Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 05:25
Behavioral tasks
behavioral1: sample main.exe, resource win7-20240221-en
behavioral2: sample main.exe, resource win10v2004-20240426-en (the run this report shows)
behavioral3: sample main.pyc, resource win7-20240220-en
behavioral4: sample main.pyc, resource win10v2004-20240419-en
General
Target: main.exe
Size: 5.9MB
MD5: 3354496085a148bf84e4b9249d8ab9b2
SHA1: 7f5a53faa73edac8a2999bc8624b8c8ce943f06a
SHA256: 43cf51ea2ac2ea60017c077d196d9719c6217548510619aa8ac18c6657163c55
SHA512: 66c9f316002593745d1b7e141c5c0cc70695f50f140ac2b9b32753a89ac3c482a3ca57afa825a2bd6c6e72855ac4367eb0ea1b933974fc3592739b63a93c71df
SSDEEP: 98304:TXzhW148Pd+Tf1mpcOldJQ3/V5s18HdDo45ow3ONp2MTJs9wplordZNum6vukIP0:zFK4s0TfLOdo/bs1moU2N8AMmofNum6z
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description      ioc                                                                                                                                   process
Set value (int)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
description  ioc                                          process
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  main.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  icsys.icn.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorer.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  spoolsv.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  svchost.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  spoolsv.exe
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: spoolsv.exe, svchost.exe, spoolsv.exe, main.exe, explorer.exe, icsys.icn.exe
description        ioc                                                        process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  spoolsv.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   spoolsv.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  main.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorer.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   icsys.icn.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   explorer.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   spoolsv.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  spoolsv.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   main.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  icsys.icn.exe
Executes dropped EXE (6 IoCs)
Processes: main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid   process
2212  main.exe
3972  icsys.icn.exe
4808  explorer.exe
1396  spoolsv.exe
3364  svchost.exe
4560  spoolsv.exe
YARA rule match: themida
resource                                                                     yara_rule
behavioral2/memory/3384-0-0x0000000000400000-0x0000000000A16000-memory.dmp   themida
C:\Windows\Resources\Themes\icsys.icn.exe                                    themida
behavioral2/memory/3972-12-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
C:\Windows\Resources\Themes\explorer.exe                                     themida
behavioral2/memory/4808-22-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
C:\Windows\Resources\spoolsv.exe                                             themida
behavioral2/memory/1396-31-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
C:\Windows\Resources\svchost.exe                                             themida
behavioral2/memory/3364-40-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4560-45-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4560-50-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/1396-52-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/3972-54-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/3384-56-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4808-57-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/3364-58-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4808-69-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4808-77-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
behavioral2/memory/4808-81-0x0000000000400000-0x0000000000A16000-memory.dmp  themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
description      ioc                                                                                                                              process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"            svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"            explorer.exe
Checks whether UAC is enabled (6 IoCs)
Processes: spoolsv.exe, main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
description        ioc                                                                         process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  spoolsv.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  main.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  icsys.icn.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  explorer.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  spoolsv.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
description                   ioc                               process
File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid   process
3384  main.exe
3972  icsys.icn.exe
4808  explorer.exe
1396  spoolsv.exe
3364  svchost.exe
4560  spoolsv.exe
Drops file in Windows directory (5 IoCs)
Processes: explorer.exe, main.exe, icsys.icn.exe, spoolsv.exe
description                   ioc                                          process
File opened for modification  C:\Windows\Resources\tjud.exe                explorer.exe
File opened for modification  C:\Windows\Resources\Themes\icsys.icn.exe    main.exe
File opened for modification  \??\c:\windows\resources\themes\explorer.exe  icsys.icn.exe
File opened for modification  \??\c:\windows\resources\spoolsv.exe          explorer.exe
File opened for modification  \??\c:\windows\resources\svchost.exe          spoolsv.exe
Detects Pyinstaller (1 IoC)
resource                                    yara_rule
C:\Users\Admin\AppData\Local\Temp\main.exe  pyinstaller
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: main.exe, icsys.icn.exe
pid   process
3384  main.exe       (listed repeatedly)
3972  icsys.icn.exe  (listed repeatedly)
The 64 entries are all attributed to these two PIDs.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid   process
4808  explorer.exe
3364  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid   process        entries
3384  main.exe       2
3972  icsys.icn.exe  2
4808  explorer.exe   2
1396  spoolsv.exe    2
3364  svchost.exe    2
4560  spoolsv.exe    2
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: main.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
description                        source pid  source process  target pid  target process  entries
PID 3384 wrote to memory of 2212   3384        main.exe        2212        main.exe        2
PID 3384 wrote to memory of 3972   3384        main.exe        3972        icsys.icn.exe   3
PID 3972 wrote to memory of 4808   3972        icsys.icn.exe   4808        explorer.exe    3
PID 4808 wrote to memory of 1396   4808        explorer.exe    1396        spoolsv.exe     3
PID 1396 wrote to memory of 3364   1396        spoolsv.exe     3364        svchost.exe     3
PID 3364 wrote to memory of 4560   3364        svchost.exe     4560        spoolsv.exe     3
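The signatures above describe a chain that a detection engineer can turn into host-log rules: files named explorer.exe, svchost.exe and spoolsv.exe are dropped under C:\Windows\Resources and launched from there, RunOnce values under WOW6432Node point back at them, and ShowSuperHidden is set to 0 so the copies stay hidden in Explorer. The script below is an added example, not part of the sandbox output or of any product. It replays constructed events shaped like Sysmon Event ID 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryValueSet) through four rules derived from the signatures; the PIDs, paths and registry values mirror this report, while the parent PIDs 1234 and 700, the msiexec RunOnce control entry and the list of directories that legitimately hold those binary names are assumptions of the example.

```python
"""Detection checks derived from the Signatures section of this report.

Added example, not sandbox output. Constructed Sysmon-shaped events (Event ID
1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet; values mirror the report)
are replayed through rules for system-binary names running outside their home
directories, drops under C:\\Windows, Run/RunOnce values pointing at the
impostors, and a non-system process clearing ShowSuperHidden.
"""
import ntpath
import re
from dataclasses import dataclass

# Names the dropped files borrow. Genuine copies live only in these
# directories (standard Windows layout; an assumption, not from the report).
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.I)
SUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def normalize(path: str) -> str:
    """Lower-case, drop quotes and the NT '\\??\\' prefix so paths compare."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def is_masquerade(path: str) -> bool:
    """A system-binary name outside the directories that legitimately hold it."""
    p = normalize(path)
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and ntpath.dirname(p) not in LEGIT_DIRS


def first_token(cmdline: str) -> str:
    """Executable part of a Run-key command: the quoted string or first word."""
    c = cmdline.strip()
    return c[1:c.find('"', 1)] if c.startswith('"') else c.split(" ", 1)[0]


def analyse(events):
    """Apply the four rules to a list of event dicts; return Finding objects."""
    findings = []
    for ev in events:
        eid, pid, image = ev["event_id"], ev["pid"], normalize(ev["image"])
        if eid == 1 and is_masquerade(image):
            findings.append(Finding("masquerading_system_binary", pid, image))
        elif eid == 11:
            target = normalize(ev["target_filename"])
            if is_masquerade(target):
                findings.append(Finding("drops_masquerading_binary", pid, target))
            elif target.startswith("c:\\windows\\") and ntpath.dirname(image) not in LEGIT_DIRS:
                findings.append(Finding("writes_into_windows_dir", pid, target))
        elif eid == 13:
            key, data = ev["target_object"], ev["details"]
            if RUN_KEY_RE.search(key) and is_masquerade(first_token(data)):
                findings.append(Finding("run_key_to_masquerading_binary", pid, f"{key} = {data}"))
            elif (SUPERHIDDEN_RE.search(key) and data.endswith("(0x00000000)")
                  and ntpath.dirname(image) not in LEGIT_DIRS):
                findings.append(Finding("non_system_process_hides_superhidden", pid, key))
    return findings


def process_chain(events, pid):
    """Follow ParentProcessId links in Event ID 1 from pid back to the root."""
    parents = {e["pid"]: (normalize(e["image"]), e["parent_pid"])
               for e in events if e["event_id"] == 1}
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        image, pid = parents[pid]
        chain.append(image)
    return chain[::-1]


# Constructed events mirroring the report's chain (PIDs and paths from the
# report; parent PIDs 1234/700 and the msiexec control entry are made up).
T = r"C:\Users\Admin\AppData\Local\Temp\main.exe"
R = r"c:\windows\resources"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 3384, "parent_pid": 1234, "image": T},
    {"event_id": 11, "pid": 3384, "image": T, "target_filename": R + r"\themes\icsys.icn.exe"},
    {"event_id": 1, "pid": 3972, "parent_pid": 3384, "image": R + r"\themes\icsys.icn.exe"},
    {"event_id": 11, "pid": 3972, "image": R + r"\themes\icsys.icn.exe",
     "target_filename": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"event_id": 1, "pid": 4808, "parent_pid": 3972, "image": R + r"\themes\explorer.exe"},
    {"event_id": 13, "pid": 4808, "image": R + r"\themes\explorer.exe",
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "details": R + r"\themes\explorer.exe RO"},
    {"event_id": 13, "pid": 4808, "image": R + r"\themes\explorer.exe",
     "target_object": r"HKU\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft"
                      r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
    {"event_id": 11, "pid": 4808, "image": R + r"\themes\explorer.exe",
     "target_filename": r"C:\Windows\SysWOW64\explorer.exe"},
    {"event_id": 1, "pid": 1396, "parent_pid": 4808, "image": R + r"\spoolsv.exe"},
    # Benign controls: a real svchost.exe and an installer's RunOnce entry.
    {"event_id": 1, "pid": 900, "parent_pid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 13, "pid": 777, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Installer",
     "details": r'"C:\Windows\System32\msiexec.exe" /i setup.msi'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
    print(" -> ".join(process_chain(SAMPLE_EVENTS, 1396)))
```

Two design points keep the rules quiet on a normal host. The ShowSuperHidden rule ignores writers under C:\Windows, so a user toggling "Hide protected operating system files" through the real explorer.exe does not fire, while the copies in C:\Windows\Resources do. The Run-key rule only fires when the command points at a name from SYSTEM_BINARY_NAMES living outside LEGIT_DIRS, so installer RunOnce entries pass. The anti-VM reads in the report (the VBOX__ ACPI key, SystemBiosVersion, EnableLUA) are deliberately left out: legitimate software queries the same values, so on their own they are poor alert material and belong in enrichment rather than in a firing rule.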
Processes

C:\Users\Admin\AppData\Local\Temp\main.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\main.exe
    command line: c:\users\admin\appdata\local\temp\main.exe
    - Executes dropped EXE

  C:\Windows\Resources\Themes\icsys.icn.exe
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe
        command line: c:\windows\resources\spoolsv.exe SE
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe PR
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1): Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\main.exe
  Filesize: 3.3MB
  MD5: e168624c9f4fad11c86c25d583cefb04
  SHA1: a556c2fdfad5c51aba45adc409eaf7338d23a428
  SHA256: d0047a3ee6b59e8818d228ed777ca9b89d24704a434d27b81684024a413f3fbe
  SHA512: 4b4b96e7db991280e9bcf882ad5d693d7347343ebdf100f6710e034b7c0f410c6e67b19646b0904571eb0bc852e0137ee4d236af23463c89f1cbc48b419c404d
  This is not the submitted sample: it is 3.3MB against 5.9MB and its hashes differ from those under General, so the file at this path was rewritten during the run. The pyinstaller YARA hit (Detects Pyinstaller) is on this path, and the second main.exe process (PID 2212) appears under Executes dropped EXE.

C:\Windows\Resources\Themes\explorer.exe
  Filesize: 2.6MB
  MD5: 56b40d5815b1c6673dc2dd3ada5200eb
  SHA1: b304c00046dbc812bd3e071546f4559ae4b71963
  SHA256: b4e72fc62a612a6bf816e2e65edc0bbecb15f19310bdd9ad807495ca94571163
  SHA512: 591f95c7e4b234ec54a72af0c5742dfe23835acac4b3dbf542ae17cd1da35538c73976d1f732485b82937ebe558db985e54e6fe1a21d880d0899bbfd14bda598

C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 2.6MB
  MD5: 8fae25504ebef94f673e3c80794aebf2
  SHA1: 41c47bbb0df508aa7df176b341de0def27753bb5
  SHA256: be5266e372e2a0a51e96f68b0d63399ec215b47424333846fa178dbfcf4c423f
  SHA512: 62ef06081c7f3bf5e1d197f804976479ce983203eb1001b5d9aaeb342d86b041711ad9075ef88952d37051bd2f3a22a391534543d9dd1340db801bde4b1c7aaa

C:\Windows\Resources\spoolsv.exe
  Filesize: 2.6MB
  MD5: 6adeccb29342517f69e9e208d3fe40ba
  SHA1: 8812209e5d1f843279214fda7d1e6bfeefda29c2
  SHA256: e12081185625d6902b7813fe2b3ca94ec8263c6e1a1e9eb62c6c47e915fc19ae
  SHA512: 196ba6486ec68f62dcf9fe1339cb652fa1c08e7f43b5b39a89d6c0d020b9efc693d84f79c21af03b45a1078383202d095abba65d35a2fcad9068d863ef1c3cf9

C:\Windows\Resources\svchost.exe
  Filesize: 2.6MB
  MD5: cd57d04edf327014fe52ed4290e7de22
  SHA1: 49cb8f3bdfb760897f56e49e5922453fba7b797f
  SHA256: f61af3aeee7ed1ced1fcf7a527ee6078a3a7a9e7544469843e8c7cfe907004e7
  SHA512: 4c614dbdaf07813989a01cb332457bcbc1f1b3f08ca8d1011802081ecf2b08d620058a4aecf2637fd812d47962cf7d3047586b61886a323edcbae2cbd7cd1dc2

Memory dumps
  memory/1396-52-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/1396-31-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/3364-40-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/3364-58-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/3384-1-0x0000000077D34000-0x0000000077D36000-memory.dmp   8KB
  memory/3384-0-0x0000000000400000-0x0000000000A16000-memory.dmp   6.1MB
  memory/3384-56-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/3972-54-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/3972-12-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4560-50-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4560-45-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4808-22-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4808-57-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4808-69-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4808-77-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB
  memory/4808-81-0x0000000000400000-0x0000000000A16000-memory.dmp  6.1MB