c8e9d09ad447ee95b879b7a55829d94a1aac2ecc6546942b9e08f7e3e5709088

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
Size

398KB
MD5

3265873dd9d9c29a8b14f69efb8df4d0
SHA1

2c27d280d1b104deaf861a2801477719faa5dc82
SHA256

14d9335a629e2e50d998c7f4c5862f7dec22ac63ec183f190d243b4b20bf4838
SHA512

83502b9f428402c89ffc759aa7337a0779da48c4c72f1271d510cd22657e89ff5aab55b24cb226dba99cc6f7fa7b6b6ad7babbe1c7dd98072be616eaba17142d
SSDEEP

6144:5sLqdufVUNDanfz/LLvmpjE3EaICePt2lcx0vCuV61lhJrNGx39PIW:2FUNDabPupjbaNcx0vCSaZJsd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1928 [demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2676 icsys.icn.exe
2700 explorer.exe
2744 spoolsv.exe
2980 svchost.exe
2492 spoolsv.exe

pid	process
1928	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2676	icsys.icn.exe
2700	explorer.exe
2744	spoolsv.exe
2980	svchost.exe
2492	spoolsv.exe

Loads dropped DLL 16 IoCs

Processes:

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeWerFault.exe

pid	process
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2700	explorer.exe
2700	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2980	svchost.exe
2980	svchost.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2832 1928 WerFault.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

672 schtasks.exe
2040 schtasks.exe
2804 schtasks.exe

pid	pid_target	process
2832	1928	WerFault.exe

pid	process
672	schtasks.exe
2040	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe
2980	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2700 explorer.exe
2980 svchost.exe

pid	process
2700	explorer.exe
2980	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2676	icsys.icn.exe
2676	icsys.icn.exe
2700	explorer.exe
2700	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2980	svchost.exe
2980	svchost.exe
2492	spoolsv.exe
2492	spoolsv.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe

description	pid	process	target process
PID 2396 wrote to memory of 1928	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
PID 2396 wrote to memory of 1928	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
PID 2396 wrote to memory of 1928	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
PID 2396 wrote to memory of 1928	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
PID 2396 wrote to memory of 2676	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	icsys.icn.exe
PID 2396 wrote to memory of 2676	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	icsys.icn.exe
PID 2396 wrote to memory of 2676	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	icsys.icn.exe
PID 2396 wrote to memory of 2676	2396	[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	icsys.icn.exe
PID 2676 wrote to memory of 2700	2676	icsys.icn.exe	explorer.exe
PID 2676 wrote to memory of 2700	2676	icsys.icn.exe	explorer.exe
PID 2676 wrote to memory of 2700	2676	icsys.icn.exe	explorer.exe
PID 2676 wrote to memory of 2700	2676	icsys.icn.exe	explorer.exe
PID 2700 wrote to memory of 2744	2700	explorer.exe	spoolsv.exe
PID 2700 wrote to memory of 2744	2700	explorer.exe	spoolsv.exe
PID 2700 wrote to memory of 2744	2700	explorer.exe	spoolsv.exe
PID 2700 wrote to memory of 2744	2700	explorer.exe	spoolsv.exe
PID 2744 wrote to memory of 2980	2744	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 2980	2744	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 2980	2744	spoolsv.exe	svchost.exe
PID 2744 wrote to memory of 2980	2744	spoolsv.exe	svchost.exe
PID 2980 wrote to memory of 2492	2980	svchost.exe	spoolsv.exe
PID 2980 wrote to memory of 2492	2980	svchost.exe	spoolsv.exe
PID 2980 wrote to memory of 2492	2980	svchost.exe	spoolsv.exe
PID 2980 wrote to memory of 2492	2980	svchost.exe	spoolsv.exe
PID 2700 wrote to memory of 2984	2700	explorer.exe	Explorer.exe
PID 2700 wrote to memory of 2984	2700	explorer.exe	Explorer.exe
PID 2700 wrote to memory of 2984	2700	explorer.exe	Explorer.exe
PID 2700 wrote to memory of 2984	2700	explorer.exe	Explorer.exe
PID 2980 wrote to memory of 2804	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2804	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2804	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2804	2980	svchost.exe	schtasks.exe
PID 1928 wrote to memory of 2832	1928	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	WerFault.exe
PID 1928 wrote to memory of 2832	1928	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	WerFault.exe
PID 1928 wrote to memory of 2832	1928	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	WerFault.exe
PID 1928 wrote to memory of 2832	1928	[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe	WerFault.exe
PID 2980 wrote to memory of 672	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 672	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 672	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 672	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2040	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2040	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2040	2980	svchost.exe	schtasks.exe
PID 2980 wrote to memory of 2040	2980	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]3265873dd9d9c29a8b14f69efb8df4d0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

