Analysis
-
max time kernel
152s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
19-04-2021 17:23
Static task
static1
Behavioral task
behavioral1
Sample
c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Resource
win10v20210408
General
-
Target
c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
-
Size
438KB
-
MD5
c82d1d8b8fc5cbbf8ee05bee229a3a76
-
SHA1
eeaba79a2d490544ccf4c75f93e6456ab474f800
-
SHA256
f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
-
SHA512
01bd7148e3befa03dd6e548c2c0784849f730165b43dec14f18262b1ee0e592b0e4132f0acf01f9b4d9d46074f0c2b26b5e626cd54d39f88113d10bd684387dc
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
Guloader Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3568-153-0x0000000002910000-0x000000000291F000-memory.dmp family_guloader -
Executes dropped EXE 6 IoCs
Processes:
c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3568 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe 2988 icsys.icn.exe 2100 explorer.exe 4032 spoolsv.exe 2308 svchost.exe 2656 spoolsv.exe -
Modifies Installed Components in the registry 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
explorer.exesvchost.exeicsys.icn.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
icsys.icn.exeexplorer.exesvchost.exepid process 2988 icsys.icn.exe 2988 icsys.icn.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe 2308 svchost.exe 2308 svchost.exe 2100 explorer.exe 2100 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 2100 explorer.exe 2308 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
c82d1d8b8fc5cbbf8ee05bee229a3a76.exedescription pid process Token: SeShutdownPrivilege 3568 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe Token: SeCreatePagefilePrivilege 3568 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
c82d1d8b8fc5cbbf8ee05bee229a3a76.exec82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe 3568 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe 2988 icsys.icn.exe 2988 icsys.icn.exe 2100 explorer.exe 2100 explorer.exe 4032 spoolsv.exe 4032 spoolsv.exe 2308 svchost.exe 2308 svchost.exe 2656 spoolsv.exe 2656 spoolsv.exe 2100 explorer.exe 2100 explorer.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
c82d1d8b8fc5cbbf8ee05bee229a3a76.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 3492 wrote to memory of 3568 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe c82d1d8b8fc5cbbf8ee05bee229a3a76.exe PID 3492 wrote to memory of 3568 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe c82d1d8b8fc5cbbf8ee05bee229a3a76.exe PID 3492 wrote to memory of 3568 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe c82d1d8b8fc5cbbf8ee05bee229a3a76.exe PID 3492 wrote to memory of 2988 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exe PID 3492 wrote to memory of 2988 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exe PID 3492 wrote to memory of 2988 3492 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exe PID 2988 wrote to memory of 2100 2988 icsys.icn.exe explorer.exe PID 2988 wrote to memory of 2100 2988 icsys.icn.exe explorer.exe PID 2988 wrote to memory of 2100 2988 icsys.icn.exe explorer.exe PID 2100 wrote to memory of 4032 2100 explorer.exe spoolsv.exe PID 2100 wrote to memory of 4032 2100 explorer.exe spoolsv.exe PID 2100 wrote to memory of 4032 2100 explorer.exe spoolsv.exe PID 4032 wrote to memory of 2308 4032 spoolsv.exe svchost.exe PID 4032 wrote to memory of 2308 4032 spoolsv.exe svchost.exe PID 4032 wrote to memory of 2308 4032 spoolsv.exe svchost.exe PID 2308 wrote to memory of 2656 2308 svchost.exe spoolsv.exe PID 2308 wrote to memory of 2656 2308 svchost.exe spoolsv.exe PID 2308 wrote to memory of 2656 2308 svchost.exe spoolsv.exe PID 2308 wrote to memory of 3924 2308 svchost.exe at.exe PID 2308 wrote to memory of 3924 2308 svchost.exe at.exe PID 2308 wrote to memory of 3924 2308 svchost.exe at.exe PID 2308 wrote to memory of 2288 2308 svchost.exe at.exe PID 2308 wrote to memory of 2288 2308 svchost.exe at.exe PID 2308 wrote to memory of 2288 2308 svchost.exe at.exe PID 2308 wrote to memory of 2640 2308 svchost.exe at.exe PID 2308 wrote to memory of 2640 2308 svchost.exe at.exe PID 2308 wrote to memory of 2640 2308 svchost.exe at.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exec:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 19:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 19:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exeMD5
