b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6

General

Target

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
Size

294KB
MD5

cabac23644ccbe7dc41b8d1e39795ccf
SHA1

402a79fea594fcc80eef6d4a0c8bbaa90ab68dce
SHA256

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6
SHA512

3170710ac6985ebcf1d314e024ded943942128b314d4147d218eae49767a6a16efebfbc5d4a1604b81b2bccae25c87b45bb6371543b288e4ec25852e0f7dcda2
SSDEEP

6144:UsLqdufVUNDaB5TJj1ioqPJ34FEcO/+urWts:PFUNDaBzRacews

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1136	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
4100	icsys.icn.exe
3124	explorer.exe
2812	spoolsv.exe
412	svchost.exe
540	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exe

pid	process
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
4100	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3124 explorer.exe
412 svchost.exe

pid	process
3124	explorer.exe
412	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
4100	icsys.icn.exe
4100	icsys.icn.exe
3124	explorer.exe
3124	explorer.exe
2812	spoolsv.exe
2812	spoolsv.exe
412	svchost.exe
412	svchost.exe
540	spoolsv.exe
540	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2004 wrote to memory of 1136	2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2004 wrote to memory of 1136	2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
PID 2004 wrote to memory of 4100	2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2004 wrote to memory of 4100	2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 2004 wrote to memory of 4100	2004	b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe	icsys.icn.exe
PID 4100 wrote to memory of 3124	4100	icsys.icn.exe	explorer.exe
PID 4100 wrote to memory of 3124	4100	icsys.icn.exe	explorer.exe
PID 4100 wrote to memory of 3124	4100	icsys.icn.exe	explorer.exe
PID 3124 wrote to memory of 2812	3124	explorer.exe	spoolsv.exe
PID 3124 wrote to memory of 2812	3124	explorer.exe	spoolsv.exe
PID 3124 wrote to memory of 2812	3124	explorer.exe	spoolsv.exe
PID 2812 wrote to memory of 412	2812	spoolsv.exe	svchost.exe
PID 2812 wrote to memory of 412	2812	spoolsv.exe	svchost.exe
PID 2812 wrote to memory of 412	2812	spoolsv.exe	svchost.exe
PID 412 wrote to memory of 540	412	svchost.exe	spoolsv.exe
PID 412 wrote to memory of 540	412	svchost.exe	spoolsv.exe
PID 412 wrote to memory of 540	412	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
"C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

\??\c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
c:\users\admin\appdata\local\temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:412

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b526c3253bc03acdf4156f9cce895ad0aceaf4d4640e0303a4bfd408e257d3b6.exe
Filesize
159KB

MD5
f1351ac581ee291e3ae9310cb4604439

SHA1
3aa7dc2eb27bf4918795e99ac315fb1c8e3e439b

SHA256
ff91c13ed79351c52376f817c94f3d8c5841edbd72b52e57eedb1df24099a0c4

SHA512
8604b70579b73bcf97941835aa49b6e179cf54a716c9e72def4c13aa60119f6f7d0f982e29f94ebb1dd69cee35fb9d5146752f1a7bc432f632796379c7b7beb6

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
f9b990b7e400ebfb592c0a4bc55bc444

SHA1
b8cddef98c0a2c7b46141357ba92cbfaad876c26

SHA256
d99d7b05cab3d5c784e18bc10bca7a31c97c558c7d167374b0eec8c665ace027

SHA512
53cf3f01bbb7f8dadfdf4a217f1b918c396350398ab642c1884f3bc2e63d79b4588c56d50024cf19901079f4ac3b7bc0475c0f45745d35d5df54626cd403908f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
2fa914627523f73ce53296c6d976b494

SHA1
df699726fffc54f7cdffa7fc88fa3a49199ca888

SHA256
b686e215603989c2b76689cb88454531c8c3276ab9bad61d278d3889d2e1e9f3

SHA512
2af98416fafad3bac1f3c6fb3d2d7f562c31ef8d37a07599504e42388af9d2054d3d104d26950de97b7eea203421ec4b9a50e3f310eaa6eef1afc48b61327880

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
c0277fa2ca6277957bb02b580d53db80

SHA1
1b187d0618731342034839c70a7dd197b9d6de96

SHA256
172366fec98f802d9986f66df54672266e2eeadc5fad552b41cfdec2b24c76fd

SHA512
eb1cb8e7754ced8a94710acd665b9a637a23a6b6c8e6cf353f33306f764b2747a90939486db50f5ea527b4e6804bf517ed3d0a455db450b873edcf13c8c80443

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
0ef0a2f667bc2d5581f33c91da12d9e1

SHA1
10858628d97f2e8de078b059f6b41fcb7759ed42

SHA256
0f1fd9e3fcf81370ad74a634551ecf989a53f31376d23c78971f56d050d0be46

SHA512
4f836a5ae55adcfc28e0f2abe47009277289e6660e47c1e13c7b3bacf0249daf21d3ec14aa027b0a45d31b813406f49766d06cc0f40c6371cc6930d00926b5ef

Download Submit
memory/540-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4100-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads