Analysis

max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 03:20

Tasks
Static task: static1
Behavioral task: behavioral1 (sample f40a6510b3f8dd3a21464be0132f8090N.exe, resource win7-20240903-en)
The signature, process and file data reproduced below come from the behavioral2 task on the win10v2004-20240802-en image (the artefact paths are prefixed behavioral2/); the win7 task listed above is not rendered on this page.
General

Target: f40a6510b3f8dd3a21464be0132f8090N.exe
Size: 3.1MB
MD5: f40a6510b3f8dd3a21464be0132f8090
SHA1: 4d3b4d00296c53e08c8504a89434e74b807191ef
SHA256: 7eb237e18ea11289f5266015dee0556bb3842bb02027c19bfab1bb32e203192a
SHA512: c88eac496864996dfce4b50bdac14e6345fd26daa12e684178f00fedc9791118e4f545d06abe7a0f27740e82090e52987c75b5776c3fb456498ed90224ccd458
SSDEEP: 49152:tf7OE8I6oJK0uzgRTvnFjStQyfvE0Z3R0nxiIq2dseYGfXD:IE8Ij3uzgFt7KtQRq2VXD
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Registry value set (int), both writes to the same value, ShowSuperHidden = "0" (re-hides protected operating system files in Explorer):
  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by explorer.exe
  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by svchost.exe
Detects Floxif payload (1 IoC)
  behavioral2/files/0x000700000002342f-11.dat (yara rule: floxif)
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  behavioral2/files/0x000700000002342f-11.dat (yara rule: acprotect)
Executes dropped EXE (8 IoCs)
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 1504 icsys.icn.exe
  PID 400 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 4508 explorer.exe
  PID 3148 icsys.icn.exe
  PID 2776 spoolsv.exe
  PID 1416 svchost.exe
  PID 2220 spoolsv.exe
Loads dropped DLL (2 IoCs)
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 400 f40a6510b3f8dd3a21464be0132f8090n.exe
-
UPX packed file (5 IoCs; the signature heading is missing from the extracted page and is inferred from the yara rule name "upx")
  behavioral2/files/0x000700000002342f-11.dat (yara rule: upx)
  behavioral2/memory/3192-14-0x0000000010000000-0x0000000010030000-memory.dmp (yara rule: upx)
  behavioral2/memory/400-29-0x0000000010000000-0x0000000010030000-memory.dmp (yara rule: upx)
  behavioral2/memory/3192-64-0x0000000010000000-0x0000000010030000-memory.dmp (yara rule: upx)
  behavioral2/memory/400-51-0x0000000010000000-0x0000000010030000-memory.dmp (yara rule: upx)
Adds Run key to start application (2 TTPs, 4 IoCs)
Registry value set (str); both dropped processes write the same two RunOnce values:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by explorer.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by explorer.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by svchost.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by svchost.exe
Drops file in System32 directory (2 IoCs)
File opened for modification:
  C:\Windows\SysWOW64\explorer.exe by svchost.exe
  C:\Windows\SysWOW64\explorer.exe by explorer.exe
Drops file in Program Files directory (1 IoC)
File created:
  C:\Program Files\Common Files\System\symsrv.dll by f40a6510b3f8dd3a21464be0132f8090n.exe
Drops file in Windows directory (6 IoCs)
File opened for modification:
  \??\c:\windows\resources\themes\explorer.exe by icsys.icn.exe
  \??\c:\windows\resources\spoolsv.exe by explorer.exe
  \??\c:\windows\resources\svchost.exe by spoolsv.exe
  C:\Windows\Resources\tjud.exe by explorer.exe
  C:\Windows\Resources\Themes\icsys.icn.exe by f40a6510b3f8dd3a21464be0132f8090N.exe
  C:\Windows\Resources\Themes\icsys.icn.exe by f40a6510b3f8dd3a21464be0132f8090n.exe
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes (one event each):
  icsys.icn.exe
  svchost.exe
  icsys.icn.exe
  f40a6510b3f8dd3a21464be0132f8090n.exe
  explorer.exe
  spoolsv.exe
  spoolsv.exe
  f40a6510b3f8dd3a21464be0132f8090N.exe
  f40a6510b3f8dd3a21464be0132f8090n.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 process-enumeration events in total, all from two processes:
  PID 2992 f40a6510b3f8dd3a21464be0132f8090N.exe
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 4508 explorer.exe
  PID 1416 svchost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 400 f40a6510b3f8dd3a21464be0132f8090n.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
Two events per process:
  PID 2992 f40a6510b3f8dd3a21464be0132f8090N.exe
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 1504 icsys.icn.exe
  PID 400 f40a6510b3f8dd3a21464be0132f8090n.exe
  PID 4508 explorer.exe
  PID 3148 icsys.icn.exe
  PID 2776 spoolsv.exe
  PID 1416 svchost.exe
  PID 2220 spoolsv.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Each parent wrote to its child's memory three times (procid_target is the report's internal process index):
  PID 2992 f40a6510b3f8dd3a21464be0132f8090N.exe wrote to memory of PID 3192 (procid_target 84)
  PID 2992 f40a6510b3f8dd3a21464be0132f8090N.exe wrote to memory of PID 1504 (procid_target 86)
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe wrote to memory of PID 400 (procid_target 87)
  PID 1504 icsys.icn.exe wrote to memory of PID 4508 (procid_target 88)
  PID 3192 f40a6510b3f8dd3a21464be0132f8090n.exe wrote to memory of PID 3148 (procid_target 89)
  PID 4508 explorer.exe wrote to memory of PID 2776 (procid_target 90)
  PID 2776 spoolsv.exe wrote to memory of PID 1416 (procid_target 91)
  PID 1416 svchost.exe wrote to memory of PID 2220 (procid_target 92)
Processes

Process tree (depth in brackets; each entry gives the image path, the command line as recorded, the PID and the signatures that fired for it):

[1] C:\Users\Admin\AppData\Local\Temp\f40a6510b3f8dd3a21464be0132f8090N.exe (PID 2992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f40a6510b3f8dd3a21464be0132f8090N.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe (PID 3192)
      Command line: c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe (PID 400)
        Command line: c:\users\admin\appdata\local\temp\f40a6510b3f8dd3a21464be0132f8090n.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\Resources\Themes\icsys.icn.exe (PID 3148)
        Command line: C:\Windows\Resources\Themes\icsys.icn.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

  [2] C:\Windows\Resources\Themes\icsys.icn.exe (PID 1504)
      Command line: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\resources\themes\explorer.exe (PID 4508)
        Command line: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\resources\spoolsv.exe (PID 2776)
          Command line: c:\windows\resources\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\resources\svchost.exe (PID 1416)
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] \??\c:\windows\resources\spoolsv.exe (PID 2220)
              Command line: c:\windows\resources\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx

Note that explorer.exe, spoolsv.exe and svchost.exe here are copies running from C:\Windows\Resources and C:\Windows\Resources\Themes, not the Windows binaries of the same names (which live in C:\Windows and C:\Windows\System32); the name reuse is what makes the chain look like normal system activity in a process list.
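Turning the signatures and process tree above into host-side detection logic, as an added example that is not part of the report or of any sandbox tooling: it encodes the drop paths, the RunOnce values and the ShowSuperHidden change listed above as rules and runs them over a handful of constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set). The field names follow Sysmon's schema, but the sample events and the rule names are this example's own assumptions. It also generalises one observation from the tree: copies of explorer.exe, svchost.exe or spoolsv.exe started from anywhere other than their real Windows directories are flagged regardless of which staging path is used.

```python
"""IoC matcher for the behaviour in this report: runs the report's registry, file and
process-masquerade indicators over Sysmon-style events.  Added example; the event
dicts and rule names are this example's own assumptions, not report or Sysmon output."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Drop locations from the "Drops file in ..." signatures (lowercased, \??\ removed).
# SysWOW64\explorer.exe is a genuine system file; the sample opened it for modification.
KNOWN_DROP_PATHS = {
    r"c:\windows\resources\themes\explorer.exe",
    r"c:\windows\resources\themes\icsys.icn.exe",
    r"c:\windows\resources\spoolsv.exe",
    r"c:\windows\resources\svchost.exe",
    r"c:\windows\resources\tjud.exe",
    r"c:\program files\common files\system\symsrv.dll",
    r"c:\windows\syswow64\explorer.exe",
}
STAGING_DIR = r"c:\windows\resources" + "\\"

# Directories that legitimately hold binaries with these names on Windows.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\[^\\]+$", re.I)
SHOW_SUPER_HIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)
DWORD_RE = re.compile(r"0x([0-9a-f]+)", re.I)  # Sysmon renders DWORDs as "DWORD (0x00000000)"


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def norm_path(path: str) -> str:
    """Lowercase, drop quotes and the NT \\??\\ prefix so report and Sysmon paths compare equal."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def first_path(cmdline: str) -> str:
    """Executable part of a command line: 'c:\\x\\a.exe RO' or '"c:\\p q\\a.exe" /s'."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_event(ev: dict) -> list[Alert]:
    """Apply the report-derived rules to one event; returns zero or more alerts."""
    alerts: list[Alert] = []
    pid, eid = int(ev["ProcessId"]), ev["EventID"]
    if eid == 13:  # RegistryEvent (Value Set)
        target, details = ev["TargetObject"], ev.get("Details", "")
        if RUN_KEY_RE.search(target):
            exe = norm_path(first_path(details))
            if exe.startswith(STAGING_DIR) or exe in KNOWN_DROP_PATHS:
                alerts.append(Alert("runonce_to_resources", pid, f"{target} = {details}"))
        elif SHOW_SUPER_HIDDEN_RE.search(target):
            m = DWORD_RE.search(details)
            if m and int(m.group(1), 16) == 0:  # 0 re-hides protected OS files
                alerts.append(Alert("showsuperhidden_disabled", pid, target))
    elif eid == 11:  # FileCreate: executables only, theme files are legitimately written here
        target = norm_path(ev["TargetFilename"])
        if target in KNOWN_DROP_PATHS or (
            target.startswith(STAGING_DIR) and target.endswith((".exe", ".dll"))
        ):
            alerts.append(Alert("known_drop_path", pid, ev["TargetFilename"]))
    elif eid == 1:  # ProcessCreate: system binary name outside its real directory
        image = norm_path(ev["Image"])
        name, parent_dir = ntpath.basename(image), ntpath.dirname(image)
        if name in LEGIT_DIRS and parent_dir not in LEGIT_DIRS[name]:
            alerts.append(Alert("system_binary_masquerade", pid, ev["Image"]))
    return alerts


def scan(events) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events modelled on the report's observations (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2992, "TargetFilename": r"C:\Windows\Resources\Themes\icsys.icn.exe"},
    {"EventID": 1, "ProcessId": 4508, "Image": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"EventID": 13, "ProcessId": 4508,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "Details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"EventID": 13, "ProcessId": 1416,
     "TargetObject": r"HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    # Benign look-alikes that must stay quiet:
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 13, "ProcessId": 901,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /silent'},
    {"EventID": 11, "ProcessId": 902, "TargetFilename": r"C:\Windows\Resources\Themes\aero.theme"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Against the constructed events this yields four alerts (the drop of icsys.icn.exe, the masquerading explorer.exe, the RunOnce value into C:\Windows\Resources and ShowSuperHidden being zeroed) and none for the three benign records. To use it on real telemetry, map Sysmon EVTX or SIEM export fields onto the same keys. The FileCreate rule is deliberately limited to .exe and .dll under C:\Windows\Resources because theme files are legitimately written there, and the RunOnce rule fires only when the value points into that staging directory or at one of the report's drop paths, so ordinary installer RunOnce entries stay quiet.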
Network
MITRE ATT&CK Enterprise v15
Downloads

Seven files were extracted from the run; each is listed with its size and hashes.

File 1
Filesize: 67KB
MD5: 7574cf2c64f35161ab1292e2f532aabf
SHA1: 14ba3fa927a06224dfe587014299e834def4644f
SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

File 2
Filesize: 2.9MB
MD5: 97c3a84fbdbda15c953b8ec31d0b35da
SHA1: e0e7c2ffa7c05c06349511a1147435c5215e02e9
SHA256: 0ce150732f511567362779a52f4f12160ae1dfad49ab3a620be49647b3af0771
SHA512: ac8624e13d952ace856e08dcbe4a245093f151cabf395b5fdcf521ec350060de012fa4754e3f9e3b0ab0a971743e4e8c6909857c29d78be5734a7bb92fd319d4

File 3
Filesize: 3.0MB
MD5: 43c41ff496c9ebfaec5c9bfac304324e
SHA1: 9cee50003c114869ffa5f5e24cd27afb3f5f3d2d
SHA256: 2cd0788a40dde4e8090d8e6ec286e7ffd2fec66a20aeab860c5c3aba9a98c87e
SHA512: 156f62c749b6a1488193812117eeeeb517d63b7b95788b73697aea9d4b43acd7c82d3d578d474b8f92ac9a9606c73efe8c8eb393c89c47a914ca70b0870c9b74

File 4
Filesize: 135KB
MD5: 1295033f461a655b1a062a5781c96278
SHA1: 70289b020bebcb5b4f8be934b4284d7b65658ac2
SHA256: 8dd39e59eff0f8881d68b51f6cd8ead530acc66c77aef6c53cec05a0f3d572ff
SHA512: d4008cc66e327f47323c114b12ad43babac8fce0db436e3d08434b3bf51cc349d8a60b724ae869f447d07ab2bb31bba1e00e3a5269bd4948e04216e92aa8ff9b

File 5
Filesize: 135KB
MD5: 4a06019836eaa91dd3a90042ab9d0e60
SHA1: 392c7985f7007e4908f6ceefbe39ae014d5e57a1
SHA256: 5af76d57c9573c0e242c8897898280c4fe325d5dd557bf9a90e093d015154112
SHA512: 23151d58f6a9f1743af801352cbfa130f4ffcaea03637eaeef51f785f2ac1ea1dbf923734defa983f091bb69b13a869ff22b35dcfd82e5865a892678db6ece57

File 6
Filesize: 135KB
MD5: 6c47b7fb0d910928176d8d6a72b8e32a
SHA1: 2d5041a18a5af3cbe73167f534fb93143d262852
SHA256: 2ac7d3ca4053a3b0990d7a66eb5c86a58fa692409ec8d46aea91a29f581516d8
SHA512: fc34b68ecdd02446ed4186e81f6a5f9a9392d54dea075db826fd6c7014b3a844be11ef00291112a49388ff83a6d4b2ecf7a2eee15292b6c6f6bce059ae30d10a

File 7
Filesize: 135KB
MD5: 2170d1f3a8c0776348bcf5663ef02115
SHA1: 7c59ede4f9e56fcb7c77c805aab2b12ab68d11f1
SHA256: 7259b18fa7b501b2e160b836baff4c036102116313b247fbf9502d4e07a3d130
SHA512: 0849daad4dcf473838445bad7fdb5c667fc3857739ab38d8c222db961cd88afa56d273234f72785b8809b1bdda6d82079598def3d7eb922dfcdc72d08dac47fe