4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109015d4b83faedd67d948a633094240N.exe
Size

2.3MB
MD5

109015d4b83faedd67d948a633094240
SHA1

08756d3aee790ebd76a716722274b7e73a8e4434
SHA256

4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2
SHA512

c7212e87f16ad3c6c365da72c866cd240a137e212201df9dc7e260a6b138128f344609f61af9be5eb3a37157eea65ff9973c362ac5c2436a2d7adab723d9f7ee
SSDEEP

24576:PFOa7wf1O8JPPdc9o5KIc8x88eJfeJB4SbE9HppkDw9Bmpwy855sM40YtQ2qlBP0:tAU8ARQ6SCppkDw9BmpZ3aTPIsY9

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2540	109015d4b83faedd67d948a633094240n.exe
1764	icsys.icn.exe
2216	explorer.exe
2100	spoolsv.exe
2756	svchost.exe
2864	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
1764	icsys.icn.exe
2216	explorer.exe
2100	spoolsv.exe
2756	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	109015d4b83faedd67d948a633094240N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109015d4b83faedd67d948a633094240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109015d4b83faedd67d948a633094240n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2216	explorer.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2756	svchost.exe
2216	explorer.exe
2540	109015d4b83faedd67d948a633094240n.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2548	109015d4b83faedd67d948a633094240N.exe
2548	109015d4b83faedd67d948a633094240N.exe
1764	icsys.icn.exe
1764	icsys.icn.exe
2216	explorer.exe
2216	explorer.exe
2100	spoolsv.exe
2100	spoolsv.exe
2756	svchost.exe
2756	svchost.exe
2864	spoolsv.exe
2864	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2540	2548	109015d4b83faedd67d948a633094240N.exe	30
PID 2548 wrote to memory of 2540	2548	109015d4b83faedd67d948a633094240N.exe	30
PID 2548 wrote to memory of 2540	2548	109015d4b83faedd67d948a633094240N.exe	30
PID 2548 wrote to memory of 2540	2548	109015d4b83faedd67d948a633094240N.exe	30
PID 2548 wrote to memory of 1764	2548	109015d4b83faedd67d948a633094240N.exe	31
PID 2548 wrote to memory of 1764	2548	109015d4b83faedd67d948a633094240N.exe	31
PID 2548 wrote to memory of 1764	2548	109015d4b83faedd67d948a633094240N.exe	31
PID 2548 wrote to memory of 1764	2548	109015d4b83faedd67d948a633094240N.exe	31
PID 1764 wrote to memory of 2216	1764	icsys.icn.exe	32
PID 1764 wrote to memory of 2216	1764	icsys.icn.exe	32
PID 1764 wrote to memory of 2216	1764	icsys.icn.exe	32
PID 1764 wrote to memory of 2216	1764	icsys.icn.exe	32
PID 2216 wrote to memory of 2100	2216	explorer.exe	33
PID 2216 wrote to memory of 2100	2216	explorer.exe	33
PID 2216 wrote to memory of 2100	2216	explorer.exe	33
PID 2216 wrote to memory of 2100	2216	explorer.exe	33
PID 2100 wrote to memory of 2756	2100	spoolsv.exe	34
PID 2100 wrote to memory of 2756	2100	spoolsv.exe	34
PID 2100 wrote to memory of 2756	2100	spoolsv.exe	34
PID 2100 wrote to memory of 2756	2100	spoolsv.exe	34
PID 2756 wrote to memory of 2864	2756	svchost.exe	35
PID 2756 wrote to memory of 2864	2756	svchost.exe	35
PID 2756 wrote to memory of 2864	2756	svchost.exe	35
PID 2756 wrote to memory of 2864	2756	svchost.exe	35
PID 2216 wrote to memory of 2908	2216	explorer.exe	36
PID 2216 wrote to memory of 2908	2216	explorer.exe	36
PID 2216 wrote to memory of 2908	2216	explorer.exe	36
PID 2216 wrote to memory of 2908	2216	explorer.exe	36
PID 2756 wrote to memory of 2184	2756	svchost.exe	37
PID 2756 wrote to memory of 2184	2756	svchost.exe	37
PID 2756 wrote to memory of 2184	2756	svchost.exe	37
PID 2756 wrote to memory of 2184	2756	svchost.exe	37
PID 2756 wrote to memory of 2944	2756	svchost.exe	41
PID 2756 wrote to memory of 2944	2756	svchost.exe	41
PID 2756 wrote to memory of 2944	2756	svchost.exe	41
PID 2756 wrote to memory of 2944	2756	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe
"C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- \??\c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
  c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2540
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1764
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2100
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:38 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:39 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240n.exe

Filesize
2.2MB

MD5
65b954468b068ebdf457c67c452c18e6

SHA1
644391b8f2741603a6942bd456f23c46c8b9df7a

SHA256
485006f4264d3835374c99820acbad6e9e409fda3aa78bcff98adfc9f62e8598

SHA512
0327461d01b7bce4a6275ca4a5d0eca2fbcfcedf8b1620856f707def22ea89136e98a7bc3f7d74190ace47949a46617221777b1a5f8a6501adbb25d0fc8df373

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a9e1b19a3a2030e903b453a9f815208f

SHA1
337485fd0987704691c43734b9fd684c329dbdcb

SHA256
4636bbe9a3c297dbf4768b98b9e17c6c9a1284ea6104db1de5877db645301a8d

SHA512
6642c1311abbb9c6ac253e7ec47d7b268adbc240714db429279dbb6d905ed0e011c8ba34a94cd14130a91dad65117d0cb1e0b82bcdcb29453773f5ceb58f46f7

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6708ad26c1e3b978054f905b140c6f1c

SHA1
104b00286aab9f93390af03d344da4fee5064ecc

SHA256
0f90b1ceed4aa000d4049696c2673f6c98685e5b6184b894bf5c4ddd9948a415

SHA512
408fbae7f92eea3d38045ce89da02b6c1cba3feb0e0700cdfd87e0b4ea7a63470dca6a03d6dd04152c02b90d98dcb8813742bf883b1dd7f31fbd2883755183ed

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c81892ae7918e26130312efae38f9a58

SHA1
517a5b347366b89aa84eb574477ab946cda62358

SHA256
08cd00dfb13a7c5c3eee8fcbdeb34b63418a06a9dec5a9a92d067659eb629659

SHA512
54fb49f35f8b548634796eac6b611ed71cf10fe8fcc45e14f2c076ee4be2a3204d50d76da6f761292437b79bf706ad6af675c83829c160a65e53ed6184aa61e6

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
2a452828a16058d2086d4fd8d6aaebbf

SHA1
e81413a48a76390efb3666bebb7a001a6df822ce

SHA256
251d9a339a048c2e0fd2eabe91f31681436458c28488487415d7b24a39f0559b

SHA512
a05cadd3df06c952f88ef7b6951afa75fe5b0c6f607166b241e57d6bc9f3a57a24bce9cde54f873366c51200007d21ff4f0e56e41422991b07f944a716f27fda

Download Submit
memory/1764-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-26-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2100-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2100-48-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2100-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2540-67-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-69-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-72-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-71-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-62-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-63-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-64-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-65-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-66-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-70-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2548-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-13-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2548-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download