3adf1083a226edbed5f1cec20e6b8b0949f860133f8f0e06a8e8556333d8e460

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 17:43

Target

de962cd58ac94f3b0aab60677684fddd.exe
Size

745KB
MD5

de962cd58ac94f3b0aab60677684fddd
SHA1

8d025019829cf199abf2c67360257640f2b1c8d8
SHA256

3adf1083a226edbed5f1cec20e6b8b0949f860133f8f0e06a8e8556333d8e460
SHA512

be7aadad139c47e85458650c0a7817193a1c6a9f379f80de063f9aa0327cbb0ecc0bbcb58f5216ca7d8a70c417301bad8c93a2194d2e71054019cef5081cda7a
SSDEEP

12288:xeghj4TGsJnHRsUHVKADrVkP+xnXOBI+AM06MMnMMMMMw1H:xd0GWn2UHV9/VkP+x6IS06MMnMMMMM2H

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2828	de962cd58ac94f3b0aab60677684fddd.exe
2936	icsys.icn.exe

Loads dropped DLL 4 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2828	2788	de962cd58ac94f3b0aab60677684fddd.exe	28
PID 2788 wrote to memory of 2828	2788	de962cd58ac94f3b0aab60677684fddd.exe	28
PID 2788 wrote to memory of 2828	2788	de962cd58ac94f3b0aab60677684fddd.exe	28
PID 2788 wrote to memory of 2828	2788	de962cd58ac94f3b0aab60677684fddd.exe	28
PID 2788 wrote to memory of 2936	2788	de962cd58ac94f3b0aab60677684fddd.exe	29
PID 2788 wrote to memory of 2936	2788	de962cd58ac94f3b0aab60677684fddd.exe	29
PID 2788 wrote to memory of 2936	2788	de962cd58ac94f3b0aab60677684fddd.exe	29
PID 2788 wrote to memory of 2936	2788	de962cd58ac94f3b0aab60677684fddd.exe	29
PID 2936 wrote to memory of 2376	2936	icsys.icn.exe	30
PID 2936 wrote to memory of 2376	2936	icsys.icn.exe	30
PID 2936 wrote to memory of 2376	2936	icsys.icn.exe	30
PID 2936 wrote to memory of 2376	2936	icsys.icn.exe	30

C:\Users\Admin\AppData\Local\Temp\de962cd58ac94f3b0aab60677684fddd.exe
"C:\Users\Admin\AppData\Local\Temp\de962cd58ac94f3b0aab60677684fddd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- \??\c:\users\admin\appdata\local\temp\de962cd58ac94f3b0aab60677684fddd.exe
  c:\users\admin\appdata\local\temp\de962cd58ac94f3b0aab60677684fddd.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - \??\c:\windows\SysWOW64\explorer.exe
    c:\windows\system32\explorer.exe
    3⤵
    PID:2376

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\de962cd58ac94f3b0aab60677684fddd.exe

Filesize
206KB

MD5
200ea506b86f7e9e6c37820d2bb5f39b

SHA1
76249dc9e4b5e862b6d1877fc98bf0cea38ff4be

SHA256
0291e9f571e4fe3cae9ecac8c5268b127e8e252cdc6ca3140c74ec0b042ec2d0

SHA512
893cb644caa6f9ed80fb4e51bed020c6e6d4bc9b3019e15f7f869eb7e3361cc0c18761c8e53e1e8f332bf5062293957f662020349b43f584660695105e3099b9

Download Submit
\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
539KB

MD5
bb3b6e12ff0e74cd7edbfa43ad317aba

SHA1
7fb70a418333b558d5e12ba6422af56a37f94beb

SHA256
86902c881c3932fafb556584b3ccc489505954e60ef47bbdd43a07a61ea57301

SHA512
ae36c834fb7c8f8cee4be21307ac4393271b224c01e3c3238b63cb352fc4472d345cdf49b6ed9bb46871ce056df11099552fdc80cc32430570a7bdd5ce8f6599

Download Submit