Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 02:10
Static task: static1
Behavioral task: behavioral1
- Sample: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
- Resource: win10v2004-20240508-en
General
- Target: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
- Size: 294KB
- MD5: cabac23644ccbe7dc41b8d1e39795ccf
- SHA1: 402a79fea594fcc80eef6d4a0c8bbaa90ab68dce
- SHA256: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6
- SHA512: 3170710ac6985ebcf1d314e024ded943942128b314d4147d218eae49767a6a16efebfbc5d4a1604b81b2bccae25c87b45bb6371543b288e4ec25852e0f7dcda2
- SSDEEP: 6144:UsLqdufVUNDaB5TJj1ioqPJ34FEcO/+urWts:PFUNDaBzRacews
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
- Executes dropped EXE (6 IoCs)
  Processes: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid / process:
  1136 b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
  4100 icsys.icn.exe
  3124 explorer.exe
  2812 spoolsv.exe
  412 svchost.exe
  540 spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: svchost.exe, explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Drops file in System32 directory (2 IoCs)
  Processes: explorer.exe, svchost.exe
  File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
  File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
- Drops file in Windows directory (5 IoCs)
  Processes: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
  File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe)
  File opened for modification \??\c:\windows\resources\themes\explorer.exe (icsys.icn.exe)
  File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
  File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
  File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe, icsys.icn.exe
  pid / process (the same two entries are repeated for every IoC):
  2004 b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
  4100 icsys.icn.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid / process:
  3124 explorer.exe
  412 svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid / process (each entry appears twice):
  2004 b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
  4100 icsys.icn.exe
  3124 explorer.exe
  2812 spoolsv.exe
  412 svchost.exe
  540 spoolsv.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description / pid / process / target process:
  PID 2004 wrote to memory of 1136: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe -> b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe (2 IoCs)
  PID 2004 wrote to memory of 4100: b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe -> icsys.icn.exe (3 IoCs)
  PID 4100 wrote to memory of 3124: icsys.icn.exe -> explorer.exe (3 IoCs)
  PID 3124 wrote to memory of 2812: explorer.exe -> spoolsv.exe (3 IoCs)
  PID 2812 wrote to memory of 412: spoolsv.exe -> svchost.exe (3 IoCs)
  PID 412 wrote to memory of 540: svchost.exe -> spoolsv.exe (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
    Command line: c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
    - Executes dropped EXE
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
  Filesize: 159KB
  MD5: f1351ac581ee291e3ae9310cb4604439
  SHA1: 3aa7dc2eb27bf4918795e99ac315fb1c8e3e439b
  SHA256: ff91c13ed79351c52376f817c94f3d8c5841edbd72b52e57eedb1df24099a0c4
  SHA512: 8604b70579b73bcf97941835aa49b6e179cf54a716c9e72def4c13aa60119f6f7d0f982e29f94ebb1dd69cee35fb9d5146752f1a7bc432f632796379c7b7beb6
- C:\Windows\Resources\Themes\explorer.exe
  Filesize: 135KB
  MD5: f9b990b7e400ebfb592c0a4bc55bc444
  SHA1: b8cddef98c0a2c7b46141357ba92cbfaad876c26
  SHA256: d99d7b05cab3d5c784e18bc10bca7a31c97c558c7d167374b0eec8c665ace027
  SHA512: 53cf3f01bbb7f8dadfdf4a217f1b918c396350398ab642c1884f3bc2e63d79b4588c56d50024cf19901079f4ac3b7bc0475c0f45745d35d5df54626cd403908f
- C:\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 135KB
  MD5: 2fa914627523f73ce53296c6d976b494
  SHA1: df699726fffc54f7cdffa7fc88fa3a49199ca888
  SHA256: b686e215603989c2b76689cb88454531c8c3276ab9bad61d278d3889d2e1e9f3
  SHA512: 2af98416fafad3bac1f3c6fb3d2d7f562c31ef8d37a07599504e42388af9d2054d3d104d26950de97b7eea203421ec4b9a50e3f310eaa6eef1afc48b61327880
- C:\Windows\Resources\spoolsv.exe
  Filesize: 135KB
  MD5: c0277fa2ca6277957bb02b580d53db80
  SHA1: 1b187d0618731342034839c70a7dd197b9d6de96
  SHA256: 172366fec98f802d9986f66df54672266e2eeadc5fad552b41cfdec2b24c76fd
  SHA512: eb1cb8e7754ced8a94710acd665b9a637a23a6b6c8e6cf353f33306f764b2747a90939486db50f5ea527b4e6804bf517ed3d0a455db450b873edcf13c8c80443
- C:\Windows\Resources\svchost.exe
  Filesize: 135KB
  MD5: 0ef0a2f667bc2d5581f33c91da12d9e1
  SHA1: 10858628d97f2e8de078b059f6b41fcb7759ed42
  SHA256: 0f1fd9e3fcf81370ad74a634551ecf989a53f31376d23c78971f56d050d0be46
  SHA512: 4f836a5ae55adcfc28e0f2abe47009277289e6660e47c1e13c7b3bacf0249daf21d3ec14aa027b0a45d31b813406f49766d06cc0f40c6371cc6930d00926b5ef
- memory/540-44-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/2004-0-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/2004-46-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/2812-43-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4100-45-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB