floxif | 627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Size

3.6MB
MD5

924b46ba7e7fd48fc3b89a10f62e3d6f
SHA1

4ea9a6cc382ddfd1a7e5fa0bd1ac79edf4350839
SHA256

627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691
SHA512

60d8843a4246e15972fd3eb9466930474d0c8a679dcf71b2d3afc01067a8cb26e4b5eac71669f32ecc2a8aace59fdaa198a2e1897374e7f87430b5fd8280d193
SSDEEP

49152:sH2XX9nMhH9HpVYZ0CSf1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK70D:A2XX96HhpVYZo1t0xOoGBiCV2HmdI

Score

10^/10

floxif backdoor defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000018683-12.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000018683-12.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2572	icsys.icn.exe
2596	explorer.exe
1820	spoolsv.exe
768	svchost.exe
2300	spoolsv.exe

Loads dropped DLL 18 IoCs

pid	Process
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2572	icsys.icn.exe
2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2572	icsys.icn.exe
2596	explorer.exe
2596	explorer.exe
1820	spoolsv.exe
1820	spoolsv.exe
2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
768	svchost.exe
768	svchost.exe
2300	spoolsv.exe
1248	schtasks.exe
2784	schtasks.exe
2296	schtasks.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0007000000018683-12.dat	upx
behavioral1/memory/2572-23-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2596-46-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1820-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-75-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/768-78-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2300-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/768-85-0x0000000000590000-0x00000000005AF000-memory.dmp	upx
behavioral1/memory/2572-84-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2300-92-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1820-95-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2572-98-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1248-102-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2596-103-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1248-117-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/768-233-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-236-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2596-237-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/768-238-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-242-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-248-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-254-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-262-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-266-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2784-270-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2784-271-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2216-298-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2296-302-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2296-303-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies system certificate store 2 TTPs 10 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2296	schtasks.exe
1248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
2596	explorer.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
768	svchost.exe
2596	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Token: SeDebugPrivilege	2572	icsys.icn.exe
Token: SeDebugPrivilege	2596	explorer.exe
Token: SeDebugPrivilege	1820	spoolsv.exe
Token: SeDebugPrivilege	768	svchost.exe
Token: SeDebugPrivilege	2300	spoolsv.exe
Token: SeDebugPrivilege	1248	schtasks.exe
Token: SeDebugPrivilege	2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Token: SeShutdownPrivilege	2216	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
Token: SeDebugPrivilege	2784	schtasks.exe
Token: SeDebugPrivilege	2296	schtasks.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
2572	icsys.icn.exe
2572	icsys.icn.exe
2596	explorer.exe
2596	explorer.exe
1820	spoolsv.exe
1820	spoolsv.exe
768	svchost.exe
768	svchost.exe
2300	spoolsv.exe
2300	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2216	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	30
PID 2420 wrote to memory of 2216	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	30
PID 2420 wrote to memory of 2216	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	30
PID 2420 wrote to memory of 2216	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	30
PID 2420 wrote to memory of 2572	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	31
PID 2420 wrote to memory of 2572	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	31
PID 2420 wrote to memory of 2572	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	31
PID 2420 wrote to memory of 2572	2420	627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe	31
PID 2572 wrote to memory of 2596	2572	icsys.icn.exe	32
PID 2572 wrote to memory of 2596	2572	icsys.icn.exe	32
PID 2572 wrote to memory of 2596	2572	icsys.icn.exe	32
PID 2572 wrote to memory of 2596	2572	icsys.icn.exe	32
PID 2596 wrote to memory of 1820	2596	explorer.exe	33
PID 2596 wrote to memory of 1820	2596	explorer.exe	33
PID 2596 wrote to memory of 1820	2596	explorer.exe	33
PID 2596 wrote to memory of 1820	2596	explorer.exe	33
PID 1820 wrote to memory of 768	1820	spoolsv.exe	34
PID 1820 wrote to memory of 768	1820	spoolsv.exe	34
PID 1820 wrote to memory of 768	1820	spoolsv.exe	34
PID 1820 wrote to memory of 768	1820	spoolsv.exe	34
PID 768 wrote to memory of 2300	768	svchost.exe	35
PID 768 wrote to memory of 2300	768	svchost.exe	35
PID 768 wrote to memory of 2300	768	svchost.exe	35
PID 768 wrote to memory of 2300	768	svchost.exe	35
PID 2596 wrote to memory of 2072	2596	explorer.exe	36
PID 2596 wrote to memory of 2072	2596	explorer.exe	36
PID 2596 wrote to memory of 2072	2596	explorer.exe	36
PID 2596 wrote to memory of 2072	2596	explorer.exe	36
PID 768 wrote to memory of 1248	768	svchost.exe	37
PID 768 wrote to memory of 1248	768	svchost.exe	37
PID 768 wrote to memory of 1248	768	svchost.exe	37
PID 768 wrote to memory of 1248	768	svchost.exe	37
PID 768 wrote to memory of 2784	768	svchost.exe	41
PID 768 wrote to memory of 2784	768	svchost.exe	41
PID 768 wrote to memory of 2784	768	svchost.exe	41
PID 768 wrote to memory of 2784	768	svchost.exe	41
PID 768 wrote to memory of 2296	768	svchost.exe	44
PID 768 wrote to memory of 2296	768	svchost.exe	44
PID 768 wrote to memory of 2296	768	svchost.exe	44
PID 768 wrote to memory of 2296	768	svchost.exe	44

