f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66de

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
Size

1.2MB
MD5

a4446a4f5250b97f4f00a7ec9a0e3d10
SHA1

4fd7c2b72a30009d9eddb7c877fa0db86d552f2e
SHA256

f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66de
SHA512

31f2805e9f90c8bd5bbb609b5e7778077c184ee7134a4032c13da739f0a68a14c56e9107e8c75d58e97eb7cdf3ad9f8bcbf45488a0b2f922af4872709da6c951
SSDEEP

24576:cFOavduSvY3TDxcQq/1vezu72ssMCKBqSulC8wWQ2ie5mZ/l4Fz5Uw0i:sTd1Y3TDxcf1vR72kqSkJXwW56wd

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2652	icsys.icn.exe
2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe
2836	explorer.exe
2256	spoolsv.exe
2828	svchost.exe
2780	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
2652	icsys.icn.exe
2836	explorer.exe
2256	spoolsv.exe
2828	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1628	schtasks.exe
556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2836	explorer.exe
2828	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2836	explorer.exe
2836	explorer.exe
2256	spoolsv.exe
2256	spoolsv.exe
2828	svchost.exe
2828	svchost.exe
2780	spoolsv.exe
2780	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2812	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	30
PID 3016 wrote to memory of 2812	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	30
PID 3016 wrote to memory of 2812	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	30
PID 3016 wrote to memory of 2812	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	30
PID 3016 wrote to memory of 2652	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	31
PID 3016 wrote to memory of 2652	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	31
PID 3016 wrote to memory of 2652	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	31
PID 3016 wrote to memory of 2652	3016	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe	31
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2836 wrote to memory of 2256	2836	explorer.exe	34
PID 2836 wrote to memory of 2256	2836	explorer.exe	34
PID 2836 wrote to memory of 2256	2836	explorer.exe	34
PID 2836 wrote to memory of 2256	2836	explorer.exe	34
PID 2256 wrote to memory of 2828	2256	spoolsv.exe	35
PID 2256 wrote to memory of 2828	2256	spoolsv.exe	35
PID 2256 wrote to memory of 2828	2256	spoolsv.exe	35
PID 2256 wrote to memory of 2828	2256	spoolsv.exe	35
PID 2828 wrote to memory of 2780	2828	svchost.exe	36
PID 2828 wrote to memory of 2780	2828	svchost.exe	36
PID 2828 wrote to memory of 2780	2828	svchost.exe	36
PID 2828 wrote to memory of 2780	2828	svchost.exe	36
PID 2812 wrote to memory of 2980	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	37
PID 2812 wrote to memory of 2980	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	37
PID 2812 wrote to memory of 2980	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	37
PID 2812 wrote to memory of 2980	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	37
PID 2836 wrote to memory of 2728	2836	explorer.exe	38
PID 2836 wrote to memory of 2728	2836	explorer.exe	38
PID 2836 wrote to memory of 2728	2836	explorer.exe	38
PID 2836 wrote to memory of 2728	2836	explorer.exe	38
PID 2828 wrote to memory of 556	2828	svchost.exe	39
PID 2828 wrote to memory of 556	2828	svchost.exe	39
PID 2828 wrote to memory of 556	2828	svchost.exe	39
PID 2828 wrote to memory of 556	2828	svchost.exe	39
PID 2980 wrote to memory of 1832	2980	cmd.exe	41
PID 2980 wrote to memory of 1832	2980	cmd.exe	41
PID 2980 wrote to memory of 1832	2980	cmd.exe	41
PID 2980 wrote to memory of 1832	2980	cmd.exe	41
PID 2812 wrote to memory of 1052	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	43
PID 2812 wrote to memory of 1052	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	43
PID 2812 wrote to memory of 1052	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	43
PID 2812 wrote to memory of 1052	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	43
PID 2812 wrote to memory of 2032	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	44
PID 2812 wrote to memory of 2032	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	44
PID 2812 wrote to memory of 2032	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	44
PID 2812 wrote to memory of 2032	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	44
PID 2812 wrote to memory of 2016	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	45
PID 2812 wrote to memory of 2016	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	45
PID 2812 wrote to memory of 2016	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	45
PID 2812 wrote to memory of 2016	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	45
PID 2812 wrote to memory of 2112	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	46
PID 2812 wrote to memory of 2112	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	46
PID 2812 wrote to memory of 2112	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	46
PID 2812 wrote to memory of 2112	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	46
PID 2812 wrote to memory of 1244	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	47
PID 2812 wrote to memory of 1244	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	47
PID 2812 wrote to memory of 1244	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	47
PID 2812 wrote to memory of 1244	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	47
PID 2812 wrote to memory of 1232	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	48
PID 2812 wrote to memory of 1232	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	48
PID 2812 wrote to memory of 1232	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	48
PID 2812 wrote to memory of 1232	2812	f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe	48