81f33af36aa74b241608c2f1ae494ab9
SHA1057a50d03af170a3137ba1a94db45dcc1898e708
SHA256ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90
SHA512c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f
-
C:\Users\Admin\AppData\Local\icsys.icn.exeMD5
455c155a23342f28b1cdbfd5d620f129
SHA189b1c98e97e29e178cb7433f801dc4fb7b2d4e03
SHA25686c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15
SHA51200bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8
-
C:\Users\Admin\AppData\Local\icsys.icn.exeMD5
455c155a23342f28b1cdbfd5d620f129
SHA189b1c98e97e29e178cb7433f801dc4fb7b2d4e03
SHA25686c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15
SHA51200bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8
-
C:\Users\Admin\AppData\Roaming\mrsys.exeMD5
9209a2d03398f99c10701f44d71dc2bb
SHA16c0ad8e6bd42fe0b06e627092f1085c736bdc2e8
SHA256a42fe328e3e434cf1d699d29060b1e1e8b3972a600cbfbf92326cbf58cd407ca
SHA51299db259aa1779c2215710716536eb48523e4e5a5f1bf84b0cc8d54ca17c5651f48bddabc3bedd7e7e83ec6e81942ca47aa4ddaa1d86b4c6dfeb249860adddfbc
-
C:\Windows\System\explorer.exeMD5
b491d8c7ae0d7ad20a0f4885d3033aa9
SHA14747ac69f50dcb3736a7c08461b144d667ab4c88
SHA2560bc00f14615b3ae9848e451500c261e4e28e87cbb96384091fc82df669853fad
SHA512846eebbb7a44cded43538627774eda5111262b0163688465344719ff365bc3078ef01f2748ca648dd56c2d62b3ea63b9ef916e29b59d84fcf6db2fffe36b443d
-
C:\Windows\System\spoolsv.exeMD5
ca294e3beb7c60fe1cf96afa2910afa4
SHA15965257b43a27a6a69281050fcc49cb1839bfd4e
SHA256d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727
SHA5124eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9
-
C:\Windows\System\spoolsv.exeMD5
ca294e3beb7c60fe1cf96afa2910afa4
SHA15965257b43a27a6a69281050fcc49cb1839bfd4e
SHA256d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727
SHA5124eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9
-
C:\Windows\System\svchost.exeMD5
723279bc246be813fd08d107fd060021
SHA198c4b1ec7e0495d4eace070dadc930d567c6dec8
SHA256aff72901c3d4231e799c8a68349197df887d059f3b875a5f08f726746069b345
SHA512f2c583aad6402d30e7663f781c325f70135131b7d98ce0043ab30180465ca940b2dffed37bb4601d12f2c328408dd3df253ebd7791ec5fbd3b93b09f6e3245d7
-
\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exeMD5
81f33af36aa74b241608c2f1ae494ab9
SHA1057a50d03af170a3137ba1a94db45dcc1898e708
SHA256ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90
SHA512c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f
-
\??\c:\windows\system\explorer.exeMD5
b491d8c7ae0d7ad20a0f4885d3033aa9
SHA14747ac69f50dcb3736a7c08461b144d667ab4c88
SHA2560bc00f14615b3ae9848e451500c261e4e28e87cbb96384091fc82df669853fad
SHA512846eebbb7a44cded43538627774eda5111262b0163688465344719ff365bc3078ef01f2748ca648dd56c2d62b3ea63b9ef916e29b59d84fcf6db2fffe36b443d
-
\??\c:\windows\system\spoolsv.exeMD5
ca294e3beb7c60fe1cf96afa2910afa4
SHA15965257b43a27a6a69281050fcc49cb1839bfd4e
SHA256d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727
SHA5124eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9
-
\??\c:\windows\system\svchost.exeMD5
723279bc246be813fd08d107fd060021
SHA198c4b1ec7e0495d4eace070dadc930d567c6dec8
SHA256aff72901c3d4231e799c8a68349197df887d059f3b875a5f08f726746069b345
SHA512f2c583aad6402d30e7663f781c325f70135131b7d98ce0043ab30180465ca940b2dffed37bb4601d12f2c328408dd3df253ebd7791ec5fbd3b93b09f6e3245d7
-
memory/2100-128-0x0000000000000000-mapping.dmp
-
memory/2288-154-0x0000000000000000-mapping.dmp
-
memory/2308-140-0x0000000000000000-mapping.dmp
-
memory/2640-155-0x0000000000000000-mapping.dmp
-
memory/2656-146-0x0000000000000000-mapping.dmp
-
memory/2988-122-0x0000000000000000-mapping.dmp
-
memory/3568-117-0x0000000000000000-mapping.dmp
-
memory/3568-153-0x0000000002910000-0x000000000291F000-memory.dmpFilesize
60KB
-
memory/3924-151-0x0000000000000000-mapping.dmp
-
memory/4032-134-0x0000000000000000-mapping.dmp