Analysis
max time kernel: 150s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 19-04-2021 17:58

Static task: static1
Behavioral task: behavioral1
  Sample: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
  Resource: win10v20210408

General
Target: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Size: 438KB
MD5: c82d1d8b8fc5cbbf8ee05bee229a3a76
SHA1: eeaba79a2d490544ccf4c75f93e6456ab474f800
SHA256: f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
SHA512: 01bd7148e3befa03dd6e548c2c0784849f730165b43dec14f18262b1ee0e592b0e4132f0acf01f9b4d9d46074f0c2b26b5e626cd54d39f88113d10bd684387dc
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
Description | IOC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs)
-
Guloader Payload (1 IoC)
Resource | YARA rule
behavioral2/memory/3152-153-0x00000000020E0000-0x00000000020EF000-memory.dmp | family_guloader
-
Executes dropped EXE (6 IoCs)
Processes: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
PID | Process
3152 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2300 | icsys.icn.exe
972 | explorer.exe
4028 | spoolsv.exe
2196 | svchost.exe
3584 | spoolsv.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: svchost.exe, explorer.exe
Description | IOC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
-
Drops file in Windows directory (6 IoCs)
Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Description | IOC | Process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: icsys.icn.exe, explorer.exe, svchost.exe
PID | Process | Entries
2300 | icsys.icn.exe | 2
972 | explorer.exe | 36
2196 | svchost.exe | 26
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
PID | Process
972 | explorer.exe
2196 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Description | PID | Process
Token: SeShutdownPrivilege | 3152 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Token: SeCreatePagefilePrivilege | 3152 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
-
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe, c82d1d8b8fc5cbbf8ee05bee229a3a76.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
PID | Process | Entries
804 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe | 2
3152 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe | 1
2300 | icsys.icn.exe | 2
972 | explorer.exe | 4
4028 | spoolsv.exe | 2
2196 | svchost.exe | 2
3584 | spoolsv.exe | 2
-
Suspicious use of WriteProcessMemory (27 IoCs; each relation below was recorded 3 times)
Processes: c82d1d8b8fc5cbbf8ee05bee229a3a76.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Description | PID | Process | Target process
PID 804 wrote to memory of 3152 | 804 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 804 wrote to memory of 2300 | 804 | c82d1d8b8fc5cbbf8ee05bee229a3a76.exe | icsys.icn.exe
PID 2300 wrote to memory of 972 | 2300 | icsys.icn.exe | explorer.exe
PID 972 wrote to memory of 4028 | 972 | explorer.exe | spoolsv.exe
PID 4028 wrote to memory of 2196 | 4028 | spoolsv.exe | svchost.exe
PID 2196 wrote to memory of 3584 | 2196 | svchost.exe | spoolsv.exe
PID 2196 wrote to memory of 2808 | 2196 | svchost.exe | at.exe
PID 2196 wrote to memory of 2192 | 2196 | svchost.exe | at.exe
PID 2196 wrote to memory of 1648 | 2196 | svchost.exe | at.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
        Command line: c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
        Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] \??\c:\windows\system\explorer.exe
            Command line: c:\windows\system\explorer.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\windows\system\spoolsv.exe
                Command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] \??\c:\windows\system\svchost.exe
                    Command line: c:\windows\system\svchost.exe
                    - Modifies WinLogon for persistence
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] \??\c:\windows\system\spoolsv.exe
                        Command line: c:\windows\system\spoolsv.exe PR
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 20:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 20:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 20:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5: 81f33af36aa74b241608c2f1ae494ab9
SHA1: 057a50d03af170a3137ba1a94db45dcc1898e708
SHA256: ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90
SHA512: c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f
-
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5: 455c155a23342f28b1cdbfd5d620f129
SHA1: 89b1c98e97e29e178cb7433f801dc4fb7b2d4e03
SHA256: 86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15
SHA512: 00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8
-
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5: 0f960b71b449d7d4f123e52e26f25f87
SHA1: 7bf7f13fe82fdb8ef26b2ec2d8a3bbd410f62e81
SHA256: cd5ccf88e9762f1ab6feec282dbe82955e7fd501f0a9f77a9b67754915533f5d
SHA512: 727e08242883163d2b9c9e4e20abfb957d60cd0268bc81a2fbecf3b880102705f0948a67a519e0c6d346729df1d4fe520d0f449d2458f6d77a452bc8a111eacf
-
C:\Windows\System\explorer.exe
MD5: d72f8a971f7c82bc80e9d4ed49e2acc7
SHA1: 7af7c4580add78ce7352b0256e182155125bee48
SHA256: 594b3740a2df142bd50c20ed4ba90cb32df82ed9caade67651ff523163f47a55
SHA512: 1183bebaefb470203b009fa64d8cf3458295e2ced5ac6c73025adddc0bf60a632ad33c94b267026243e5e61f0281f88bc1cbacc78abe8b7d47c6afa63d5f2ff6
-
C:\Windows\System\spoolsv.exe
MD5: ce1b9ade04721c8dc5e994e71db68545
SHA1: a44e1d16089d06e4841ee5c3f1315d255f1650c0
SHA256: 47335d4e7554c76f67449c1b8d24fafee8e8a004cac5bdf7d9ea301fb4c1435f
SHA512: 810b7c8609dcbfc349858d2e8b54d392119205113c2939f7b9959d1eed054748f12da9e7d87429d169da8aa52374b5b1493506a1a094b2f296d134a3176e3e0a
-
C:\Windows\System\svchost.exe
MD5: d62968130c1dfba07918b7a45b02d20e
SHA1: bb7f5c720bd8324aad2b3670f9ed669dfab1e96b
SHA256: af493442327ffcbc7fa19a935ed18c5eaca6a51ab2b1ab92531a0c8b0fcad759
SHA512: 76d419ce0407a2d2fc2501dda8604d34f9eae6c64203bf8d1a79330520fd0649ddd25579dfe7fe22de905d2b7f79b8cabc81ff5bca48147d75ef9a453e7bbb58
-
\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5: 81f33af36aa74b241608c2f1ae494ab9
SHA1: 057a50d03af170a3137ba1a94db45dcc1898e708
SHA256: ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90
SHA512: c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f
-
\??\c:\windows\system\explorer.exe
MD5: d72f8a971f7c82bc80e9d4ed49e2acc7
SHA1: 7af7c4580add78ce7352b0256e182155125bee48
SHA256: 594b3740a2df142bd50c20ed4ba90cb32df82ed9caade67651ff523163f47a55
SHA512: 1183bebaefb470203b009fa64d8cf3458295e2ced5ac6c73025adddc0bf60a632ad33c94b267026243e5e61f0281f88bc1cbacc78abe8b7d47c6afa63d5f2ff6
-
\??\c:\windows\system\spoolsv.exe
MD5: ce1b9ade04721c8dc5e994e71db68545
SHA1: a44e1d16089d06e4841ee5c3f1315d255f1650c0
SHA256: 47335d4e7554c76f67449c1b8d24fafee8e8a004cac5bdf7d9ea301fb4c1435f
SHA512: 810b7c8609dcbfc349858d2e8b54d392119205113c2939f7b9959d1eed054748f12da9e7d87429d169da8aa52374b5b1493506a1a094b2f296d134a3176e3e0a
-
\??\c:\windows\system\svchost.exe
MD5: d62968130c1dfba07918b7a45b02d20e
SHA1: bb7f5c720bd8324aad2b3670f9ed669dfab1e96b
SHA256: af493442327ffcbc7fa19a935ed18c5eaca6a51ab2b1ab92531a0c8b0fcad759
SHA512: 76d419ce0407a2d2fc2501dda8604d34f9eae6c64203bf8d1a79330520fd0649ddd25579dfe7fe22de905d2b7f79b8cabc81ff5bca48147d75ef9a453e7bbb58
-
memory/972-128-0x0000000000000000-mapping.dmp
-
memory/1648-155-0x0000000000000000-mapping.dmp
-
memory/2192-154-0x0000000000000000-mapping.dmp
-
memory/2196-140-0x0000000000000000-mapping.dmp
-
memory/2300-122-0x0000000000000000-mapping.dmp
-
memory/2808-151-0x0000000000000000-mapping.dmp
-
memory/3152-117-0x0000000000000000-mapping.dmp
-
memory/3152-153-0x00000000020E0000-0x00000000020EF000-memory.dmp (Filesize: 60KB)
-
memory/3584-146-0x0000000000000000-mapping.dmp
-
memory/4028-134-0x0000000000000000-mapping.dmp