C:\Users\Admin\AppData\Local\Temp\f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe
"C:\Users\Admin\AppData\Local\Temp\f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66deN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- \??\c:\users\admin\appdata\local\temp\f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe
  c:\users\admin\appdata\local\temp\f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MODE CON COLS=19 LINES=2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\mode.com
      MODE CON COLS=19 LINES=2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Color A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2256
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:13 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:556
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:14 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f3c8b1744ca7e323797d6f87dec7528fdc5587c39f72897a60106e25e92f66den.exe

Filesize
1.1MB

MD5
97e0b85b9ca71655f83bc481798d6efa

SHA1
b8e2d7f0ea99fdd73a916a4c9f765e2d2aa44de4

SHA256
cb6915315cfc5c80f8527cdbe1b78ace0f6ecae43a70685ba8732f86968ba67d

SHA512
1e31c86867a98a902765a83bc01f72fc9d2e818ac59b4715ef9925181217bc21ea74cc382f1ef64b79d25c09468a2bee116fbb04125c41f932b646c9243cebbe

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6f122a4dd29137760475fa7e0501cd8c

SHA1
5cb54489d31999991ea2b6134a9db5877ab80cac

SHA256
b4d54bac156ac2b8873fc994706e50b4bae8123d1a789db1429213a4447085fc

SHA512
081d94c87988ff33c1af79774dbe16d0ee36a1b62e30ef2b9368147cc17a6e64dca992040a131410f566931df0de4020c5f6a7258384f5c7ec0e4ad4b371630d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fa8cc67c4f0865b6e0beabeca8078a5a

SHA1
287d7e15639b6d86cfc0437fdfca69557ffc9c78

SHA256
4052493be37c4fdcb8f17f8b7998cebe5a74d74a3987460998a0696774d524f3

SHA512
266d2286a435dc0fecfb7c663d95b766f8e3aadc5ff21b64bbbb53a06d688b763550d03993abf6e5ee1e18342e4a1a246c2dcb6c6ef86d3183a526e84322a74b

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
6c33f228757808e4ec53fdf19ae5382b

SHA1
78ad74018dfc6a088336218d1d0e1c06bddb2c34

SHA256
7f04d731b06539a1379fed19f9b3f9d9fcd16d53afd18ed72659f59002066079

SHA512
bb0c091bae733b03338bb545f6d0c41c975a277e4b911aba9b5095aa1c580c7615ea3307a340878e0176ddb3f8834f75b48c6bb30908db244117cc537799fdb4

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d9a1529f636eed43e246a490aa3c1cd6

SHA1
060ca7b50b6348fd6b2639175e7eb183dd3ca01f

SHA256
82199e52a63f6b0f95677e233f35837fdaf564a77c2ec9334ebd432889e2be43

SHA512
8e26b9b34cf8036cb39a7ff99636a8684715debdfa51682cca73a58b2f5a20be1e8278c26f7328eca01e164b19917664c796c3cf59774225d57a0bb8b13d96c4

Download Submit
memory/2256-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-49-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/2652-27-0x0000000000510000-0x000000000052F000-memory.dmp

Filesize
124KB

Download
memory/2652-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2812-16-0x0000000000920000-0x0000000000C06000-memory.dmp

Filesize
2.9MB

Download
memory/2812-67-0x0000000000920000-0x0000000000C06000-memory.dmp

Filesize
2.9MB

Download
memory/2812-60-0x0000000000920000-0x0000000000C06000-memory.dmp

Filesize
2.9MB

Download
memory/2828-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2828-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2836-69-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2836-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2836-36-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/3016-53-0x0000000002D70000-0x0000000003056000-memory.dmp

Filesize
2.9MB

Download
memory/3016-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-12-0x0000000002D70000-0x0000000003056000-memory.dmp

Filesize
2.9MB

Download
memory/3016-13-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download