xmrig | 61660ffe382430717fccd0bc8b33e8e498665c72cf7b7f974fda9ec728ead713

Analysis

max time kernel
150s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
22-04-2021 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agent WindowsR1.5.561.exe
Size

3.7MB
MD5

c01e9e0697a5fe89ea95010aef1ec9a0
SHA1

12c50eea01bfaf061bb1ed2daecdbe49bc1e2972
SHA256

61660ffe382430717fccd0bc8b33e8e498665c72cf7b7f974fda9ec728ead713
SHA512

58dcc3b5b5e60fdb2ce2407255f433ff4bc06827349f0c3b405750ab393a59061fcbef6735c8c287fef980ad57df4c2a439a2505ca0cc7fbb4115d971121353e

Score

10^/10

xmrig discovery evasion miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 10 IoCs

Processes:

agent windowsr1.5.561.exe agent windowsr1.5.561.tmpicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeAutoConvInstallPath.exeEMSAgentInstall.exeNNPOption.exe

pid	process
4276	agent windowsr1.5.561.exe
2212	agent windowsr1.5.561.tmp
3220	icsys.icn.exe
4180	explorer.exe
3188	spoolsv.exe
852	svchost.exe
1084	spoolsv.exe
2824	AutoConvInstallPath.exe
3304	EMSAgentInstall.exe
4660	NNPOption.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

NNPOption.exe

pid process

4660 NNPOption.exe

pid	process
4660	NNPOption.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

agent windowsr1.5.561.tmpEMSAgentInstall.exeAutoConvInstallPath.exe

description	ioc	process
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\ProcessLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-S53FH.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-G63KT.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PCILabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\ScriptDLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-T6RFC.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-G7O48.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-54VUB.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\MemoryLeakChk.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-MF5LL.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-67P8F.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\aproc\shell\is-P0VTE.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-TD50I.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\conf\is-VM1SP.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-SDCAA.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-CU1JF.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.log	EMSAgentInstall.exe
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\othread2.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-O4LOP.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-S9SMS.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-BEG57.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-2FR7B.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf_lock	EMSAgentInstall.exe
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\psapi.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\ConnectTimeLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\SchedLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EnglishRc.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf_lock	EMSAgentInstall.exe
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\SystemLogLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\NNPAutoUpdate.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-9LVQJ.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\is-2F10C.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-RQ2G4.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\OsLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PageFileLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-48GUH.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\mfc42.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\ServerLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\aproc\inv\is-300Q0.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf_tmp	AutoConvInstallPath.exe
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\NNPAutoBackup.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-9E0JM.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\RemoteLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-I0OC3.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\EventLogLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\etc\is-LTH10.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PageLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\V-RAC.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-ATAKJ.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf_lock	AutoConvInstallPath.exe
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\LogLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\etc\plog.exe	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\ChineseRc.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\KoreanRc.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-6TJTQ.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-P2B13.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\psapiw2k.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\is-CMD8V.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-6SNQ6.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PerfCounterCheck.exe	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\UserEventLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-878AS.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-TOC4C.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-MBO48.tmp	agent windowsr1.5.561.tmp

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
3220	icsys.icn.exe
3220	icsys.icn.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe
4180	explorer.exe
4180	explorer.exe
852	svchost.exe
852	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4180 explorer.exe
852 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

agent windowsr1.5.561.tmp

pid process

2212 agent windowsr1.5.561.tmp

pid	process
4180	explorer.exe
852	svchost.exe

pid	process
2212	agent windowsr1.5.561.tmp

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Agent WindowsR1.5.561.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeNNPOption.exe

pid	process
4808	Agent WindowsR1.5.561.exe
4808	Agent WindowsR1.5.561.exe
3220	icsys.icn.exe
3220	icsys.icn.exe
4180	explorer.exe
4180	explorer.exe
3188	spoolsv.exe
3188	spoolsv.exe
852	svchost.exe
852	svchost.exe
1084	spoolsv.exe
1084	spoolsv.exe
4180	explorer.exe
4180	explorer.exe
4660	NNPOption.exe
4660	NNPOption.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

Agent WindowsR1.5.561.exeagent windowsr1.5.561.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exeagent windowsr1.5.561.tmp

