64be767713553d9381add65aa62e302691a86257c087ddbaccdf56f7b905cb31

General

Target

temp.exe
Size

2.7MB
MD5

80e3cf78b36403d94dc167fb157241a7
SHA1

990c00b029bb0006968d5ff970257793a94e5429
SHA256

64be767713553d9381add65aa62e302691a86257c087ddbaccdf56f7b905cb31
SHA512

7eaf50cd1a18a77737522d85084f7bca394ac7f2e6afdef96a0fbc47ba33c3d7d543d12ce8cc106203ffeb3c20bee63f099f7ca2817d9ba2ff821ae342c023ad
SSDEEP

49152:smuk6Flic1CcPANlX7c8TuQsRVg+HIbHczjzXThtYJtkE:+XCKfDNlsCE

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

Processes:

temp.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2708 temp.exe
1136 icsys.icn.exe
2512 explorer.exe
3144 spoolsv.exe
3208 svchost.exe
3256 spoolsv.exe
Loads dropped DLL 7 IoCs

Processes:

temp.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

1924 temp.exe
1808
1924 temp.exe
1136 icsys.icn.exe
2512 explorer.exe
3144 spoolsv.exe
3208 svchost.exe

pid	process
2708	temp.exe
1136	icsys.icn.exe
2512	explorer.exe
3144	spoolsv.exe
3208	svchost.exe
3256	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

temp.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	temp.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

temp.exeicsys.icn.exeexplorer.exesvchost.exeschtasks.exespoolsv.exespoolsv.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3336 schtasks.exe
3700 schtasks.exe
4000 schtasks.exe

pid	process
3336	schtasks.exe
3700	schtasks.exe
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

temp.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1924	temp.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe
3208	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

3208 svchost.exe
2512 explorer.exe

pid	process
3208	svchost.exe
2512	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

temp.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1924	temp.exe
1924	temp.exe
1136	icsys.icn.exe
1136	icsys.icn.exe
2512	explorer.exe
2512	explorer.exe
3144	spoolsv.exe
3144	spoolsv.exe
3208	svchost.exe
3208	svchost.exe
3256	spoolsv.exe
3256	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

temp.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1924 wrote to memory of 2708	1924	temp.exe	temp.exe
PID 1924 wrote to memory of 2708	1924	temp.exe	temp.exe
PID 1924 wrote to memory of 2708	1924	temp.exe	temp.exe
PID 1924 wrote to memory of 2708	1924	temp.exe	temp.exe
PID 1924 wrote to memory of 1136	1924	temp.exe	icsys.icn.exe
PID 1924 wrote to memory of 1136	1924	temp.exe	icsys.icn.exe
PID 1924 wrote to memory of 1136	1924	temp.exe	icsys.icn.exe
PID 1924 wrote to memory of 1136	1924	temp.exe	icsys.icn.exe
PID 1136 wrote to memory of 2512	1136	icsys.icn.exe	explorer.exe
PID 1136 wrote to memory of 2512	1136	icsys.icn.exe	explorer.exe
PID 1136 wrote to memory of 2512	1136	icsys.icn.exe	explorer.exe
PID 1136 wrote to memory of 2512	1136	icsys.icn.exe	explorer.exe
PID 2512 wrote to memory of 3144	2512	explorer.exe	spoolsv.exe
PID 2512 wrote to memory of 3144	2512	explorer.exe	spoolsv.exe
PID 2512 wrote to memory of 3144	2512	explorer.exe	spoolsv.exe
PID 2512 wrote to memory of 3144	2512	explorer.exe	spoolsv.exe
PID 3144 wrote to memory of 3208	3144	spoolsv.exe	svchost.exe
PID 3144 wrote to memory of 3208	3144	spoolsv.exe	svchost.exe
PID 3144 wrote to memory of 3208	3144	spoolsv.exe	svchost.exe
PID 3144 wrote to memory of 3208	3144	spoolsv.exe	svchost.exe
PID 3208 wrote to memory of 3256	3208	svchost.exe	spoolsv.exe
PID 3208 wrote to memory of 3256	3208	svchost.exe	spoolsv.exe
PID 3208 wrote to memory of 3256	3208	svchost.exe	spoolsv.exe
PID 3208 wrote to memory of 3256	3208	svchost.exe	spoolsv.exe
PID 2512 wrote to memory of 3308	2512	explorer.exe	Explorer.exe
PID 2512 wrote to memory of 3308	2512	explorer.exe	Explorer.exe
PID 2512 wrote to memory of 3308	2512	explorer.exe	Explorer.exe
PID 2512 wrote to memory of 3308	2512	explorer.exe	Explorer.exe
PID 3208 wrote to memory of 3336	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3336	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3336	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3336	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3700	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3700	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3700	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 3700	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 4000	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 4000	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 4000	3208	svchost.exe	schtasks.exe
PID 3208 wrote to memory of 4000	3208	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- \??\c:\users\admin\appdata\local\temp\temp.exe
  c:\users\admin\appdata\local\temp\temp.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1136
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3144
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3256
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:14 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3336
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:15 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:16 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4000
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
746d5a9026109f6e55de137ec0c3e731

