1a21976839b8361a4d5b6f52685bf2fdee93f7b5c3299d2080cf42e58a012ba4

Analysis

max time kernel
153s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auto kick + tav/auto tab.exe
Size

658KB
MD5

21ffdf539c05ca2c05172763d3334ebc
SHA1

5bec96d4311fd14b21debf26f4127072169cfa4e
SHA256

f562be835e7367f8a73271b34b5d4d583237ab2933a4ef3703f6fcdca1b849e1
SHA512

73812ddd1d72bb4f4d7adf54ee00589b4b3cac5cff3d5f12657a6eb946165cd8c269074664fc70aeeefb6633f54c1a41c98df5991da580b024ed9e9388063205

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

auto tab.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

5048 auto tab.exe
4300 icsys.icn.exe
4576 explorer.exe
4088 spoolsv.exe
1720 svchost.exe
2372 spoolsv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe	upx
\??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
4300	icsys.icn.exe
4300	icsys.icn.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe
1720	svchost.exe
1720	svchost.exe
4576	explorer.exe
4576	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

auto tab.exe explorer.exesvchost.exe

pid process

5048 auto tab.exe
4576 explorer.exe
1720 svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

auto tab.exe

pid	process
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

auto tab.exe

pid	process
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe
5048	auto tab.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

auto tab.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3364	auto tab.exe
3364	auto tab.exe
4300	icsys.icn.exe
4300	icsys.icn.exe
4576	explorer.exe
4576	explorer.exe
4088	spoolsv.exe
4088	spoolsv.exe
1720	svchost.exe
1720	svchost.exe
2372	spoolsv.exe
2372	spoolsv.exe
4576	explorer.exe
4576	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

auto tab.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3364 wrote to memory of 5048	3364	auto tab.exe	auto tab.exe
PID 3364 wrote to memory of 5048	3364	auto tab.exe	auto tab.exe
PID 3364 wrote to memory of 5048	3364	auto tab.exe	auto tab.exe
PID 3364 wrote to memory of 4300	3364	auto tab.exe	icsys.icn.exe
PID 3364 wrote to memory of 4300	3364	auto tab.exe	icsys.icn.exe
PID 3364 wrote to memory of 4300	3364	auto tab.exe	icsys.icn.exe
PID 4300 wrote to memory of 4576	4300	icsys.icn.exe	explorer.exe
PID 4300 wrote to memory of 4576	4300	icsys.icn.exe	explorer.exe
PID 4300 wrote to memory of 4576	4300	icsys.icn.exe	explorer.exe
PID 4576 wrote to memory of 4088	4576	explorer.exe	spoolsv.exe
PID 4576 wrote to memory of 4088	4576	explorer.exe	spoolsv.exe
PID 4576 wrote to memory of 4088	4576	explorer.exe	spoolsv.exe
PID 4088 wrote to memory of 1720	4088	spoolsv.exe	svchost.exe
PID 4088 wrote to memory of 1720	4088	spoolsv.exe	svchost.exe
PID 4088 wrote to memory of 1720	4088	spoolsv.exe	svchost.exe
PID 1720 wrote to memory of 2372	1720	svchost.exe	spoolsv.exe
PID 1720 wrote to memory of 2372	1720	svchost.exe	spoolsv.exe
PID 1720 wrote to memory of 2372	1720	svchost.exe	spoolsv.exe
PID 1720 wrote to memory of 4832	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 4832	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 4832	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 4012	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 4012	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 4012	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 1616	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 1616	1720	svchost.exe	at.exe
PID 1720 wrote to memory of 1616	1720	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe
"C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

\??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe
"c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe "
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\at.exe
at 05:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4832

C:\Windows\SysWOW64\at.exe
at 05:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4012

C:\Windows\SysWOW64\at.exe
at 05:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe
Filesize
452KB

MD5
2bf50c8203fa55fef54b6e07694f7a38

SHA1
9b8fead795158a995d213c0d9cb161b4f590a956

SHA256
f531dd4dd7696c94fbd3a8963d0846a55c3d71ce4288d1c19b35bc6691561aef

SHA512
60c0746e7f1f2e720ca02b3d6551430fa00f8511652ff58ee9d73b064852130a3bb765805bed5a1f3a86dc9255207e373740eaf23465dce50b239a5ff75b6468

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
3ef59349c24f04405d45f339cd72ec87

SHA1
cecc4c87668dd58e76123c10deceaefdcb400295

SHA256
16c9459454c1e1ee0d76b39a6b82dd6b56b0efd0b8afe4818e2cb26489196460

SHA512
51dee956aa7c2671e47e86f557e83c6fab79e6a4367e4f6d12acc42cd37421ec3d4e0f3d9c8966f2958bd01f895ddfd3ba103bad5aaee25023cc50b5b40f91cf

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
3ef59349c24f04405d45f339cd72ec87

SHA1
cecc4c87668dd58e76123c10deceaefdcb400295

SHA256
16c9459454c1e1ee0d76b39a6b82dd6b56b0efd0b8afe4818e2cb26489196460

SHA512
51dee956aa7c2671e47e86f557e83c6fab79e6a4367e4f6d12acc42cd37421ec3d4e0f3d9c8966f2958bd01f895ddfd3ba103bad5aaee25023cc50b5b40f91cf

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
243902f026633034842734be6e8a5445

