d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
Size

255KB
MD5

d298e59c984f1814754b040cedc857a0
SHA1

c6b5bf48d5ef8152e838927957ba215b0c5f223d
SHA256

d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc
SHA512

2dae71bc19d2a9f1c15639f9e96b3bcae6e832b08777591413622d1059e28225e13cfef07b28df6f9a4bdc8d45c81ef43fcf357248a6ee6073be896d72f13a0e
SSDEEP

6144:zvEN2U+T6i5LirrllHy4HUcMQY6A7290/5:zENN+T5xYrllrU7QY6WB

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
1708	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
2380	icsys.icn.exe
1192	Process not Found
2748	explorer.exe
2828	spoolsv.exe
2912	svchost.exe
2660	spoolsv.exe

Loads dropped DLL 12 IoCs

pid	Process
3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
2688	Process not Found
2380	icsys.icn.exe
2380	icsys.icn.exe
2748	explorer.exe
2748	explorer.exe
2828	spoolsv.exe
2828	spoolsv.exe
2912	svchost.exe
2912	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	icsys.icn.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2912	svchost.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe
2748	explorer.exe
2912	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2748	explorer.exe
2912	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
2380	icsys.icn.exe
2380	icsys.icn.exe
2748	explorer.exe
2748	explorer.exe
2828	spoolsv.exe
2828	spoolsv.exe
2912	svchost.exe
2912	svchost.exe
2660	spoolsv.exe
2660	spoolsv.exe
2748	explorer.exe
2748	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1708	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	30
PID 3044 wrote to memory of 1708	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	30
PID 3044 wrote to memory of 1708	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	30
PID 3044 wrote to memory of 1708	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	30
PID 3044 wrote to memory of 2380	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	33
PID 3044 wrote to memory of 2380	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	33
PID 3044 wrote to memory of 2380	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	33
PID 3044 wrote to memory of 2380	3044	d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe	33
PID 2380 wrote to memory of 2748	2380	icsys.icn.exe	34
PID 2380 wrote to memory of 2748	2380	icsys.icn.exe	34
PID 2380 wrote to memory of 2748	2380	icsys.icn.exe	34
PID 2380 wrote to memory of 2748	2380	icsys.icn.exe	34
PID 2748 wrote to memory of 2828	2748	explorer.exe	35
PID 2748 wrote to memory of 2828	2748	explorer.exe	35
PID 2748 wrote to memory of 2828	2748	explorer.exe	35
PID 2748 wrote to memory of 2828	2748	explorer.exe	35
PID 2828 wrote to memory of 2912	2828	spoolsv.exe	36
PID 2828 wrote to memory of 2912	2828	spoolsv.exe	36
PID 2828 wrote to memory of 2912	2828	spoolsv.exe	36
PID 2828 wrote to memory of 2912	2828	spoolsv.exe	36
PID 2912 wrote to memory of 2660	2912	svchost.exe	37
PID 2912 wrote to memory of 2660	2912	svchost.exe	37
PID 2912 wrote to memory of 2660	2912	svchost.exe	37
PID 2912 wrote to memory of 2660	2912	svchost.exe	37
PID 2912 wrote to memory of 1716	2912	svchost.exe	38
PID 2912 wrote to memory of 1716	2912	svchost.exe	38
PID 2912 wrote to memory of 1716	2912	svchost.exe	38
PID 2912 wrote to memory of 1716	2912	svchost.exe	38
PID 2912 wrote to memory of 676	2912	svchost.exe	40
PID 2912 wrote to memory of 676	2912	svchost.exe	40
PID 2912 wrote to memory of 676	2912	svchost.exe	40
PID 2912 wrote to memory of 676	2912	svchost.exe	40
PID 2912 wrote to memory of 1264	2912	svchost.exe	42
PID 2912 wrote to memory of 1264	2912	svchost.exe	42
PID 2912 wrote to memory of 1264	2912	svchost.exe	42
PID 2912 wrote to memory of 1264	2912	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
"C:\Users\Admin\AppData\Local\Temp\d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- \??\c:\users\admin\appdata\local\temp\d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
  c:\users\admin\appdata\local\temp\d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2828
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
      - C:\Windows\SysWOW64\at.exe
        
        at 04:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
      - C:\Windows\SysWOW64\at.exe
        
        at 04:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:676
      - C:\Windows\SysWOW64\at.exe
        
        at 04:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
207KB

MD5
b5a1254295268c1f39a08baa63300df0

SHA1
93f3961647b9a7d07d761467217f5f847a0f3619

SHA256
1f816824de8726b0be8f2de63562d6c8daa92204091677ec71f5917b3e7dd3f2

SHA512
e9a2ec81f948a477ff45038db88aab2ce86dfab0d153b89f938ec2cb4708b47bc256c03d98a1f72b2eb2456632dada0d096297d442e9d92d726ca76ca90278dc

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
5b83d24eacced0d7afa75e5d9a586178

SHA1
5f37d602c981267a55cd6dd780e93c0e1ae04a85

SHA256
0df28763e0bfda39243afdd5ac59e83c31bad5f912af0d09f5578236d8b2f18d

SHA512
e08395c749f7616c482ebe8d0343b2ce9e93c8ce1face9ceb957c39b15b90d3fcb056ebdd8be74531560b56c8ef355557bb084de7e8962d5323c2c16154ccfed

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
5c050ccabb9a71ad7eb0708f42c6137f

SHA1
a690a887d45e8d0d177b62cf5f5087f20d9a5414

SHA256
d9b216459989fe5cc769c716f595435e27b0bcfbd43202340b86461182eb08a2

SHA512
56cb89e28a77cb6e81350add83a883b3a3afacad58ddd7d08316fa1332eaaf7e25309c56f0d15768b981ea060b8f8508be08a88e6febf39b0164796c5f258cca

Download Submit
\Users\Admin\AppData\Local\Temp\d1322936eef9707b3aae7c71f2e5a81b0190710ba5ac4b7c3a845f2a7f4fafdc.exe

Filesize
47KB

MD5
1192935bc75a50e8af4c6ea7ede378f4

SHA1
4398f671efcaa8b36451a7eb65c925a8c0e4fc93

SHA256
2c03c4f91ce923039be8c7756bd68668e7eb72341ff18b2daeabe4ce84787624

SHA512
95b49334cb12012c398484604bb64bcf8be82844cf74cb449f024868a817a9649f6075eab9d15232fae2606448184426ac8459f48eac7596339cf83b1fe317ce

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
f401b85770f6a5987c712b5c32c9f289

SHA1
89619176ffef1924ad6f9b2cdda3e6d495681032

SHA256
2cbbc4dae05d7a5c4002551a321d8e3abea67307cee813f31387fdf68611ea53

SHA512
972cf1b31236d7b19366f5eabbd62ea692eb89b444942876f61ad988727d367b5ffb219edf60c68d28f68067f2a8a5d2e6e14b889e866fc900d2247e32fc88e0

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
6e3902635bc9548eabc6e72df8acee6e

SHA1
1cb52a65d49b4553582d3be799500f884630503f

SHA256
f8514f6f9c6855ae78c34b46f809d2e5177205dcfb8f38607f740338d84e9ab1

SHA512
30ae6f9e93d7fadc4201bd31456bcf016a7c67b714a1c71d1f3e0bc5fcbd55e27ba55ef4ccaff85fc72f47b5552c9ad9d845c496f5c69c2c62c73c4b696e7e5a

Download Submit