Analysis
-
max time kernel
120s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 00:58
Behavioral task
behavioral1
Sample
983feeba8559708cdf24ccfe95e6b500N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
983feeba8559708cdf24ccfe95e6b500N.exe
Resource
win10v2004-20240802-en
General
-
Target
983feeba8559708cdf24ccfe95e6b500N.exe
-
Size
1.4MB
-
MD5
983feeba8559708cdf24ccfe95e6b500
-
SHA1
0284cd93330c39a56517c0524b58f99bae212e05
-
SHA256
f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867
-
SHA512
f69524363cd51da69ca2cc46f83b8cfb743aa3db1eff0041a0e3106ac2a1f40e7886a21813bb23f45fef46777c490dacfc20cce76ca6b76738786785045884a1
-
SSDEEP
24576:cFOa8YUyYp231mT6lq7UM4nM2dNR0iTgk22FyDbJ7wDS+eUZ:smwmTSWUMIM2p0iTgkf4V7rUZ
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
r77 rootkit payload 1 IoCs
Detects the payload of the r77 rootkit.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500n.exe r77_payload -
Executes dropped EXE 6 IoCs
Processes:
983feeba8559708cdf24ccfe95e6b500n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 2796 983feeba8559708cdf24ccfe95e6b500n.exe 5096 icsys.icn.exe 3284 explorer.exe 2684 spoolsv.exe 348 svchost.exe 3556 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 5 IoCs
Processes:
explorer.exespoolsv.exe983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exedescription ioc process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe 983feeba8559708cdf24ccfe95e6b500N.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exe983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 983feeba8559708cdf24ccfe95e6b500N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exepid process 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 5096 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 3284 explorer.exe 348 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
983feeba8559708cdf24ccfe95e6b500n.exedescription pid process Token: SeDebugPrivilege 2796 983feeba8559708cdf24ccfe95e6b500n.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3056 983feeba8559708cdf24ccfe95e6b500N.exe 3056 983feeba8559708cdf24ccfe95e6b500N.exe 5096 icsys.icn.exe 5096 icsys.icn.exe 3284 explorer.exe 3284 explorer.exe 2684 spoolsv.exe 2684 spoolsv.exe 348 svchost.exe 348 svchost.exe 3556 spoolsv.exe 3556 spoolsv.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
983feeba8559708cdf24ccfe95e6b500N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 3056 wrote to memory of 2796 3056 983feeba8559708cdf24ccfe95e6b500N.exe 983feeba8559708cdf24ccfe95e6b500n.exe PID 3056 wrote to memory of 2796 3056 983feeba8559708cdf24ccfe95e6b500N.exe 983feeba8559708cdf24ccfe95e6b500n.exe PID 3056 wrote to memory of 5096 3056 983feeba8559708cdf24ccfe95e6b500N.exe icsys.icn.exe PID 3056 wrote to memory of 5096 3056 983feeba8559708cdf24ccfe95e6b500N.exe icsys.icn.exe PID 3056 wrote to memory of 5096 3056 983feeba8559708cdf24ccfe95e6b500N.exe icsys.icn.exe PID 5096 wrote to memory of 3284 5096 icsys.icn.exe explorer.exe PID 5096 wrote to memory of 3284 5096 icsys.icn.exe explorer.exe PID 5096 wrote to memory of 3284 5096 icsys.icn.exe explorer.exe PID 3284 wrote to memory of 2684 3284 explorer.exe spoolsv.exe PID 3284 wrote to memory of 2684 3284 explorer.exe spoolsv.exe PID 3284 wrote to memory of 2684 3284 explorer.exe spoolsv.exe PID 2684 wrote to memory of 348 2684 spoolsv.exe svchost.exe PID 2684 wrote to memory of 348 2684 spoolsv.exe svchost.exe PID 2684 wrote to memory of 348 2684 spoolsv.exe svchost.exe PID 348 wrote to memory of 3556 348 svchost.exe spoolsv.exe PID 348 wrote to memory of 3556 348 svchost.exe spoolsv.exe PID 348 wrote to memory of 3556 348 svchost.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exec:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3556
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD52619a95b7823ba7d7061723fb24899ff
SHA1a0f8509a84b80e740e9010f2caebdb366d765026
SHA2562f7d0647c2643ebed6a9c84b7bf5f22e8daf38f53376428c82993a2438abe4ec
SHA51283c7f59860ea57379f6f114cfbc671f8a7d8d7495ab0c74d6cf0b73b4449c213305d19a9f6a68090774511254f1e314038fcc0c1a4f14427c1b258b282396fb6
-
Filesize
135KB
MD53622ddde7c96b8117a84547fddd5032f
SHA1a74fee6c50ddf71745f2b208e7c7db1ad66841ca
SHA2561dd25d200de965098a7420078c7748d99397a104ad91ee763205eda6f5638fb4
SHA512940bfe09e17d6612652e03a5881dc961a42ef14e9039dc12626265ffa6a21f2fc16851f776da04d83085aa045c59cd24c8dfec44ae14b6e45e6498ab00912f45
-
Filesize
135KB
MD5eb26863ba35c122485365deb42a871d7
SHA1a60c83d2744059df05d8706c55a10e09861357ce
SHA2568df9bfbe2e8c53f196fdb0d9a43d117a54a89a6d3dffb41140973fe78e8b8bee
SHA512c872c1bde7408cfe2f8e3f80a173a1d0a74fbb1a2de81d889b354fc7f06cb129d92a0087c415e94f1621324f2d5795a15adfcc02e1244200e0dd5d20aba7781d
-
Filesize
135KB
MD57cdbd6eab4c515a5741f0eb1bd4279d9
SHA11b755d0807a5d2f04325000b23083011d7abd811
SHA25693b37b86ed6249418d0ddd256ec2d0648ef30a8b7ad2c5b9dbe2eaa76a4a12ce
SHA512b31e2e7b097b59438478c49467444fcb73c30df61c066bdd050b9d801399bbfa3ecc01293bcd9486e80ca915c825ed23fe23ff2303aaa3a2b6f0fae250a9c9b7
-
Filesize
135KB
MD527e57f9dda22ef60cb121d57aa5a32ec
SHA17b4203a88a9eceb22412e7844f8e7e16372bd8fe
SHA256390030cc666f7026fd31e3dccf7aa4e8add46630a16d6f363bf0b915eab2c11b
SHA512d03f7e9b85ee21ef2e14c4bc1b76c5e6dd106213e9b1655b1e51a102bbda866157584ac0ba133c2d3489f6860c2c4d18047218080dabbdd21c5da98523a0f9ba