0359e89e0cff0d5537c3e4cf032b1e66f2f49b969a20737563e6ba72d06f1512

Resubmissions

20/06/2024, 02:28

240620-cx37zstekh 10

20/06/2024, 02:15

240620-cpmv2axfkl 10

20/06/2024, 02:12

240620-cmvg4axemm 10

20/06/2024, 02:08

240620-ckswgsshla 10

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DemonWare.exe
Size

25.0MB
MD5

40f76deda9228388017c91aca9621de5
SHA1

f45e55b76725263883a9e40cefcd3a9d88ab89c0
SHA256

0359e89e0cff0d5537c3e4cf032b1e66f2f49b969a20737563e6ba72d06f1512
SHA512

1ad3ee7759aea345f29352ee29fa68193a0c2234b9e92f59f060b7361d6f2ac6cf89f6522c8772f67794a8ef3622cace5152a062630c5627010fe2412f6c345d
SSDEEP

393216:SqPnLFXlr4b7n0jcwQ4yRTDOETgs77cGQrVgm8dIYpM/EdUvEFUkPQLsq:XPLFXNEicwQ4yAE7yBfkI1oodkBq

Score

10^/10

evasion persistence pyinstaller upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 8 IoCs

pid	Process
2988	demonware.exe
852	demonware.exe
1064	Process not Found
2704	icsys.icn.exe
3000	explorer.exe
2468	spoolsv.exe
2536	svchost.exe
2644	spoolsv.exe

Loads dropped DLL 14 IoCs

pid	Process
2672	DemonWare.exe
2988	demonware.exe
852	demonware.exe
852	demonware.exe
852	demonware.exe
852	demonware.exe
852	demonware.exe
852	demonware.exe
852	demonware.exe
2672	DemonWare.exe
2704	icsys.icn.exe
3000	explorer.exe
2468	spoolsv.exe
2536	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4e7-207.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	DemonWare.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000014b1c-6.dat	pyinstaller

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2636	schtasks.exe
1768	schtasks.exe
996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2672	DemonWare.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3000	explorer.exe
2536	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2672	DemonWare.exe
2672	DemonWare.exe
2704	icsys.icn.exe
2704	icsys.icn.exe
3000	explorer.exe
3000	explorer.exe
2468	spoolsv.exe
2468	spoolsv.exe
2536	svchost.exe
2536	svchost.exe
2644	spoolsv.exe
2644	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2988	2672	DemonWare.exe	28
PID 2672 wrote to memory of 2988	2672	DemonWare.exe	28
PID 2672 wrote to memory of 2988	2672	DemonWare.exe	28
PID 2672 wrote to memory of 2988	2672	DemonWare.exe	28
PID 2988 wrote to memory of 852	2988	demonware.exe	29
PID 2988 wrote to memory of 852	2988	demonware.exe	29
PID 2988 wrote to memory of 852	2988	demonware.exe	29
PID 2672 wrote to memory of 2704	2672	DemonWare.exe	30
PID 2672 wrote to memory of 2704	2672	DemonWare.exe	30
PID 2672 wrote to memory of 2704	2672	DemonWare.exe	30
PID 2672 wrote to memory of 2704	2672	DemonWare.exe	30
PID 2704 wrote to memory of 3000	2704	icsys.icn.exe	31
PID 2704 wrote to memory of 3000	2704	icsys.icn.exe	31
PID 2704 wrote to memory of 3000	2704	icsys.icn.exe	31
PID 2704 wrote to memory of 3000	2704	icsys.icn.exe	31
PID 3000 wrote to memory of 2468	3000	explorer.exe	32
PID 3000 wrote to memory of 2468	3000	explorer.exe	32
PID 3000 wrote to memory of 2468	3000	explorer.exe	32
PID 3000 wrote to memory of 2468	3000	explorer.exe	32
PID 2468 wrote to memory of 2536	2468	spoolsv.exe	33
PID 2468 wrote to memory of 2536	2468	spoolsv.exe	33
PID 2468 wrote to memory of 2536	2468	spoolsv.exe	33
PID 2468 wrote to memory of 2536	2468	spoolsv.exe	33
PID 2536 wrote to memory of 2644	2536	svchost.exe	34
PID 2536 wrote to memory of 2644	2536	svchost.exe	34
PID 2536 wrote to memory of 2644	2536	svchost.exe	34
PID 2536 wrote to memory of 2644	2536	svchost.exe	34
PID 3000 wrote to memory of 2576	3000	explorer.exe	35
PID 3000 wrote to memory of 2576	3000	explorer.exe	35
PID 3000 wrote to memory of 2576	3000	explorer.exe	35
PID 3000 wrote to memory of 2576	3000	explorer.exe	35
PID 2536 wrote to memory of 2636	2536	svchost.exe	36
PID 2536 wrote to memory of 2636	2536	svchost.exe	36
PID 2536 wrote to memory of 2636	2536	svchost.exe	36
PID 2536 wrote to memory of 2636	2536	svchost.exe	36
PID 2536 wrote to memory of 1768	2536	svchost.exe	41
PID 2536 wrote to memory of 1768	2536	svchost.exe	41
PID 2536 wrote to memory of 1768	2536	svchost.exe	41
PID 2536 wrote to memory of 1768	2536	svchost.exe	41
PID 2536 wrote to memory of 996	2536	svchost.exe	43
PID 2536 wrote to memory of 996	2536	svchost.exe	43
PID 2536 wrote to memory of 996	2536	svchost.exe	43
PID 2536 wrote to memory of 996	2536	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\DemonWare.exe
"C:\Users\Admin\AppData\Local\Temp\DemonWare.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- \??\c:\users\admin\appdata\local\temp\demonware.exe
  c:\users\admin\appdata\local\temp\demonware.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - \??\c:\users\admin\appdata\local\temp\demonware.exe
    c:\users\admin\appdata\local\temp\demonware.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:852
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2468
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:17 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:18 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:19 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29882\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
413KB

