c83490a5e3eaccd318f250575b2358f8fe9f8a0ed59c20966c93dafef8cf4b9d

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ba0362861766daa30cf3d7424c52a0N.exe
Size

3.6MB
MD5

d0ba0362861766daa30cf3d7424c52a0
SHA1

29b6adec19da3929577715875683ed388b0c3f19
SHA256

c83490a5e3eaccd318f250575b2358f8fe9f8a0ed59c20966c93dafef8cf4b9d
SHA512

6e41cba4e8f42f851a2ad0ab8071371960f4c43d8dd4528e323d5103de264bd57d945e08ae7d3ecb7fe19484caf9ef14b6a2d8a304c160f4e648c120eb0b2ee0
SSDEEP

98304:BzBOBfKMpHGqcfsLyQecNEqCNCjRqGy5XYBHOhN2qlxz:Bz/MpmJ0LdDLCAyiHOvP

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 7 IoCs

pid	Process
2368	d0ba0362861766daa30cf3d7424c52a0n.exe
1920	icsys.icn.exe
2820	explorer.exe
1192	Process not Found
2784	spoolsv.exe
2756	svchost.exe
2956	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1920	icsys.icn.exe
1192	Process not Found
2820	explorer.exe
2784	spoolsv.exe
2756	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	d0ba0362861766daa30cf3d7424c52a0N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0ba0362861766daa30cf3d7424c52a0N.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	d0ba0362861766daa30cf3d7424c52a0n.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1864	schtasks.exe
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
1920	icsys.icn.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe
2756	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2756	svchost.exe
2820	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1744	d0ba0362861766daa30cf3d7424c52a0N.exe
1920	icsys.icn.exe
2368	d0ba0362861766daa30cf3d7424c52a0n.exe
2368	d0ba0362861766daa30cf3d7424c52a0n.exe
1920	icsys.icn.exe
2820	explorer.exe
2820	explorer.exe
2784	spoolsv.exe
2784	spoolsv.exe
2756	svchost.exe
2756	svchost.exe
2956	spoolsv.exe
2956	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2368	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	31
PID 1744 wrote to memory of 2368	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	31
PID 1744 wrote to memory of 2368	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	31
PID 1744 wrote to memory of 2368	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	31
PID 1744 wrote to memory of 1920	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	32
PID 1744 wrote to memory of 1920	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	32
PID 1744 wrote to memory of 1920	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	32
PID 1744 wrote to memory of 1920	1744	d0ba0362861766daa30cf3d7424c52a0N.exe	32
PID 1920 wrote to memory of 2820	1920	icsys.icn.exe	33
PID 1920 wrote to memory of 2820	1920	icsys.icn.exe	33
PID 1920 wrote to memory of 2820	1920	icsys.icn.exe	33
PID 1920 wrote to memory of 2820	1920	icsys.icn.exe	33
PID 2820 wrote to memory of 2784	2820	explorer.exe	34
PID 2820 wrote to memory of 2784	2820	explorer.exe	34
PID 2820 wrote to memory of 2784	2820	explorer.exe	34
PID 2820 wrote to memory of 2784	2820	explorer.exe	34
PID 2784 wrote to memory of 2756	2784	spoolsv.exe	35
PID 2784 wrote to memory of 2756	2784	spoolsv.exe	35
PID 2784 wrote to memory of 2756	2784	spoolsv.exe	35
PID 2784 wrote to memory of 2756	2784	spoolsv.exe	35
PID 2756 wrote to memory of 2956	2756	svchost.exe	36
PID 2756 wrote to memory of 2956	2756	svchost.exe	36
PID 2756 wrote to memory of 2956	2756	svchost.exe	36
PID 2756 wrote to memory of 2956	2756	svchost.exe	36
PID 2820 wrote to memory of 2668	2820	explorer.exe	37
PID 2820 wrote to memory of 2668	2820	explorer.exe	37
PID 2820 wrote to memory of 2668	2820	explorer.exe	37
PID 2820 wrote to memory of 2668	2820	explorer.exe	37
PID 2756 wrote to memory of 1864	2756	svchost.exe	38
PID 2756 wrote to memory of 1864	2756	svchost.exe	38
PID 2756 wrote to memory of 1864	2756	svchost.exe	38
PID 2756 wrote to memory of 1864	2756	svchost.exe	38
PID 2756 wrote to memory of 2596	2756	svchost.exe	41
PID 2756 wrote to memory of 2596	2756	svchost.exe	41
PID 2756 wrote to memory of 2596	2756	svchost.exe	41
PID 2756 wrote to memory of 2596	2756	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\d0ba0362861766daa30cf3d7424c52a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0ba0362861766daa30cf3d7424c52a0N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- \??\c:\users\admin\appdata\local\temp\d0ba0362861766daa30cf3d7424c52a0n.exe
  c:\users\admin\appdata\local\temp\d0ba0362861766daa30cf3d7424c52a0n.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2368
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1920
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:04 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:05 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
6245eab8d3b1e12ce2460922b54a6b5c

