b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6

General

Target

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
Size

294KB
MD5

cabac23644ccbe7dc41b8d1e39795ccf
SHA1

402a79fea594fcc80eef6d4a0c8bbaa90ab68dce
SHA256

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6
SHA512

3170710ac6985ebcf1d314e024ded943942128b314d4147d218eae49767a6a16efebfbc5d4a1604b81b2bccae25c87b45bb6371543b288e4ec25852e0f7dcda2
SSDEEP

6144:UsLqdufVUNDaB5TJj1ioqPJ34FEcO/+urWts:PFUNDaBzRacews

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2904	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
1324
2544	icsys.icn.exe
2508	explorer.exe
2716	spoolsv.exe
2604	svchost.exe
2388	spoolsv.exe

Loads dropped DLL 6 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2544	icsys.icn.exe
2508	explorer.exe
2716	spoolsv.exe
2604	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1068 schtasks.exe
2432 schtasks.exe
540 schtasks.exe

pid	process
1068	schtasks.exe
2432	schtasks.exe
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2508 explorer.exe
2604 svchost.exe

pid	process
2508	explorer.exe
2604	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2508	explorer.exe
2508	explorer.exe
2716	spoolsv.exe
2716	spoolsv.exe
2604	svchost.exe
2604	svchost.exe
2388	spoolsv.exe
2388	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2648 wrote to memory of 2904	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2648 wrote to memory of 2904	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2648 wrote to memory of 2904	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2648 wrote to memory of 2904	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2648 wrote to memory of 2544	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2648 wrote to memory of 2544	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2648 wrote to memory of 2544	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2648 wrote to memory of 2544	2648	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2544 wrote to memory of 2508	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2508	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2508	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2508	2544	icsys.icn.exe	explorer.exe
PID 2508 wrote to memory of 2716	2508	explorer.exe	spoolsv.exe
PID 2508 wrote to memory of 2716	2508	explorer.exe	spoolsv.exe
PID 2508 wrote to memory of 2716	2508	explorer.exe	spoolsv.exe
PID 2508 wrote to memory of 2716	2508	explorer.exe	spoolsv.exe
PID 2716 wrote to memory of 2604	2716	spoolsv.exe	svchost.exe
PID 2716 wrote to memory of 2604	2716	spoolsv.exe	svchost.exe
PID 2716 wrote to memory of 2604	2716	spoolsv.exe	svchost.exe
PID 2716 wrote to memory of 2604	2716	spoolsv.exe	svchost.exe
PID 2604 wrote to memory of 2388	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2388	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2388	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2388	2604	svchost.exe	spoolsv.exe
PID 2508 wrote to memory of 2364	2508	explorer.exe	Explorer.exe
PID 2508 wrote to memory of 2364	2508	explorer.exe	Explorer.exe
PID 2508 wrote to memory of 2364	2508	explorer.exe	Explorer.exe
PID 2508 wrote to memory of 2364	2508	explorer.exe	Explorer.exe
PID 2604 wrote to memory of 2432	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 2432	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 2432	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 2432	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 540	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 540	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 540	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 540	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 1068	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 1068	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 1068	2604	svchost.exe	schtasks.exe
PID 2604 wrote to memory of 1068	2604	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
"C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

\??\c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:12 /f
6⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:13 /f
6⤵
- Creates scheduled task(s)
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:14 /f
6⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2364

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
e05befd8ecfc82e6170443f0498b76bc

SHA1
1248bae3a5b4a4557928115d626e83cf6a747818

SHA256
7971042b580d83fe9dcf71d232173b4336a10cd7677c8db5945ed2c4517d10bc

SHA512
776be9a32023cd93dfb97f6441991c9ed597b2532beb17747b4c6082fb5d3b08354b7cc9fb1fec8ad429f17143ef18459b77390818fb3a191e1782c961320de9

Download Submit
\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
Filesize
159KB

MD5
f1351ac581ee291e3ae9310cb4604439

SHA1
3aa7dc2eb27bf4918795e99ac315fb1c8e3e439b

SHA256
ff91c13ed79351c52376f817c94f3d8c5841edbd72b52e57eedb1df24099a0c4

SHA512
8604b70579b73bcf97941835aa49b6e179cf54a716c9e72def4c13aa60119f6f7d0f982e29f94ebb1dd69cee35fb9d5146752f1a7bc432f632796379c7b7beb6

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
2fa914627523f73ce53296c6d976b494

SHA1
df699726fffc54f7cdffa7fc88fa3a49199ca888

SHA256
b686e215603989c2b76689cb88454531c8c3276ab9bad61d278d3889d2e1e9f3

SHA512
2af98416fafad3bac1f3c6fb3d2d7f562c31ef8d37a07599504e42388af9d2054d3d104d26950de97b7eea203421ec4b9a50e3f310eaa6eef1afc48b61327880

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
b1b5c5112f7e57c4fa13a96615add04a

SHA1
95f372ca89e8679881f797ad3dab7b5d6f520011

SHA256
da40224202cfb06f906bebf3f8dc7772c6f70a683d66dd1cb7cd7ce0e68c53f7

SHA512
66a2b44dc922a7eb24cc769f2d4be77bd51d1621ba056844c46a75a5e890081c205454400d00633ff2599bebc4612cc4471704eea182ff50b3bea369f26f4cf0

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
eb5a995639f49c6c8e72ecf8b7a29c1d

SHA1
3502c10cce55be501ac69755f37f0cbda29fe58e

SHA256
e426d23b7ea7ade54fec53ccb5e0f8778034ad41ae897032d5981b0b911bc968

SHA512
0ad6ab88bd73f33ef6fc7b55741756cc9d474899e1e74cedcfaa204da3618e8ffd9dafa3eb3c20fc36ee4f7d6df9f3ff2e643dcbf4e1b15174f6cd078dcd9423

Download Submit
memory/2388-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-33-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2544-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2604-52-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2648-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads