Analysis
max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 03/07/2024, 04:47

Static task: static1
Behavioral task: behavioral1
  Sample: f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
  Resource: win10v2004-20240611-en
General
Target: f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
Size: 8.2MB
MD5: 12709d6a2c5978d51846af191ac31738
SHA1: 8138730f33c7c44bab8ae478dc33f7b30edbaa60
SHA256: f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f
SHA512: 0e8e41f400256f6f38b2271d0968a78968828564687d8adf98f323a2a9b87d7b4ab7fdf4d90602aa79314d012233b5648f43bf67f09f3622824114a66506346b
SSDEEP: 196608:y+tPHwBW3gYrtIXgWfJqOFdv5Wr/lDuvsivd7uA0yPi9x0rgG9Vba8cTfqVVoV9J:y8HqXBf4JZKka7WyiCWLq0N/
Malware Config

Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
pid | Process
2344 | bcdedit.exe
Executes dropped EXE (17 IoCs)
pid | Process
2160 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
2412 | ISBEW64.exe
2516 | ISBEW64.exe
2936 | ISBEW64.exe
948 | ISBEW64.exe
920 | ISBEW64.exe
2672 | ISBEW64.exe
2884 | ISBEW64.exe
1788 | ISBEW64.exe
1832 | ISBEW64.exe
2424 | ISBEW64.exe
2384 | ISBEW64.exe
828 | icsys.icn.exe
1292 | explorer.exe
2300 | spoolsv.exe
320 | svchost.exe
2844 | spoolsv.exe
Loads dropped DLL (20 IoCs)
pid | Process
1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
2812 | MsiExec.exe (14 entries)
1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
828 | icsys.icn.exe
1292 | explorer.exe
2300 | spoolsv.exe
320 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 46 entries are "File opened (read-only)" by msiexec.exe; the ioc values, in the order recorded, are:
\??\E: \??\O: \??\X: \??\E: \??\H: \??\I: \??\L: \??\V: \??\W: \??\K:
\??\L: \??\A: \??\K: \??\O: \??\R: \??\N: \??\V: \??\J: \??\X: \??\H:
\??\M: \??\A: \??\J: \??\T: \??\Z: \??\N: \??\T: \??\U: \??\Z: \??\Y:
\??\I: \??\U: \??\Y: \??\B: \??\G: \??\P: \??\Q: \??\W: \??\G: \??\P:
\??\S: \??\S: \??\M: \??\Q: \??\B: \??\R:
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1300 | schtasks.exe
1556 | schtasks.exe
2332 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe (16 entries)
828 | icsys.icn.exe (17 entries)
1292 | explorer.exe (16 entries)
320 | svchost.exe (15 entries)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
pid | Process
1292 | explorer.exe
320 | svchost.exe
2584 | msiexec.exe
2812 | MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2584 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2584 | msiexec.exe
Token: SeRestorePrivilege | 2628 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2628 | msiexec.exe
Token: SeSecurityPrivilege | 2628 | msiexec.exe
Token: SeCreateTokenPrivilege | 2584 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2584 | msiexec.exe
Token: SeLockMemoryPrivilege | 2584 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2584 | msiexec.exe
Token: SeMachineAccountPrivilege | 2584 | msiexec.exe
Token: SeTcbPrivilege | 2584 | msiexec.exe
Token: SeSecurityPrivilege | 2584 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2584 | msiexec.exe
Token: SeLoadDriverPrivilege | 2584 | msiexec.exe
Token: SeSystemProfilePrivilege | 2584 | msiexec.exe
Token: SeSystemtimePrivilege | 2584 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2584 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2584 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2584 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2584 | msiexec.exe
Token: SeBackupPrivilege | 2584 | msiexec.exe
Token: SeRestorePrivilege | 2584 | msiexec.exe
Token: SeShutdownPrivilege | 2584 | msiexec.exe
Token: SeDebugPrivilege | 2584 | msiexec.exe
Token: SeAuditPrivilege | 2584 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2584 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2584 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2584 | msiexec.exe
Token: SeUndockPrivilege | 2584 | msiexec.exe
Token: SeSyncAgentPrivilege | 2584 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2584 | msiexec.exe
Token: SeManageVolumePrivilege | 2584 | msiexec.exe
Token: SeImpersonatePrivilege | 2584 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2584 | msiexec.exe
Token: SeCreateTokenPrivilege | 2584 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2584 | msiexec.exe
Token: SeLockMemoryPrivilege | 2584 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2584 | msiexec.exe
Token: SeMachineAccountPrivilege | 2584 | msiexec.exe
Token: SeTcbPrivilege | 2584 | msiexec.exe
Token: SeSecurityPrivilege | 2584 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2584 | msiexec.exe
Token: SeLoadDriverPrivilege | 2584 | msiexec.exe
Token: SeSystemProfilePrivilege | 2584 | msiexec.exe
Token: SeSystemtimePrivilege | 2584 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2584 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2584 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2584 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2584 | msiexec.exe
Token: SeBackupPrivilege | 2584 | msiexec.exe
Token: SeRestorePrivilege | 2584 | msiexec.exe
Token: SeShutdownPrivilege | 2584 | msiexec.exe
Token: SeDebugPrivilege | 2584 | msiexec.exe
Token: SeAuditPrivilege | 2584 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2584 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2584 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2584 | msiexec.exe
Token: SeUndockPrivilege | 2584 | msiexec.exe
Token: SeSyncAgentPrivilege | 2584 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2584 | msiexec.exe
Token: SeManageVolumePrivilege | 2584 | msiexec.exe
Token: SeImpersonatePrivilege | 2584 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2584 | msiexec.exe
Token: SeCreateTokenPrivilege | 2584 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2584 | msiexec.exe
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
2160 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
828 | icsys.icn.exe
828 | icsys.icn.exe
1292 | explorer.exe
1292 | explorer.exe
2300 | spoolsv.exe
2300 | spoolsv.exe
320 | svchost.exe
320 | svchost.exe
2844 | spoolsv.exe
2844 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 2160 | 1916 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe | 28 (7 entries)
PID 2160 wrote to memory of 2400 | 2160 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe | 29 (4 entries)
PID 2400 wrote to memory of 2960 | 2400 | cmd.exe | 31 (3 entries)
PID 2160 wrote to memory of 2344 | 2160 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe | 32 (4 entries)
PID 2160 wrote to memory of 2584 | 2160 | f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe | 34 (7 entries)
PID 2628 wrote to memory of 2812 | 2628 | msiexec.exe | 36 (7 entries)
PID 2812 wrote to memory of 2412 | 2812 | MsiExec.exe | 37 (4 entries)
PID 2812 wrote to memory of 2516 | 2812 | MsiExec.exe | 38 (4 entries)
PID 2812 wrote to memory of 2936 | 2812 | MsiExec.exe | 39 (4 entries)
PID 2812 wrote to memory of 948 | 2812 | MsiExec.exe | 40 (4 entries)
PID 2812 wrote to memory of 920 | 2812 | MsiExec.exe | 41 (4 entries)
PID 2812 wrote to memory of 2672 | 2812 | MsiExec.exe | 42 (4 entries)
PID 2812 wrote to memory of 2884 | 2812 | MsiExec.exe | 43 (4 entries)
PID 2812 wrote to memory of 1788 | 2812 | MsiExec.exe | 44 (4 entries)
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, command line, PID and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe"
    PID: 1916
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\users\admin\appdata\local\temp\f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
      Command line: c:\users\admin\appdata\local\temp\f4775d5940150df404131bed0f0dfa135805defa67302c6bf446ed3055bd940f.exe
      PID: 2160
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c bcdedit.exe > "C:\Users\Admin\AppData\Local\Temp\usb9F2C.tmp"
        PID: 2400
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit.exe
          PID: 2960

