Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2024 00:58
Behavioral task behavioral1
- Sample: 983feeba8559708cdf24ccfe95e6b500N.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 983feeba8559708cdf24ccfe95e6b500N.exe
- Resource: win10v2004-20240802-en
General
- Target: 983feeba8559708cdf24ccfe95e6b500N.exe
- Size: 1.4MB
- MD5: 983feeba8559708cdf24ccfe95e6b500
- SHA1: 0284cd93330c39a56517c0524b58f99bae212e05
- SHA256: f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867
- SHA512: f69524363cd51da69ca2cc46f83b8cfb743aa3db1eff0041a0e3106ac2a1f40e7886a21813bb23f45fef46777c490dacfc20cce76ca6b76738786785045884a1
- SSDEEP: 24576:cFOa8YUyYp231mT6lq7UM4nM2dNR0iTgk22FyDbJ7wDS+eUZ:smwmTSWUMIM2p0iTgkf4V7rUZ
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- r77 rootkit payload (1 IoCs)
  Detects the payload of the r77 rootkit.
  resource | yara_rule
  behavioral1/files/0x0007000000018712-6.dat | r77_payload
- Executes dropped EXE (6 IoCs)
  pid | Process
  2296 | 983feeba8559708cdf24ccfe95e6b500n.exe
  2572 | icsys.icn.exe
  2660 | explorer.exe
  2532 | spoolsv.exe
  2540 | svchost.exe
  1324 | spoolsv.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  2512 | 983feeba8559708cdf24ccfe95e6b500N.exe
  2512 | 983feeba8559708cdf24ccfe95e6b500N.exe
  2572 | icsys.icn.exe
  2660 | explorer.exe
  2532 | spoolsv.exe
  2540 | svchost.exe
  1196 | Process not Found
  1196 | Process not Found
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 983feeba8559708cdf24ccfe95e6b500N.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 983feeba8559708cdf24ccfe95e6b500N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2756 | schtasks.exe
  2312 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (identical entries collapsed; the report lists each one individually)
  2512 | 983feeba8559708cdf24ccfe95e6b500N.exe (16 entries)
  2572 | icsys.icn.exe (17 entries)
  2660 | explorer.exe (16 entries)
  2540 | svchost.exe (15 entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2660 | explorer.exe
  2540 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2296 | 983feeba8559708cdf24ccfe95e6b500n.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  2512 | 983feeba8559708cdf24ccfe95e6b500N.exe
  2512 | 983feeba8559708cdf24ccfe95e6b500N.exe
  2572 | icsys.icn.exe
  2572 | icsys.icn.exe
  2660 | explorer.exe
  2660 | explorer.exe
  2532 | spoolsv.exe
  2532 | spoolsv.exe
  2540 | svchost.exe
  2540 | svchost.exe
  1324 | spoolsv.exe
  1324 | spoolsv.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target (each row appears 4 times in the report; identical rows collapsed)
  PID 2512 wrote to memory of 2296 | 2512 | 983feeba8559708cdf24ccfe95e6b500N.exe | 30
  PID 2512 wrote to memory of 2572 | 2512 | 983feeba8559708cdf24ccfe95e6b500N.exe | 31
  PID 2572 wrote to memory of 2660 | 2572 | icsys.icn.exe | 32
  PID 2660 wrote to memory of 2532 | 2660 | explorer.exe | 33
  PID 2532 wrote to memory of 2540 | 2532 | spoolsv.exe | 34
  PID 2540 wrote to memory of 1324 | 2540 | svchost.exe | 35
  PID 2660 wrote to memory of 2608 | 2660 | explorer.exe | 36
  PID 2540 wrote to memory of 2756 | 2540 | svchost.exe | 37
  PID 2540 wrote to memory of 2312 | 2540 | svchost.exe | 41
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"
  PID: 2512
  Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [depth 2] \??\c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
    Command line: c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
    PID: 2296
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 2572
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [depth 3] \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2660
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [depth 4] \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 2532
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [depth 5] \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 2540
          Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [depth 6] \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 1324
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - [depth 6] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:00 /f
            PID: 2756
            Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - [depth 6] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:01 /f
            PID: 2312
            Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - [depth 4] C:\Windows\Explorer.exe
        Command line: C:\Windows\Explorer.exe
        PID: 2608
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads