52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
Size

251KB
MD5

a4b625ffe0267c46efc1c64dcfdadfaa
SHA1

49b7b4635aca8633f5388c490b52855aca74b38f
SHA256

52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d
SHA512

63dca10828d8bb74b66ad37d07d6b3b4894aca15618feacbae43fc2c9c1f55c4fe60517782b7572937709e2d1b938c0d944d9ae1cb2cddd39222604d61b42f00
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalkVdB4xloa4QCc:UsLqdufVUNDa84xlolM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
3624	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
4836	icsys.icn.exe
4144	explorer.exe
2904	spoolsv.exe
3200	svchost.exe
3592	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4836	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4144	explorer.exe
3200	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
3624	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
4836	icsys.icn.exe
4836	icsys.icn.exe
4144	explorer.exe
4144	explorer.exe
2904	spoolsv.exe
2904	spoolsv.exe
3200	svchost.exe
3200	svchost.exe
3592	spoolsv.exe
3592	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3624	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	86
PID 3664 wrote to memory of 3624	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	86
PID 3664 wrote to memory of 3624	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	86
PID 3664 wrote to memory of 4836	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	87
PID 3664 wrote to memory of 4836	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	87
PID 3664 wrote to memory of 4836	3664	52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe	87
PID 4836 wrote to memory of 4144	4836	icsys.icn.exe	88
PID 4836 wrote to memory of 4144	4836	icsys.icn.exe	88
PID 4836 wrote to memory of 4144	4836	icsys.icn.exe	88
PID 4144 wrote to memory of 2904	4144	explorer.exe	89
PID 4144 wrote to memory of 2904	4144	explorer.exe	89
PID 4144 wrote to memory of 2904	4144	explorer.exe	89
PID 2904 wrote to memory of 3200	2904	spoolsv.exe	91
PID 2904 wrote to memory of 3200	2904	spoolsv.exe	91
PID 2904 wrote to memory of 3200	2904	spoolsv.exe	91
PID 3200 wrote to memory of 3592	3200	svchost.exe	93
PID 3200 wrote to memory of 3592	3200	svchost.exe	93
PID 3200 wrote to memory of 3592	3200	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
"C:\Users\Admin\AppData\Local\Temp\52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664
- \??\c:\users\admin\appdata\local\temp\52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
  c:\users\admin\appdata\local\temp\52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3624
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4836
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2904
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52d93d0950cf5f4914caa496f3346839dfabfc1fffbaabff2c846e45fafe7c8d.exe

Filesize
116KB

MD5
caa5cf56de756ca76ec5133b596dac4c

SHA1
c484d326bb4d5d506af637e2d0e324640ff6fba6

SHA256
ba318e1454f82548c3ee76a95c8d72b888e0f1b9945c7d93c6ad4a3ae2397078

SHA512
6744088a15e80850ecd77885b0ec860fc8f6b6109e5687c41703e93015f05c4616c6d37cfb72c695925e538281ed31f0134b40b9357347a696c4d1ed046754a2

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
53df3faaea606f5cf90ebc9d4b6a0aa8

SHA1
42140e20fd8ebf88dcc591ec449e27dd1e0261d8

SHA256
bd30aad7630e459b7355c9082ffb674f2307293d429007df88cfb9568d9130bc

SHA512
2358494084e116f4e73adc3d8a0a8eb9a135166bc2d41b35de3bcd0a84fdb2409ad7012168aa1463aea3b799064e48a6fd779452eba58ee40022ac651abc6b88

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
e3beb64f5d6af75c7fa6ea1a54f2b5d4

SHA1
67e5ffaa0996819269683fae9e962d7f24c565b7

SHA256
82ca0dac2bcd9d3728d96b42b088e6b8339e562b9e9639b02ec86e1cceb66e2e

SHA512
d67591cdd213f8636b0c23c2877f3ebe79c07b3a81ea8e042fa5deb357078ed5f548ff08d2726f5dd1827a55e234077e07069b60858f6053210e93f4fa60e281

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d5397d0c5f4cc6bf1842aa7b07506da5

SHA1
b2ec055ccfc73a4334aa440fb332e3cfa26f1cdb

SHA256
14a08e3d9d2b5825eefef022f0d1cc71751f26b6c622b85951e175bb5d23329b

SHA512
5d4d421bd14107e680116ac63f5f046f9f7d49f542317e67a3aa4a2c97d370dc951060310cd23241f0ebb27981786ae13667afaa11ee080cbc84a0278c246c77

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
0e2a188934544406fb1e0957fa08a63d

SHA1
955f72b119c398ed3baf9d74ed7db08d2952bae8

SHA256
502cb13d3a2c9205ffef28976b42ac1956baf2d7d4a1439110539ee576379ed0

SHA512
4701f05c22ee95ce00a3c314f239234883b3ca283230b4dc90449c184ea37bac71b1d8321521fd77af56e8243d19a1965ba9888dfdc127bdf5a306f2ff88b6be

Download Submit
memory/2904-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3592-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3664-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3664-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download