ebabb4b85b8ffba0b9d80e689c5faff1edcc667b001beee3e90b731ad87c5f9d

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29325e9434dcbd5e040d96212d416c30N.exe
Size

764KB
MD5

29325e9434dcbd5e040d96212d416c30
SHA1

9b2ff47f8009bc0e33570ec8fe883f1755b9b9b4
SHA256

ebabb4b85b8ffba0b9d80e689c5faff1edcc667b001beee3e90b731ad87c5f9d
SHA512

289009e843884b0ef5748fa282aa43471b9d416e501c23627575aba11ac3f09d456cac555f95040435bc32272ef70f9333bcc10ffb5ef63677757bb5132fbb77
SSDEEP

12288:cFUNDa8ZVB0oc0jf7d8ujeaVSobEcBZy1fm5cVsF:cFOa8ZVB0oc0jf2sSodyxmisF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2596	29325e9434dcbd5e040d96212d416c30n.exe
2312	icsys.icn.exe
1956	explorer.exe
2248	spoolsv.exe
2624	svchost.exe
2720	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2312	icsys.icn.exe
1956	explorer.exe
2248	spoolsv.exe
2624	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	29325e9434dcbd5e040d96212d416c30N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2756	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe
2624	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	explorer.exe
2624	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2224	29325e9434dcbd5e040d96212d416c30N.exe
2224	29325e9434dcbd5e040d96212d416c30N.exe
2312	icsys.icn.exe
2312	icsys.icn.exe
1956	explorer.exe
1956	explorer.exe
2248	spoolsv.exe
2248	spoolsv.exe
2624	svchost.exe
2624	svchost.exe
2720	spoolsv.exe
2720	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2596	2224	29325e9434dcbd5e040d96212d416c30N.exe	30
PID 2224 wrote to memory of 2596	2224	29325e9434dcbd5e040d96212d416c30N.exe	30
PID 2224 wrote to memory of 2596	2224	29325e9434dcbd5e040d96212d416c30N.exe	30
PID 2224 wrote to memory of 2596	2224	29325e9434dcbd5e040d96212d416c30N.exe	30
PID 2224 wrote to memory of 2312	2224	29325e9434dcbd5e040d96212d416c30N.exe	32
PID 2224 wrote to memory of 2312	2224	29325e9434dcbd5e040d96212d416c30N.exe	32
PID 2224 wrote to memory of 2312	2224	29325e9434dcbd5e040d96212d416c30N.exe	32
PID 2224 wrote to memory of 2312	2224	29325e9434dcbd5e040d96212d416c30N.exe	32
PID 2312 wrote to memory of 1956	2312	icsys.icn.exe	33
PID 2312 wrote to memory of 1956	2312	icsys.icn.exe	33
PID 2312 wrote to memory of 1956	2312	icsys.icn.exe	33
PID 2312 wrote to memory of 1956	2312	icsys.icn.exe	33
PID 1956 wrote to memory of 2248	1956	explorer.exe	34
PID 1956 wrote to memory of 2248	1956	explorer.exe	34
PID 1956 wrote to memory of 2248	1956	explorer.exe	34
PID 1956 wrote to memory of 2248	1956	explorer.exe	34
PID 2248 wrote to memory of 2624	2248	spoolsv.exe	35
PID 2248 wrote to memory of 2624	2248	spoolsv.exe	35
PID 2248 wrote to memory of 2624	2248	spoolsv.exe	35
PID 2248 wrote to memory of 2624	2248	spoolsv.exe	35
PID 2624 wrote to memory of 2720	2624	svchost.exe	36
PID 2624 wrote to memory of 2720	2624	svchost.exe	36
PID 2624 wrote to memory of 2720	2624	svchost.exe	36
PID 2624 wrote to memory of 2720	2624	svchost.exe	36
PID 1956 wrote to memory of 2524	1956	explorer.exe	37
PID 1956 wrote to memory of 2524	1956	explorer.exe	37
PID 1956 wrote to memory of 2524	1956	explorer.exe	37
PID 1956 wrote to memory of 2524	1956	explorer.exe	37
PID 2624 wrote to memory of 2700	2624	svchost.exe	38
PID 2624 wrote to memory of 2700	2624	svchost.exe	38
PID 2624 wrote to memory of 2700	2624	svchost.exe	38
PID 2624 wrote to memory of 2700	2624	svchost.exe	38
PID 2624 wrote to memory of 2756	2624	svchost.exe	41
PID 2624 wrote to memory of 2756	2624	svchost.exe	41
PID 2624 wrote to memory of 2756	2624	svchost.exe	41
PID 2624 wrote to memory of 2756	2624	svchost.exe	41
PID 2624 wrote to memory of 3024	2624	svchost.exe	43
PID 2624 wrote to memory of 3024	2624	svchost.exe	43
PID 2624 wrote to memory of 3024	2624	svchost.exe	43
PID 2624 wrote to memory of 3024	2624	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30N.exe
"C:\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- \??\c:\users\admin\appdata\local\temp\29325e9434dcbd5e040d96212d416c30n.exe
  c:\users\admin\appdata\local\temp\29325e9434dcbd5e040d96212d416c30n.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2312
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2248
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:22 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:23 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:24 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2ebccc48baa4b262d23def2de6403801

