f2dab847da09febd3441e4da6211bb4563f5d0bd05da1635bdc32497b154c18c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 03:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd97e957fd12fc45e42350baef3f8dee.exe
Size

4.2MB
MD5

dd97e957fd12fc45e42350baef3f8dee
SHA1

e436552001dae94263ed14a9813765fc2b8603ce
SHA256

f2dab847da09febd3441e4da6211bb4563f5d0bd05da1635bdc32497b154c18c
SHA512

3f8a71a98ab3bbb68a2cba2482813a96e4489a93994310031ff0e4160a07f193e776a3b25cdcca470240ae862f49e5eeca0cea319631055a3ae997b390749746
SSDEEP

98304:TI35qQuudI35qQuu9V04FRvR2HjvOYwZ1E:MauOau924J2TOpZ1E

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
3364	dd97e957fd12fc45e42350baef3f8dee.exe
448	icsys.icn.exe
5092	explorer.exe
4044	spoolsv.exe
5012	svchost.exe
4064	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	dd97e957fd12fc45e42350baef3f8dee.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe
448	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5092	explorer.exe
5012	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
392	dd97e957fd12fc45e42350baef3f8dee.exe
392	dd97e957fd12fc45e42350baef3f8dee.exe
448	icsys.icn.exe
448	icsys.icn.exe
5092	explorer.exe
5092	explorer.exe
4044	spoolsv.exe
4044	spoolsv.exe
5012	svchost.exe
5012	svchost.exe
4064	spoolsv.exe
4064	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3364	392	dd97e957fd12fc45e42350baef3f8dee.exe	81
PID 392 wrote to memory of 3364	392	dd97e957fd12fc45e42350baef3f8dee.exe	81
PID 392 wrote to memory of 448	392	dd97e957fd12fc45e42350baef3f8dee.exe	85
PID 392 wrote to memory of 448	392	dd97e957fd12fc45e42350baef3f8dee.exe	85
PID 392 wrote to memory of 448	392	dd97e957fd12fc45e42350baef3f8dee.exe	85
PID 448 wrote to memory of 5092	448	icsys.icn.exe	86
PID 448 wrote to memory of 5092	448	icsys.icn.exe	86
PID 448 wrote to memory of 5092	448	icsys.icn.exe	86
PID 5092 wrote to memory of 4044	5092	explorer.exe	87
PID 5092 wrote to memory of 4044	5092	explorer.exe	87
PID 5092 wrote to memory of 4044	5092	explorer.exe	87
PID 4044 wrote to memory of 5012	4044	spoolsv.exe	88
PID 4044 wrote to memory of 5012	4044	spoolsv.exe	88
PID 4044 wrote to memory of 5012	4044	spoolsv.exe	88
PID 5012 wrote to memory of 4064	5012	svchost.exe	89
PID 5012 wrote to memory of 4064	5012	svchost.exe	89
PID 5012 wrote to memory of 4064	5012	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\dd97e957fd12fc45e42350baef3f8dee.exe
"C:\Users\Admin\AppData\Local\Temp\dd97e957fd12fc45e42350baef3f8dee.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- \??\c:\users\admin\appdata\local\temp\dd97e957fd12fc45e42350baef3f8dee.exe
  c:\users\admin\appdata\local\temp\dd97e957fd12fc45e42350baef3f8dee.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:448
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4044
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd97e957fd12fc45e42350baef3f8dee.exe

Filesize
4.1MB

MD5
8927dda8d012da4efdb8330dafd13d2f

SHA1
b9d620feb5642fd75dea14f37c7ba8a0dc0eca05

SHA256
5500ad3bee634d30151a53ee7578a212a8f30840fcf370d8b8b69a6c7979f8ee

SHA512
1b851cc417c899adb6d2e7c2d341e5ca762a90fff0926a3381f435390f996df7496acc7a1f3944c62e2acf6710f8efb0a306f11e994c48d9c993fa95722eeddc

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f6e399675270b69926648e9fa94b94ac

SHA1
1fdc582756a7ae2c3788f4e691042ec906e54a85

SHA256
60341dfece0356e1d5331ec21ba0317acd51a7aa96df7f09246ecd28748f3567

SHA512
ce569a42f90c8339fc369400c480ff7e8e652f551ee86cc8c5573450b1b81ce3108e94906b76778d293f5a115738d8a7dc5cfab3b775263e6d012e1c9a34ec62

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
13f9629c67ecd4b989a1213c15a7a949

SHA1
a29cbabe156d0b5580c6b849e2dc529a18e21c18

SHA256
30e6e1c648f8980eeb57698f1f62e63519dfaabec27e66033ac9246afecabf6f

SHA512
fd98fbc98faca1526f7ab1f8f44e68a9a751fe9011745f5de3a3bc086e3733a30ed90fed165e8495577aaa111eb7310381369442cc354f274a01e516eff1ff62

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
cb1a43cca1c0b86b05e071bdf94c79a1

SHA1
bf3a5b404212081263cf85a2867024f9144659d5

SHA256
5403272ab0c8fb2e406288b3feb0725b62abc6de3247adf1b08a1700b43b4f9d

SHA512
4db9ea30c5b64e430d3b53603440cb3fd2c93d1210e1710e4d3890776447516a1c3e8c02a679e720abefb6eb90e345c20889a9b073ae132464221b337c36e28a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d7fa1da40bc3ae4fc3901f87ba4f939e

SHA1
59f0b0628451e8f3e397bca95209a2a85f8c31fd

SHA256
67fd6b8836202f84eb4199a3a509a7da3f4dedbe1ff33701f0ab129c0fbf44de

SHA512
003bc8de8dfab3ea30ab63a22bca2a1a823c8ca641703c266c2d7f19501c69dde67f35d6ae88121debc4e9a441137f1fc7cd1e6358bb73c26d9210b91acf5cd4

Download Submit
memory/392-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/392-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-16-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/3364-11-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/3364-10-0x00000258B8690000-0x00000258B8AB0000-memory.dmp

Filesize
4.1MB

Download
memory/3364-9-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/4044-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4064-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download