4fecbca7a9831f0daff57f512abecdd1e9a99813adc0de5a7ce150a485e8a98f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wfc6setup.exe
Size

3.5MB
MD5

3d853bdadb5374a2787bbbbf7d9c77aa
SHA1

a2179b6c2dee1ff8dbf5a3b2d5dfb490c3677882
SHA256

4fecbca7a9831f0daff57f512abecdd1e9a99813adc0de5a7ce150a485e8a98f
SHA512

097b9d766dd2c3849b2f8ed6b8e8fd1769c7be625a44efb325bde41aeafc7ab2f1e13a31d1319bc40e79b2c960fbe6e7e57415c19d77e18838dc81ced0fdc662
SSDEEP

98304:sBoLHCWxrUBnsdmA/sR04TmVE4kqXf0Fyew7jJz11bB:sCLHCrBns/KPiV/kSIyeM1z7bB

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2368	wfc6setup.exe
2076	icsys.icn.exe
3028	explorer.exe
2760	spoolsv.exe
2736	svchost.exe
2476	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
1992	wfc6setup.exe
1992	wfc6setup.exe
2076	icsys.icn.exe
3028	explorer.exe
2760	spoolsv.exe
2736	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	wfc6setup.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfc6setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2484	schtasks.exe
2976	schtasks.exe
936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
1992	wfc6setup.exe
2368	wfc6setup.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2736	svchost.exe
3028	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	wfc6setup.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1992	wfc6setup.exe
1992	wfc6setup.exe
2076	icsys.icn.exe
2076	icsys.icn.exe
3028	explorer.exe
3028	explorer.exe
2760	spoolsv.exe
2760	spoolsv.exe
2736	svchost.exe
2736	svchost.exe
2476	spoolsv.exe
2476	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2368	1992	wfc6setup.exe	30
PID 1992 wrote to memory of 2368	1992	wfc6setup.exe	30
PID 1992 wrote to memory of 2368	1992	wfc6setup.exe	30
PID 1992 wrote to memory of 2368	1992	wfc6setup.exe	30
PID 1992 wrote to memory of 2076	1992	wfc6setup.exe	31
PID 1992 wrote to memory of 2076	1992	wfc6setup.exe	31
PID 1992 wrote to memory of 2076	1992	wfc6setup.exe	31
PID 1992 wrote to memory of 2076	1992	wfc6setup.exe	31
PID 2076 wrote to memory of 3028	2076	icsys.icn.exe	32
PID 2076 wrote to memory of 3028	2076	icsys.icn.exe	32
PID 2076 wrote to memory of 3028	2076	icsys.icn.exe	32
PID 2076 wrote to memory of 3028	2076	icsys.icn.exe	32
PID 3028 wrote to memory of 2760	3028	explorer.exe	33
PID 3028 wrote to memory of 2760	3028	explorer.exe	33
PID 3028 wrote to memory of 2760	3028	explorer.exe	33
PID 3028 wrote to memory of 2760	3028	explorer.exe	33
PID 2760 wrote to memory of 2736	2760	spoolsv.exe	34
PID 2760 wrote to memory of 2736	2760	spoolsv.exe	34
PID 2760 wrote to memory of 2736	2760	spoolsv.exe	34
PID 2760 wrote to memory of 2736	2760	spoolsv.exe	34
PID 2736 wrote to memory of 2476	2736	svchost.exe	35
PID 2736 wrote to memory of 2476	2736	svchost.exe	35
PID 2736 wrote to memory of 2476	2736	svchost.exe	35
PID 2736 wrote to memory of 2476	2736	svchost.exe	35
PID 3028 wrote to memory of 2612	3028	explorer.exe	36
PID 3028 wrote to memory of 2612	3028	explorer.exe	36
PID 3028 wrote to memory of 2612	3028	explorer.exe	36
PID 3028 wrote to memory of 2612	3028	explorer.exe	36
PID 2736 wrote to memory of 2484	2736	svchost.exe	37
PID 2736 wrote to memory of 2484	2736	svchost.exe	37
PID 2736 wrote to memory of 2484	2736	svchost.exe	37
PID 2736 wrote to memory of 2484	2736	svchost.exe	37
PID 2736 wrote to memory of 2976	2736	svchost.exe	41
PID 2736 wrote to memory of 2976	2736	svchost.exe	41
PID 2736 wrote to memory of 2976	2736	svchost.exe	41
PID 2736 wrote to memory of 2976	2736	svchost.exe	41
PID 2736 wrote to memory of 936	2736	svchost.exe	43
PID 2736 wrote to memory of 936	2736	svchost.exe	43
PID 2736 wrote to memory of 936	2736	svchost.exe	43
PID 2736 wrote to memory of 936	2736	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\wfc6setup.exe
"C:\Users\Admin\AppData\Local\Temp\wfc6setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- \??\c:\users\admin\appdata\local\temp\wfc6setup.exe
  c:\users\admin\appdata\local\temp\wfc6setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2076
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2760
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:16 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2484
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:17 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:18 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:936
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f5a7b773e7dcf57c198c123224dabd02