SHA1
c8cd97f620e05c8b138258dc72828ab5e73e4d61

SHA256
0a4a2a5e35c0d75684e4541194e3239a508c439fc768914afc3787cc0cb7f10c

SHA512
15af90601fc6af23edc71b2b1caa3c1114b05b802a8d6dba15eca78650ef1bd80fd115ad47634363213c161908a501a30698e47acc76c04577d246a7c65b6307

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
c291f732becbbfecbbcb81a568928c6a

SHA1
99970fe669b1084fae6c7d779579fc3dc50d1419

SHA256
0c89ab2c561c0743eaf5130b62cad92f5ba7e2ceac65ff8e3fca2404521a49e2

SHA512
dcf6a023081f6ac60a442d4d8bd6766194d7b92fb5058f72ce7ff5461debe304eeeccafb26cdde77cf5798ee289fb9e50b01b64d0a8203b2f67a68e15c9411c1

Download Submit
\Users\Admin\AppData\Local\Temp\d0ba0362861766daa30cf3d7424c52a0n.exe

Filesize
3.4MB

MD5
7a647af3c112ad805296a22b2a276e7c

SHA1
9cdf137e3f2493c9e141d5ec05f890e32b9b4e87

SHA256
20739e8fc050187af013e2499718895e4c980699ccaf046b2f96b12497e61959

SHA512
71d86d8dc598aafa91da8e0d971d1bbb87135832b848547c5c611bc828d165625c7a19af2cd300373190cf3eb782c714ac73d84ada53b37b6d8c1ee8508bcd86

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e1cf86c16488e27ba84c3a12691fd543

SHA1
8e778950e1063c20ff879a03baa87b81768bc2d1

SHA256
93b1c538a3cc507b790e1a1008cfc70b980c64bd52e1bdccf2bc57aba2c69064

SHA512
de7ed0180f9b62cdd588e4d2aa621817df095e6f330857212aa7bacc189759c66bb17e2c27f22b17e82a65a0548980481976b00b8b1f57717223c9e1cddd8467

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fcd72b0a0a79a03896ff2f5810878ba1

SHA1
34bb269dc5190f43c26ad5792a56099e048863bb

SHA256
54f19a23d5d9ddf2ee12a9fe3a011a610b1579b55f45abd6b4440aae8483b028

SHA512
71772d29a7ec25fcf2120497665f9fc92090b9157f0545b8d1612a75f8641dacc076c47b372d8fc947e968f169c3ade517c91587cb9de51c0f51185bb73a1528

Download Submit
memory/1744-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-14-0x0000000000850000-0x000000000086F000-memory.dmp

Filesize
124KB

Download
memory/1744-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-53-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2756-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-72-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2784-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-45-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2820-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2956-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download