4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109015d4b83faedd67d948a633094240N.exe
Size

2.3MB
MD5

109015d4b83faedd67d948a633094240
SHA1

08756d3aee790ebd76a716722274b7e73a8e4434
SHA256

4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2
SHA512

c7212e87f16ad3c6c365da72c866cd240a137e212201df9dc7e260a6b138128f344609f61af9be5eb3a37157eea65ff9973c362ac5c2436a2d7adab723d9f7ee
SSDEEP

24576:PFOa7wf1O8JPPdc9o5KIc8x88eJfeJB4SbE9HppkDw9Bmpwy855sM40YtQ2qlBP0:tAU8ARQ6SCppkDw9BmpZ3aTPIsY9

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
772	109015d4b83faedd67d948a633094240n.exe
1304	icsys.icn.exe
3244	explorer.exe
4612	spoolsv.exe
5100	svchost.exe
3552	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	109015d4b83faedd67d948a633094240N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109015d4b83faedd67d948a633094240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109015d4b83faedd67d948a633094240n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
1304	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3244	explorer.exe
5100	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3296	109015d4b83faedd67d948a633094240N.exe
3296	109015d4b83faedd67d948a633094240N.exe
1304	icsys.icn.exe
1304	icsys.icn.exe
3244	explorer.exe
3244	explorer.exe
4612	spoolsv.exe
4612	spoolsv.exe
5100	svchost.exe
5100	svchost.exe
3552	spoolsv.exe
3552	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 772	3296	109015d4b83faedd67d948a633094240N.exe	84
PID 3296 wrote to memory of 772	3296	109015d4b83faedd67d948a633094240N.exe	84
PID 3296 wrote to memory of 772	3296	109015d4b83faedd67d948a633094240N.exe	84
PID 3296 wrote to memory of 1304	3296	109015d4b83faedd67d948a633094240N.exe	85
PID 3296 wrote to memory of 1304	3296	109015d4b83faedd67d948a633094240N.exe	85
PID 3296 wrote to memory of 1304	3296	109015d4b83faedd67d948a633094240N.exe	85
PID 1304 wrote to memory of 3244	1304	icsys.icn.exe	87
PID 1304 wrote to memory of 3244	1304	icsys.icn.exe	87
PID 1304 wrote to memory of 3244	1304	icsys.icn.exe	87
PID 3244 wrote to memory of 4612	3244	explorer.exe	89
PID 3244 wrote to memory of 4612	3244	explorer.exe	89
PID 3244 wrote to memory of 4612	3244	explorer.exe	89
PID 4612 wrote to memory of 5100	4612	spoolsv.exe	91
PID 4612 wrote to memory of 5100	4612	spoolsv.exe	91
PID 4612 wrote to memory of 5100	4612	spoolsv.exe	91
PID 5100 wrote to memory of 3552	5100	svchost.exe	92
PID 5100 wrote to memory of 3552	5100	svchost.exe	92
PID 5100 wrote to memory of 3552	5100	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe
"C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3296
- \??\c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
  c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4612
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240n.exe

Filesize
2.2MB

MD5
65b954468b068ebdf457c67c452c18e6

SHA1
644391b8f2741603a6942bd456f23c46c8b9df7a

SHA256
485006f4264d3835374c99820acbad6e9e409fda3aa78bcff98adfc9f62e8598

SHA512
0327461d01b7bce4a6275ca4a5d0eca2fbcfcedf8b1620856f707def22ea89136e98a7bc3f7d74190ace47949a46617221777b1a5f8a6501adbb25d0fc8df373

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e84a1ae9d8cc8955bd8dc5bdd48c1bbd

SHA1
cef552e3075dbafba6b82e2c533626d87657fe76

SHA256
f3e4a04e6694d064d4c04fbe496ca10d15a731b1971f64c20c73b4478c0f174a

SHA512
6c5d8fbe1508104665e24ed10e5f107713e857636473e6f95d5305ccac253ade7907df94e85baa77eaf5b1e05f4d90879db2e44b85865a6892b31476e30f9dd2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6708ad26c1e3b978054f905b140c6f1c

SHA1
104b00286aab9f93390af03d344da4fee5064ecc

SHA256
0f90b1ceed4aa000d4049696c2673f6c98685e5b6184b894bf5c4ddd9948a415

SHA512
408fbae7f92eea3d38045ce89da02b6c1cba3feb0e0700cdfd87e0b4ea7a63470dca6a03d6dd04152c02b90d98dcb8813742bf883b1dd7f31fbd2883755183ed

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
f856a83d22258cc80d072264ab61138e

SHA1
5aef3c538816702317a495498f5bf0ba90cbb588

SHA256
e78f63e2241e21e11aeb929bbce0b29113e4b600391900752c83c428860a936e

SHA512
15c243aeaecba87206ec58579d90bc4ae3a96685b4e9e77cd75f021f1b2058c8681d40f4ca29057a84ea742fa3d3d29683d3a36da127860c0f10921e5531c162

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
4e2e4dc1fca40470ac5dab00e50aa8c5

SHA1
c3091b2def0c3b1f2cad798ed326f426fec8fcff

SHA256
6c4a00dfd610fdcdf5418e33042fa04ce42e798491514aaf59a1e4966fc8b38e

SHA512
981a85f842f47f143f8d86d594ca94ae5572503a2f64486571dee2bdbc13c836aa6e02b63b4ccc621a51b42fc80be68022e3ff9c800ad4f68d71912c9f23f0b8

Download Submit
memory/772-52-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-54-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-58-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-57-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-9-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/772-56-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-48-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-49-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/772-50-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-51-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/772-55-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1304-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3296-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3296-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3552-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4612-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download