    [3] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit.exe /set testsigning on
        PID: 2344
        - Modifies boot configuration data using bcdedit

    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" REBOOTNEEDED=1
        PID: 2584
        - Enumerates connected drives
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

  [2] C:\Windows\Resources\Themes\icsys.icn.exe
      Command line: C:\Windows\Resources\Themes\icsys.icn.exe
      PID: 828
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    [3] \??\c:\windows\resources\themes\explorer.exe
        Command line: c:\windows\resources\themes\explorer.exe
        PID: 1292
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx

      [4] \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe SE
          PID: 2300
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        [5] \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 320
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx

          [6] \??\c:\windows\resources\spoolsv.exe
              Command line: c:\windows\resources\spoolsv.exe PR
              PID: 2844
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:49 /f
              PID: 1300
              - Scheduled Task/Job: Scheduled Task

          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:50 /f
              PID: 1556
              - Scheduled Task/Job: Scheduled Task

          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:51 /f
              PID: 2332
              - Scheduled Task/Job: Scheduled Task

      [4] C:\Windows\Explorer.exe
          Command line: C:\Windows\Explorer.exe
          PID: 2136

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2628
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1BA5F1527A570175732B651F8E9D9F3 C
      PID: 2812
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4188ACA5-E65A-4E5B-9F95-A41147F332C3}
        PID: 2412
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6741F594-8EF4-4EEE-8E0F-C5ECA45A3FB1}
        PID: 2516
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1034372C-DAC2-4A13-B446-E8105F4A2D86}
        PID: 2936
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9866A2FB-607F-44A1-A871-0F466DC5EF81}
        PID: 948
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0691198-E632-45E8-8AD8-6DD606AFE8FA}
        PID: 920
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41CB839E-1C47-41E1-BBAD-A11828E7120A}
        PID: 2672
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5E5D6BB-613B-4551-987C-DF7AFE823C6F}
        PID: 2884
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B6582AC-7357-4247-A2BF-FD97C59AAE13}
        PID: 1788
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A8BBBCD-0890-4A4D-A492-15A0E30C854F}
        PID: 1832
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8999679-41D6-49DC-AA7C-C4DC1869E790}
        PID: 2424
        - Executes dropped EXE

    [3] C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{29E0939C-D0C1-4E94-8375-40339BC24AC3}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{334228D1-65AF-4FB9-9B4F-0A6A2F7858E3}
        PID: 2384
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
Downloads