7aef3228929bccd0715778c0eae7948f2fa233c5720d3b941e9dac152043a9ff

General

Target

TempSpoofer.exe
Size

625KB
MD5

e6b6c975e5b591288cc32e5459e823d8
SHA1

d234a345f28aa66adf2357b9a3253b12b204ed46
SHA256

7aef3228929bccd0715778c0eae7948f2fa233c5720d3b941e9dac152043a9ff
SHA512

203f4efb422c5fd6dbe5e4cb00cbee5e13920699d638fafc0d77b9d8be20b10213d3dc55d1c074e74c1f1b7d5089df7cf07ea4feb23e971d531e0d9563626f11
SSDEEP

12288:PFUNDakMcWUUysz/NhKjJPhM4/5bV/rvgE3:PFOakMcUDz/NEjlzxbVDvb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

tempspoofer.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2000 tempspoofer.exe
1764 icsys.icn.exe
2592 explorer.exe
2236 spoolsv.exe
2480 svchost.exe
2504 spoolsv.exe

pid	process
2000	tempspoofer.exe
1764	icsys.icn.exe
2592	explorer.exe
2236	spoolsv.exe
2480	svchost.exe
2504	spoolsv.exe

Loads dropped DLL 10 IoCs

Processes:

TempSpoofer.exeicsys.icn.exeWerFault.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1764	icsys.icn.exe
2856	WerFault.exe
2856	WerFault.exe
2592	explorer.exe
2236	spoolsv.exe
2856	WerFault.exe
2480	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

TempSpoofer.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	TempSpoofer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2856 2000 WerFault.exe tempspoofer.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2800 schtasks.exe
2708 schtasks.exe
2040 schtasks.exe

pid	pid_target	process	target process
2856	2000	WerFault.exe	tempspoofer.exe

pid	process
2800	schtasks.exe
2708	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TempSpoofer.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2592 explorer.exe
2480 svchost.exe

pid	process
2592	explorer.exe
2480	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

TempSpoofer.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1176	TempSpoofer.exe
1176	TempSpoofer.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
2592	explorer.exe
2592	explorer.exe
2236	spoolsv.exe
2236	spoolsv.exe
2480	svchost.exe
2480	svchost.exe
2504	spoolsv.exe
2504	spoolsv.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

