2753ea9dbe4dd4fe20d2c6eacb309345bc4e1bcc68246c7efa075070f8a400e3

Analysis

max time kernel
35s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 17:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ConsoleApp9.exe
Size

277KB
MD5

2f3cf381f89d48ed3c3c3aff30d56bd2
SHA1

55a294d35ce65f4910e9d93148a60aab12ab2c00
SHA256

2753ea9dbe4dd4fe20d2c6eacb309345bc4e1bcc68246c7efa075070f8a400e3
SHA512

ea40f8bcd839870961304ca1dffae3d4f09c21148b8fa11c468f3962fe186787b269efd80fe14022c82d99975c27ec4f8ab60db2a2296bc6ebc8dfe06dc2ecac
SSDEEP

6144:UsLqdufVUNDaHiS4ompB9S3BZi0a1G78IVhclctEqn:PFUNDaHyB0aI78IVrn

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
3656	consoleapp9.exe
2920	icsys.icn.exe
956	explorer.exe
2948	spoolsv.exe
3916	svchost.exe
2332	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	ConsoleApp9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
2920	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
956	explorer.exe
3916	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3364	ConsoleApp9.exe
3364	ConsoleApp9.exe
2920	icsys.icn.exe
2920	icsys.icn.exe
956	explorer.exe
956	explorer.exe
2948	spoolsv.exe
2948	spoolsv.exe
3916	svchost.exe
3916	svchost.exe
2332	spoolsv.exe
2332	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3656	3364	ConsoleApp9.exe	83
PID 3364 wrote to memory of 3656	3364	ConsoleApp9.exe	83
PID 3364 wrote to memory of 2920	3364	ConsoleApp9.exe	85
PID 3364 wrote to memory of 2920	3364	ConsoleApp9.exe	85
PID 3364 wrote to memory of 2920	3364	ConsoleApp9.exe	85
PID 2920 wrote to memory of 956	2920	icsys.icn.exe	86
PID 2920 wrote to memory of 956	2920	icsys.icn.exe	86
PID 2920 wrote to memory of 956	2920	icsys.icn.exe	86
PID 956 wrote to memory of 2948	956	explorer.exe	87
PID 956 wrote to memory of 2948	956	explorer.exe	87
PID 956 wrote to memory of 2948	956	explorer.exe	87
PID 2948 wrote to memory of 3916	2948	spoolsv.exe	88
PID 2948 wrote to memory of 3916	2948	spoolsv.exe	88
PID 2948 wrote to memory of 3916	2948	spoolsv.exe	88
PID 3916 wrote to memory of 2332	3916	svchost.exe	89
PID 3916 wrote to memory of 2332	3916	svchost.exe	89
PID 3916 wrote to memory of 2332	3916	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\ConsoleApp9.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApp9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364
- \??\c:\users\admin\appdata\local\temp\consoleapp9.exe
  c:\users\admin\appdata\local\temp\consoleapp9.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:956
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2948
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\consoleapp9.exe

Filesize
142KB

MD5
57f936c53b864311295b7ad3848c820d

SHA1
bba93dc75f074f7bb963034958e760277e565e74

SHA256
6aa8304018801a86c35bf7c2d3be3c25e500ea3b50b1b19f8691b2861b260c4e

SHA512
fa772a2c98c385fb9ab703f2f23ee7114216aae8e1c7ad1b0b2c7b4c3de98c0ddf440f6eb06eba0c2522589364bdfc28b7536e368b15339269599ef15b8fc7fa

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
19725e9a74e25363fdacbe845add488e

SHA1
44137f005420ce10ce50398757cd4f02ab6d3ce2

SHA256
010b6f15b9e7ce2f8cfbff0c06fe6ea4274912e8283b74624807c75ca90810c7

SHA512
ed530a55260fee1f7b8a953c98c1bfc83ffe8177add7b937c2258b99dae870c311a7aaac4d9261f861117c555874c21687087da414cae2ca8151351c6cb1fe66

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
da4f2005fb79182d309f1ad3dd00fb71

SHA1
c5dd972c9494d924a2e8e33f28044fa5fc925900

SHA256
3643e4e95cacd04d101630038ac2f9077d7a65c85ca17bf8eb172ed58c90b233

SHA512
aa2e89298846fd3b3dc4c972019a6c18b3bfb37204a2a45849b15a400de257b86c6c676be0beaf13a712727d81a7f1241ca719c5bfcec6375b7ab85960cb6e77

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
58160ebe9163bbb3bc5655532851f6c6

SHA1
309f36c0b6c5efd957d0174cbf7647026868a196

SHA256
638b574e5410834d12331a1a62713196d7d5cb8fb33548531726e47827153385

SHA512
5f805ed3c322574669b1fcb49a41d63b05130c594fa15c2f71c2c2ba6d2a9282f52a930797a84e0813ee4983927f5f6483aa5b1b34542c66305b2a4c1a46250d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fb8e99bedd42b2f3194cbee19506e644

SHA1
bb36a4e9974337ca15cdb49178220f9d7242fd90

SHA256
5537d1161e33aeedc01bf36773641c2e60a47670f0f7ad9af631778819d14dbf

SHA512
15c65da68ecaaee379db09c4014227b4ce5a36b95c62ebf14fa57e391520fec2eaee204a95cc41dc3f761032fe9608e328d34fd0a72c1be5e1a78c016098ae03

Download Submit
memory/956-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2920-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2948-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download