description	pid	process	target process
PID 4808 wrote to memory of 4276	4808	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 4808 wrote to memory of 4276	4808	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 4808 wrote to memory of 4276	4808	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 4276 wrote to memory of 2212	4276	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 4276 wrote to memory of 2212	4276	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 4276 wrote to memory of 2212	4276	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 4808 wrote to memory of 3220	4808	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 4808 wrote to memory of 3220	4808	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 4808 wrote to memory of 3220	4808	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 3220 wrote to memory of 4180	3220	icsys.icn.exe	explorer.exe
PID 3220 wrote to memory of 4180	3220	icsys.icn.exe	explorer.exe
PID 3220 wrote to memory of 4180	3220	icsys.icn.exe	explorer.exe
PID 4180 wrote to memory of 3188	4180	explorer.exe	spoolsv.exe
PID 4180 wrote to memory of 3188	4180	explorer.exe	spoolsv.exe
PID 4180 wrote to memory of 3188	4180	explorer.exe	spoolsv.exe
PID 3188 wrote to memory of 852	3188	spoolsv.exe	svchost.exe
PID 3188 wrote to memory of 852	3188	spoolsv.exe	svchost.exe
PID 3188 wrote to memory of 852	3188	spoolsv.exe	svchost.exe
PID 852 wrote to memory of 1084	852	svchost.exe	spoolsv.exe
PID 852 wrote to memory of 1084	852	svchost.exe	spoolsv.exe
PID 852 wrote to memory of 1084	852	svchost.exe	spoolsv.exe
PID 852 wrote to memory of 1392	852	svchost.exe	at.exe
PID 852 wrote to memory of 1392	852	svchost.exe	at.exe
PID 852 wrote to memory of 1392	852	svchost.exe	at.exe
PID 2212 wrote to memory of 2824	2212	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 2212 wrote to memory of 2824	2212	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 2212 wrote to memory of 2824	2212	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 2212 wrote to memory of 3304	2212	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 2212 wrote to memory of 3304	2212	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 2212 wrote to memory of 3304	2212	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 2212 wrote to memory of 4348	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 2212 wrote to memory of 4348	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 2212 wrote to memory of 4348	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 2212 wrote to memory of 3480	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 2212 wrote to memory of 3480	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 2212 wrote to memory of 3480	2212	agent windowsr1.5.561.tmp	netsh.exe
PID 852 wrote to memory of 4516	852	svchost.exe	at.exe
PID 852 wrote to memory of 4516	852	svchost.exe	at.exe
PID 852 wrote to memory of 4516	852	svchost.exe	at.exe
PID 2212 wrote to memory of 4660	2212	agent windowsr1.5.561.tmp	NNPOption.exe
PID 2212 wrote to memory of 4660	2212	agent windowsr1.5.561.tmp	NNPOption.exe
PID 2212 wrote to memory of 4660	2212	agent windowsr1.5.561.tmp	NNPOption.exe
PID 852 wrote to memory of 4672	852	svchost.exe	at.exe
PID 852 wrote to memory of 4672	852	svchost.exe	at.exe
PID 852 wrote to memory of 4672	852	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\Agent WindowsR1.5.561.exe
"C:\Users\Admin\AppData\Local\Temp\Agent WindowsR1.5.561.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- \??\c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe
  "c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\is-6QGC0.tmp\agent windowsr1.5.561.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6QGC0.tmp\agent windowsr1.5.561.tmp" /SL5="$5007C,3391113,54272,c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe "
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
      "C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe" /path C:\Program Files\NKIA\NNPAgent
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2824
  - - C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
      "C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe" /path C:\Program Files\NKIA\NNPAgent /c 0|127.0.0.1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3304
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name= "SMS Agent Service Port" dir=in action=allow protocol=tcp localport=21003
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name= "SMS Agent Update Port" dir=out action=allow protocol=tcp localport=21080,21002
      4⤵
      PID:3480
  - - C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
      "C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4660
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3220
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3188
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:852
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
      - C:\Windows\SysWOW64\at.exe
        
        at 09:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1392
      - C:\Windows\SysWOW64\at.exe
        
        at 09:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4516
      - C:\Windows\SysWOW64\at.exe
        
        at 09:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf

MD5
44778483f655eae5e904ae33f968a107

SHA1
3b4202318c3d26aef2d5738b9d86407cc3234566

SHA256
5ba912a94c4d32dbed15ea235f987104cb0503af4745836d960cd08a60039462

SHA512
7ef382c521366cecd0b103bdec389cc2f608d1aad67ef7692f4a8a269e5dff47a4cf1f2d62362d353de97c23181cf34430a98ddea06d6fc418e9c4aa827e02f0

Download Submit
C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf

MD5
44778483f655eae5e904ae33f968a107

SHA1
3b4202318c3d26aef2d5738b9d86407cc3234566

SHA256
5ba912a94c4d32dbed15ea235f987104cb0503af4745836d960cd08a60039462

SHA512
7ef382c521366cecd0b103bdec389cc2f608d1aad67ef7692f4a8a269e5dff47a4cf1f2d62362d353de97c23181cf34430a98ddea06d6fc418e9c4aa827e02f0

Download Submit
C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf

MD5
08bdd47ed2195ff1e2c01fa3540d0a7a

SHA1
54e2cca82d3e69dde64fdf3ff5c64d3b44a7363e

SHA256
9619e7b2dcec54f4ff372460d45b9412a97227345223a7ffb318dc54b80b7d0c

SHA512
8050bc96141dad00b47193b19392dd624ab10a7c71583e64751bbd83acf45d68a1fef47c2528d91e494e13e5972ceaa183160ae419bfed0e2efedbb30e9508b1

