Analysis
- max time kernel: 151s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:14

Static task: static1

Behavioral task: behavioral1
- Sample: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Resource: win10v2004-20220414-en
General
- Target: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Size: 1016KB
- MD5: bb80bec60840b8f1b3c8a9510fef4613
- SHA1: 370d906cbdf5a220ca57b19a33651c96c4cba16e
- SHA256: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed
- SHA512: 472d4002cb4b44dd264ddf3c1a3bccc7674eb430a3e73c401b7617a0a09597ce8d00a2a9bc9b35e459de075fa57938547a98aac6c5c5f26c591d362025113c87
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Executes dropped EXE (6 IoCs)
  Processes: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  4616 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  1040 | icsys.icn.exe
  4964 | explorer.exe
  3584 | spoolsv.exe
  4648 | svchost.exe
  528 | spoolsv.exe
- Modifies Installed Components in the registry (2 TTPs)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: icsys.icn.exe, explorer.exe, svchost.exe
  pid | process (the original table lists 64 repeated entries across these three processes)
  1040 | icsys.icn.exe
  4964 | explorer.exe
  4648 | svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  Processes: explorer.exe, svchost.exe, 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  pid | process
  4964 | explorer.exe
  4648 | svchost.exe
  4616 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  pid | process
  4616 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  pid | process
  4616 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe, 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  3864 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  3864 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  4616 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  1040 | icsys.icn.exe
  1040 | icsys.icn.exe
  4964 | explorer.exe
  4964 | explorer.exe
  3584 | spoolsv.exe
  3584 | spoolsv.exe
  4648 | svchost.exe
  4648 | svchost.exe
  528 | spoolsv.exe
  528 | spoolsv.exe
  4964 | explorer.exe
  4964 | explorer.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process (each of the nine relationships below is recorded three times in the original table, 27 entries in total)
  PID 3864 wrote to memory of 4616 | 3864 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
  PID 3864 wrote to memory of 1040 | 3864 | 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe | icsys.icn.exe
  PID 1040 wrote to memory of 4964 | 1040 | icsys.icn.exe | explorer.exe
  PID 4964 wrote to memory of 3584 | 4964 | explorer.exe | spoolsv.exe
  PID 3584 wrote to memory of 4648 | 3584 | spoolsv.exe | svchost.exe
  PID 4648 wrote to memory of 528 | 4648 | svchost.exe | spoolsv.exe
  PID 4648 wrote to memory of 4640 | 4648 | svchost.exe | at.exe
  PID 4648 wrote to memory of 408 | 4648 | svchost.exe | at.exe
  PID 4648 wrote to memory of 2932 | 4648 | svchost.exe | at.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
        Command line: c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
    [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
        Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] \??\c:\windows\system\explorer.exe
            Command line: c:\windows\system\explorer.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\windows\system\spoolsv.exe
                Command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] \??\c:\windows\system\svchost.exe
                    Command line: c:\windows\system\svchost.exe
                    - Modifies WinLogon for persistence
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] \??\c:\windows\system\spoolsv.exe
                        Command line: c:\windows\system\spoolsv.exe PR
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 22:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 22:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    [6] C:\Windows\SysWOW64\at.exe
                        Command line: at 22:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Downloads