SHA1
b29ca7b5c27b386b907a0fd239ab090a66b89b0e

SHA256
1d6ca62149385f190f95bb86f161ff5c3f050265e5a9b6e32892f732f85d1b61

SHA512
fccf347e840bf2e92aa11ba5998b99362ef33416385939742a557aadf71a05dd288911e05608100167d7440c09b23a8ef4fd89091acaff16a81efe033da67365

Download Submit
C:\Windows\System\explorer.exe
Filesize
207KB

MD5
770efaf7013579b67c0e92ce90e1f13f

SHA1
50c210fa9fa1f7dbe0aeee70f52ace3bd9d27f44

SHA256
68c0f10ac3ac1592e34df0bf6f61ce33307a7a35cce919c72fd9a1202ec2b977

SHA512
d46c11a11b6d483a9f8119a90ae11b15c3952a2530295473a3cea359216f0735acdd9e957644f1a24f24c2dbf76c3a0425f8c7c286f564e3acadf0260c28a9c1

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
206KB

MD5
0d79a7f4258a80827c03b397a968f9f6

SHA1
3e67bed0800551e5d4ed0a552998545610a07485

SHA256
2d68b9febc5d62721188e659bda0e05e272609592cc5c60c97567d8e70a3112f

SHA512
f0a06ba152cac8259d4afcae44cd7ec16f8fab45cecdf493732bc8bc221ba626ad16e8b20b8e718d3adf5b3e43524027e7ced4a6862ae59d2e5ef0474e31dceb

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
206KB

MD5
0d79a7f4258a80827c03b397a968f9f6

SHA1
3e67bed0800551e5d4ed0a552998545610a07485

SHA256
2d68b9febc5d62721188e659bda0e05e272609592cc5c60c97567d8e70a3112f

SHA512
f0a06ba152cac8259d4afcae44cd7ec16f8fab45cecdf493732bc8bc221ba626ad16e8b20b8e718d3adf5b3e43524027e7ced4a6862ae59d2e5ef0474e31dceb

Download Submit
C:\Windows\System\svchost.exe
Filesize
206KB

MD5
2ba2cadc9dfa2888ec5578abfce29142

SHA1
08c69b624ab6e2c1d985223db57264b425e02b37

SHA256
c5a0a9adcb95d8a6e9788022f6b90f75ac72c757e13d38fc2682e04921f99502

SHA512
54f1ab44a874499ab05997acb28f6a3b70b51a8ab9e085e31bd554ce63c88eb43b57518e50e4d0ec4d25c5fd53937d74e2a7003a2e8248d3a70d4823d106a29b

Download Submit
\??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe
Filesize
452KB

MD5
2bf50c8203fa55fef54b6e07694f7a38

SHA1
9b8fead795158a995d213c0d9cb161b4f590a956

SHA256
f531dd4dd7696c94fbd3a8963d0846a55c3d71ce4288d1c19b35bc6691561aef

SHA512
60c0746e7f1f2e720ca02b3d6551430fa00f8511652ff58ee9d73b064852130a3bb765805bed5a1f3a86dc9255207e373740eaf23465dce50b239a5ff75b6468

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
207KB

MD5
770efaf7013579b67c0e92ce90e1f13f

SHA1
50c210fa9fa1f7dbe0aeee70f52ace3bd9d27f44

SHA256
68c0f10ac3ac1592e34df0bf6f61ce33307a7a35cce919c72fd9a1202ec2b977

SHA512
d46c11a11b6d483a9f8119a90ae11b15c3952a2530295473a3cea359216f0735acdd9e957644f1a24f24c2dbf76c3a0425f8c7c286f564e3acadf0260c28a9c1

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
206KB

MD5
0d79a7f4258a80827c03b397a968f9f6

SHA1
3e67bed0800551e5d4ed0a552998545610a07485

SHA256
2d68b9febc5d62721188e659bda0e05e272609592cc5c60c97567d8e70a3112f

SHA512
f0a06ba152cac8259d4afcae44cd7ec16f8fab45cecdf493732bc8bc221ba626ad16e8b20b8e718d3adf5b3e43524027e7ced4a6862ae59d2e5ef0474e31dceb

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
206KB

MD5
2ba2cadc9dfa2888ec5578abfce29142

SHA1
08c69b624ab6e2c1d985223db57264b425e02b37

SHA256
c5a0a9adcb95d8a6e9788022f6b90f75ac72c757e13d38fc2682e04921f99502

SHA512
54f1ab44a874499ab05997acb28f6a3b70b51a8ab9e085e31bd554ce63c88eb43b57518e50e4d0ec4d25c5fd53937d74e2a7003a2e8248d3a70d4823d106a29b

Download Submit
memory/1616-168-0x0000000000000000-mapping.dmp

Download
memory/1720-154-0x0000000000000000-mapping.dmp

Download
memory/2372-160-0x0000000000000000-mapping.dmp

Download
memory/4012-167-0x0000000000000000-mapping.dmp

Download
memory/4088-148-0x0000000000000000-mapping.dmp

Download
memory/4300-136-0x0000000000000000-mapping.dmp

Download
memory/4576-142-0x0000000000000000-mapping.dmp

Download
memory/4832-165-0x0000000000000000-mapping.dmp

Download
memory/5048-133-0x0000000000000000-mapping.dmp

Download