49dc6ce2205d41add463a360510abe01658f9b80cba062746c56f3328a996d49

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
01/07/2023, 12:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2pKPn8W8KA.exe
Size

10.3MB
MD5

050f6c582f98b5f1a5ea694d0f954b84
SHA1

c7e8b387bd37441f810e234b198bdfa0313e918b
SHA256

49dc6ce2205d41add463a360510abe01658f9b80cba062746c56f3328a996d49
SHA512

868a80bf8ff0f505d65c48aa40ac81e692bfcf5cccb118dea0350c0af3120bac8ff7d534ae02f744a51ba05aac7695ade703c85f02c248c3814416545ade963f
SSDEEP

196608:mk0m8ebS5PHmjvlnNXwLrtrP3Ur6ufqBj9VH3ZU40:mk0m8ebWPH6xwLrtD32vqB0

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2pkpn8w8ka.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2pkpn8w8ka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2pkpn8w8ka.exe

Executes dropped EXE 6 IoCs

pid	Process
4112	2pkpn8w8ka.exe
532	icsys.icn.exe
4680	explorer.exe
988	spoolsv.exe
2912	svchost.exe
1384	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2pkpn8w8ka.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4112	2pkpn8w8ka.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2pKPn8W8KA.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe
532	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4680	explorer.exe
2912	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	2pkpn8w8ka.exe
Token: SeDebugPrivilege	4112	2pkpn8w8ka.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5004	2pKPn8W8KA.exe
5004	2pKPn8W8KA.exe
532	icsys.icn.exe
532	icsys.icn.exe
4680	explorer.exe
4680	explorer.exe
988	spoolsv.exe
988	spoolsv.exe
2912	svchost.exe
2912	svchost.exe
1384	spoolsv.exe
1384	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4112	5004	2pKPn8W8KA.exe	66
PID 5004 wrote to memory of 4112	5004	2pKPn8W8KA.exe	66
PID 5004 wrote to memory of 532	5004	2pKPn8W8KA.exe	68
PID 5004 wrote to memory of 532	5004	2pKPn8W8KA.exe	68
PID 5004 wrote to memory of 532	5004	2pKPn8W8KA.exe	68
PID 532 wrote to memory of 4680	532	icsys.icn.exe	69
PID 532 wrote to memory of 4680	532	icsys.icn.exe	69
PID 532 wrote to memory of 4680	532	icsys.icn.exe	69
PID 4680 wrote to memory of 988	4680	explorer.exe	70
PID 4680 wrote to memory of 988	4680	explorer.exe	70
PID 4680 wrote to memory of 988	4680	explorer.exe	70
PID 988 wrote to memory of 2912	988	spoolsv.exe	71
PID 988 wrote to memory of 2912	988	spoolsv.exe	71
PID 988 wrote to memory of 2912	988	spoolsv.exe	71
PID 2912 wrote to memory of 1384	2912	svchost.exe	72
PID 2912 wrote to memory of 1384	2912	svchost.exe	72
PID 2912 wrote to memory of 1384	2912	svchost.exe	72

C:\Users\Admin\AppData\Local\Temp\2pKPn8W8KA.exe
"C:\Users\Admin\AppData\Local\Temp\2pKPn8W8KA.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
- \??\c:\users\admin\appdata\local\temp\2pkpn8w8ka.exe
  c:\users\admin\appdata\local\temp\2pkpn8w8ka.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:532
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:988
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2pkpn8w8ka.exe

Filesize
10.2MB

MD5
77a2bf6e8153502ff8b2c5e6cfe2020d

SHA1
b2c3a5aa1172137113185deabbaf18a1150fd365

SHA256
7cef10a5bd4232b27df8e1b648b37ecfd5efcc7d35f674827ef5b45abc01f595

SHA512
3ea780b1f784caf466083cc660a74ff971643b391c10b8d8d82eefaa9c8fde72999f64b7f17ab1d8b249098b71a52912941fbd9f3a9a0dc04bb9431136492d25

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
92dbfeeebde8aa95e3a56c53a61583ee

SHA1
2061c43cee0d7d163ac8c3c5db36dc7d19095fcb

SHA256
0a324534e85b21f85c01779ef30163230e013cea04d594716145f010182872fc

SHA512
b9be4d64334edb6c79fbeba66b075c2c168ab718efbca1b5c04baa826708919002560ba31d97ae2956418ce11e8a7a127fea5c9292b1364acdb78f9fdb7e8b79

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
92dbfeeebde8aa95e3a56c53a61583ee

SHA1
2061c43cee0d7d163ac8c3c5db36dc7d19095fcb

SHA256
0a324534e85b21f85c01779ef30163230e013cea04d594716145f010182872fc

SHA512
b9be4d64334edb6c79fbeba66b075c2c168ab718efbca1b5c04baa826708919002560ba31d97ae2956418ce11e8a7a127fea5c9292b1364acdb78f9fdb7e8b79

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
cccd7148a8d529a77f4e7ae5599b7fad

