Analysis
- max time kernel: 150s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 05:24

Behavioral task: behavioral1
- Sample: main.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: main.exe
- Resource: win10v2004-20240419-en
General
- Target: main.exe
- Size: 5.9MB
- MD5: 3354496085a148bf84e4b9249d8ab9b2
- SHA1: 7f5a53faa73edac8a2999bc8624b8c8ce943f06a
- SHA256: 43cf51ea2ac2ea60017c077d196d9719c6217548510619aa8ac18c6657163c55
- SHA512: 66c9f316002593745d1b7e141c5c0cc70695f50f140ac2b9b32753a89ac3c482a3ca57afa825a2bd6c6e72855ac4367eb0ea1b933974fc3592739b63a93c71df
- SSDEEP: 98304:TXzhW148Pd+Tf1mpcOldJQ3/V5s18HdDo45ow3ONp2MTJs9wplordZNum6vukIP0:zFK4s0TfLOdo/bs1moU2N8AMmofNum6z
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
- main.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- icsys.icn.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- main.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- main.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Executes dropped EXE 6 IoCs
Processes (pid, process):
- 1504 main.exe
- 5148 icsys.icn.exe
- 372 explorer.exe
- 948 spoolsv.exe
- 4260 svchost.exe
- 6040 spoolsv.exe
Processes (resource, yara_rule):
- behavioral2/memory/4976-0-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- C:\Windows\Resources\Themes\icsys.icn.exe: themida
- behavioral2/memory/5148-12-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- C:\Windows\Resources\Themes\explorer.exe: themida
- behavioral2/memory/372-22-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- C:\Windows\Resources\spoolsv.exe: themida
- behavioral2/memory/948-31-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- C:\Windows\Resources\svchost.exe: themida
- behavioral2/memory/4260-40-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/6040-49-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/948-52-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/5148-53-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/4976-55-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/372-56-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/372-68-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/372-74-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
- behavioral2/memory/372-78-0x0000000000400000-0x0000000000A16000-memory.dmp: themida
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
Checks whether UAC is enabled
Processes:
- svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- main.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- explorer.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory 2 IoCs
Processes:
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid, process):
- 4976 main.exe
- 5148 icsys.icn.exe
- 372 explorer.exe
- 948 spoolsv.exe
- 4260 svchost.exe
- 6040 spoolsv.exe
Drops file in Windows directory 5 IoCs
Processes:
- explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe
- main.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
Detects Pyinstaller 1 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\main.exe: pyinstaller
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; 64 repeated entries from these two processes):
- 4976 main.exe
- 5148 icsys.icn.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes (pid, process):
- 372 explorer.exe
- 4260 svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (pid, process; each listed twice in the report):
- 4976 main.exe
- 5148 icsys.icn.exe
- 372 explorer.exe
- 948 spoolsv.exe
- 4260 svchost.exe
- 6040 spoolsv.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description, pid, process, target process):
- PID 4976 wrote to memory of 1504: main.exe -> main.exe (2 entries)
- PID 4976 wrote to memory of 5148: main.exe -> icsys.icn.exe (3 entries)
- PID 5148 wrote to memory of 372: icsys.icn.exe -> explorer.exe (3 entries)
- PID 372 wrote to memory of 948: explorer.exe -> spoolsv.exe (3 entries)
- PID 948 wrote to memory of 4260: spoolsv.exe -> svchost.exe (3 entries)
- PID 4260 wrote to memory of 6040: svchost.exe -> spoolsv.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\main.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\main.exe
    Command line: c:\users\admin\appdata\local\temp\main.exe
    - Executes dropped EXE
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\main.exe
  Filesize: 3.3MB
  MD5: e168624c9f4fad11c86c25d583cefb04
  SHA1: a556c2fdfad5c51aba45adc409eaf7338d23a428
  SHA256: d0047a3ee6b59e8818d228ed777ca9b89d24704a434d27b81684024a413f3fbe
  SHA512: 4b4b96e7db991280e9bcf882ad5d693d7347343ebdf100f6710e034b7c0f410c6e67b19646b0904571eb0bc852e0137ee4d236af23463c89f1cbc48b419c404d
- C:\Windows\Resources\Themes\explorer.exe
  Filesize: 2.6MB
  MD5: f5bdc0f31c9c63eebad2b9d73131c6e6
  SHA1: c2aec1b45a89247dac379bba6fdb0d068f55af7b
  SHA256: edc6fe56c1c59f15f5012f45ff126f02303397e7abb512d7fb3a4f73f9c9979b
  SHA512: 3bbbe2ae5864c6c55b4d9f7d652f0de75900dff8490c03ff1992466be4337a242e23f332ea6d6ba0dc6278da0830cbf9108749fac0cc79896524e6ecfde2c6a7
- C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 2.6MB
  MD5: 8fae25504ebef94f673e3c80794aebf2
  SHA1: 41c47bbb0df508aa7df176b341de0def27753bb5
  SHA256: be5266e372e2a0a51e96f68b0d63399ec215b47424333846fa178dbfcf4c423f
  SHA512: 62ef06081c7f3bf5e1d197f804976479ce983203eb1001b5d9aaeb342d86b041711ad9075ef88952d37051bd2f3a22a391534543d9dd1340db801bde4b1c7aaa
- C:\Windows\Resources\spoolsv.exe
  Filesize: 2.6MB
  MD5: 0998013c8deab23ce6988c8218e60b5b
  SHA1: 3c7f549fc9e4fa1ce47d36959225207e7b270db6
  SHA256: 0c2fcd81abb7ca27e471a7243467bd5f867880f82dfb5ac2c4e766bfcc7f6777
  SHA512: 0a8a1d13bd8d601817105ef43eab4a692a669eae8f36e9c33773d5153699c1a66d9a6998da0a0f5fb4adeda043819b36c5cc3af6e5bb8d09f029ecfb78699234
- C:\Windows\Resources\svchost.exe
  Filesize: 2.6MB
  MD5: beb74e679b08af1a99412a0b1a76996e
  SHA1: 54b4b093b74239a35fe8d71f81d2bfed9b4b6b91
  SHA256: 53bef16ecbe4d4a1ddef442d26aa781c36343445ef4a65cc712feec11d216cee
  SHA512: fdfee6f2b50803a0a99bd91447b470a4b7b9e89e759438c7bcb82cfb73610713c669310bbc34a7f2a76151df48e99eaa38636bbd87d5af71615f3ee2dab04d74
Memory dumps (resource, Filesize):
- memory/372-56-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/372-78-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/372-22-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/372-74-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/372-68-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/948-31-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/948-52-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/4260-40-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/4976-1-0x00000000777D4000-0x00000000777D6000-memory.dmp: 8KB
- memory/4976-0-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/4976-55-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/5148-53-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/5148-12-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB
- memory/6040-49-0x0000000000400000-0x0000000000A16000-memory.dmp: 6.1MB