c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
Size

503KB
MD5

f472d08a30316eced723fe9ffaf938cd
SHA1

6dc63019eff3c4b5d9f37e8fb840fef9369accd6
SHA256

c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772
SHA512

78468b885c1bdfadd8b6e8b58fd211c8171508993a44b14c2fbc9e0bf401707f548d49dda994de07634dd3c5a1f3f4e6d44db0ee0541a70c8868665a36d66f1e
SSDEEP

6144:UsLqdufVUNDa5/fwHNPcEWbiFBEk0Hnb5veyj/j7RX1Cg8bpD9g1bMw5DqxQA:PFUNDa5+Nl/7Ek07/HDsD257hqxd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2380	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2572	icsys.icn.exe
1232	explorer.exe
876	spoolsv.exe
2996	svchost.exe
2124	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2380	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2380	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2572	icsys.icn.exe
1232	explorer.exe
876	spoolsv.exe
2996	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe
2108	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
1232	explorer.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1232	explorer.exe
2996	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
1232	explorer.exe
1232	explorer.exe
876	spoolsv.exe
876	spoolsv.exe
2996	svchost.exe
2996	svchost.exe
2124	spoolsv.exe
2124	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2380	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	31
PID 2796 wrote to memory of 2380	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	31
PID 2796 wrote to memory of 2380	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	31
PID 2796 wrote to memory of 2380	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	31
PID 2796 wrote to memory of 2572	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	32
PID 2796 wrote to memory of 2572	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	32
PID 2796 wrote to memory of 2572	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	32
PID 2796 wrote to memory of 2572	2796	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	32
PID 2572 wrote to memory of 1232	2572	icsys.icn.exe	33
PID 2572 wrote to memory of 1232	2572	icsys.icn.exe	33
PID 2572 wrote to memory of 1232	2572	icsys.icn.exe	33
PID 2572 wrote to memory of 1232	2572	icsys.icn.exe	33
PID 1232 wrote to memory of 876	1232	explorer.exe	34
PID 1232 wrote to memory of 876	1232	explorer.exe	34
PID 1232 wrote to memory of 876	1232	explorer.exe	34
PID 1232 wrote to memory of 876	1232	explorer.exe	34
PID 876 wrote to memory of 2996	876	spoolsv.exe	35
PID 876 wrote to memory of 2996	876	spoolsv.exe	35
PID 876 wrote to memory of 2996	876	spoolsv.exe	35
PID 876 wrote to memory of 2996	876	spoolsv.exe	35
PID 2996 wrote to memory of 2124	2996	svchost.exe	36
PID 2996 wrote to memory of 2124	2996	svchost.exe	36
PID 2996 wrote to memory of 2124	2996	svchost.exe	36
PID 2996 wrote to memory of 2124	2996	svchost.exe	36
PID 1232 wrote to memory of 2664	1232	explorer.exe	37
PID 1232 wrote to memory of 2664	1232	explorer.exe	37
PID 1232 wrote to memory of 2664	1232	explorer.exe	37
PID 1232 wrote to memory of 2664	1232	explorer.exe	37
PID 2996 wrote to memory of 2752	2996	svchost.exe	38
PID 2996 wrote to memory of 2752	2996	svchost.exe	38
PID 2996 wrote to memory of 2752	2996	svchost.exe	38
PID 2996 wrote to memory of 2752	2996	svchost.exe	38
PID 2996 wrote to memory of 2108	2996	svchost.exe	41
PID 2996 wrote to memory of 2108	2996	svchost.exe	41
PID 2996 wrote to memory of 2108	2996	svchost.exe	41
PID 2996 wrote to memory of 2108	2996	svchost.exe	41
PID 2996 wrote to memory of 1700	2996	svchost.exe	43
PID 2996 wrote to memory of 1700	2996	svchost.exe	43
PID 2996 wrote to memory of 1700	2996	svchost.exe	43
PID 2996 wrote to memory of 1700	2996	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
"C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- \??\c:\users\admin\appdata\local\temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
  c:\users\admin\appdata\local\temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2380
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:876
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:44 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:45 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:46 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe

Filesize
368KB

MD5
4dc3e880af57f2a3d0e873cf9966b89e

SHA1
936eb5ddfe6e1ce56fb1681f5ded04432dae6bf9

SHA256
e4853f7a9087da9f0ce384b6ecf264840fbe5d910ac709c30498942bc2b8d866

SHA512
bad39ff391a4e8e4cad22747b44f39ec84e2678189fc7844c0c1c750a96c35bdb8aa7e999b1ba7ee34faceaa1c2a5566004fe1c934cc201698bbbd5e509fa453

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cc8c07976c5953ed6bbbe3eda73cbf8a

SHA1
6e784b8c4d265aef01244b9ac41cecf7ef0b6600

SHA256
13297a7296a21000e347e23cf63c894267588a4aef5f02d29e18630713cc129f

SHA512
32520bc8bd85a4a4763493fd42447b7291b62a7e4c94412e596d42fd49b3e44c7a35d320714b0595a8fe9726717a48e3b41ba27000d5ae17ba01b04a1f7037e4

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
334KB

MD5
5f8cf6021fd5fee84723af71a9bac53d

SHA1
3c0ed8d3a82bfda9a36256f53af1a9149cc09046

SHA256
a704aabc15b67d08c69d805ed8b0846dcda9f9532734e0c7baadd351fab3e1c1

SHA512
5b6e98da7c42dbbf093c041b95c4857396e4b8c88d647fe854b6def86ee24594e08afd63f5da7af28ae1d0199606a0e5510c1bb86188172c20f54f3cc3caaec6

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
084f467db09297f00849ad670e162002

SHA1
9173173cdd668cb81c6978d48c1f544705013725

SHA256
dd649995efcccafa39a90cf660cbc7cd8f4f5b054eaf8edb5af7352a7f1beb54

SHA512
baee71489d5550e73c6df241e1cae92089cdb5ea44621c1e260747c78d0feca5b5d639b81c285870fef0ba47036bea7a0557f07ec6697422586fd4f94065af7f

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
afce40fcd592a2163717901a1ac4c142

SHA1
d2c6ddcaf79c56a1343577b2d9b723f301d6640b

SHA256
1fa573f5e58b13f1bb378930cef77a3a3b7dc269382160dea9a756a2a6b1d9a1

SHA512
d65da31e5a999ea444c4f74e4a9089c1e3ee0c8350106a89a678cd34fe474e0cfd58197fb4eacf78e0ba379e58a54a99cb5fff575ca62925295db8fa8d4296d4

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
47bacf36eba3a8af26cc3b495135878b

SHA1
8d1198645e1e1f4395d114b6dee4075fcc0f24e8

SHA256
dfea2dad6a1a8cd2f97ab4b92c82c859e0a86f76f8c1319e0564c2a9dc27a0a2

SHA512
8a1789a47198ece90f1ed7bc7a85726c4edad0d8c09e3bccd86e13f94aa013986e113df775564e839d536cc9f627ae41ee6e3214058cd1e47e319c448893eddf

Download Submit
memory/1232-44-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/1232-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-14-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/2380-70-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/2380-71-0x0000000074A00000-0x0000000074B10000-memory.dmp

Filesize
1.1MB

Download
memory/2380-13-0x0000000074A00000-0x0000000074B10000-memory.dmp

Filesize
1.1MB

Download
memory/2572-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-69-0x0000000000350000-0x000000000036F000-memory.dmp

Filesize
124KB

Download
memory/2796-20-0x0000000002320000-0x000000000233F000-memory.dmp

Filesize
124KB

Download
memory/2796-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2996-62-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/2996-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download