ebabb4b85b8ffba0b9d80e689c5faff1edcc667b001beee3e90b731ad87c5f9d

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29325e9434dcbd5e040d96212d416c30N.exe
Size

764KB
MD5

29325e9434dcbd5e040d96212d416c30
SHA1

9b2ff47f8009bc0e33570ec8fe883f1755b9b9b4
SHA256

ebabb4b85b8ffba0b9d80e689c5faff1edcc667b001beee3e90b731ad87c5f9d
SHA512

289009e843884b0ef5748fa282aa43471b9d416e501c23627575aba11ac3f09d456cac555f95040435bc32272ef70f9333bcc10ffb5ef63677757bb5132fbb77
SSDEEP

12288:cFUNDa8ZVB0oc0jf7d8ujeaVSobEcBZy1fm5cVsF:cFOa8ZVB0oc0jf2sSodyxmisF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2928	29325e9434dcbd5e040d96212d416c30n.exe
1192	icsys.icn.exe
772	explorer.exe
4076	spoolsv.exe
4124	svchost.exe
4432	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	29325e9434dcbd5e040d96212d416c30N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
1192	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
772	explorer.exe
4124	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3060	29325e9434dcbd5e040d96212d416c30N.exe
3060	29325e9434dcbd5e040d96212d416c30N.exe
1192	icsys.icn.exe
1192	icsys.icn.exe
772	explorer.exe
772	explorer.exe
4076	spoolsv.exe
4076	spoolsv.exe
4124	svchost.exe
4124	svchost.exe
4432	spoolsv.exe
4432	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2928	3060	29325e9434dcbd5e040d96212d416c30N.exe	85
PID 3060 wrote to memory of 2928	3060	29325e9434dcbd5e040d96212d416c30N.exe	85
PID 3060 wrote to memory of 2928	3060	29325e9434dcbd5e040d96212d416c30N.exe	85
PID 3060 wrote to memory of 1192	3060	29325e9434dcbd5e040d96212d416c30N.exe	86
PID 3060 wrote to memory of 1192	3060	29325e9434dcbd5e040d96212d416c30N.exe	86
PID 3060 wrote to memory of 1192	3060	29325e9434dcbd5e040d96212d416c30N.exe	86
PID 1192 wrote to memory of 772	1192	icsys.icn.exe	88
PID 1192 wrote to memory of 772	1192	icsys.icn.exe	88
PID 1192 wrote to memory of 772	1192	icsys.icn.exe	88
PID 772 wrote to memory of 4076	772	explorer.exe	89
PID 772 wrote to memory of 4076	772	explorer.exe	89
PID 772 wrote to memory of 4076	772	explorer.exe	89
PID 4076 wrote to memory of 4124	4076	spoolsv.exe	90
PID 4076 wrote to memory of 4124	4076	spoolsv.exe	90
PID 4076 wrote to memory of 4124	4076	spoolsv.exe	90
PID 4124 wrote to memory of 4432	4124	svchost.exe	91
PID 4124 wrote to memory of 4432	4124	svchost.exe	91
PID 4124 wrote to memory of 4432	4124	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30N.exe
"C:\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30N.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- \??\c:\users\admin\appdata\local\temp\29325e9434dcbd5e040d96212d416c30n.exe
  c:\users\admin\appdata\local\temp\29325e9434dcbd5e040d96212d416c30n.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1192
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:772
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4076
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4124
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29325e9434dcbd5e040d96212d416c30n.exe

Filesize
628KB

MD5
248ba3de6ee69e1b978fd3db1bb03a31

SHA1
4ab23c1273c22d07efb8c2c05cc9b4ac44dd8547

SHA256
b9adca32f5228e33eff2fcd141df3add44762759f024cfac8dbb32a9fbe8dd57

SHA512
a9219a5ff8c7c1e1ff0607c22bd9bb07a17cb1ffaf463f389a7849c59f92b8d48261c7b885b88b81473854db3191ad8630292576aec1cf1fff3b9cfa8e4cb8d8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
893262b4db927cf970e81515b7bf1468

SHA1
ec4f7edc793476c16b942c5b6cfcc2e9a4bfb2eb

SHA256
72e3333ca5407518a3ae0bb0816c2cbd907751721fe57b5ae11dd79371881f64

SHA512
ade4676e59ee72f64dc6000c78ab8939c1c6d412af661b0a54771fb76b1fce64640754412b2dba4de4c6a5efa98c123a1d52f375225a33df33f0a621aafe9a68

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
946cb211498ec18a6c8d48acd475654c

SHA1
42ea2cb2146ebb8f2754620d71066a04655bd28d

SHA256
2c7226ed8f4b0d15dbfe110c73343345ae0e9037695f2aae71a7c5f2229c6ce4

SHA512
0bb436ee6154b7d4ec0156ec793cec7c3327f1150c625faf5cba66f72567634d00c88190a5eebed2b49e2414de7ce86799d452d1a1a8988431de4ee0fe9f5817

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
cc77a12eb6fb4400258ff73d3aaadcc8

SHA1
1d1d62729be4637a1941ea6b56adff31211183bc

SHA256
8de5670c2555757100954458f8b1b664c9a139f0b33342755188567c959f2e24

SHA512
8edc0a4e6853532c8704a38df85f07a8e38f6f7b5d4f9e7a4dade4cb5659988408b24ca2c7548b52b3e8dc5824f9047d02c446de125aa85f136e2cbb6546de6a

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
62de09d31cb366da74d3219bcb194c91

SHA1
b2a1caa161af9281a0b6122a0d78ed740a63a4a6

SHA256
5a132ff8ece4d8d6cdbde4bef4736ddeea83cdbaade89bbe99fc3e008b35a6f9

SHA512
148327196b0b715745944773b06c5e25a0a993e5a5d206ebf61176a4736a658e5014ffcf4e5a2de52aa0335aa74b4b19a86e191749f763cff80945597256d415

Download Submit
memory/1192-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4076-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download