b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Size

3.4MB
MD5

0f51ec7c96b3aea6bc92fccf6d35d33a
SHA1

23fbc7da031821c92a3b10d27af83659e2732bef
SHA256

b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0
SHA512

8093fabed75e1932a83d9ee6b26ac2d63d26ebc447cb4334727585a4b0c70689634317acb92ee9a090175cc56079b1babef5aa5969077d27e5ada5bf127b7f3f
SSDEEP

49152:t7Zi5hu7I/BzfK/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hi:NI5ht/BzfKW1t0xOouBiCV2Hw

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1624	icsys.icn.exe
4536	explorer.exe
2224	spoolsv.exe
3908	svchost.exe
4620	spoolsv.exe

Loads dropped DLL 3 IoCs

pid	Process
1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
1624	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4536	explorer.exe
3908	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Token: SeShutdownPrivilege	1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
Token: SeCreatePagefilePrivilege	1440	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
1624	icsys.icn.exe
1624	icsys.icn.exe
4536	explorer.exe
4536	explorer.exe
2224	spoolsv.exe
2224	spoolsv.exe
3908	svchost.exe
3908	svchost.exe
4620	spoolsv.exe
4620	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1440	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	83
PID 224 wrote to memory of 1440	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	83
PID 224 wrote to memory of 1440	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	83
PID 224 wrote to memory of 1624	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	84
PID 224 wrote to memory of 1624	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	84
PID 224 wrote to memory of 1624	224	b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe	84
PID 1624 wrote to memory of 4536	1624	icsys.icn.exe	86
PID 1624 wrote to memory of 4536	1624	icsys.icn.exe	86
PID 1624 wrote to memory of 4536	1624	icsys.icn.exe	86
PID 4536 wrote to memory of 2224	4536	explorer.exe	88
PID 4536 wrote to memory of 2224	4536	explorer.exe	88
PID 4536 wrote to memory of 2224	4536	explorer.exe	88
PID 2224 wrote to memory of 3908	2224	spoolsv.exe	89
PID 2224 wrote to memory of 3908	2224	spoolsv.exe	89
PID 2224 wrote to memory of 3908	2224	spoolsv.exe	89
PID 3908 wrote to memory of 4620	3908	svchost.exe	90
PID 3908 wrote to memory of 4620	3908	svchost.exe	90
PID 3908 wrote to memory of 4620	3908	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
"C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- \??\c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
  c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2224
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Filesize
3.3MB

MD5
7c2e5ef59e9589422bcd5bf3726fbcb1

SHA1
c4dac6966ac4cd3500d6a7fe44138a0db639d507

SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

SHA512
28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a24ed172be22109145a691a811244db9

SHA1
77df5a4892b2e31d5e06c99f206dd65042866b22

SHA256
6ad8d49632a52c43c667189447f17f9a81c19cad63c4cbfa76499709eecd31d1

SHA512
6c629b403d23eea6867dfc166015c01ba69422cc399c3d8b254a354e9e09d691420910eeb022cebe73661c4c8c829a4c55460c39a3311c99e1c07d1f01bfb49a

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
166f4152bd7ae24054f26a7c6f42bc55

SHA1
4853a1ffe4b68226038eefb0da4194553baa7a32

SHA256
8218bac4715775aacd67b699950e516ec7067cd2cba4f248572802639109f6eb

SHA512
cf73e62db1a4613fc58a401fc4d5c2fa98a193ccb2e1e788d839d5cee8cfda8c150bfd6f8c3a93f221dfee24c5a08962bf7b2b12796da7942db1223fb7cf7dbe

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d6b710bd9cf858ebc3f6870e334b2d3b

SHA1
531a8a2de7c8f03eca7678799c4b6c52f47dac20

SHA256
fc5f99eb790883d70ddade3b73c20b01b62ff5ece5484de470d7892db16f0c68

SHA512
c3104dffbfa6e3d4fd12bc802d723cbd1d3d2651a4e901b53bea67dc3fccb84ab12e0db680210b11be2655925d52ba89d2b300ebe975e8c731f44f74563996be

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
3338de1eb0ae5227018ff9fcdf339c5c

SHA1
f9135be2608f904e28a0f81791f3919907b6791c

SHA256
479f8c2f8dc1b41bf644f29473a4bd098eaa8be922f01a6c86368e868cec7873

SHA512
afd1007bb8671e0e6d7e6cd034aaa632130e3f6ff8cf239259766e74f2537180815bb2fdf716523f4a00c854a796977cc2545ba41a90c78a0592b7289d43c71f

Download Submit
memory/224-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/224-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-75-0x0000000072B2E000-0x0000000072B2F000-memory.dmp

Filesize
4KB

Download
memory/1440-71-0x000000000A270000-0x000000000A30C000-memory.dmp

Filesize
624KB

Download
memory/1440-39-0x00000000090B0000-0x0000000009654000-memory.dmp

Filesize
5.6MB

Download
memory/1440-42-0x0000000008CE0000-0x0000000008D72000-memory.dmp

Filesize
584KB

Download
memory/1440-34-0x0000000006240000-0x0000000006254000-memory.dmp

Filesize
80KB

Download
memory/1440-27-0x00000000063A0000-0x00000000063B0000-memory.dmp

Filesize
64KB

Download
memory/1440-74-0x00000000063A0000-0x00000000063B0000-memory.dmp

Filesize
64KB

Download
memory/1440-73-0x000000000A8B0000-0x000000000ADDC000-memory.dmp

Filesize
5.2MB

Download
memory/1440-72-0x000000000A310000-0x000000000A376000-memory.dmp

Filesize
408KB

Download
memory/1440-35-0x00000000733D0000-0x00000000733E4000-memory.dmp

Filesize
80KB

Download
memory/1440-28-0x0000000072B2E000-0x0000000072B2F000-memory.dmp

Filesize
4KB

Download
memory/1440-70-0x000000000A190000-0x000000000A1D4000-memory.dmp

Filesize
272KB

Download
memory/1624-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4536-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download