SHA1
6bd75fe9266cafd429d2eb77a860fd24e29681ee

SHA256
41f83b73b9c418d744cde618e4cab7fa7d7212ef5b5465d82925260a3a71d1db

SHA512
428c5c64fdf15e32c5739ef473e59cec517aa995986f480df736e0ddb5d2191f8a0c51f839bf5f7387fbebeadc82cdaa4e3cd366e70af5e5e3ace3633e4889c8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
cccd7148a8d529a77f4e7ae5599b7fad

SHA1
6bd75fe9266cafd429d2eb77a860fd24e29681ee

SHA256
41f83b73b9c418d744cde618e4cab7fa7d7212ef5b5465d82925260a3a71d1db

SHA512
428c5c64fdf15e32c5739ef473e59cec517aa995986f480df736e0ddb5d2191f8a0c51f839bf5f7387fbebeadc82cdaa4e3cd366e70af5e5e3ace3633e4889c8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7febf336099c0647b20be3b49a97aa7e

SHA1
92dc71d259029f153091c42bda0c4527af1df0af

SHA256
ed2a67957b1d3cf5f94610ff35d0d14de4c86c7c7f32b04721e43875f52e1ef4

SHA512
ca09ae904f1c2affaae08ba013c2d0c02be512345b9e9316c03cfa54a0ea4e2c30e83027c9ea17fef8b35700405aed56a39dc6c4524b62e4dd23017c31734928

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7febf336099c0647b20be3b49a97aa7e

SHA1
92dc71d259029f153091c42bda0c4527af1df0af

SHA256
ed2a67957b1d3cf5f94610ff35d0d14de4c86c7c7f32b04721e43875f52e1ef4

SHA512
ca09ae904f1c2affaae08ba013c2d0c02be512345b9e9316c03cfa54a0ea4e2c30e83027c9ea17fef8b35700405aed56a39dc6c4524b62e4dd23017c31734928

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
384055eab50b2a2c1325628875028c13

SHA1
bb8eeb25cb6e605dab78b9ce2d38baabc7eedf76

SHA256
8d85e434b6b6001e327a07b84dc3b288a189656ae6b8127ae8b2725f8dca2044

SHA512
5dfb2f7f5ec3dd08044e155f84d57f3e5ed8ee1e54efaa8142bc7bd4905d2985be9d6c39b8e28dc2abf9c146ec5063b49002a24f2a5ce5dc40d227d0179cf126

Download Submit
\??\c:\users\admin\appdata\local\temp\2pkpn8w8ka.exe

Filesize
10.2MB

MD5
77a2bf6e8153502ff8b2c5e6cfe2020d

SHA1
b2c3a5aa1172137113185deabbaf18a1150fd365

SHA256
7cef10a5bd4232b27df8e1b648b37ecfd5efcc7d35f674827ef5b45abc01f595

SHA512
3ea780b1f784caf466083cc660a74ff971643b391c10b8d8d82eefaa9c8fde72999f64b7f17ab1d8b249098b71a52912941fbd9f3a9a0dc04bb9431136492d25

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
7febf336099c0647b20be3b49a97aa7e

SHA1
92dc71d259029f153091c42bda0c4527af1df0af

SHA256
ed2a67957b1d3cf5f94610ff35d0d14de4c86c7c7f32b04721e43875f52e1ef4

SHA512
ca09ae904f1c2affaae08ba013c2d0c02be512345b9e9316c03cfa54a0ea4e2c30e83027c9ea17fef8b35700405aed56a39dc6c4524b62e4dd23017c31734928

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
384055eab50b2a2c1325628875028c13

SHA1
bb8eeb25cb6e605dab78b9ce2d38baabc7eedf76

SHA256
8d85e434b6b6001e327a07b84dc3b288a189656ae6b8127ae8b2725f8dca2044

SHA512
5dfb2f7f5ec3dd08044e155f84d57f3e5ed8ee1e54efaa8142bc7bd4905d2985be9d6c39b8e28dc2abf9c146ec5063b49002a24f2a5ce5dc40d227d0179cf126

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
92dbfeeebde8aa95e3a56c53a61583ee

SHA1
2061c43cee0d7d163ac8c3c5db36dc7d19095fcb

SHA256
0a324534e85b21f85c01779ef30163230e013cea04d594716145f010182872fc

SHA512
b9be4d64334edb6c79fbeba66b075c2c168ab718efbca1b5c04baa826708919002560ba31d97ae2956418ce11e8a7a127fea5c9292b1364acdb78f9fdb7e8b79

Download Submit
memory/532-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/532-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/988-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2912-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4112-127-0x00007FF60C080000-0x00007FF60D394000-memory.dmp

Filesize
19.1MB

Download
memory/4112-126-0x00007FF60C080000-0x00007FF60D394000-memory.dmp

Filesize
19.1MB

Download
memory/4112-128-0x00007FF60C080000-0x00007FF60D394000-memory.dmp

Filesize
19.1MB

Download
memory/4112-129-0x00007FF60C080000-0x00007FF60D394000-memory.dmp

Filesize
19.1MB

Download
memory/4112-130-0x00007FF60C080000-0x00007FF60D394000-memory.dmp

Filesize
19.1MB

Download
memory/4680-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download