MD5
844d2a82f491dcdb371a149b9a2d4ab0

SHA1
427d98500273d0f81b700ca0920594a5d723169c

SHA256
a43f7b3b1c2071927f8449ef5da1d8e31ef8199549b5fa1930f77c22a0d9a18d

SHA512
c362c7c9cd587e91bc00289e723121eedf86ee6920e9d819fbafcadbfbad87343dea8dacb4812c9235db5c2c72ed610b8321c7229171e7f65ceb16896bc9cc9d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
413KB

MD5
f5d6ceb101de6aab33fffae687bf1781

SHA1
0dd4c067b3944e3b0f3ef747692319fd51c11309

SHA256
8cfbbafc221abc8079f8a6b6e11aeabd36b2e58c46e8e63a8438fcc64ca78758

SHA512
80c8409e4720e01c3cb187577f9bf5a4b6969b089f49beb710564491267fca1228379a2a7cfd878966fddca35ea93f634a08acb09af95d520620d7ded4b98eb8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29882\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\demonware.exe

Filesize
24.6MB

MD5
46baf83fb95e22e34ae73658e40583fd

SHA1
8b5c3072ede486f392dbe9d1d08326d6baa1c851

SHA256
bccca4526fc6c918057f568611a258a665c7184e808f49c1d792f67bdbb6adc0

SHA512
f9f7f80a0abeb5ebfa4d5154af17101a01bc558b2f646ccf5e72759cdcafe4a8a6a75c50af7a5d5be36e1ba46cad25634ab526e420718007c1704140e852c781

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
383KB

MD5
470d580f994cd1bd50edcbb4527473eb

SHA1
356a9fa5811377bb84eeb921b304658d06d1803c

SHA256
48493d4a9a2163d189357d44ffdc1a5f4478289a283c8d044ca6a2558a81f0fd

SHA512
fd78bb448cdeb94378a58e8fb7eda80a744bc264b5fdf862ddf25fbc3b6bff35fd713780bc300f955bc3ac8d8de2190e6df928189ecbb726ecf454ed9397d11c

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
413KB

MD5
6bfaa0d13f1679e428818f8b90630497

SHA1
0abd8cf252bd11ae0bd23fa089ec5da38e3005fd

SHA256
eb82ffd0c64a917ea15676111c140a36bafd829c8443cdc4365ac31348804541

SHA512
bbe89a26a69de153d8e2b85f33a4628e5c6dfca151ad619181318da1685eed63d5f767c2875b25f57938a4cdb14238724779e1a4e3ea267695b07fd8c2ed739f

Download Submit
memory/852-210-0x000007FEF5AF0000-0x000007FEF5F5E000-memory.dmp

Filesize
4.4MB

Download
memory/2468-422-0x0000000000460000-0x00000000004BD000-memory.dmp

Filesize
372KB

Download
memory/2468-433-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-432-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2672-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2672-435-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2704-400-0x0000000001FD0000-0x000000000202D000-memory.dmp

Filesize
372KB

Download
memory/2704-434-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download