f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
Size

1.0MB
MD5

83b1a127f807255e01aff7d24928c6b5
SHA1

ac8ca2d017626803af66fd050cbd184b3d69a85a
SHA256

f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47
SHA512

c7827db81ca17f664356f8755be0292bff156b36f88197ed7a57217d07d3439f8e6c831dc4ca2a94dbb34f275ed27d7ce3d880fa2af146b4368a4ae30fe295ad
SSDEEP

24576:PFOaJGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhO5L:tN+tOWnEFZR0El0JEzQAh8

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
1780	icsys.icn.exe
3416	explorer.exe
3412	spoolsv.exe
4812	svchost.exe
3896	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
1780	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3416	explorer.exe
4812	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4504	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4504	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
4504	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
1780	icsys.icn.exe
1780	icsys.icn.exe
3416	explorer.exe
3416	explorer.exe
3412	spoolsv.exe
3412	spoolsv.exe
4812	svchost.exe
4812	svchost.exe
3896	spoolsv.exe
3896	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4504	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	82
PID 3936 wrote to memory of 4504	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	82
PID 3936 wrote to memory of 4504	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	82
PID 3936 wrote to memory of 1780	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	83
PID 3936 wrote to memory of 1780	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	83
PID 3936 wrote to memory of 1780	3936	f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe	83
PID 1780 wrote to memory of 3416	1780	icsys.icn.exe	84
PID 1780 wrote to memory of 3416	1780	icsys.icn.exe	84
PID 1780 wrote to memory of 3416	1780	icsys.icn.exe	84
PID 3416 wrote to memory of 3412	3416	explorer.exe	85
PID 3416 wrote to memory of 3412	3416	explorer.exe	85
PID 3416 wrote to memory of 3412	3416	explorer.exe	85
PID 3412 wrote to memory of 4812	3412	spoolsv.exe	86
PID 3412 wrote to memory of 4812	3412	spoolsv.exe	86
PID 3412 wrote to memory of 4812	3412	spoolsv.exe	86
PID 4812 wrote to memory of 3896	4812	svchost.exe	87
PID 4812 wrote to memory of 3896	4812	svchost.exe	87
PID 4812 wrote to memory of 3896	4812	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
"C:\Users\Admin\AppData\Local\Temp\f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936
- \??\c:\users\admin\appdata\local\temp\f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
  c:\users\admin\appdata\local\temp\f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4504
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3412
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f2fdaaf6c00ff28f3ce238048a3f52ac72cc241c23c14e0d69ab5ff4d4ff0b47.exe

Filesize
892KB

MD5
90ecaa0418237a2b6566842a36fd76d8

SHA1
a9f746b5c6fadfd031e07a0041576358f79d1a4b

SHA256
fb1e8402ed0d7b2f5dde71a0ff1cb3a3468ca35e8081f3c246f7a2128fd68c64

SHA512
8927fdb7123ccd2d120f187939474d383bc10a8be5fa86c479882b1951b8b5aef95c519fc9eef35109380c7425aa2524a38c53e2af2016d9baeeeec1a2416d17

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
b3f57bd2b6bebf25110469ce2e2c19e4

SHA1
107b9896a9bc99c80df0d8834321b11dc397551f

SHA256
d774b9d229e7326110d11fe874b4a6ac5a043d1281842b99ad2c808affbad503

SHA512
439f4167a8f0ff616c52c25d2c8db221ae19e5ec2c433840cbb21d475505c77d2c2cfba147401de6b0186a0f13f4a762675385a48fe899b4a278a196121bc6ed

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
812cd3bea56ef98b1cc92c9098973fba

SHA1
44fdf6af12e75a6962aaa8b8e5a6593de5d402bf

SHA256
4c592109c967104b1584762476301dc94cb18bd3e00a4a839cc775bb9f16e1fa

SHA512
df5fd5aca51b7852a2c773d1e588c3177e86e710c947a8aa7d0cbdbb3ab5e5dcc6b6a714569eafc57336cd604e9138329a371cd071bad9171f215e1b990a84d9

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
db05f34d06377f0a6bb3e84a47ec4d08

SHA1
f5dbb28ca243f7eb2103794db86e89abe778c12e

SHA256
9ae7af96df725817b0f663578fbc61de23f0ca9a5c52b9227c76891917cd502b

SHA512
6fd41fe1d8f1169663fd286cd849edb2991bcfe12f315fe0a94bb4a9c24083017b78e89e352cc2a9196216c3d65973e3fc99462b2a9ef1d615b28f2f75c6a441

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
5f7b88fa82c29512fb41850b3c3adc6a

SHA1
08a075a84928b7d71942429f8f30672cd301d3d3

SHA256
d501d58f1fd5e8b284780115ee24b56998f095c00d5bdca6097940a725a4ed09

SHA512
ab893819f77963a7cc5faa4cdecc31e9811ad0539d044e32b3d7c2c5830a12823319a7f17440a5f9291ac1c67904fc474aeee4d8323f3d3e69e4334b4aa7b518

Download Submit
memory/1780-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3412-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3896-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3936-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4812-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download