9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
Size

178KB
MD5

08b1f8aec0de311805bb1f6321333c40
SHA1

579949260d73ea7d118196408dcff51dc07d4098
SHA256

9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261
SHA512

113f71560d66b7e7922e8b6a9fa8ffb0ae6696daa6b4f5cf2939fdb957e5e660bde7675fe6fe85b0550419e264214221df6aa4e34d0d6603535c9356e81c3cc8
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalRmQ9yLrPgY34gv6nQt:UsLqdufVUNDayQ9WPgM6k

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2644	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261n.exe
3040	icsys.icn.exe
2608	explorer.exe
2176	spoolsv.exe
2488	svchost.exe
2956	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2500	Process not Found
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
3040	icsys.icn.exe
2608	explorer.exe
2176	spoolsv.exe
2488	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe
2488	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2608	explorer.exe
2488	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
3040	icsys.icn.exe
3040	icsys.icn.exe
2608	explorer.exe
2608	explorer.exe
2176	spoolsv.exe
2176	spoolsv.exe
2488	svchost.exe
2488	svchost.exe
2956	spoolsv.exe
2956	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2644	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	30
PID 2732 wrote to memory of 2644	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	30
PID 2732 wrote to memory of 2644	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	30
PID 2732 wrote to memory of 2644	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	30
PID 2732 wrote to memory of 3040	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	32
PID 2732 wrote to memory of 3040	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	32
PID 2732 wrote to memory of 3040	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	32
PID 2732 wrote to memory of 3040	2732	9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe	32
PID 3040 wrote to memory of 2608	3040	icsys.icn.exe	33
PID 3040 wrote to memory of 2608	3040	icsys.icn.exe	33
PID 3040 wrote to memory of 2608	3040	icsys.icn.exe	33
PID 3040 wrote to memory of 2608	3040	icsys.icn.exe	33
PID 2608 wrote to memory of 2176	2608	explorer.exe	34
PID 2608 wrote to memory of 2176	2608	explorer.exe	34
PID 2608 wrote to memory of 2176	2608	explorer.exe	34
PID 2608 wrote to memory of 2176	2608	explorer.exe	34
PID 2176 wrote to memory of 2488	2176	spoolsv.exe	35
PID 2176 wrote to memory of 2488	2176	spoolsv.exe	35
PID 2176 wrote to memory of 2488	2176	spoolsv.exe	35
PID 2176 wrote to memory of 2488	2176	spoolsv.exe	35
PID 2488 wrote to memory of 2956	2488	svchost.exe	36
PID 2488 wrote to memory of 2956	2488	svchost.exe	36
PID 2488 wrote to memory of 2956	2488	svchost.exe	36
PID 2488 wrote to memory of 2956	2488	svchost.exe	36
PID 2608 wrote to memory of 2476	2608	explorer.exe	37
PID 2608 wrote to memory of 2476	2608	explorer.exe	37
PID 2608 wrote to memory of 2476	2608	explorer.exe	37
PID 2608 wrote to memory of 2476	2608	explorer.exe	37
PID 2488 wrote to memory of 1900	2488	svchost.exe	38
PID 2488 wrote to memory of 1900	2488	svchost.exe	38
PID 2488 wrote to memory of 1900	2488	svchost.exe	38
PID 2488 wrote to memory of 1900	2488	svchost.exe	38
PID 2488 wrote to memory of 2340	2488	svchost.exe	41
PID 2488 wrote to memory of 2340	2488	svchost.exe	41
PID 2488 wrote to memory of 2340	2488	svchost.exe	41
PID 2488 wrote to memory of 2340	2488	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe
"C:\Users\Admin\AppData\Local\Temp\9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- \??\c:\users\admin\appdata\local\temp\9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261n.exe
  c:\users\admin\appdata\local\temp\9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261n.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2176
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:05 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:06 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
5dcb981eccabb4d053b9e65a48a6c53b

SHA1
378c7ef0bbcf606d8414bb72e10ae25cf2e63de2

SHA256
0ef6c1ac2b4a4c97b1117f94b6db133daf1f30ad3d37dfc366ac5617d1defe7f

SHA512
0d5a13d22b9a1c164407606af1d8d80242cb18b6a08fcbe8322239bb3b43ff2339ada6f2124492d9ff4a5343647dcd85f85010692defbb05afea8e17906b79c0

Download Submit
\Users\Admin\AppData\Local\Temp\9d4f692b7e9b9655e1900d52f9477b5a71e29520be390b4eeede575f046af261n.exe

Filesize
43KB

MD5
a16f041c87529221c86e16124c7e9add

SHA1
e4933d7fc395b397db9aba78b05a2a490622c7e5

SHA256
df2abf387893332f28c4df68b10a6b176dc9706142055dccccf447f5a9cede2d

SHA512
972eb4a6cf96692ae0ad43b42a6d418406aad5539451b4e24e564b89a347a9fc8ee5572d9b876d9de7b72192ba70aa114e8de9d721b37af9c169503aaef611e9

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
dd4418238c7fdea254aed3eacd0f31bc

SHA1
16c82702ac7f9ec097946076e9da75b747e7b1bf

SHA256
a3fcf1bdb032cc813314bd389bd7562f32c45d80160f4f28e544f33a1a0e24ad

SHA512
aefbb89b8d06bd61722a6916d94e57be3e20dc9aead32519428755d895524ef198e51ae19d9c63b54f04b67f87043dc00d7371619658b389d4b27af347af9cae

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ff3418b4b88f35c48dd981134c8ec917

SHA1
b4a432f05a248dd43c4d4f54b8495283e6c58a48

SHA256
d75aae07581c77445e8086ca8e9a1cdf702177a45366a6974d24d6e147753613

SHA512
f4039b5350ce7c4e25ad5e4faa3ee7b5546a92117e35d85b31fe6a6cf4632594cbb3b10fdaff91b3715b6d273e8ce540f460d59a2e7613332c25a90ceb43667e

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
291ad4479df7c64973403776add16b33

SHA1
05fb8a5b2c3b9ae490d9850dc0fdec831a08be7b

SHA256
2823f2d43f3e0444be3252fa82298f005600af2d3b32c0bb08196c0487258293

SHA512
759112308e7069039345a3adffabee390f7f3f930b6ab243b2453319823ee8757942d9843b0d9c642f50b32bf349f86c1826c05459c80acbfd05ee712906133b

Download Submit
memory/2176-47-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2176-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2732-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2732-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2956-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3040-26-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/3040-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download