dbc410a3ed9c9392f81e2f4d2b68de11b7ac79841a2ebf559c34aa538b6db8c3

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa66175cf3367c181ac59a698149890N.exe
Size

3.2MB
MD5

efa66175cf3367c181ac59a698149890
SHA1

a0a62773b39dc7ea26a19663b1f98e2f8df76969
SHA256

dbc410a3ed9c9392f81e2f4d2b68de11b7ac79841a2ebf559c34aa538b6db8c3
SHA512

13f7c6f47d49ea362c4b7689bb42014edf7f2068b0eca1f02a1637cd1aaa47a9af0d65e585994de364c31553f70ffc4b244727599aff584f0c766da3dbb9ba02
SSDEEP

49152:tWdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjT333TYe:9HDYsqiPRhINnq95FoHVBT333T1

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2000	efa66175cf3367c181ac59a698149890n.exe
2244	icsys.icn.exe
2272	explorer.exe
836	spoolsv.exe
2852	svchost.exe
3068	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2244	icsys.icn.exe
2272	explorer.exe
836	spoolsv.exe
2852	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	efa66175cf3367c181ac59a698149890N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa66175cf3367c181ac59a698149890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa66175cf3367c181ac59a698149890n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe
2852	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2272	explorer.exe
2852	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2292	efa66175cf3367c181ac59a698149890N.exe
2292	efa66175cf3367c181ac59a698149890N.exe
2244	icsys.icn.exe
2244	icsys.icn.exe
2272	explorer.exe
2272	explorer.exe
836	spoolsv.exe
836	spoolsv.exe
2852	svchost.exe
2852	svchost.exe
3068	spoolsv.exe
3068	spoolsv.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2000	2292	efa66175cf3367c181ac59a698149890N.exe	28
PID 2292 wrote to memory of 2244	2292	efa66175cf3367c181ac59a698149890N.exe	29
PID 2292 wrote to memory of 2244	2292	efa66175cf3367c181ac59a698149890N.exe	29
PID 2292 wrote to memory of 2244	2292	efa66175cf3367c181ac59a698149890N.exe	29
PID 2292 wrote to memory of 2244	2292	efa66175cf3367c181ac59a698149890N.exe	29
PID 2244 wrote to memory of 2272	2244	icsys.icn.exe	30
PID 2244 wrote to memory of 2272	2244	icsys.icn.exe	30
PID 2244 wrote to memory of 2272	2244	icsys.icn.exe	30
PID 2244 wrote to memory of 2272	2244	icsys.icn.exe	30
PID 2272 wrote to memory of 836	2272	explorer.exe	31
PID 2272 wrote to memory of 836	2272	explorer.exe	31
PID 2272 wrote to memory of 836	2272	explorer.exe	31
PID 2272 wrote to memory of 836	2272	explorer.exe	31
PID 836 wrote to memory of 2852	836	spoolsv.exe	32
PID 836 wrote to memory of 2852	836	spoolsv.exe	32
PID 836 wrote to memory of 2852	836	spoolsv.exe	32
PID 836 wrote to memory of 2852	836	spoolsv.exe	32
PID 2852 wrote to memory of 3068	2852	svchost.exe	33
PID 2852 wrote to memory of 3068	2852	svchost.exe	33
PID 2852 wrote to memory of 3068	2852	svchost.exe	33
PID 2852 wrote to memory of 3068	2852	svchost.exe	33
PID 2272 wrote to memory of 2692	2272	explorer.exe	34
PID 2272 wrote to memory of 2692	2272	explorer.exe	34
PID 2272 wrote to memory of 2692	2272	explorer.exe	34
PID 2272 wrote to memory of 2692	2272	explorer.exe	34
PID 2852 wrote to memory of 2612	2852	svchost.exe	35
PID 2852 wrote to memory of 2612	2852	svchost.exe	35
PID 2852 wrote to memory of 2612	2852	svchost.exe	35
PID 2852 wrote to memory of 2612	2852	svchost.exe	35
PID 2852 wrote to memory of 1408	2852	svchost.exe	40
PID 2852 wrote to memory of 1408	2852	svchost.exe	40
PID 2852 wrote to memory of 1408	2852	svchost.exe	40
PID 2852 wrote to memory of 1408	2852	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe
"C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- \??\c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe
  c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:836
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
df1229ba732462ebd3940fe2204c1428

SHA1
6625158cee4feac28cbb1b60eb7691a33d3b6806

SHA256
a928efcb51aee05e23bd0310e90edbdffd1d75d96853b143987174016c246571

SHA512
f03b449c278f4253e3becc9f752126e88e900f71625763a7ce0101bf86cda0af6fe13886bb33ac3ae267350cadade7ac852437d7a4e9fdda82c385e94c55537d

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
b84ed00fa629ac9dbe86463809581b52

SHA1
88726da9890a73b0dfb72e81b4919e365191b94d

SHA256
c52308aa1759d285db060c679b0bfc3b1e6096ba588319ea6707ea7b245672d3

SHA512
8878fd85722bc4e65556915c1c06817571b86b41d1846e651c77904e992d6dfb41b22ea30f438189c2cec6c70d2a1ababe06379329f3d93a4ef29eac383d4b0c

Download Submit
\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890n.exe

Filesize
3.1MB

MD5
39c41ec190c34c174c78d9f4db91ff98

SHA1
33da26a7b9325109d1438cef20836c6cf4029710

SHA256
6027859fd47b7d875cb59fc26fa9bcf08b9e72cec9a00b49ebdd9dc2b7b889fe

SHA512
e31284baafce81a67a6e989bb4d2c459b1ffa3312591d03fd8674ad954bf8c7d7e5963d557447af4ed11e10389aba148251f809ba9963fccfad6ac62bc9b3b87

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
92c4021fe000dc4da40ccd5c777b5188

SHA1
b617b7ae8e47d842e6070732ba520f40ab922b50

SHA256
4a86100fcc22a932cf0ac245399827b27e0a723290d41e886feed66cf1dd0d02

SHA512
4ea636786b3e790c593a03fbda87ea34105876a346eb7dd22f6761c841d6fc89ff5fef761adea5faff70ede4ffd807b64ebb1a21f8f8be7a92f1594857e0b7af

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
596bcbdb211a745261e8a53a9d3f415c

SHA1
e33cecfca38720b1f27c212822f164f2f8fe49c1

SHA256
a20e21c790f548de12ac290a914c6210229cf594bb025ddd94c66124209c60fc

SHA512
818db3e5d55298409a025590f040e28ed93b85820f3760d7e51c6d7e0e418bc7d74a9d7dc6ef528bf1ba7884b25c704e845ec77d01b0cf78d50bc39f9790c91a

Download Submit
memory/836-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2000-62-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2000-61-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2244-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-15-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2292-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-52-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2852-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download