TempSpoofer.exeicsys.icn.exetempspoofer.exe explorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1176 wrote to memory of 2000	1176	TempSpoofer.exe	tempspoofer.exe
PID 1176 wrote to memory of 2000	1176	TempSpoofer.exe	tempspoofer.exe
PID 1176 wrote to memory of 2000	1176	TempSpoofer.exe	tempspoofer.exe
PID 1176 wrote to memory of 2000	1176	TempSpoofer.exe	tempspoofer.exe
PID 1176 wrote to memory of 1764	1176	TempSpoofer.exe	icsys.icn.exe
PID 1176 wrote to memory of 1764	1176	TempSpoofer.exe	icsys.icn.exe
PID 1176 wrote to memory of 1764	1176	TempSpoofer.exe	icsys.icn.exe
PID 1176 wrote to memory of 1764	1176	TempSpoofer.exe	icsys.icn.exe
PID 1764 wrote to memory of 2592	1764	icsys.icn.exe	explorer.exe
PID 1764 wrote to memory of 2592	1764	icsys.icn.exe	explorer.exe
PID 1764 wrote to memory of 2592	1764	icsys.icn.exe	explorer.exe
PID 1764 wrote to memory of 2592	1764	icsys.icn.exe	explorer.exe
PID 2000 wrote to memory of 2856	2000	tempspoofer.exe	WerFault.exe
PID 2000 wrote to memory of 2856	2000	tempspoofer.exe	WerFault.exe
PID 2000 wrote to memory of 2856	2000	tempspoofer.exe	WerFault.exe
PID 2000 wrote to memory of 2856	2000	tempspoofer.exe	WerFault.exe
PID 2592 wrote to memory of 2236	2592	explorer.exe	spoolsv.exe
PID 2592 wrote to memory of 2236	2592	explorer.exe	spoolsv.exe
PID 2592 wrote to memory of 2236	2592	explorer.exe	spoolsv.exe
PID 2592 wrote to memory of 2236	2592	explorer.exe	spoolsv.exe
PID 2236 wrote to memory of 2480	2236	spoolsv.exe	svchost.exe
PID 2236 wrote to memory of 2480	2236	spoolsv.exe	svchost.exe
PID 2236 wrote to memory of 2480	2236	spoolsv.exe	svchost.exe
PID 2236 wrote to memory of 2480	2236	spoolsv.exe	svchost.exe
PID 2480 wrote to memory of 2504	2480	svchost.exe	spoolsv.exe
PID 2480 wrote to memory of 2504	2480	svchost.exe	spoolsv.exe
PID 2480 wrote to memory of 2504	2480	svchost.exe	spoolsv.exe
PID 2480 wrote to memory of 2504	2480	svchost.exe	spoolsv.exe
PID 2592 wrote to memory of 3008	2592	explorer.exe	Explorer.exe
PID 2592 wrote to memory of 3008	2592	explorer.exe	Explorer.exe
PID 2592 wrote to memory of 3008	2592	explorer.exe	Explorer.exe
PID 2592 wrote to memory of 3008	2592	explorer.exe	Explorer.exe
PID 2480 wrote to memory of 2800	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2800	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2800	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2800	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2708	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2708	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2708	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2708	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2040	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2040	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2040	2480	svchost.exe	schtasks.exe
PID 2480 wrote to memory of 2040	2480	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- \??\c:\users\admin\appdata\local\temp\tempspoofer.exe
  c:\users\admin\appdata\local\temp\tempspoofer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 128
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2856
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1764
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2236
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:47 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2800
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:48 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2708
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:49 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2040
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f960e1db3c7720fa15c6cf6dcbb5bff3

SHA1
d42676e1d52d234e080c97562b546fa37654c4cb

SHA256
07da1afc8d5ace7cf016b52b91a5bc26c3e931745232fa7ac60fcdb5b189916c

SHA512
353099b64ea02795c5a0d1b078abe2a7525ef61b441c7436e0b6034136d8e341c3a44fc743f347bdc8ec4d61ca7c92bc8b96ffe815090ddaf84b20cb0b0bf5ec

Download Submit
\Users\Admin\AppData\Local\Temp\tempspoofer.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
30cee1272f031af1f0ac832416173483

SHA1
a984dc6d301ac807068ec4e2684ad2002ccbe598

SHA256
788f85e902cd9b98cfd35c5ad5782ffd26499ab3f69fce6783a5ee902c17baad

SHA512
18812a5c75f7b871720c595f9af610f3a26ba5df6238320d06d9a09ae94a03c895c4811a35fb09d9f1dabbb7341f372c9d94a475c016e99c6422add50cc6bfdd

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e6e43e4a8284b4c43fdf20c633b87513

SHA1
cb19fbb03273f6be3087eff98d82833e2fa5c93a

SHA256
f00d724d9f047cdf0f4860050e0e5b7b4ca364f36af3e58a015da7d5e57f66f0

SHA512
3397f1eeb98b40165a80c396f91fc08fccdb266b7c8329d67c5f58b54ca149bb560326b44ee307c7aeabfac447753f4985239a3ba3477c6152d148245ea0e1fa

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e662584d52c5ca552bb9c57bad9ff263

SHA1
24f5c0ab5d1581c74cf2c8388915f076554031c1

SHA256
9e38019b6027ad65b4449ca7b3fdc7c054b0e7abeca78ec6e6f2534b23b93700

SHA512
43131507e73936c371041a6c0a1e655724769e7df08d62f2fccc566f0563f3d7f57dd9ae0499c91aaf6ffd2c4aee401240504d3e8c99c6bf98e4ae0beee058c6

Download Submit
memory/1176-18-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1176-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-32-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2000-20-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2000-73-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2236-56-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2236-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-66-0x0000000000390000-0x00000000003AF000-memory.dmp

Filesize
124KB

Download
memory/2504-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads