f0c7a98e2dd66f881e4d0a21029f792801c98f5484fe1b61b64816bcc3313ab1

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce4d925085b8ee3ac8d0a2b9.exe
Size

35.1MB
MD5

f4a475680175eebab6bf2f27791c72c6
SHA1

f0296bace10541878c87af116c2e16c2a30107e7
SHA256

f0c7a98e2dd66f881e4d0a21029f792801c98f5484fe1b61b64816bcc3313ab1
SHA512

049cac95aeb23b1a27c9c8c6b35424e3dc6c5e9ca98eae5ef254f6c79ee6263e2172cb5c7b49d3a35438169892d0dc805ed7fe3a79d483d25472a8cc10c6cc99
SSDEEP

786432:pgxUHZJz7EzohbhFMBGVKvz9MmsFq/2XCppwm:9Zd6ghCfhwFq/6Cppwm

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 8 IoCs

pid	Process
5128	ce4d925085b8ee3ac8d0a2b9.exe
4868	icsys.icn.exe
2244	ce4d925085b8ee3ac8d0a2b9.exe
2744	icsys.icn.exe
1324	explorer.exe
5584	spoolsv.exe
3332	svchost.exe
6000	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	ce4d925085b8ee3ac8d0a2b9.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	ce4d925085b8ee3ac8d0a2b9.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4d925085b8ee3ac8d0a2b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1324	explorer.exe
3332	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
972	ce4d925085b8ee3ac8d0a2b9.exe
972	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
5128	ce4d925085b8ee3ac8d0a2b9.exe
2244	ce4d925085b8ee3ac8d0a2b9.exe
4868	icsys.icn.exe
2244	ce4d925085b8ee3ac8d0a2b9.exe
4868	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
1324	explorer.exe
1324	explorer.exe
5584	spoolsv.exe
5584	spoolsv.exe
3332	svchost.exe
3332	svchost.exe
6000	spoolsv.exe
6000	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 5128	972	ce4d925085b8ee3ac8d0a2b9.exe	84
PID 972 wrote to memory of 5128	972	ce4d925085b8ee3ac8d0a2b9.exe	84
PID 972 wrote to memory of 5128	972	ce4d925085b8ee3ac8d0a2b9.exe	84
PID 972 wrote to memory of 4868	972	ce4d925085b8ee3ac8d0a2b9.exe	86
PID 972 wrote to memory of 4868	972	ce4d925085b8ee3ac8d0a2b9.exe	86
PID 972 wrote to memory of 4868	972	ce4d925085b8ee3ac8d0a2b9.exe	86
PID 5128 wrote to memory of 2244	5128	ce4d925085b8ee3ac8d0a2b9.exe	87
PID 5128 wrote to memory of 2244	5128	ce4d925085b8ee3ac8d0a2b9.exe	87
PID 5128 wrote to memory of 2244	5128	ce4d925085b8ee3ac8d0a2b9.exe	87
PID 5128 wrote to memory of 2744	5128	ce4d925085b8ee3ac8d0a2b9.exe	88
PID 5128 wrote to memory of 2744	5128	ce4d925085b8ee3ac8d0a2b9.exe	88
PID 5128 wrote to memory of 2744	5128	ce4d925085b8ee3ac8d0a2b9.exe	88
PID 4868 wrote to memory of 1324	4868	icsys.icn.exe	89
PID 4868 wrote to memory of 1324	4868	icsys.icn.exe	89
PID 4868 wrote to memory of 1324	4868	icsys.icn.exe	89
PID 1324 wrote to memory of 5584	1324	explorer.exe	90
PID 1324 wrote to memory of 5584	1324	explorer.exe	90
PID 1324 wrote to memory of 5584	1324	explorer.exe	90
PID 5584 wrote to memory of 3332	5584	spoolsv.exe	91
PID 5584 wrote to memory of 3332	5584	spoolsv.exe	91
PID 5584 wrote to memory of 3332	5584	spoolsv.exe	91
PID 3332 wrote to memory of 6000	3332	svchost.exe	92
PID 3332 wrote to memory of 6000	3332	svchost.exe	92
PID 3332 wrote to memory of 6000	3332	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe
"C:\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972
- \??\c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
  c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5128
- - \??\c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
    c:\users\admin\appdata\local\temp\ce4d925085b8ee3ac8d0a2b9.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2244
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2744
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4868
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5584
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3332
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ce4d925085b8ee3ac8d0a2b9.exe

Filesize
35.0MB

MD5
d854082bdab41528d5b07ce3896588d0

SHA1
fddfef138e7310816c4eca5d4939fd47b77efae3

SHA256
741f1d0f1ea2d4e0ce33195cf521f21ef05589db78a323820bf4c3673f7d2eef

SHA512
1f6d9d8649617e9b494568a6382439cfcf5cc67aa0c4bcc87dcd7a8fe5a5bd1be966664a010efffd03b50dfc208d55249daa0e2442476615266c4dce5cc216bd

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
9316b3cb19e7b967dc871b8b9ded4e75

SHA1
a73527af85bffaf2224a85bc433abd1d67b7a8aa

SHA256
be31490bf5903aae4a51dcdd1cb3e855644f43354b6b39d5b8e34739acf22592

SHA512
f14bd1dbb7f05b1cb2ebfcd05220a3eb94753a15303513d2fe73915e3f85ab2332f022d30169a051f0113698aed43ead029d7e02dd63b8386141a85ebc364b57

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
4a78518ea65e2462d788f893fbafc506

SHA1
c13ca416b926e7055d1dffa589d0235e8f9df1e9

SHA256
7a19dde4498c1efd4cb41dca783524eba0750af1307a8c5e5a2b4580444c05fc

SHA512
eda791572a13eb9109a26ca0d3f16defc95cc81c8bfe9bca67a6a62a7bb77fd9437a6ab660643ebc1a4e6a1e474d7777980707d3ae2cca05c71f92d5f81abbee

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
4c10e1a4e6d804946a18e6a7127d9a2b

SHA1
6d29380a95ee791b77669bd9cd1ff66f6c335569

SHA256
14e637d126d101de0574f776aeea83048c743275bbe92a1e540cb54ea4661047

SHA512
772a3ca34a916944f0c03e902b1b530c621b1a4c12ac8e390885809b38ee9994e3c47a7f1e6e460d5ded97cca4bdfff257e06577558ad24798b59f5defe9277e

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
59d78da4c62ba56e5b9c97ec71bdffe5

SHA1
7d8eab8b14e1fd426dee3f751f795dcd8bd8c570

SHA256
c26566c6e62d4d1da1f683e84c7065e0c6dfa7165f9127527123741239821fcc

SHA512
8857cad3e27812fc7a55c780c0c7fbfa4f0fb721388f19cbd7150edfbb34c3d325e67b515e5bdee36da4ad2145579ff76191769a747d8c76ca282ae78a95b3ac

Download Submit
memory/972-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2244-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4868-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5128-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5128-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5584-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6000-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download