Download Submit
C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf

MD5
08bdd47ed2195ff1e2c01fa3540d0a7a

SHA1
54e2cca82d3e69dde64fdf3ff5c64d3b44a7363e

SHA256
9619e7b2dcec54f4ff372460d45b9412a97227345223a7ffb318dc54b80b7d0c

SHA512
8050bc96141dad00b47193b19392dd624ab10a7c71583e64751bbd83acf45d68a1fef47c2528d91e494e13e5972ceaa183160ae419bfed0e2efedbb30e9508b1

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe

MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe

MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe

MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe

MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EnglishRc.dll

MD5
ef5ae434ec7d7048c17ab9d7cde7d124

SHA1
8238b8d9efa1db742e5f8f1214c17c7f71bc23b7

SHA256
fe88362b458e2a12b2a775415e4f13efe2d1f053a2717755cf6e706f57a346c5

SHA512
63febd1b1c2fe6547c9aefc6e2c895ac81b5a3a58839efa32aa0f106b1c1741de4666edca68203e7ab2b82613c1e186accb13c58a6ec9b9318e4a3b72485b30a

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\ModuleInfo.dat

MD5
369042d94faeb4507339d5ccd1978053

SHA1
2eb03bc074a09bd8c09a3da0dd2759b1c980de88

SHA256
410b889967ddf7b778544d95cd20e933f15e6220066e5c13cf8c61a3ebb26b25

SHA512
bdb6543db4b01ab938441008eba381300b1ad420f32a075533cc763a240eb3381ef6e9cd5ce440b96f187de1880f761c3fbfc726a799a2e808eb4253db08eacc

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe

MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe

MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\language.dat

MD5
9cfefed8fb9497baa5cd519d7d2bb5d7

SHA1
094b0fe0e302854af1311afab85b5203ba457a3b

SHA256
dbd3a49d0d906b4ed9216b73330d2fb080ef2f758c12f3885068222e5e17151c

SHA512
41dd75307a2e7c49caf53fff15aada688275ef4d7950bedf028612b73f343ed45cf51fe1d4d27f58ed12e93e0fd0ae7f69428db169211554d1b380c91aa5cd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\agent windowsr1.5.561.exe

MD5
d3d52995d9e6b41bd5d4a4e307881e74

SHA1
de7cbf8e1fb8261bffd18acb8d6eb282416f1446

SHA256
077455ead959ce3cb558a90dadf6ecb12dd3c8042b274a27006b4a9368f3c73d

SHA512
dfe2403d7fbcb1ba36036c8f6b168be1769a770a67ccddec8c30da5a4faeba890f98f308d4366bf1b68ecc480f9e6a6ec2c0b84c20659ec438ef7e3c7a750f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6QGC0.tmp\agent windowsr1.5.561.tmp

MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6QGC0.tmp\agent windowsr1.5.561.tmp

MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5
00e49415b6fc5fb2486f61659fd5bd59

SHA1
24410c6479948115f1f48ad8b1cd87ad890d2504

SHA256
859858ff86fac62d0840c495aaafa23c1c8f5cd9ed24284743db3e273032ba0e

SHA512
9e6d518b45b3ebd206c6d3a84be85fae2e9417ff2c8fdd4cfd218aed04feb47c04d45e9c45668fe0fefe518c0bfeaa496c2425fd01dc252023e41bdf25c16dd8

Download Submit
C:\Windows\System\explorer.exe

MD5
892c5ede1cd31ec48249f350d152ef92

SHA1
97656e0bf0d6e63e1b6bfd1c8f53b25a7149bad4

SHA256
4735947ab2893238fd6f5f9681ea74cad1b06e73862d8301b4f7e06b46e3548a

SHA512
88c813f76e8ba46b3cbd3723b8f9e4080d7ba6b9bd52d1af8423770d40a176a6643b7c028e4036c01a248dbd3e9707eb2e3ea38acce877224ea047fe0ce17337

Download Submit
C:\Windows\System\spoolsv.exe

MD5
7b19cb43db4a3da01c493d4816199ad6

SHA1
ed99e66f9013bec8d44238bd5aeefe33bccff210

SHA256
a3b430bc946e0c282215a70361a20c35ede0a988eb5aa8710ca0a9f724e920c2

SHA512
c19141efca53b343bbe52b6b29bfdb7d65d4d26cab5ffe7555fe58d2d40f4da077fd0453b1075b78a77e3c646f577c4f472b087d9e56a9ce7427c4671f0ae14d

