Analysis
- max time kernel: 30s
- max time network: 18s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 21-11-2024 12:02
Static task: static1
Behavioral task: behavioral1
- Sample: temp.exe
- Resource: win10ltsc2021-20241023-en
General
- Target: temp.exe
- Size: 2.7MB
- MD5: 80e3cf78b36403d94dc167fb157241a7
- SHA1: 990c00b029bb0006968d5ff970257793a94e5429
- SHA256: 64be767713553d9381add65aa62e302691a86257c087ddbaccdf56f7b905cb31
- SHA512: 7eaf50cd1a18a77737522d85084f7bca394ac7f2e6afdef96a0fbc47ba33c3d7d543d12ce8cc106203ffeb3c20bee63f099f7ca2817d9ba2ff821ae342c023ad
- SSDEEP: 49152:smuk6Flic1CcPANlX7c8TuQsRVg+HIbHczjzXThtYJtkE:+XCKfDNlsCE
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 5068 | temp.exe |
| 3468 | icsys.icn.exe |
| 1228 | explorer.exe |
| 4400 | spoolsv.exe |
| 5104 | svchost.exe |
| 4648 | spoolsv.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |

Drops file in System32 directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |

Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | temp.exe |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | temp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe |

Modifies registry class (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | taskmgr.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)

| pid | Process |
|---|---|
| 4552 | temp.exe |
| 3468 | icsys.icn.exe |

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 1228 | explorer.exe |
| 5104 | svchost.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3312 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 3312 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 3312 | taskmgr.exe |

Suspicious use of FindShellTrayWindow (37 IoCs, all from the same process)

| pid | Process |
|---|---|
| 3312 | taskmgr.exe |

Suspicious use of SendNotifyMessage (37 IoCs, all from the same process)

| pid | Process |
|---|---|
| 3312 | taskmgr.exe |

Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process | occurrences |
|---|---|---|
| 4552 | temp.exe | 2 |
| 3468 | icsys.icn.exe | 2 |
| 1228 | explorer.exe | 2 |
| 4400 | spoolsv.exe | 2 |
| 5104 | svchost.exe | 2 |
| 4648 | spoolsv.exe | 2 |

Suspicious use of WriteProcessMemory (17 IoCs)

| description | pid | Process | procid_target | occurrences |
|---|---|---|---|---|
| PID 4552 wrote to memory of 5068 | 4552 | temp.exe | 82 | 2 |
| PID 4552 wrote to memory of 3468 | 4552 | temp.exe | 83 | 3 |
| PID 3468 wrote to memory of 1228 | 3468 | icsys.icn.exe | 85 | 3 |
| PID 1228 wrote to memory of 4400 | 1228 | explorer.exe | 86 | 3 |
| PID 4400 wrote to memory of 5104 | 4400 | spoolsv.exe | 87 | 3 |
| PID 5104 wrote to memory of 4648 | 5104 | svchost.exe | 88 | 3 |
Processes

Process tree (child processes are nested under their parent):

- C:\Users\Admin\AppData\Local\Temp\temp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  PID: 4552
  Signatures:
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - \??\c:\users\admin\appdata\local\temp\temp.exe
    Command line: c:\users\admin\appdata\local\temp\temp.exe
    PID: 5068
    Signatures:
    - Executes dropped EXE
  - C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 3468
    Signatures:
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 1228
      Signatures:
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Children:
      - \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 4400
        Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Children:
        - \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 5104
          Signatures:
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          Children:
          - \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 4648
            Signatures:
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3312
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4372
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads