4abedfc82c0c36eff2a0a204c9489498d959baa91f5e15a52991adac75d6d64e

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 14:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f77488f1d5b1ece97c2b1b18968f6d0N.exe
Size

204KB
MD5

1f77488f1d5b1ece97c2b1b18968f6d0
SHA1

16b7b4213dbf9e92dcf08b841a70e2f7ce3c6abc
SHA256

4abedfc82c0c36eff2a0a204c9489498d959baa91f5e15a52991adac75d6d64e
SHA512

3467d8dc0fefe66bdd53bdc250b2ec6e20ae2235319fdd3b6278e43fa9ca3662a108ddbedd2cc994453ddd40540599e68b73617be0138480ea7d00521c6e8bc0
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalYHEre7GjyCaFvcCSudO:UsLqdufVUNDaMPXzjdO

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
4344	1f77488f1d5b1ece97c2b1b18968f6d0n.exe
5020	Un_A.exe
752	icsys.icn.exe
3888	explorer.exe
3148	spoolsv.exe
3220	svchost.exe
3128	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f77488f1d5b1ece97c2b1b18968f6d0n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234af-7.dat	nsis_installer_1
behavioral2/files/0x00070000000234af-7.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe
752	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3888	explorer.exe
3220	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe
752	icsys.icn.exe
752	icsys.icn.exe
3888	explorer.exe
3888	explorer.exe
3148	spoolsv.exe
3148	spoolsv.exe
3220	svchost.exe
3220	svchost.exe
3128	spoolsv.exe
3128	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4344	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	84
PID 4632 wrote to memory of 4344	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	84
PID 4632 wrote to memory of 4344	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	84
PID 4344 wrote to memory of 5020	4344	1f77488f1d5b1ece97c2b1b18968f6d0n.exe	85
PID 4344 wrote to memory of 5020	4344	1f77488f1d5b1ece97c2b1b18968f6d0n.exe	85
PID 4344 wrote to memory of 5020	4344	1f77488f1d5b1ece97c2b1b18968f6d0n.exe	85
PID 4632 wrote to memory of 752	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	86
PID 4632 wrote to memory of 752	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	86
PID 4632 wrote to memory of 752	4632	1f77488f1d5b1ece97c2b1b18968f6d0N.exe	86
PID 752 wrote to memory of 3888	752	icsys.icn.exe	88
PID 752 wrote to memory of 3888	752	icsys.icn.exe	88
PID 752 wrote to memory of 3888	752	icsys.icn.exe	88
PID 3888 wrote to memory of 3148	3888	explorer.exe	89
PID 3888 wrote to memory of 3148	3888	explorer.exe	89
PID 3888 wrote to memory of 3148	3888	explorer.exe	89
PID 3148 wrote to memory of 3220	3148	spoolsv.exe	91
PID 3148 wrote to memory of 3220	3148	spoolsv.exe	91
PID 3148 wrote to memory of 3220	3148	spoolsv.exe	91
PID 3220 wrote to memory of 3128	3220	svchost.exe	92
PID 3220 wrote to memory of 3128	3220	svchost.exe	92
PID 3220 wrote to memory of 3128	3220	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\1f77488f1d5b1ece97c2b1b18968f6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1f77488f1d5b1ece97c2b1b18968f6d0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632
- \??\c:\users\admin\appdata\local\temp\1f77488f1d5b1ece97c2b1b18968f6d0n.exe
  c:\users\admin\appdata\local\temp\1f77488f1d5b1ece97c2b1b18968f6d0n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\admin\appdata\local\temp\
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5020
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3148
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1f77488f1d5b1ece97c2b1b18968f6d0n.exe

Filesize
69KB

MD5
52065a4839944c7f447207845d763a7a

SHA1
02bb6b13db6db466026ddbeafc7eb0573f90f0f5

SHA256
ac3fe86bf4bebc84b3c4897087ba05869d5fc8b5d60bf4a7dec2701391a46ca4

SHA512
466efdfccc991f39e2bd63d964b40c151b4b86d9ce19615e62466761445227d9df9b31e421d63d64ef88ae9d225e3699a135913e19203e6141c81add8cbbd320

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
5aaa0d67a95a2b9bb4a3b0d18f3bd741

SHA1
37df88abe7bbba7d83200e45f7afb453098ac921

SHA256
e02700ee63184f2a305ef1b3143de1c320e56bf8eff2f16c57a130664dc10169

SHA512
89627a4abed6ba4f28c97239fb675f65752ede42db3c25850621b7848e531efd015f3c8a6fb39c6edcd70c977b8b9d02b2bf0468fc8b220d04413e904c038812

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
f177dae1a7e57c947e0c491f1dc655d1

SHA1
616426db02759c3f53d62b2772820e4ce5a1a0fd

SHA256
1c4ca929dc41e5cf2426cc0d90e364e45de3558613d99307bddb8e824845d0cc

SHA512
c3a91fc92afeb7391424488e086156c0ec858eb3648330701e4b56e64da9d46004e4b5ae58c78c366810223e1f812987df50d58fca8dc84400031a4de61f1c9c

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
5289d74b4615c6a02c92eff332cb0622

SHA1
4d8ab8ccc53fd32eb020e5529a4fd4c1a8c35986

SHA256
9486d13b8b8aae9e2f94dd7a1658d7aad3b4bb39ae3f799b5386b68bd2c56094

SHA512
2a593ea60ecfad22a1bd13712911617a00e8a0bfd92ab5848fb2a410eb58f22a13d2a360ba1ad0db66fef292c858088d0cdfd5124df50545dd6be007c6d4fe56

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
1b10893775dcd27f1009ca7215baa12a

SHA1
9775614fc1f461dbf3cd941e21ed8dfd9d8824db

SHA256
09651dd5581058bd9def4eaf12bd7b2a7b8f0643dbfad101c3a0686be56ec4bd

SHA512
d68ecb7e93951d2ef1ae2dae242376d46140829adf63754d4a4e858f170297f3aaafc685b628a0041777b05e1d6fa67ae95688608e260311c3194c631195b8f0

Download Submit
memory/752-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3128-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download