Download Submit
C:\Windows\System\spoolsv.exe

MD5
7b19cb43db4a3da01c493d4816199ad6

SHA1
ed99e66f9013bec8d44238bd5aeefe33bccff210

SHA256
a3b430bc946e0c282215a70361a20c35ede0a988eb5aa8710ca0a9f724e920c2

SHA512
c19141efca53b343bbe52b6b29bfdb7d65d4d26cab5ffe7555fe58d2d40f4da077fd0453b1075b78a77e3c646f577c4f472b087d9e56a9ce7427c4671f0ae14d

Download Submit
C:\Windows\System\svchost.exe

MD5
0d22e14076f9bfb29ab18e1bb27d1814

SHA1
fbb5f04bf2110c7bc4e79d10b6b46bd9d8bd4e3e

SHA256
83d4f30637d34763ca07e5927763723c9707c59a5390800099b267c25f617b8e

SHA512
c561d8f56bcffd27bbd84e27716ffa1634fffb50bcad304f97765faa5ace850328477d1c57c06b704aa4e20f23b6b4a21ddc893a8bf375769c336fee751c9ad3

Download Submit
\??\c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe

MD5
d3d52995d9e6b41bd5d4a4e307881e74

SHA1
de7cbf8e1fb8261bffd18acb8d6eb282416f1446

SHA256
077455ead959ce3cb558a90dadf6ecb12dd3c8042b274a27006b4a9368f3c73d

SHA512
dfe2403d7fbcb1ba36036c8f6b168be1769a770a67ccddec8c30da5a4faeba890f98f308d4366bf1b68ecc480f9e6a6ec2c0b84c20659ec438ef7e3c7a750f7a

Download Submit
\??\c:\windows\system\explorer.exe

MD5
892c5ede1cd31ec48249f350d152ef92

SHA1
97656e0bf0d6e63e1b6bfd1c8f53b25a7149bad4

SHA256
4735947ab2893238fd6f5f9681ea74cad1b06e73862d8301b4f7e06b46e3548a

SHA512
88c813f76e8ba46b3cbd3723b8f9e4080d7ba6b9bd52d1af8423770d40a176a6643b7c028e4036c01a248dbd3e9707eb2e3ea38acce877224ea047fe0ce17337

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
7b19cb43db4a3da01c493d4816199ad6

SHA1
ed99e66f9013bec8d44238bd5aeefe33bccff210

SHA256
a3b430bc946e0c282215a70361a20c35ede0a988eb5aa8710ca0a9f724e920c2

SHA512
c19141efca53b343bbe52b6b29bfdb7d65d4d26cab5ffe7555fe58d2d40f4da077fd0453b1075b78a77e3c646f577c4f472b087d9e56a9ce7427c4671f0ae14d

Download Submit
\??\c:\windows\system\svchost.exe

MD5
0d22e14076f9bfb29ab18e1bb27d1814

SHA1
fbb5f04bf2110c7bc4e79d10b6b46bd9d8bd4e3e

SHA256
83d4f30637d34763ca07e5927763723c9707c59a5390800099b267c25f617b8e

SHA512
c561d8f56bcffd27bbd84e27716ffa1634fffb50bcad304f97765faa5ace850328477d1c57c06b704aa4e20f23b6b4a21ddc893a8bf375769c336fee751c9ad3

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EnglishRc.dll

MD5
ef5ae434ec7d7048c17ab9d7cde7d124

SHA1
8238b8d9efa1db742e5f8f1214c17c7f71bc23b7

SHA256
fe88362b458e2a12b2a775415e4f13efe2d1f053a2717755cf6e706f57a346c5

SHA512
63febd1b1c2fe6547c9aefc6e2c895ac81b5a3a58839efa32aa0f106b1c1741de4666edca68203e7ab2b82613c1e186accb13c58a6ec9b9318e4a3b72485b30a

Download Submit
memory/852-143-0x0000000000000000-mapping.dmp

Download
memory/1084-149-0x0000000000000000-mapping.dmp

Download
memory/1392-155-0x0000000000000000-mapping.dmp

Download
memory/2212-154-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2212-121-0x0000000000000000-mapping.dmp

Download
memory/2824-157-0x0000000000000000-mapping.dmp

Download
memory/3188-137-0x0000000000000000-mapping.dmp

Download
memory/3220-124-0x0000000000000000-mapping.dmp

Download
memory/3304-163-0x0000000000000000-mapping.dmp

Download
memory/3480-169-0x0000000000000000-mapping.dmp

Download
memory/4180-131-0x0000000000000000-mapping.dmp

Download
memory/4276-120-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4276-117-0x0000000000000000-mapping.dmp

Download
memory/4348-168-0x0000000000000000-mapping.dmp

Download
memory/4516-170-0x0000000000000000-mapping.dmp

Download
memory/4660-171-0x0000000000000000-mapping.dmp

Download
memory/4672-177-0x0000000000000000-mapping.dmp

Download