Malware Analysis Report

2024-10-10 08:08

Sample ID 240611-d46r5asfnf
Target bf3f5123a1a71b1f9f235cbc325d1c70.bin
SHA256 4a8f10759984f27edaed60d418d231f564c406817b6398f462daa3deb8a05867
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a8f10759984f27edaed60d418d231f564c406817b6398f462daa3deb8a05867

Threat Level: Known bad

The file bf3f5123a1a71b1f9f235cbc325d1c70.bin was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:34

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:34

Reported

2024-06-11 03:37

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
PID 2400 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2600 wrote to memory of 2880 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2880 wrote to memory of 1676 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1676 wrote to memory of 828 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 828 wrote to memory of 2360 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2880 wrote to memory of 2508 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 828 wrote to memory of 2152 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 600 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 1584 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe

"C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe"

\??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:36 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:37 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:38 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/2400-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2400-1-0x0000000077170000-0x0000000077172000-memory.dmp

\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

MD5 6557bd5240397f026e675afb78544a26
SHA1 839e683bf68703d373b6eac246f19386bb181713
SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

\Windows\Resources\Themes\icsys.icn.exe

MD5 95f9ad7a3c0d5efccb69d1f73865e9bb
SHA1 5f37f0bab11636ac69178f6d55be82215db722fa
SHA256 27ec9335413985ca8abdc8552096b95e73eb784e773eeda5b577db864871d99a
SHA512 709ba17de1626e596c965e4a0b1144d68e4423df7fc55e5011a74be74117f0a6a7ec29ef25ad696ad39b8fa94887a2d13036139f78c58dee116bab0b46a94f25

memory/2728-19-0x0000000000D90000-0x0000000000D9A000-memory.dmp

memory/2600-18-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2728-17-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

memory/2400-16-0x0000000003460000-0x0000000003A6E000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 705efc00603c0b4c57116e1fdc70fab6
SHA1 67bd0bc8670654e113c5a825d613ce6c070d00ae
SHA256 62427ce925cb97c01d49ef8280e817dbd4b52dd5144f0885b4116acd66a87b31
SHA512 5ca0ff74062b1229eb5eb42106d1f8941dfbb238f5630970917fb549867b970daf5c1a0f4394e22e583062d113b2e87eaa2aad9d671b97a8fa78e02ee988c7ec

memory/2600-29-0x0000000003760000-0x0000000003D6E000-memory.dmp

memory/2728-32-0x0000000004910000-0x0000000004950000-memory.dmp

memory/2880-31-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 2fd70a0bc1d41536fcc6f7bf12531cf3
SHA1 c95817624252bd2e20f6cfe17285b8d99d2c3f06
SHA256 a1d41716a93e973d77b8573ec01d01667f39e534c9e642352193f0816840754d
SHA512 688651e715bf82773a8b2585c81bb44650555470528956135e3615ba788f0e210090c233c78f3dabc42f2b2330cd8cc94761b2eb59534a53b1a0729f7161888f

memory/2880-42-0x0000000003770000-0x0000000003D7E000-memory.dmp

memory/1676-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2400-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 1da8c5cdddcf2d054da6af08a74328cd
SHA1 b1bf290ade68657d7c415c5cbc761a595a84158b
SHA256 d7e1235a89af8f642758ccea38d8fbf53301f8f1b2107810613e178455b047b3
SHA512 c56f21aa8f2a0a331868af38741cf90d352a240a228fab5105aea366e619f5b4aca668f969fd48bffb8dc9a4511c5774471b514469096388a06aa9a732f85f31

memory/2400-57-0x0000000003460000-0x0000000003A6E000-memory.dmp

memory/1676-56-0x0000000003600000-0x0000000003C0E000-memory.dmp

memory/2728-64-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

memory/2600-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2360-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/828-65-0x0000000003390000-0x000000000399E000-memory.dmp

memory/828-58-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2360-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1676-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2600-77-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2400-79-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2880-80-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/828-82-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2880-93-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2880-99-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2880-103-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:34

Reported

2024-06-11 03:37

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe  N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
PID 2144 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4708 wrote to memory of 4136 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4136 wrote to memory of 3328 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3328 wrote to memory of 4080 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4080 wrote to memory of 1628 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3004 wrote to memory of 2348 N/A \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe

"C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe"

\??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 48.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:56439 N/A tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/2144-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2144-1-0x0000000076F04000-0x0000000076F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe 

MD5 6557bd5240397f026e675afb78544a26
SHA1 839e683bf68703d373b6eac246f19386bb181713
SHA256 a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
SHA512 f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 95f9ad7a3c0d5efccb69d1f73865e9bb
SHA1 5f37f0bab11636ac69178f6d55be82215db722fa
SHA256 27ec9335413985ca8abdc8552096b95e73eb784e773eeda5b577db864871d99a
SHA512 709ba17de1626e596c965e4a0b1144d68e4423df7fc55e5011a74be74117f0a6a7ec29ef25ad696ad39b8fa94887a2d13036139f78c58dee116bab0b46a94f25

