Analysis
- max time kernel: 150s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 03:52
Static task: static1

Behavioral task: behavioral1
- Sample: d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
- Resource: win10v2004-20240426-en
General
- Target: d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
- Size: 1.2MB
- MD5: 4cdc7aced2193e8bccaa734b2b0f3e1a
- SHA1: b7b934a4d5c380f529ec82f3edbe974e2db6aef9
- SHA256: d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d
- SHA512: 6a5409ef065a0b411a9872134b39beb69fe9c19e302e06e1115c1355fc9a8c9fd9f0133cd4c991ce18bcc1a31b0561c0410b01a66dc31626e7197bc2ab340090
- SSDEEP: 24576:N5xolYQY6elrLMeYSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXE7ZBlbo:oYBtPbVvwqQpoLHontDrlbo
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Executes dropped EXE (6 IoCs)
Processes (pid):
- 1384 d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
- 2212 icsys.icn.exe
- 932 explorer.exe
- 3732 spoolsv.exe
- 872 svchost.exe
- 4608 spoolsv.exe
Loads dropped DLL (5 IoCs)
Processes (pid):
- 1384 d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe (all five entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
Processes: svchost.exe, explorer.exe, icsys.icn.exe, spoolsv.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
Resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe: nsis_installer_1
- C:\Users\Admin\AppData\Local\Temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe: nsis_installer_2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid), 64 repeated entries across these three processes:
- 2212 icsys.icn.exe
- 932 explorer.exe
- 872 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid):
- 932 explorer.exe
- 872 svchost.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes (pid), each recorded twice:
- 1248 d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
- 2212 icsys.icn.exe
- 932 explorer.exe
- 3732 spoolsv.exe
- 872 svchost.exe
- 4608 spoolsv.exe
- 932 explorer.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Source pid (process) -> target pid (process), each recorded three times:
- 1248 (d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe) wrote to memory of 1384 (d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe)
- 1248 (d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe) wrote to memory of 2212 (icsys.icn.exe)
- 2212 (icsys.icn.exe) wrote to memory of 932 (explorer.exe)
- 932 (explorer.exe) wrote to memory of 3732 (spoolsv.exe)
- 3732 (spoolsv.exe) wrote to memory of 872 (svchost.exe)
- 872 (svchost.exe) wrote to memory of 4608 (spoolsv.exe)
- 872 (svchost.exe) wrote to memory of 4648 (at.exe)
- 872 (svchost.exe) wrote to memory of 1916 (at.exe)
- 872 (svchost.exe) wrote to memory of 5100 (at.exe)
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\users\admin\appdata\local\temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
      Command line: c:\users\admin\appdata\local\temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe
      - Executes dropped EXE
      - Loads dropped DLL

  [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] \??\c:\windows\system\spoolsv.exe
              Command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

          [6] C:\Windows\SysWOW64\at.exe
              Command line: at 03:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

          [6] C:\Windows\SysWOW64\at.exe
              Command line: at 03:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

          [6] C:\Windows\SysWOW64\at.exe
              Command line: at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence:
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)

Privilege Escalation:
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\d5a27e0aa98accd3eca2870d7f6807dd6d27a955e2fac249421d715f6d82f29d.exe (1.0MB)
- C:\Users\Admin\AppData\Local\Temp\nsc3401.tmp\InstallOptions.dll (14KB)
- C:\Users\Admin\AppData\Local\Temp\nsc3401.tmp\LangDLL.dll (5KB)
- C:\Users\Admin\AppData\Local\Temp\nsc3401.tmp\System.dll (11KB)
- C:\Users\Admin\AppData\Local\Temp\nsc3401.tmp\ioSpecial.ini (696B)
- C:\Users\Admin\AppData\Local\icsys.icn.exe (224KB)
- C:\Users\Admin\AppData\Roaming\mrsys.exe (225KB)
- C:\Windows\System\explorer.exe (224KB)
- C:\Windows\System\spoolsv.exe (224KB)
- C:\Windows\System\svchost.exe (224KB)
- \??\PIPE\atsvc
- memory/1248-61-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1248-0-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/2212-60-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/3732-59-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/4608-56-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/4608-55-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)