\??\c:\users\admin\appdata\local\temp\[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
c:\users\admin\appdata\local\temp\[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 564
3⤵
- Loads dropped DLL
- Program crash
PID:2832

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:18 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:19 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:20 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2984

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
233KB

MD5
35f407bc092ea2b9516dabee797a15b9

SHA1
a4ad77a7d1940cb03dd93ddae711e60da846a5e0

SHA256
a902c376d991a5a51bbeb181687bc5b9a2d502e92990c0bdd034d8f21e07ec30

SHA512
0b52bacf32bb6651516b947367d40494cefc3242f7e0f8c84c93a16ca0236f314c84b40bf63f1532e57380ecfa4bccaeaeadcc65852fbe4a947bafec733ef79b

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
233KB

MD5
48c10de492a03db49dcf35cc29381c14

SHA1
953f11bb10ef9aa29e57f1eb44d1b8d1abca006a

SHA256
97fb71a191bf15710159abb3f8e5c3dfa363200ffcf0959cad26283090e39545

SHA512
139316fedfb60c64798f92c4aaeafb9aa50df52119b797173b05b37dc60a92d61f274b61130d95f28674bf4bb7e05a613d0b9bd04db9dd6bfd4ddddca08b0130

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
233KB

MD5
77715c87b9c0729ca52111a3d2008f51

SHA1
035ada73935d537fe71949c6fa6115b80a4db3d3

SHA256
1be06f191d470167a77d128e8d0b57a60f0e44e68b9377d3ddfa7aa444e11fb1

SHA512
3ba2886eb1f209b8174afea8a675b5421f30525c7122c537ad8db8ce216908a0c05105a4f15ac74c96cb5843d467df591d3d0fee2b64c57c70b0c6fe5cb1c056

Download Submit
\Users\Admin\AppData\Local\Temp\[demonarchives]3265873dd9d9c29a8b14f69efb8df4d0.exe
Filesize
165KB

MD5
282e381f71c9f5e538f4b8fd2402a770

SHA1
665fcfc8f295b84f2a1e5051f6012d31bd19b0f2

SHA256
3d88742cea5a3f4c8d61fc89e3cba98fe239d945f86039a45f9fabbdb816db52

SHA512
f4af710b467bbb47d738226e1cdbc32245abc5bb6107d69fc8ccd69d42500d2c08b201df47b7f9d737f8480ea863152237989efdf734f09f5ba149c30feabd5f

Download Submit
\Windows\Resources\svchost.exe
Filesize
233KB

MD5
6f0e2f552eda3891480a13f104fa33fe

SHA1
b8c98f3037cac55228896a2c5bc4043ae2ccd614

SHA256
c50b88e6b944a522fbb98ecd9e0b3a6f6f3e38a2ab4c4e487d30de5b81a881fb

SHA512
a2b9d8b98652dd4b864b0ac740d082659418cdae89538f39e0ad8a7eb262f66a6bc2941ec5259d59af22b7b99498438040db54bc0a7415a8a40a2bf19c7d71f6

Download Submit
memory/1928-39-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1928-25-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/1928-97-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-17-0x0000000000240000-0x0000000000275000-memory.dmp

Filesize
212KB

Download
memory/2492-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-62-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads