8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed

Analysis

max time kernel
151s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Size

1016KB
MD5

bb80bec60840b8f1b3c8a9510fef4613
SHA1

370d906cbdf5a220ca57b19a33651c96c4cba16e
SHA256

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed
SHA512

472d4002cb4b44dd264ddf3c1a3bccc7674eb430a3e73c401b7617a0a09597ce8d00a2a9bc9b35e459de075fa57938547a98aac6c5c5f26c591d362025113c87

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
4616	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1040	icsys.icn.exe
4964	explorer.exe
3584	spoolsv.exe
4648	svchost.exe
528	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1040	icsys.icn.exe
1040	icsys.icn.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe
4964	explorer.exe
4964	explorer.exe
4648	svchost.exe
4648	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exesvchost.exe8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid process

4964 explorer.exe
4648 svchost.exe
4616 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid process

4616 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid process

4616 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid	process
4964	explorer.exe
4648	svchost.exe
4616	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
4616	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1040	icsys.icn.exe
1040	icsys.icn.exe
4964	explorer.exe
4964	explorer.exe
3584	spoolsv.exe
3584	spoolsv.exe
4648	svchost.exe
4648	svchost.exe
528	spoolsv.exe
528	spoolsv.exe
4964	explorer.exe
4964	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3864 wrote to memory of 4616	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 3864 wrote to memory of 4616	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 3864 wrote to memory of 4616	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 3864 wrote to memory of 1040	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 3864 wrote to memory of 1040	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 3864 wrote to memory of 1040	3864	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 1040 wrote to memory of 4964	1040	icsys.icn.exe	explorer.exe
PID 1040 wrote to memory of 4964	1040	icsys.icn.exe	explorer.exe
PID 1040 wrote to memory of 4964	1040	icsys.icn.exe	explorer.exe
PID 4964 wrote to memory of 3584	4964	explorer.exe	spoolsv.exe
PID 4964 wrote to memory of 3584	4964	explorer.exe	spoolsv.exe
PID 4964 wrote to memory of 3584	4964	explorer.exe	spoolsv.exe
PID 3584 wrote to memory of 4648	3584	spoolsv.exe	svchost.exe
PID 3584 wrote to memory of 4648	3584	spoolsv.exe	svchost.exe
PID 3584 wrote to memory of 4648	3584	spoolsv.exe	svchost.exe
PID 4648 wrote to memory of 528	4648	svchost.exe	spoolsv.exe
PID 4648 wrote to memory of 528	4648	svchost.exe	spoolsv.exe
PID 4648 wrote to memory of 528	4648	svchost.exe	spoolsv.exe
PID 4648 wrote to memory of 4640	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 4640	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 4640	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 408	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 408	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 408	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 2932	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 2932	4648	svchost.exe	at.exe
PID 4648 wrote to memory of 2932	4648	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
"C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864

\??\c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\at.exe
at 22:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4640

C:\Windows\SysWOW64\at.exe
at 22:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:408

C:\Windows\SysWOW64\at.exe
at 22:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Filesize
809KB

MD5
28a6e4b12a94d3e766626a5a3546ca67

SHA1
fe8cd64f503452fe9c00c47f26f4e4f98425dcfb

SHA256
cf965fa2f4f18d3aba24c692565507a41836aa0508906a5ee8f9612a5b2bfc16

SHA512
1d8175942db1ff1aa049ceffe0a2e1f257f38b396eb557b0ebe20197c0d92818d498853fc7d177a2d0bdc496ff99c9de8bb09a18ecd005e0dc29328f2cb7109e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
8c03cf6c5e98341785234ecf493e19a4

SHA1
f6497a4f4982ef17a4c82f8a9e5a4d791b0a4431

SHA256
0dafd3f4252d5be44772f42f4b16d67662f092b7f95a4dc6b9727f0a37fb5a06

SHA512
0f0e209e3a5ab45771311ea6f578352fa8fc28a5c40f5d15ea6f15900d54341793ecd192c1e48193425568d90d67ebcadc4dda1188a54aa1abf314839b020d7e

