3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Size

767KB
MD5

27cd44d454364f2d822eaace466fed38
SHA1

3019af2f3dd3d2de1c101be8d92c27fd25c40e5b
SHA256

3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d
SHA512

2ff8c1e56e3dc0f2e576af34b0ebb1041563b5f12d19a38c112f107090d6051deed5d35f42189858cae4d5140cf062e99c9ce3defc0997a9ff71afff140446d2
SSDEEP

12288:uFUNDat1JSgyPzsB7kmIFZUUvHqnuFT+wUV5/ZhReTr6dARuYKpQZ8gZ5NOij:uFOa/0BG9gGUvH+uwwsqtOij

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2528	icsys.icn.exe
2224	Activator.exe
2320	explorer.exe
2856	spoolsv.exe
2764	svchost.exe
3032	spoolsv.exe

Loads dropped DLL 16 IoCs

pid	Process
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2320	explorer.exe
2320	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2764	svchost.exe
2764	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	Activator.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Activator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Activator.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Activator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Activator.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Activator.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3020	schtasks.exe
2120	schtasks.exe
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2320	explorer.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2320	explorer.exe
2764	svchost.exe
2224	Activator.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
2528	icsys.icn.exe
2528	icsys.icn.exe
2320	explorer.exe
2320	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2764	svchost.exe
2764	svchost.exe
3032	spoolsv.exe
3032	spoolsv.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe
2224	Activator.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2064	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	30
PID 2500 wrote to memory of 2064	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	30
PID 2500 wrote to memory of 2064	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	30
PID 2500 wrote to memory of 2064	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	30
PID 2500 wrote to memory of 2528	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	31
PID 2500 wrote to memory of 2528	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	31
PID 2500 wrote to memory of 2528	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	31
PID 2500 wrote to memory of 2528	2500	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	31
PID 2064 wrote to memory of 2224	2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	32
PID 2064 wrote to memory of 2224	2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	32
PID 2064 wrote to memory of 2224	2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	32
PID 2064 wrote to memory of 2224	2064	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	32
PID 2528 wrote to memory of 2320	2528	icsys.icn.exe	33
PID 2528 wrote to memory of 2320	2528	icsys.icn.exe	33
PID 2528 wrote to memory of 2320	2528	icsys.icn.exe	33
PID 2528 wrote to memory of 2320	2528	icsys.icn.exe	33
PID 2320 wrote to memory of 2856	2320	explorer.exe	34
PID 2320 wrote to memory of 2856	2320	explorer.exe	34
PID 2320 wrote to memory of 2856	2320	explorer.exe	34
PID 2320 wrote to memory of 2856	2320	explorer.exe	34
PID 2856 wrote to memory of 2764	2856	spoolsv.exe	35
PID 2856 wrote to memory of 2764	2856	spoolsv.exe	35
PID 2856 wrote to memory of 2764	2856	spoolsv.exe	35
PID 2856 wrote to memory of 2764	2856	spoolsv.exe	35
PID 2764 wrote to memory of 3032	2764	svchost.exe	36
PID 2764 wrote to memory of 3032	2764	svchost.exe	36
PID 2764 wrote to memory of 3032	2764	svchost.exe	36
PID 2764 wrote to memory of 3032	2764	svchost.exe	36
PID 2320 wrote to memory of 2584	2320	explorer.exe	37
PID 2320 wrote to memory of 2584	2320	explorer.exe	37
PID 2320 wrote to memory of 2584	2320	explorer.exe	37
PID 2320 wrote to memory of 2584	2320	explorer.exe	37
PID 2764 wrote to memory of 3020	2764	svchost.exe	38
PID 2764 wrote to memory of 3020	2764	svchost.exe	38
PID 2764 wrote to memory of 3020	2764	svchost.exe	38
PID 2764 wrote to memory of 3020	2764	svchost.exe	38
PID 2764 wrote to memory of 2120	2764	svchost.exe	42
PID 2764 wrote to memory of 2120	2764	svchost.exe	42
PID 2764 wrote to memory of 2120	2764	svchost.exe	42
PID 2764 wrote to memory of 2120	2764	svchost.exe	42
PID 2764 wrote to memory of 2588	2764	svchost.exe	44
PID 2764 wrote to memory of 2588	2764	svchost.exe	44
PID 2764 wrote to memory of 2588	2764	svchost.exe	44
PID 2764 wrote to memory of 2588	2764	svchost.exe	44

