246a0fec1e0c201fd407a74231a70ce7f5345ab376029db4e79bea4ba27acd46

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

1.9MB
MD5

211d67cb160ae80cd5b8f51e768ecf03
SHA1

7bc311419bbd63b5d9f11e31676b23916dd92a73
SHA256

d9a91d7519b16a30328c22ad2be0b6c31a0c169fd8333567c389f66057d95902
SHA512

42e800ab0285507d1329df885de52398511ae8a73e8b90eac0590eddccebd5335375e6e409e1541459ebf2bd9751bf8f1327790fc7a764f2ac2c5957212b4cbb
SSDEEP

24576:PFOatRpLVFPbthieraHDowhhk70Trcfdq+rw24kM1p2yvCVlnU9zJkGIAYhbljgK:txRpL/bC/9jkQTAfdWVLCVyKn2K1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2560	2.exe
2976	icsys.icn.exe
2632	explorer.exe
2980	spoolsv.exe
2724	svchost.exe
2488	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
2000	2.exe
2000	2.exe
2000	2.exe
2976	icsys.icn.exe
2632	explorer.exe
2980	spoolsv.exe
2724	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1992	schtasks.exe
2728	schtasks.exe
600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2000	2.exe
2560	2.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe
2724	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2632	explorer.exe
2724	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2000	2.exe
2000	2.exe
2976	icsys.icn.exe
2976	icsys.icn.exe
2632	explorer.exe
2632	explorer.exe
2980	spoolsv.exe
2980	spoolsv.exe
2724	svchost.exe
2724	svchost.exe
2488	spoolsv.exe
2488	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2560	2000	2.exe	28
PID 2000 wrote to memory of 2560	2000	2.exe	28
PID 2000 wrote to memory of 2560	2000	2.exe	28
PID 2000 wrote to memory of 2560	2000	2.exe	28
PID 2000 wrote to memory of 2976	2000	2.exe	29
PID 2000 wrote to memory of 2976	2000	2.exe	29
PID 2000 wrote to memory of 2976	2000	2.exe	29
PID 2000 wrote to memory of 2976	2000	2.exe	29
PID 2976 wrote to memory of 2632	2976	icsys.icn.exe	30
PID 2976 wrote to memory of 2632	2976	icsys.icn.exe	30
PID 2976 wrote to memory of 2632	2976	icsys.icn.exe	30
PID 2976 wrote to memory of 2632	2976	icsys.icn.exe	30
PID 2632 wrote to memory of 2980	2632	explorer.exe	31
PID 2632 wrote to memory of 2980	2632	explorer.exe	31
PID 2632 wrote to memory of 2980	2632	explorer.exe	31
PID 2632 wrote to memory of 2980	2632	explorer.exe	31
PID 2980 wrote to memory of 2724	2980	spoolsv.exe	32
PID 2980 wrote to memory of 2724	2980	spoolsv.exe	32
PID 2980 wrote to memory of 2724	2980	spoolsv.exe	32
PID 2980 wrote to memory of 2724	2980	spoolsv.exe	32
PID 2724 wrote to memory of 2488	2724	svchost.exe	33
PID 2724 wrote to memory of 2488	2724	svchost.exe	33
PID 2724 wrote to memory of 2488	2724	svchost.exe	33
PID 2724 wrote to memory of 2488	2724	svchost.exe	33
PID 2632 wrote to memory of 2440	2632	explorer.exe	34
PID 2632 wrote to memory of 2440	2632	explorer.exe	34
PID 2632 wrote to memory of 2440	2632	explorer.exe	34
PID 2632 wrote to memory of 2440	2632	explorer.exe	34
PID 2724 wrote to memory of 1992	2724	svchost.exe	35
PID 2724 wrote to memory of 1992	2724	svchost.exe	35
PID 2724 wrote to memory of 1992	2724	svchost.exe	35
PID 2724 wrote to memory of 1992	2724	svchost.exe	35
PID 2724 wrote to memory of 2728	2724	svchost.exe	40
PID 2724 wrote to memory of 2728	2724	svchost.exe	40
PID 2724 wrote to memory of 2728	2724	svchost.exe	40
PID 2724 wrote to memory of 2728	2724	svchost.exe	40
PID 2724 wrote to memory of 600	2724	svchost.exe	42
PID 2724 wrote to memory of 600	2724	svchost.exe	42
PID 2724 wrote to memory of 600	2724	svchost.exe	42
PID 2724 wrote to memory of 600	2724	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- \??\c:\users\admin\appdata\local\temp\2.exe
  c:\users\admin\appdata\local\temp\2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2980
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:58 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1992
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:59 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2728
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:00 /f
        6⤵
        Creates scheduled task(s)
        
        PID:600
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c6a9caecda16ff84f543e4f00673d795

SHA1
171d5e7d8dbe9abc92a4573356cdded0d5d975e4

SHA256
8522547faa488adca7e4fe619831e57e63c6ce524ab3742548b2fcaff646c082

SHA512
aa88462e16f0fd534754eac19eaee092c4cc11515c4c689e3d8aa57e423233298c6733f00339a0d24f66dd5faca2298389813abf758f19a9ec85624d221aa144

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.8MB

MD5
f434acf8284d1018f7f5f669e0ff3811

SHA1
33e6d6e152ade16f89f7d16cebe5fff0aac14906

SHA256
dcb30771b6b0be73068b3ad774336e25c84ad8e5a8691da5525265f9159bf654

SHA512
60cd1f56f89426d244dd610ca52605092466c0f5b8b47cf58a3b1378dc931b9125b4f23c4ceb6cd2206b2d868dab3e1a19f9dfe4c88d30c7432fe8fca721073a

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
40d722b56fe299558fdc4822923440bd

SHA1
3a898e04f2c46db5a64541897aa0dcb1dc4ca126

SHA256
e6965494331849d9cd156fe0e7f9655115207a0460f5eff6f12515ed03983ffa

SHA512
c157c9cca7d605313f6d29c91660418d77515eb4147ff5bfb218af4767bf93d8883af54608c318251f1e40e6d0fb868c2d6971df482e862022572dcb6aad0cbd

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ad49d3adfe7025ebd3f81ac73e679d90

SHA1
a26a0a3bb76eb34f358d554880ebd7aa2f2ad46c

SHA256
39422e935ecb3ad95b90bd1fb72e839ca2e1027b17b65eeb7503fc66af6d6a63

SHA512
660f2439501ac6e31e231e35e304af2d7e11c55a6ed93dec92392684fe32f1cfb4a9c6da28927f8caf9cbb49525bc13655b786565bb79e6acc1a8b54a70c4236

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f86eda3f6fa5095eea625e9fb1568367

SHA1
b7dae9299a76d70f46faa6bb2a828383cb3d0154

SHA256
83ef1308a969f8e38bba399e1d91931c28c5be40ca30942302f528770d590d10

SHA512
ba25c549e71c979cc1f8530cbcecfd3ca4ebf45686d60c02c8ba7f07ad08272b1777d0b731bfc0062f38c194fc2229cca0ff98fe86ff17779c577151a83e9861

Download Submit
memory/2000-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-17-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2000-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-14-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2560-13-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2976-30-0x0000000002560000-0x000000000257F000-memory.dmp

Filesize
124KB

Download
memory/2976-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-51-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2980-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download