Download Submit
C:\Windows\System\explorer.exe
Filesize
206KB

MD5
22f81e63d64d5e446462f417d498bb94

SHA1
9df3324bcc1aa4dddc9d0a29ad9bf03ccf9eb5a6

SHA256
0e8f725ba25fb5d186d06bbb903c03e80a804d8a83283825a0015569f3bcaa9a

SHA512
6438138ca6afc0c7fc35d72e1112df398b6b4210193f6e50783e420209f063c398a350e8d82e6a1bbabb463311be0016ec0bf7f56bb6a8e8e5ed9b3404364b38

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
206KB

MD5
6c556cee9b7c7a2abef032379c3eacce

SHA1
16ca1f47e82aa5dc61181e6dd9702cbf7694e577

SHA256
df88a594433964d2340116593d68de732a112bdb6525310110b8408a0d2ca5df

SHA512
379e215f785ac7cc79c0f03fecce1b657d2270bdf9d136811df54150f73f5529edde327092ec7f30504a2371b0a144a2b409c9a47bad04e7a180a9d2dae98a07

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
206KB

MD5
6c556cee9b7c7a2abef032379c3eacce

SHA1
16ca1f47e82aa5dc61181e6dd9702cbf7694e577

SHA256
df88a594433964d2340116593d68de732a112bdb6525310110b8408a0d2ca5df

SHA512
379e215f785ac7cc79c0f03fecce1b657d2270bdf9d136811df54150f73f5529edde327092ec7f30504a2371b0a144a2b409c9a47bad04e7a180a9d2dae98a07

Download Submit
C:\Windows\System\svchost.exe
Filesize
206KB

MD5
8ae99cd97a618603610e0c64bbd7041a

SHA1
61251433e5c9f805f2815d04c803080e204fd919

SHA256
415a56f5c8e57292bcc8d1115430bfe6d8a1af8f8a8409b5dbef52608514702f

SHA512
be4086fdad1b4a3752bf996e5ad8b37459da0e83e00d94072f842f4f90242135dbd4914129376bd377f3b34559ae21d4ca6fef1d184e62e7b7c1091f2b118a10

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
206KB

MD5
22f81e63d64d5e446462f417d498bb94

SHA1
9df3324bcc1aa4dddc9d0a29ad9bf03ccf9eb5a6

SHA256
0e8f725ba25fb5d186d06bbb903c03e80a804d8a83283825a0015569f3bcaa9a

SHA512
6438138ca6afc0c7fc35d72e1112df398b6b4210193f6e50783e420209f063c398a350e8d82e6a1bbabb463311be0016ec0bf7f56bb6a8e8e5ed9b3404364b38

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
206KB

MD5
6c556cee9b7c7a2abef032379c3eacce

SHA1
16ca1f47e82aa5dc61181e6dd9702cbf7694e577

SHA256
df88a594433964d2340116593d68de732a112bdb6525310110b8408a0d2ca5df

SHA512
379e215f785ac7cc79c0f03fecce1b657d2270bdf9d136811df54150f73f5529edde327092ec7f30504a2371b0a144a2b409c9a47bad04e7a180a9d2dae98a07

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
206KB

MD5
8ae99cd97a618603610e0c64bbd7041a

SHA1
61251433e5c9f805f2815d04c803080e204fd919

SHA256
415a56f5c8e57292bcc8d1115430bfe6d8a1af8f8a8409b5dbef52608514702f

SHA512
be4086fdad1b4a3752bf996e5ad8b37459da0e83e00d94072f842f4f90242135dbd4914129376bd377f3b34559ae21d4ca6fef1d184e62e7b7c1091f2b118a10

Download Submit
memory/408-166-0x0000000000000000-mapping.dmp

Download
memory/528-159-0x0000000000000000-mapping.dmp

Download
memory/1040-135-0x0000000000000000-mapping.dmp

Download
memory/2932-167-0x0000000000000000-mapping.dmp

Download
memory/3584-147-0x0000000000000000-mapping.dmp

Download
memory/4616-133-0x0000000000000000-mapping.dmp

Download
memory/4640-164-0x0000000000000000-mapping.dmp

Download
memory/4648-153-0x0000000000000000-mapping.dmp

Download
memory/4964-141-0x0000000000000000-mapping.dmp

Download