C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
"C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- \??\c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
  c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe
    "C:\Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2224
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2856
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:59 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:00 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:01 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
130KB

MD5
dad15a5174e93c68bf5c70f52e71ec2a

SHA1
85fd8c128690cfdb020a5fbe0a68ae09eaf2f0eb

SHA256
58bf5ce8ac5ba0eab06b94ae8193b0ed684373ec69fb13f8e7799dd6211a0fbe

SHA512
9a4a10eaa3028a5d6fb29017b7d3cc8f535f768323ec1d47bd6458b59b12695e95f07dc907620307f24df4b600e3f1d74d0f735425fffcaee52b38cc1c013ac8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
121KB

MD5
c8481b583be0bdd69350f9e5a22eb22a

SHA1
47295aedb88e000cfb3048be15b7194fb69c8bfd

SHA256
6a502ed8a7760463483209d536ab740d0beff9b6c3c57dc0a62cb7be4ab8eaf9

SHA512
8bfcf2f8c01f12fed0f4848f05ae8cf71b68520fd5afe34c0626866f6b28c0c56069be0fb616df84b614ca48082e2cc58871933b64163da355479ec942ab7dfe

Download Submit
\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe

Filesize
646KB

MD5
5dcf8b61cb54552f12ef76a8e9051049

SHA1
c4ad616c976e77d3ab7debc86983442d30fca158

SHA256
be77b0bcd4a4ca799b9dd768e931a747be97f9770edc87b5dd6bd5c0558a5af5

SHA512
4555a0a937f7f40fdc03a9d0ed680065ef10849d87ec64d4b2fc5061ff8d7745031502e702fc5a396090658a925f7e13ff775cf7c337ec61b2a635cf4c523f03

Download Submit
\Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe

Filesize
262KB

MD5
4b54c2c5ac3d82da68c2acf328dd1d24

SHA1
632ffbdf3a0257b83b009508c69a5ee4fe4b9781

SHA256
e35748b6ecd496f4c2aa26db894e1e7b61fbe44501aa2ee5d44103f87bf68420

SHA512
2ffc781347c468b11b18c91fcd49b48998f589bbb0add0939b448ba1dd5010fa24b299218dd09f5f00ae68a29782c9cbefa17a543453c8bf3272b233021e9e37

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
130KB

MD5
8e4f0c7657ef30334e9b7e6eac44cb83

SHA1
aeeb32b9dd83fff078430a9e871ef3a5126245cd

SHA256
520e566b1c48586bab5997337b2223ecf54c23ed40c410ace757abaa2072647d

SHA512
86eb1c95491452560df324979cb28d13568c2581cade6766ead1db06e344c77691c163daf1af33c85069a1f7707db689e0dec0cf862e50ece14e88099d7b9739

Download Submit
\Windows\Resources\svchost.exe

Filesize
130KB

MD5
02e2c7983bdadc37b544f1f9dfc53660

SHA1
5cfce25bf5ccea2620d51cda3a048dcfed0b4ad3

SHA256
eb3ca535b7ef302c340e6a8476a0e4bb77e6d0996976112adb9f7a9c94e876f7

SHA512
f2cb4f37f52bbfb62cc57cda311fdb326ab0cb7e9bf4f6ae4d772f849ecb935f960f8b134a99e30b984751a52fd3d6ee9a12667221dac4bbdabd394a2483037a

Download Submit
memory/2224-79-0x0000000000C30000-0x0000000000C78000-memory.dmp

Filesize
288KB

Download
memory/2224-90-0x0000000000460000-0x0000000000484000-memory.dmp

Filesize
144KB

Download
memory/2500-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download