SHA1
d943efaf52372e62e392bba0b375e949a948cbda

SHA256
9fb5accf27dd353ae897291d0f92d5212208f67e2d247dddc9ac53bd89d5dbab

SHA512
c7ef50d1353cbb4d7da2973207d8fafd8d12668bf655a754e208b72bfbe09610931dbd6f9e9937b4d23101481a16619add9f0f91070769ff4374706c6bb62510

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
dea807cb23a4111b0a5cd7215830cbf0

SHA1
19cf149987ab29ae35c5fdc1026c0b04dce5315a

SHA256
70fede1616f383bbcc02b6e0ac624f51770ef9fe601fbaaee40c2bb521f3bd13

SHA512
5217e1912e6a05b05fac7f9aa5f65ea40ce0d4fb42416828fea28f0b93c555e38955ec2123333b34763e6bd73bdc6c71d4b4c21a646429869ad470ca94247ebc

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
0eb17afa59aedf31ac4ce0968747a106

SHA1
9c69cf53dca9e85cdd4c63fd2af1888df757cdcb

SHA256
fb45ac0faec574199b287fa6c9a36448270308ca616120a4d901f9b5e554c2c8

SHA512
71c9dc481585758a42e34809b9f73d1a1ac49e3958e36a61671e06e46bba4c3e3c0adafaa8e3e9acd07a9aa0a362d2fb2c7bcf3122bcd0779ffd67e21d71f2a2

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
2.6MB

MD5
f19e882a33d21b592907a8866d5a5ccc

SHA1
cdf3496e95505e93011d75832d756f679150fd87

SHA256
1b0843d77be37f4e6c54e8e0940bfe44bdd4c084c08f432b3cd4fc716f19f82a

SHA512
569971c96c8540d59a9cd2c472355ca2cca6be8c7cf25be531663e309ba24234b8aac4a1c8da0f631f2a785240618633c012ec87552768ccf6fe0612008cd30a

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
0df007d4164b36b476945aa3ee23b740

SHA1
8b8e30289b3d6878665196fdd4e5f69756323b6d

SHA256
54f4d8ea7768f201590f3532d6dcf1ad2d3bb0e8416a03a473dc94730db8223c

SHA512
c253c92e3ceec8929a7fc488df1f5f43e43aefb01febfa4aec88bd0a589bcc59690c81b5238d3e25226121eb2affab8056ecef99dd4a00de42a4a13e3eb794c9

Download Submit
memory/1136-427-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1136-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-12-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/1924-466-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-468-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2512-467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2512-441-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2708-23-0x00000000770D1000-0x00000000771D2000-memory.dmp

Filesize
1.0MB

Download
memory/2708-29-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2708-426-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/3144-464-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-450-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/3144-442-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3208-460-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/3208-469-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3208-470-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/3256-463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3256-461-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

pid	process
1924	temp.exe
1808
1924	temp.exe
1136	icsys.icn.exe
2512	explorer.exe
3144	spoolsv.exe
3208	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads