c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
Size

503KB
MD5

f472d08a30316eced723fe9ffaf938cd
SHA1

6dc63019eff3c4b5d9f37e8fb840fef9369accd6
SHA256

c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772
SHA512

78468b885c1bdfadd8b6e8b58fd211c8171508993a44b14c2fbc9e0bf401707f548d49dda994de07634dd3c5a1f3f4e6d44db0ee0541a70c8868665a36d66f1e
SSDEEP

6144:UsLqdufVUNDa5/fwHNPcEWbiFBEk0Hnb5veyj/j7RX1Cg8bpD9g1bMw5DqxQA:PFUNDa5+Nl/7Ek07/HDsD257hqxd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
3840	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
3120	icsys.icn.exe
4092	explorer.exe
4796	spoolsv.exe
3036	svchost.exe
748	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3840	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
3840	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
3120	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4092	explorer.exe
3036	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3312	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
3120	icsys.icn.exe
3120	icsys.icn.exe
4092	explorer.exe
4092	explorer.exe
4796	spoolsv.exe
4796	spoolsv.exe
3036	svchost.exe
3036	svchost.exe
748	spoolsv.exe
748	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3840	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	83
PID 4264 wrote to memory of 3840	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	83
PID 4264 wrote to memory of 3840	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	83
PID 4264 wrote to memory of 3120	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	87
PID 4264 wrote to memory of 3120	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	87
PID 4264 wrote to memory of 3120	4264	c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe	87
PID 3120 wrote to memory of 4092	3120	icsys.icn.exe	88
PID 3120 wrote to memory of 4092	3120	icsys.icn.exe	88
PID 3120 wrote to memory of 4092	3120	icsys.icn.exe	88
PID 4092 wrote to memory of 4796	4092	explorer.exe	89
PID 4092 wrote to memory of 4796	4092	explorer.exe	89
PID 4092 wrote to memory of 4796	4092	explorer.exe	89
PID 4796 wrote to memory of 3036	4796	spoolsv.exe	90
PID 4796 wrote to memory of 3036	4796	spoolsv.exe	90
PID 4796 wrote to memory of 3036	4796	spoolsv.exe	90
PID 3036 wrote to memory of 748	3036	svchost.exe	91
PID 3036 wrote to memory of 748	3036	svchost.exe	91
PID 3036 wrote to memory of 748	3036	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
"C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- \??\c:\users\admin\appdata\local\temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
  c:\users\admin\appdata\local\temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3840
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3120
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4796
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2bb6cdf2b90110883cd414c0b51939e2716626ae24c85b5d4dc69f271993772.exe

Filesize
368KB

MD5
4dc3e880af57f2a3d0e873cf9966b89e

SHA1
936eb5ddfe6e1ce56fb1681f5ded04432dae6bf9

SHA256
e4853f7a9087da9f0ce384b6ecf264840fbe5d910ac709c30498942bc2b8d866

SHA512
bad39ff391a4e8e4cad22747b44f39ec84e2678189fc7844c0c1c750a96c35bdb8aa7e999b1ba7ee34faceaa1c2a5566004fe1c934cc201698bbbd5e509fa453

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
334KB

MD5
5f8cf6021fd5fee84723af71a9bac53d

SHA1
3c0ed8d3a82bfda9a36256f53af1a9149cc09046

SHA256
a704aabc15b67d08c69d805ed8b0846dcda9f9532734e0c7baadd351fab3e1c1

SHA512
5b6e98da7c42dbbf093c041b95c4857396e4b8c88d647fe854b6def86ee24594e08afd63f5da7af28ae1d0199606a0e5510c1bb86188172c20f54f3cc3caaec6

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
03085b7d3d8828684595ae1381fa7c52

SHA1
8251b4be461342054bbacfa58dae6fb67a30e0d3

SHA256
1a6d8d673b177424f537320283016417a7d54c41811519c4afc06440f0ce20fa

SHA512
5dd58f07898451e1b1bbb4ec42e44ec1955f8fa24f6f986c028c7bc91165ae9f1da4f21d170412f0d6566f82be2f878c5f55262238f44d28cf7435ab50fd0db2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
084f467db09297f00849ad670e162002

SHA1
9173173cdd668cb81c6978d48c1f544705013725

SHA256
dd649995efcccafa39a90cf660cbc7cd8f4f5b054eaf8edb5af7352a7f1beb54

SHA512
baee71489d5550e73c6df241e1cae92089cdb5ea44621c1e260747c78d0feca5b5d639b81c285870fef0ba47036bea7a0557f07ec6697422586fd4f94065af7f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2ab556205b95c9e0f79ffe7cc95ffa9b

SHA1
e7127b6ccc25fcf43dd5795a304e1900ad3097e1

SHA256
950062a2400f0b175a0acb850a8e26f719e6a4aef02676bd2565e0c99491b771

SHA512
24935e09afa7e5381719189c4e72a94f870105019660c8eb8d0359509e4b5abd2a144c3ef8d0939ceaba3e5b267ff846fa5370a4e43607da228da5c6b6a02e43

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e9deb475dad5398c9ad0b27a758a14b5

SHA1
77e02bba9c2c7c0b719c92633f27faf76d5862e4

SHA256
1ae32509912511f7ed5d61c36676474b17cc6c68dceed4af0bccfae355799d60

SHA512
dccf1b9eb82dd5b7a7cc868ba315443da85bd2801b8a2209f4cdaa8d2895d9d8e990a126296d3d39f326c3b34b20aada2d9ca4729eb34c36aab70fcd6c688651

Download Submit
memory/748-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3840-14-0x0000000000C10000-0x0000000000C13000-memory.dmp

Filesize
12KB

Download
memory/3840-15-0x000000007496D000-0x000000007496E000-memory.dmp

Filesize
4KB

Download
memory/3840-13-0x0000000074860000-0x0000000074970000-memory.dmp

Filesize
1.1MB

Download
memory/3840-60-0x0000000074860000-0x0000000074970000-memory.dmp

Filesize
1.1MB

Download
memory/3840-61-0x0000000000C10000-0x0000000000C13000-memory.dmp

Filesize
12KB

Download
memory/4264-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download