SHA1
1dce63ddae6ee2708928a813634311f27521177f

SHA256
9eba6fd7b2bc96903dc4ce0827026479be6134dc277c122caf24fcf201a8281e

SHA512
e3565043150b7b2220ce35397417cb0652ca1bcddf5abf23499b4bfa50f6a9c304b30f70cacdbb3902673d07f52e1344da54c59168248f3d3ec4af4a9b7f8076

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bed1f5fabaec1d483bdba2f31e77843c

SHA1
6f0e7524cfa120837666ba321368f91c6b043917

SHA256
d20a723f539fe1ba2a7a475f469e5a017498b4ebe7dd7874583851e6a9fad5ce

SHA512
48c393759920c06190dbcf11916903ae98acc6df0b6e39a368aba303edc46daf848de5bf851b3da799356e61d5c194998cf8148a6098140594ff9f76c4fc3afa

Download Submit
\Users\Admin\AppData\Local\Temp\wfc6setup.exe

Filesize
3.4MB

MD5
c987c099c664b77b1c6d4fe27c5a6ac0

SHA1
3c095da99fe50a9cedf626fe0b2cfb300235a6ef

SHA256
accb7d4ccd9e6c5c1988c1bfe8015b2e459e52b3f8a965bd086a4746000524e6

SHA512
bd0b3ca576e5984d63f7eec9f9283abe8c2eddaf637f934c8d9811ef301f7a1927a78a0ca548f22aa1aa78788f20334f0cb275fa4662935f3a1ddc58014ba6bf

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
f6d5b0eee8ca4ee830e8e8bbd1a8379b

SHA1
74a6796ffb8292076682962f053492748a51f2dc

SHA256
f608ec24e63c854633bdbc4502efdd4dd709c7582062f94454e3c07c529803c1

SHA512
15dee8a7f80df62cc48fd74684f69aa07b06b51ed41be2f8e678bc72c79430683b9bcd79b5bbe0f254a5e5826228195b5286b2131e437c62b741e3ed7ebf7bd7

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c0a99ac90fbbec347c78d367771a9d42

SHA1
90eaf9a7e85f9c0bfce743e2d9f1e1d1cc834e70

SHA256
181e676f45ae1ba0dc4ed9cb9c3ed096b764cdb3cc6623230b07bbbc9242d411

SHA512
850c6e20e205608a5c0120899247a427b933a9feb89202bd649941a2b368d23f419d5b9fb909b02fb3a87b2d4d09333155a19f21163b7f5868a66d312c0d01d3

Download Submit
memory/1992-17-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/1992-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2076-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2076-26-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2368-43-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2368-55-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-10-0x000007FEF50A3000-0x000007FEF50A4000-memory.dmp

Filesize
4KB

Download
memory/2368-69-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2368-57-0x000007FEF50A3000-0x000007FEF50A4000-memory.dmp

Filesize
4KB

Download
memory/2368-16-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-11-0x0000000000A10000-0x0000000000D62000-memory.dmp

Filesize
3.3MB

Download
memory/2368-44-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2476-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-60-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2736-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-72-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2760-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-56-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/3028-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download