4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
Size

636KB
MD5

5a4624a300095f24a92f98bcf5592053
SHA1

244e911a5e463d79932d3396af38b73af90e55ec
SHA256

4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b
SHA512

406ac3714704865375ddea04f087f6c17609589e6a0e2feb659ebab53fecbe5ec717737a56efbbf2faf8a7191473d3614bc0a6a5f5fd164158af72b8380d1ef0
SSDEEP

6144:UsLqdufVUNDalaB5Ra5KjbaFmsb/IbPU2K5XYjP3slUvZZIU5OS:PFUNDalaB5M5KjGwUk0JAOS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
4832	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
376	icsys.icn.exe
4564	explorer.exe
408	spoolsv.exe
4588	svchost.exe
1084	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe
376	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4564	explorer.exe
4588	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
376	icsys.icn.exe
376	icsys.icn.exe
4564	explorer.exe
4564	explorer.exe
408	spoolsv.exe
408	spoolsv.exe
4588	svchost.exe
4588	svchost.exe
1084	spoolsv.exe
1084	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4832	3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe	85
PID 3512 wrote to memory of 4832	3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe	85
PID 3512 wrote to memory of 376	3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe	86
PID 3512 wrote to memory of 376	3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe	86
PID 3512 wrote to memory of 376	3512	4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe	86
PID 376 wrote to memory of 4564	376	icsys.icn.exe	87
PID 376 wrote to memory of 4564	376	icsys.icn.exe	87
PID 376 wrote to memory of 4564	376	icsys.icn.exe	87
PID 4564 wrote to memory of 408	4564	explorer.exe	88
PID 4564 wrote to memory of 408	4564	explorer.exe	88
PID 4564 wrote to memory of 408	4564	explorer.exe	88
PID 408 wrote to memory of 4588	408	spoolsv.exe	89
PID 408 wrote to memory of 4588	408	spoolsv.exe	89
PID 408 wrote to memory of 4588	408	spoolsv.exe	89
PID 4588 wrote to memory of 1084	4588	svchost.exe	91
PID 4588 wrote to memory of 1084	4588	svchost.exe	91
PID 4588 wrote to memory of 1084	4588	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
"C:\Users\Admin\AppData\Local\Temp\4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- \??\c:\users\admin\appdata\local\temp\4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
  c:\users\admin\appdata\local\temp\4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:376
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:408
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f675ed468c929047177a9f6aa1b48ef72a407b55638b507c88c0776c880747b.exe

Filesize
501KB

MD5
92e18c9f1e6c9f4ad8f03c78f6437942

SHA1
40b8ec37f3a192074df7a68ce19ee1c3549a8e60

SHA256
e77d0af823e37c326222ad804b56da70c3dcb1fcf469dc4dc782a592ef4f6e0b

SHA512
ffef00b80c5cb99dc25e2ba3ab2935fd0fb380abf32d742b69090ca4539477e96bf408bc5477143233b8760b92119684f859106ed1ce860bb32b37cebe818df1

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
deec6d6b6eb85d8fcbff037b51622a34

SHA1
e7cde688a6c2b3ec3399129d9be0c1dc6c132529

SHA256
814804c280fd99c18283396c75d9850b0aa1b4b78c14fadf4e4b25b9ff9ed4a8

SHA512
041ff5e2c224a7b24c092415b7e1db6a027b55c208fbbcbfe84a049c65e49acc7da00c08e0aca245cb0f7fb51bef55eb29e8eeac287058cdd72a6514cdf54af8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
59dc5e9d9e1f40eb87bda1eb09826327

SHA1
dfa6de35475afaa05de5efdc9251a169d3b1c39e

SHA256
9aacf57aa2ce957c8a613ff6c606f354d2b46ce35c1e0f1a9068fc32eb76ef4d

SHA512
1cf784c9e3d58b3be59e501918d5e3cbcf18200804e8cd834db23f8131f0840928984e89243ce110b9b47f4564b1a23f8ffb9baefc4f64f0dff1e3487b7f404f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
36844ded0805ec71a7f9443fe1c50cd4

SHA1
94691059e9d62d667c2123587f2b44163a6dbd28

SHA256
db8fa42a7e62c70693d391823c4949916807b839712601e565cb650dc69ff0f3

SHA512
1c8e2375ebb4e48dad57c4e942d63e50154522288d75535a79c5d5d6cbd042fe1e59b1f3d84abd5fb7ef7c5776a07914c98ea7e852a5e9ab4b1b7dda6aa105af

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
72783f7c03e7c6a5c84bf4d39a65e10d

SHA1
ad4aeee5397a08fd65b715f1906f4ff27a69d0aa

SHA256
b9cd9cac1439d56b6773cffed8ad85abe2c150ece152d7fc4c0c59d446dada9b

SHA512
73074c6bb00c21c86c1c64773b13fbffc281fd886e00dc7bd5c494b4eb4d10cca53e30a438b5c43d1a5ff7b4266b715d3e7dc9102afb300b50f9b39dad3937b7

Download Submit
memory/376-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/408-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1084-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3512-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3512-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4564-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download