deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Size

2.6MB
MD5

b12aeed252db94f858037957b35f7997
SHA1

2dffcaf75338359cd039fd827556835ac9d1e212
SHA256

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d
SHA512

d012897bd4beba65a8c65ede1a4679f671713f448305c9606de57265fad34a7bb523859fe2778216c82583cd0af7f3c8e0a892ece68b69a56651933c1e5db97a

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2120	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
556	icsys.icn.exe
3472	explorer.exe
5056	spoolsv.exe
4764	svchost.exe
4648	spoolsv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exeexplorer.exedeb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2184 2120 WerFault.exe deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

pid	pid_target	process	target process
2184	2120	WerFault.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exe

pid	process
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe
556	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3472 explorer.exe
4764 svchost.exe

pid	process
3472	explorer.exe
4764	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
556	icsys.icn.exe
556	icsys.icn.exe
3472	explorer.exe
3472	explorer.exe
5056	spoolsv.exe
5056	spoolsv.exe
4764	svchost.exe
4764	svchost.exe
4648	spoolsv.exe
4648	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1084 wrote to memory of 2120	1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1084 wrote to memory of 2120	1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1084 wrote to memory of 556	1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1084 wrote to memory of 556	1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1084 wrote to memory of 556	1084	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 556 wrote to memory of 3472	556	icsys.icn.exe	explorer.exe
PID 556 wrote to memory of 3472	556	icsys.icn.exe	explorer.exe
PID 556 wrote to memory of 3472	556	icsys.icn.exe	explorer.exe
PID 3472 wrote to memory of 5056	3472	explorer.exe	spoolsv.exe
PID 3472 wrote to memory of 5056	3472	explorer.exe	spoolsv.exe
PID 3472 wrote to memory of 5056	3472	explorer.exe	spoolsv.exe
PID 5056 wrote to memory of 4764	5056	spoolsv.exe	svchost.exe
PID 5056 wrote to memory of 4764	5056	spoolsv.exe	svchost.exe
PID 5056 wrote to memory of 4764	5056	spoolsv.exe	svchost.exe
PID 4764 wrote to memory of 4648	4764	svchost.exe	spoolsv.exe
PID 4764 wrote to memory of 4648	4764	svchost.exe	spoolsv.exe
PID 4764 wrote to memory of 4648	4764	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
"C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

\??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
PID:2120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2120 -s 856
3⤵
- Program crash
PID:2184

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2120 -ip 2120
1⤵
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
8bb7d94bf62dcc4d775376577ad2cce0

SHA1
a9217ed2d5b26745f36349e983c51fdc4725d0bb

SHA256
dbb9fb249cef988795211bd3c6f90197100f128e8b6892cf0e735412f5b39298

SHA512
e4d1ca9df81d7c67fd915247855a96ac80cdcb4b2edf41b6c3312c3e508c28a7e8b76a49cf710d2493668277b1bd06b4d75e3eef951a71f516a7d2cdd4f23344

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
62f0894675df2c1cae6ce7f5ff18c293

SHA1
732019678b70d04996917130a013d1ac85f7149d

SHA256
13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f

SHA512
f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
62f0894675df2c1cae6ce7f5ff18c293

SHA1
732019678b70d04996917130a013d1ac85f7149d

SHA256
13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f

SHA512
f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
d0a1b5fb979b6a92959def605ecba8b0

SHA1
ff9558c52ce4de861ed8965e31ca2909f4c09266

SHA256
9e2072452669ce73d795161951b0cd2248fde9e110a72c2aeee0a9f1a570963e

SHA512
0d98cb533f6429e9a33fd9f50e4b541f50ff2f72c29abc628c055f22e1aeb53cd133d7594c775ee5c5887fc9f730bf038da22a332aa14b732e77aff084847234

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
d0a1b5fb979b6a92959def605ecba8b0

SHA1
ff9558c52ce4de861ed8965e31ca2909f4c09266

SHA256
9e2072452669ce73d795161951b0cd2248fde9e110a72c2aeee0a9f1a570963e

SHA512
0d98cb533f6429e9a33fd9f50e4b541f50ff2f72c29abc628c055f22e1aeb53cd133d7594c775ee5c5887fc9f730bf038da22a332aa14b732e77aff084847234

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
8f995bfa3f23b8b2dc1df10a78499c2f

SHA1
c38b2e9e908e8d8f1d559df653c6cfd603c37747

SHA256
e66fed260ffad30079cba189c587bcfece8072697675e3322c8d54002cceeac1

SHA512
756c0683efa7c789f04b1b434af5ace02087d8f3d2e69e805b98a8cb237e2361d684b2cd4b1861503f6c759984260d7756a662f51864c7f7324d0d5bbc6b6ca2

Download Submit
\??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
d0a1b5fb979b6a92959def605ecba8b0

SHA1
ff9558c52ce4de861ed8965e31ca2909f4c09266

SHA256
9e2072452669ce73d795161951b0cd2248fde9e110a72c2aeee0a9f1a570963e

SHA512
0d98cb533f6429e9a33fd9f50e4b541f50ff2f72c29abc628c055f22e1aeb53cd133d7594c775ee5c5887fc9f730bf038da22a332aa14b732e77aff084847234

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
8f995bfa3f23b8b2dc1df10a78499c2f

SHA1
c38b2e9e908e8d8f1d559df653c6cfd603c37747

SHA256
e66fed260ffad30079cba189c587bcfece8072697675e3322c8d54002cceeac1

SHA512
756c0683efa7c789f04b1b434af5ace02087d8f3d2e69e805b98a8cb237e2361d684b2cd4b1861503f6c759984260d7756a662f51864c7f7324d0d5bbc6b6ca2

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
8bb7d94bf62dcc4d775376577ad2cce0

SHA1
a9217ed2d5b26745f36349e983c51fdc4725d0bb

SHA256
dbb9fb249cef988795211bd3c6f90197100f128e8b6892cf0e735412f5b39298

SHA512
e4d1ca9df81d7c67fd915247855a96ac80cdcb4b2edf41b6c3312c3e508c28a7e8b76a49cf710d2493668277b1bd06b4d75e3eef951a71f516a7d2cdd4f23344

Download Submit
memory/556-136-0x0000000000000000-mapping.dmp

Download
memory/556-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1084-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2120-133-0x0000000000000000-mapping.dmp

Download
memory/3472-142-0x0000000000000000-mapping.dmp

Download
memory/3472-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4648-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4648-160-0x0000000000000000-mapping.dmp

Download
memory/4764-154-0x0000000000000000-mapping.dmp

Download
memory/5056-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-148-0x0000000000000000-mapping.dmp

Download