SHA1
c4565e8d5ef30a48ec5f3229dc8b09f9e84d256f

SHA256
0e3f1a9972633c8b8e4c59c33e898ae57c5ed394b51128d19081b48ed62a6209

SHA512
bc8a2cc1ea9399316bf342329ae285be914bd8b839a2280e8e4dabb16f76119837687c497ff247d4e68748b9aa08128ddd9049bdfe5929837392a237d6da6354

Download Submit
\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30n.exe

Filesize
628KB

MD5
248ba3de6ee69e1b978fd3db1bb03a31

SHA1
4ab23c1273c22d07efb8c2c05cc9b4ac44dd8547

SHA256
b9adca32f5228e33eff2fcd141df3add44762759f024cfac8dbb32a9fbe8dd57

SHA512
a9219a5ff8c7c1e1ff0607c22bd9bb07a17cb1ffaf463f389a7849c59f92b8d48261c7b885b88b81473854db3191ad8630292576aec1cf1fff3b9cfa8e4cb8d8

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
893262b4db927cf970e81515b7bf1468

SHA1
ec4f7edc793476c16b942c5b6cfcc2e9a4bfb2eb

SHA256
72e3333ca5407518a3ae0bb0816c2cbd907751721fe57b5ae11dd79371881f64

SHA512
ade4676e59ee72f64dc6000c78ab8939c1c6d412af661b0a54771fb76b1fce64640754412b2dba4de4c6a5efa98c123a1d52f375225a33df33f0a621aafe9a68

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
8cbb4f4224be672e892af19becf2e5b4

SHA1
5ec50282fd5c24afda871c2893015a82b828a519

SHA256
6968413dff948a46e8687de7a7ae59c0551d9fc5220e44145db2f27c74375251

SHA512
78f3d39b1481a986ec188075450f7fd52d40b06e96de95216a43eaa8ba8f48c7e3101cce8d3ccf74260082c47c0e6ed3b13d04a01cd675993a7eb2b4203b60a6

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
a3939a942294835b3ab0c43498204ed9

SHA1
cb60db0b00a8cc9202920b3cc386bcce8e80e87b

SHA256
1ce68e5e6cf452b7e1340b2aa0b8de468bd851a68e07ecea87fbb9eac3722f24

SHA512
2b9dd93ac79fdc23a4774cb9871d404627d66f9c7f23834de1f26498e6cca10bb0c873482e19016dc496dd4187382a0669d102fc7f8b3a5fc047a1483dff5c02

Download Submit
memory/2224-15-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2224-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-62-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2224-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-54-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2720-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download