C:\Windows\Resources\Themes\explorer.exe

MD5 72d6ba3ab57c45dd98dbb41a70eeb1cf
SHA1 83bda03ff4b72d1e97519b0ef1bf852d442de465
SHA256 86269e1fcfe3b262318357a5cb35eaf9c71a7b0405ddebb83c23a427c26d86f8
SHA512 e8f4f248c57011aebea9741b026759d72627194b9de698c298e8fd1cd286d107972ffa09ca2a73480f781d18ecfe2dc1d3f5b9676b839877aae37d9f491b0983

\??\c:\windows\resources\spoolsv.exe

MD5 43c591ead0589c76f62108a6ccdf51c8
SHA1 efe2b962df20737c52d867773d2caa92246698ea
SHA256 c275b12f9c90bfb39704b5a17bf92b30cd9c81907d6c97b40dd0420bc6ce952e
SHA512 c5321c7db62c7bbcb852e6e26c0c17f84e1f611cb152a26617fb5bb03714d8223a6c364e966bb109ee61962e41919fd342e020b6c7991e8801c21a35d810fbea

C:\Windows\Resources\svchost.exe

MD5 36b4592cbcd2d130d32aef00d18a4de6
SHA1 91fc27917833ea62811a90db75c9e204675c354c
SHA256 cfe2dca29e7da29e2e98f9a2ca37b97e10a871ab145b80251295097b904047fd
SHA512 344860af53885b9301685e59e72e123bf28ef99a9d394ebab96e78e56d2cf2e89930f90595b6511bfb8cab622038b1b8091e13ca0b1b246b558ceb33e023feca

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

MD5 d0104f79f0b4f03bbcd3b287fa04cf8c
SHA1 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512 daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc

MD5 c2ab942102236f987048d0d84d73d960
SHA1 95462172699187ac02eaec6074024b26e6d71cff
SHA256 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512 e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc

MD5 c28b0fe9be6e306cc2ad30fe00e3db10
SHA1 af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA256 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512 e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE

MD5 13babc4f212ce635d68da544339c962b
SHA1 4881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256 bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA512 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe

MD5 15cdabcecc4ae0ec3253b1625156b0a7
SHA1 fa1b2c6a2be53578ef278706cdee6f725e00b003
SHA256 6dbcc562d627628e45187afbd2421be88797e20e36910393a883e361973da553
SHA512 c9a1740bf5fed7cbc6d91ab92222b178fe4a8ab2d75dd8f18d827046bab88d7632b0751e953e77e29aaf9a9bf390697e94f23e172cfe034a4263bcf7c7149106

memory/2348-1528-0x000001A2741D0000-0x000001A2741EA000-memory.dmp

memory/3004-1527-0x0000000073F70000-0x0000000074720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll

MD5 aead90ab96e2853f59be27c4ec1e4853
SHA1 43cdedde26488d3209e17efff9a51e1f944eb35f
SHA256 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512 f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll

MD5 34ec990ed346ec6a4f14841b12280c20
SHA1 6587164274a1ae7f47bdb9d71d066b83241576f0
SHA256 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512 b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll

MD5 851fee9a41856b588847cf8272645f58
SHA1 ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA256 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512 cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

memory/2348-1535-0x000001A2766E0000-0x000001A27675E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll

MD5 a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1 dd109ac34beb8289030e4ec0a026297b793f64a3
SHA256 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA512 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll

MD5 8518e81caa4b5a961656b687300b64f3
SHA1 3079b0a84cca1f8b270a331c68cf0c134f42aedf
SHA256 4179c99032b9698a74a0b395541b8a7124531ecc053428fae0916a02b78364e1
SHA512 20a99e88e1657ca41ba7ecf31e4a1fff56b721dfa55b7a10531715bb674ab11abfa08c5e7d53ce9cef78cf63bcc3248e8131ca5674d8169d7ac4ac8f0a1385bf

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll

MD5 e31f5136d91bad0fcbce053aac798a30
SHA1 ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256 ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512 a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll

MD5 75365924730b0b2c1a6ee9028ef07685
SHA1 a10687c37deb2ce5422140b541a64ac15534250f
SHA256 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512 c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll

MD5 7a2b8cfcd543f6e4ebca43162b67d610
SHA1 c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA256 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512 e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt

MD5 90ab85df5911788b1854471ea0ec089b
SHA1 200d9344a10cb3db22c57702aab70c2b4bc82441
SHA256 101a4b9ca4726507d6c0b588ffef0fab838ddbafb01f222bd5bba86438b5da99
SHA512 14f62770a168439476a8013edc3ce075ffab116266ef456a4dab75ac00b1f15daa4feacba07276113988a491bcc62ef97d6c33a360169d1e252b9bc6d6cf01a1
