b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Size

3.4MB
MD5

0f51ec7c96b3aea6bc92fccf6d35d33a
SHA1

23fbc7da031821c92a3b10d27af83659e2732bef
SHA256

b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0
SHA512

8093fabed75e1932a83d9ee6b26ac2d63d26ebc447cb4334727585a4b0c70689634317acb92ee9a090175cc56079b1babef5aa5969077d27e5ada5bf127b7f3f
SSDEEP

49152:t7Zi5hu7I/BzfK/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hi:NI5ht/BzfKW1t0xOouBiCV2Hw

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2144	icsys.icn.exe
2732	explorer.exe
2196	spoolsv.exe
2508	svchost.exe
2908	spoolsv.exe

Loads dropped DLL 9 IoCs

pid	Process
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2144	icsys.icn.exe
2732	explorer.exe
2196	spoolsv.exe
2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2508	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1372	schtasks.exe
2012	schtasks.exe
2680	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe
2508	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2732	explorer.exe
2508	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Token: SeShutdownPrivilege	2964	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
2144	icsys.icn.exe
2144	icsys.icn.exe
2732	explorer.exe
2732	explorer.exe
2196	spoolsv.exe
2196	spoolsv.exe
2508	svchost.exe
2508	svchost.exe
2908	spoolsv.exe
2908	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2964	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	28
PID 1636 wrote to memory of 2964	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	28
PID 1636 wrote to memory of 2964	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	28
PID 1636 wrote to memory of 2964	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	28
PID 1636 wrote to memory of 2144	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	29
PID 1636 wrote to memory of 2144	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	29
PID 1636 wrote to memory of 2144	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	29
PID 1636 wrote to memory of 2144	1636	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	29
PID 2144 wrote to memory of 2732	2144	icsys.icn.exe	30
PID 2144 wrote to memory of 2732	2144	icsys.icn.exe	30
PID 2144 wrote to memory of 2732	2144	icsys.icn.exe	30
PID 2144 wrote to memory of 2732	2144	icsys.icn.exe	30
PID 2732 wrote to memory of 2196	2732	explorer.exe	31
PID 2732 wrote to memory of 2196	2732	explorer.exe	31
PID 2732 wrote to memory of 2196	2732	explorer.exe	31
PID 2732 wrote to memory of 2196	2732	explorer.exe	31
PID 2196 wrote to memory of 2508	2196	spoolsv.exe	32
PID 2196 wrote to memory of 2508	2196	spoolsv.exe	32
PID 2196 wrote to memory of 2508	2196	spoolsv.exe	32
PID 2196 wrote to memory of 2508	2196	spoolsv.exe	32
PID 2508 wrote to memory of 2908	2508	svchost.exe	33
PID 2508 wrote to memory of 2908	2508	svchost.exe	33
PID 2508 wrote to memory of 2908	2508	svchost.exe	33
PID 2508 wrote to memory of 2908	2508	svchost.exe	33
PID 2732 wrote to memory of 296	2732	explorer.exe	34
PID 2732 wrote to memory of 296	2732	explorer.exe	34
PID 2732 wrote to memory of 296	2732	explorer.exe	34
PID 2732 wrote to memory of 296	2732	explorer.exe	34
PID 2508 wrote to memory of 1372	2508	svchost.exe	35
PID 2508 wrote to memory of 1372	2508	svchost.exe	35
PID 2508 wrote to memory of 1372	2508	svchost.exe	35
PID 2508 wrote to memory of 1372	2508	svchost.exe	35
PID 2508 wrote to memory of 2012	2508	svchost.exe	40
PID 2508 wrote to memory of 2012	2508	svchost.exe	40
PID 2508 wrote to memory of 2012	2508	svchost.exe	40
PID 2508 wrote to memory of 2012	2508	svchost.exe	40
PID 2508 wrote to memory of 2680	2508	svchost.exe	42
PID 2508 wrote to memory of 2680	2508	svchost.exe	42
PID 2508 wrote to memory of 2680	2508	svchost.exe	42
PID 2508 wrote to memory of 2680	2508	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
"C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- \??\c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
  c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2144
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2196
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:47 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1372
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:48 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:49 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2680
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5fdaa4df3a36023b18ba192f1ad22ab

SHA1
301ab1aa5c473ec3c1d1242312d7bc6cd9a4e7e1

SHA256
d803fa5c1eaa45c32a09c24cf4352e6088daff1c4b19d5abee2ebc330d478b38

SHA512
63ad71608059c1fe397abde4b6cdf50c7bb539041d46409ca566d734da064da962fcdd1f9389b4f44df628daf4f6e73970ce63a2b4132b92d781d9344251a84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DA7.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
ccccd9754ffc5e2f4bd1ce3955366f11

SHA1
1e57f92b0a24d8750b178d0cd9af686ed3b9f728

SHA256
2b9a23b4224db60e44b4f6670d01878ee8f4d6e69362794278fac60dbd520d2e

SHA512
d52c6d549e8017f8e615ef35555e036b4c779f47044ecbf260b2e19508a0bdf503ef87f128b25b5079027a6adf6a50b53b67b2347a81332a2282a371886a9332

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Filesize
3.3MB

MD5
7c2e5ef59e9589422bcd5bf3726fbcb1

SHA1
c4dac6966ac4cd3500d6a7fe44138a0db639d507

SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

SHA512
28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
166f4152bd7ae24054f26a7c6f42bc55

SHA1
4853a1ffe4b68226038eefb0da4194553baa7a32

SHA256
8218bac4715775aacd67b699950e516ec7067cd2cba4f248572802639109f6eb

SHA512
cf73e62db1a4613fc58a401fc4d5c2fa98a193ccb2e1e788d839d5cee8cfda8c150bfd6f8c3a93f221dfee24c5a08962bf7b2b12796da7942db1223fb7cf7dbe

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d16aacfed72e6f0d3d20d840e9de6000

SHA1
5fdc6183a041697cdd775132a03831b0ff318a02

SHA256
ef0650608a010dbee06b987c7ec0bf7f5c23339e3e67a848e64bc6c160b1cc79

SHA512
b8720355309f59926ac01d7ca15d75ef12631c0810120fd6fb7ed664519e517996eeae8b8dcd6adc127d15745e5c959819a06254e9282030a7254828c5deab69

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
eb136e4b74e04990b930439ad6cbb822

SHA1
2fb0dbbc5fa3c403b2dafbbe03e84251e1d82d67

SHA256
a73a70facc42ad44e97358c1755b99af4bc4ab61ad7d168d847755115eaa74d6

SHA512
abe734ecfa0b6a5401623d20690010006e295f50a321da5d462e7e45993ef902f72bc5cc4518981fadd3e4cbd636f88dfb1cd50da25e7126265e43c18e22ada2

Download Submit
memory/1636-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-16-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/1636-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-31-0x00000000007A0000-0x00000000007BF000-memory.dmp

Filesize
124KB

Download
memory/2144-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2196-57-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2196-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2964-63-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2964-64-0x00000000746B0000-0x00000000746C4000-memory.dmp

Filesize
80KB

Download
memory/2964-38-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2964-198-0x0000000003340000-0x0000000003384000-memory.dmp

Filesize
272KB

Download
memory/2964-200-0x0000000004310000-0x000000000432F000-memory.dmp

Filesize
124KB

Download
memory/2964-199-0x0000000004310000-0x000000000432F000-memory.dmp

Filesize
124KB

Download
memory/2964-201-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download