C:\Users\Admin\AppData\Local\Temp\627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
"C:\Users\Admin\AppData\Local\Temp\627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- \??\c:\users\admin\appdata\local\temp\627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
  c:\users\admin\appdata\local\temp\627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1820
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2300
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:44 /f
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:45 /f
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:46 /f
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1146ace772e3a11ca7e4887aca408fe

SHA1
82368705f82565842ea3d2cd66d0746658df2281

SHA256
097884ec6f24d5b9d9a64cf98f0a3469eb38cb199e9dd4129762f24fc89a68ba

SHA512
0ae2f32528be6f253a2913e7697674bb42de030f3722dd699d4c499ee6e2ff89b23d44568caf6dfc1688428a02c49c7eb53fbee6687d6ec999a14965ffda09b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1325.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1386.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
b8c7168537ea2d2eb67a6761f5961995

SHA1
872e6c964174e5ba1a7a1d3d9968afa9936548d0

SHA256
c3a303a6942ea0836adf6398df31465f7942e9db7feed809b1f36a5850982b6b

SHA512
9b1205f43ced633be946873863f4ac9f7aba746d2d2241ae60096fbb9c9e9422b0b5cc27a89902eec7b8fc3ca6e787b7c20a0ee565eec54359348c7c9cba6cfe

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f9861e4a86b842dfafd7bb5bc28c7e95

SHA1
80f0a72711906b572c09b1b29050dcb81cea9aff

SHA256
68a570b021f8e146e8e9bdc0f45fddbd8c26fb8158ea55329b52f929ddc90e96

SHA512
6d08995aabd88468557a5a6d4237be91e5a941ac74e12391983e87c30bd7340ab9487179514ab49d41a740144a8e3c8cd03bf6282e880742d253a291989152b3

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\627d78d9ec3da2ab672efd2c4b9ea424ace0cbd98ea2ca3729ab8d3582ee7691.exe

Filesize
3.4MB

MD5
05dbee0d76e3cc943c1f4b86d94ee4f0

SHA1
0becbd2e4b6dcfe10e889b0afe30acd746b58e87

SHA256
cd6fa1dcd6e80e2f64692ff90b25c1add8f40d5468624a16f2b19e5ef739b571

SHA512
9f7646971c7ec5024780a2eebbfeda36871677377ded3746a03f16084c1e317f7d6174c13c39b167ce2a2c25e49c97b7937eb6554dd045684eba93af69a23e0c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
a895cb6b0aad0e9747252b106c57675e

SHA1
9fccd0d83de1a44af9565270fccb69fa67513b9c

SHA256
25a857baeda27f8d85f03b3e8d9cf3735b3ca4a849b0b26df227effb955ce276

SHA512
01c9f582e75f6da738a3f56fc386f974c0594b17ccd0b03c44a5993d5c6c2797ac06831ca67dccd395b16286636cee01964e007e2e1bc138de74dbb030583b79

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
50f5d25f72cd02033f62df49a23f1228

SHA1
86216e199f3b342448399d47632c327af5e8b082

SHA256
df9ef3b44c1896dee948b73a16a8650b9d53d13dfe8a9915ee8cc4efe03452e8

SHA512
2e60620de7dc783627fd0ffbfef3986c3db030bed5fca566bdbdfc497a673e45d3f890e08984eb8bf7a726532994de5a21a991db7d1dbe81da760934761d6bea

Download Submit
memory/768-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/768-233-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/768-238-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/768-78-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/768-278-0x0000000000590000-0x00000000005AF000-memory.dmp

Filesize
124KB

Download
memory/768-85-0x0000000000590000-0x00000000005AF000-memory.dmp

Filesize
124KB

Download
memory/1248-117-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1248-102-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1820-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1820-73-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1820-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-95-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-242-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-235-0x0000000000A80000-0x0000000000DE2000-memory.dmp

Filesize
3.4MB

Download
memory/2216-298-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-284-0x0000000003E70000-0x0000000003E8F000-memory.dmp

Filesize
124KB

Download
memory/2216-283-0x0000000003E70000-0x0000000003E8F000-memory.dmp

Filesize
124KB

Download
memory/2216-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-266-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-262-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-254-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-70-0x00000000035E0000-0x00000000035F6000-memory.dmp

Filesize
88KB

Download
memory/2216-74-0x0000000074280000-0x0000000074296000-memory.dmp

Filesize
88KB

Download
memory/2216-231-0x0000000003A80000-0x0000000003AC4000-memory.dmp

Filesize
272KB

Download
memory/2216-232-0x0000000003E70000-0x0000000003E8F000-memory.dmp

Filesize
124KB

Download
memory/2216-75-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-234-0x0000000003E70000-0x0000000003E8F000-memory.dmp

Filesize
124KB

Download
memory/2216-236-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-248-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-241-0x0000000000A80000-0x0000000000DE2000-memory.dmp

Filesize
3.4MB

Download
memory/2296-302-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2296-303-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2300-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2300-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2300-92-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2420-22-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2420-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-98-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2572-84-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2572-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-23-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-46-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-237-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2596-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-103-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2784-271-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2784-270-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download