IoCs)
  pid   | process
  2120  | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  556   | icsys.icn.exe
  3472  | explorer.exe
  5056  | spoolsv.exe
  4764  | svchost.exe
  4648  | spoolsv.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description       | ioc                                                              | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

- Adds Run key to start application (2 TTPs, 6 IoCs)
  description     | ioc                                                                                                                                  | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                      | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"         | explorer.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                      | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"         | svchost.exe
  Both persistence values are written under the WOW6432Node (32-bit) view of HKLM and point at the dropped copies under C:\Windows\Resources, not at the genuine binaries.

- Drops file in System32 directory (2 IoCs)
  description                 | ioc                             | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
  (The "explorer.exe" and "svchost.exe" here are the dropped copies from C:\Windows\Resources, opening the genuine 32-bit explorer.exe for modification.)

- Drops file in Windows directory (5 IoCs)
  description                 | ioc                                        | process
  File opened for modification | \??\c:\windows\resources\svchost.exe        | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe              | explorer.exe
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe  | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe        | explorer.exe

- Program crash (1 IoC)
  pid   | pid_target | process     | target process
  2184  | 2120       | WerFault.exe | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   | process
  1084  | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe (repeated entries)
  556   | icsys.icn.exe (repeated entries)
  The report lists 64 entries in total, all attributed to these two processes.

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   | process
  3472  | explorer.exe
  4764  | svchost.exe

- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   | process                                                              | entries
  1084  | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe | 2
  556   | icsys.icn.exe                                                        | 2
  3472  | explorer.exe                                                         | 2
  5056  | spoolsv.exe                                                          | 2
  4764  | svchost.exe                                                          | 2
  4648  | spoolsv.exe                                                          | 2

- Suspicious use of WriteProcessMemory (17 IoCs)
  source pid | source process                                                       | target pid | target process                                                       | entries
  1084       | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe | 2120       | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe | 2
  1084       | deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe | 556        | icsys.icn.exe                                                        | 3
  556        | icsys.icn.exe                                                        | 3472       | explorer.exe                                                         | 3
  3472       | explorer.exe                                                         | 5056       | spoolsv.exe                                                          | 3
  5056       | spoolsv.exe                                                          | 4764       | svchost.exe                                                          | 3
  4764       | svchost.exe                                                          | 4648       | spoolsv.exe                                                          | 3
  Each parent writes into the child it has just launched. The first row is the sample (pid 1084) writing into a second copy of itself (pid 2120); that copy is the process that performs the BIOS registry check and later crashes (WerFault -p 2120).
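As an added illustration of what sits behind the "Checks BIOS information in registry" signature (example code, not logic recovered from this sample): the sample reads SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System, and anti-sandbox code typically does nothing more than look for hypervisor vendor substrings in those REG_MULTI_SZ values. The marker list and the two registry value sets below are constructed assumptions, not captured from real guests; read_live_values() is included so the same two values can be pulled from a Windows sandbox image to see exactly what the sample would have seen there.

```python
"""BIOS-string sandbox check, re-created as an added example around the two
registry reads in this report. Constructed data; not code from the sample."""
import sys
from typing import Optional

# The two values the sample queried (paths as shown in the report).
SYSTEM_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"

# Substrings that public anti-VM checks look for in these values.
# Assumption: this list is illustrative and is not taken from this sample.
VM_MARKERS = {
    "VirtualBox": ("VBOX", "VIRTUALBOX"),
    "VMware": ("VMWARE",),
    "QEMU": ("QEMU", "BOCHS"),
}


def vendor_for(strings) -> Optional[str]:
    """Return the hypervisor hinted at by one REG_MULTI_SZ value, else None."""
    haystack = " ".join(strings).upper()
    for vendor, markers in VM_MARKERS.items():
        if any(marker in haystack for marker in markers):
            return vendor
    return None


def check_bios_strings(values: dict) -> list:
    """values maps a registry value path to its list of strings (REG_MULTI_SZ).
    Returns [(value_path, vendor)] for every value that carries a VM marker."""
    hits = []
    for path, strings in values.items():
        vendor = vendor_for(strings)
        if vendor:
            hits.append((path, vendor))
    return hits


def looks_like_sandbox(values: dict) -> bool:
    """The verdict an evasion routine reaches: any hit means 'do not detonate'."""
    return bool(check_bios_strings(values))


def read_live_values() -> dict:
    """Read the same two values from the local machine (Windows only), so an
    analyst can compare a sandbox image against the markers above."""
    if sys.platform != "win32":
        raise OSError("registry access needs Windows")
    import winreg  # imported lazily so the module also loads on non-Windows hosts

    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System")
    out = {}
    for path, name in ((SYSTEM_BIOS, "SystemBiosVersion"), (VIDEO_BIOS, "VideoBiosVersion")):
        data, _kind = winreg.QueryValueEx(key, name)
        out[path] = list(data) if isinstance(data, list) else [str(data)]
    return out


# Constructed value sets (assumptions, not captured from real guests).
SAMPLE_HOSTS = {
    "virtualbox-guest": {
        SYSTEM_BIOS: ["VBOX   - 1"],
        VIDEO_BIOS: ["Oracle VM VirtualBox Version 6.1.30 VGA BIOS"],
    },
    "bare-metal": {
        SYSTEM_BIOS: ["DELL   - 1072009", "1.18.0"],
        VIDEO_BIOS: ["Intel Video BIOS"],
    },
}

if __name__ == "__main__":
    for host, values in SAMPLE_HOSTS.items():
        print(host, "->", check_bios_strings(values) or "no VM marker")
```

Registry reads are not recorded by Sysmon (its registry events cover key create/delete, value set and rename), so this is a check for hardening the detonation image rather than a detection rule; on this image the chain continued past the query. If the read itself must be logged, a SACL on HARDWARE\DESCRIPTION\System with object-access auditing (event 4663) is one native option.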
Processes

C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe  (pid 1084)
  command line: "C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe  (pid 2120)
    command line: c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
    - Executes dropped EXE
    - Checks BIOS information in registry

    C:\Windows\system32\WerFault.exe  (pid 2184)
      command line: C:\Windows\system32\WerFault.exe -u -p 2120 -s 856
      - Program crash

  C:\Windows\Resources\Themes\icsys.icn.exe  (pid 556)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe  (pid 3472)
      command line: c:\windows\resources\themes\explorer.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe  (pid 5056)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe  (pid 4764)
          command line: c:\windows\resources\svchost.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe  (pid 4648)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 440 -p 2120 -ip 2120

(PIDs are taken from the signature tables above; indentation shows parent/child depth.)
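The process tree above and the RunOnce values in the Signatures section show one pattern: binaries named explorer.exe, svchost.exe and spoolsv.exe running from C:\Windows\Resources and C:\Windows\Resources\Themes, and RunOnce values pointing back at those copies. The following added example (not from the report or the sample) turns that into a triage check over Sysmon-style process-creation and registry-value-set records. The records are constructed from this report plus one benign control process and one benign Run value; the allow-list of genuine locations for each system binary name is an assumption that needs tuning per Windows build (WinSxS copies, for instance) before production use.

```python
"""Masquerading and Run/RunOnce persistence triage over Sysmon-style events.
Added example built around the process chain in this report; the EVENTS list is
constructed, not a Sysmon export, and EXPECTED_DIRS is an assumption."""
import ntpath

# Assumption: where the genuine binaries live on 64-bit Windows 10.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

SAMPLE = "deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed records mirroring the report's tree, plus two benign controls.
EVENTS = [
    {"type": "process", "pid": 1084, "ppid": 0, "image": TEMP + "\\" + SAMPLE},
    {"type": "process", "pid": 2120, "ppid": 1084, "image": r"\??\c:\users\admin\appdata\local\temp" + "\\" + SAMPLE},
    {"type": "process", "pid": 556, "ppid": 1084, "image": r"C:\Windows\Resources\Themes\icsys.icn.exe"},
    {"type": "process", "pid": 3472, "ppid": 556, "image": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "pid": 5056, "ppid": 3472, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"type": "process", "pid": 4764, "ppid": 5056, "image": r"\??\c:\windows\resources\svchost.exe"},
    {"type": "process", "pid": 4648, "ppid": 4764, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"type": "process", "pid": 4000, "ppid": 0, "image": r"C:\Windows\explorer.exe"},  # benign control
    {"type": "registry", "pid": 3472, "target": RUNONCE + r"\Explorer",
     "details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "registry", "pid": 3472, "target": RUNONCE + r"\Svchost",
     "details": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry", "pid": 4000,  # benign control (constructed SID)
     "target": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def normalize(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix the report shows."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def is_masquerading(image: str) -> bool:
    """True when a well-known system binary name runs outside its real home."""
    image = normalize(image)
    allowed = EXPECTED_DIRS.get(ntpath.basename(image))
    return allowed is not None and ntpath.dirname(image) not in allowed


def exe_from_command(cmd: str) -> str:
    """First token of a command line: a quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def is_run_key(target: str) -> bool:
    """Matches both Run and RunOnce under any hive or WOW6432Node view."""
    t = target.lower()
    return "\\currentversion\\run\\" in t or "\\currentversion\\runonce\\" in t


def ancestry(events, pid: int) -> list:
    """Image basenames from the root process down to pid."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(normalize(by_pid[pid]["image"])))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def findings(events) -> list:
    """One (kind, pid, detail) tuple per masquerading process or persistence value."""
    out = []
    for e in events:
        if e["type"] == "process" and is_masquerading(e["image"]):
            out.append(("masquerade", e["pid"], " > ".join(ancestry(events, e["pid"]))))
        elif e["type"] == "registry" and is_run_key(e["target"]):
            exe = exe_from_command(e["details"])
            if is_masquerading(exe):
                out.append(("persistence", e["pid"], e["target"] + " -> " + exe))
    return out


if __name__ == "__main__":
    for kind, pid, detail in findings(EVENTS):
        print(f"{kind:12} pid={pid:<5} {detail}")
```

Note what the check does not catch: icsys.icn.exe is not flagged because its name matches no system binary, so the chain is only visible through its children; a rule built on this should also surface any process whose parent/child pair includes a flagged image, which ancestry() provides.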
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  Filesize: 2.5MB
  MD5: 5a4dd8a44bbef9445e749826b3168667
  SHA1: 6d5e73a99449214f13d8c8a496b14f6c03110d08
  SHA256: c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3
  SHA512: 5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1
  (Size and hashes differ from the submitted 2.6MB sample in the General section, so the content at the sample's own path is not the same file that was submitted.)

- C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: 8bb7d94bf62dcc4d775376577ad2cce0
  SHA1: a9217ed2d5b26745f36349e983c51fdc4725d0bb
  SHA256: dbb9fb249cef988795211bd3c6f90197100f128e8b6892cf0e735412f5b39298
  SHA512: e4d1ca9df81d7c67fd915247855a96ac80cdcb4b2edf41b6c3312c3e508c28a7e8b76a49cf710d2493668277b1bd06b4d75e3eef951a71f516a7d2cdd4f23344

- C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 62f0894675df2c1cae6ce7f5ff18c293
  SHA1: 732019678b70d04996917130a013d1ac85f7149d
  SHA256: 13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f
  SHA512: f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3
- C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: d0a1b5fb979b6a92959def605ecba8b0
  SHA1: ff9558c52ce4de861ed8965e31ca2909f4c09266
  SHA256: 9e2072452669ce73d795161951b0cd2248fde9e110a72c2aeee0a9f1a570963e
  SHA512: 0d98cb533f6429e9a33fd9f50e4b541f50ff2f72c29abc628c055f22e1aeb53cd133d7594c775ee5c5887fc9f730bf038da22a332aa14b732e77aff084847234
- C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 8f995bfa3f23b8b2dc1df10a78499c2f
  SHA1: c38b2e9e908e8d8f1d559df653c6cfd603c37747
  SHA256: e66fed260ffad30079cba189c587bcfece8072697675e3322c8d54002cceeac1
  SHA512: 756c0683efa7c789f04b1b434af5ace02087d8f3d2e69e805b98a8cb237e2361d684b2cd4b1861503f6c759984260d7756a662f51864c7f7324d0d5bbc6b6ca2

- \??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
  Filesize: 2.5MB
  MD5: 5a4dd8a44bbef9445e749826b3168667
  SHA1: 6d5e73a99449214f13d8c8a496b14f6c03110d08
  SHA256: c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3
  SHA512: 5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

- \??\c:\windows\resources\spoolsv.exe
  Filesize: 135KB
  MD5: d0a1b5fb979b6a92959def605ecba8b0
  SHA1: ff9558c52ce4de861ed8965e31ca2909f4c09266
  SHA256: 9e2072452669ce73d795161951b0cd2248fde9e110a72c2aeee0a9f1a570963e
  SHA512: 0d98cb533f6429e9a33fd9f50e4b541f50ff2f72c29abc628c055f22e1aeb53cd133d7594c775ee5c5887fc9f730bf038da22a332aa14b732e77aff084847234

- \??\c:\windows\resources\svchost.exe
  Filesize: 135KB
  MD5: 8f995bfa3f23b8b2dc1df10a78499c2f
  SHA1: c38b2e9e908e8d8f1d559df653c6cfd603c37747
  SHA256: e66fed260ffad30079cba189c587bcfece8072697675e3322c8d54002cceeac1
  SHA512: 756c0683efa7c789f04b1b434af5ace02087d8f3d2e69e805b98a8cb237e2361d684b2cd4b1861503f6c759984260d7756a662f51864c7f7324d0d5bbc6b6ca2

- \??\c:\windows\resources\themes\explorer.exe
  Filesize: 135KB
  MD5: 8bb7d94bf62dcc4d775376577ad2cce0
  SHA1: a9217ed2d5b26745f36349e983c51fdc4725d0bb
  SHA256: dbb9fb249cef988795211bd3c6f90197100f128e8b6892cf0e735412f5b39298
  SHA512: e4d1ca9df81d7c67fd915247855a96ac80cdcb4b2edf41b6c3312c3e508c28a7e8b76a49cf710d2493668277b1bd06b4d75e3eef951a71f516a7d2cdd4f23344

(Each dropped file is listed twice, once by its Win32 path and once by the NT object path the process used; the hashes are identical in both entries. All four dropped executables are 135KB, each with a distinct hash.)
- memory/556-136-0x0000000000000000-mapping.dmp
- memory/556-167-0x0000000000400000-0x000000000041F000-memory.dmp  (Filesize: 124KB)
- memory/1084-168-0x0000000000400000-0x000000000041F000-memory.dmp  (Filesize: 124KB)
- memory/2120-133-0x0000000000000000-mapping.dmp
- memory/3472-142-0x0000000000000000-mapping.dmp
- memory/3472-169-0x0000000000400000-0x000000000041F000-memory.dmp  (Filesize: 124KB)
- memory/4648-165-0x0000000000400000-0x000000000041F000-memory.dmp  (Filesize: 124KB)
- memory/4648-160-0x0000000000000000-mapping.dmp
- memory/4764-154-0x0000000000000000-mapping.dmp
- memory/5056-166-0x0000000000400000-0x000000000041F000-memory.dmp  (Filesize: 124KB)
- memory/5056-148-0x0000000000000000-mapping.dmp