Analysis

max time kernel: 153s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 03:17

Tasks

- Static task static1
- Behavioral task behavioral1: sample "auto kick + tav/AutoClick.exe", resource win7-20220414-en
- Behavioral task behavioral2: sample "auto kick + tav/AutoClick.exe", resource win10v2004-20220414-en
- Behavioral task behavioral3: sample "auto kick + tav/auto tab.exe", resource win7-20220414-en
- Behavioral task behavioral4: sample "auto kick + tav/auto tab.exe", resource win10v2004-20220414-en

The results on this page are from the behavioral4 run: the target is auto tab.exe and the resource is win10v2004-20220414-en. The AutoClick.exe runs and the Windows 7 runs are separate reports.
General

Target: auto kick + tav/auto tab.exe
Size: 658KB
MD5: 21ffdf539c05ca2c05172763d3334ebc
SHA1: 5bec96d4311fd14b21debf26f4127072169cfa4e
SHA256: f562be835e7367f8a73271b34b5d4d583237ab2933a4ef3703f6fcdca1b849e1
SHA512: 73812ddd1d72bb4f4d7adf54ee00589b4b3cac5cff3d5f12657a6eb946165cd8c269074664fc70aeeefb6633f54c1a41c98df5991da580b024ed9e9388063205
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
The Shell value is a comma-separated list of programs, so the real C:\Windows\explorer.exe still starts and the dropped c:\windows\system\explorer.exe is launched behind it; the desktop looks normal. Both writes were recorded under WOW6432Node, the 32-bit registry view (the sample is 32-bit; note SysWOW64\at.exe below). On a 64-bit host also check the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell value, and verify rather than assume that the 64-bit winlogon.exe honours the redirected copy.

Modifies visibility of hidden/system files in Explorer (2 TTPs)

Executes dropped EXE (6 IoCs)
- PID 5048 auto tab.exe
- PID 4300 icsys.icn.exe
- PID 4576 explorer.exe
- PID 4088 spoolsv.exe
- PID 1720 svchost.exe
- PID 2372 spoolsv.exe

Modifies Installed Components in the registry (2 TTPs)

YARA rule match: upx
- C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe: upx
- \??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe: upx

Adds Run key to start application (2 TTPs, 6 IoCs)
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
RunOnce values are deleted after they run, but both dropped components rewrite the same two values on every execution, so the "once" semantics do not limit the persistence. The "RO" argument, like the "SE" and "PR" arguments in the process tree, is a switch the components pass to each other.

Drops file in Windows directory (6 IoCs)
- icsys.icn.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
The drop directory is c:\windows\system, the legacy directory, not System32 or SysWOW64; the file names copy real Windows processes, so check the full path and not just the image name. udsys.exe is opened for modification but appears neither among the dropped-file hashes below nor in the process tree.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; nothing else in this report (no file renames, no mass file writes outside c:\windows\system) shows encryption activity, so treat the ransomware label as unconfirmed.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 64 events from PID 4300 icsys.icn.exe, PID 4576 explorer.exe and PID 1720 svchost.exe

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
- PID 5048 auto tab.exe
- PID 4576 explorer.exe
- PID 1720 svchost.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
- all 64 from PID 5048 auto tab.exe

Suspicious use of SendNotifyMessage (64 IoCs)
- all 64 from PID 5048 auto tab.exe
The tray-window and notify-message activity is confined to PID 5048, the 452KB copy of auto tab.exe written back to the original path (see Downloads), consistent with the GUI auto-clicker the file name suggests rather than with the dropped components.

Suspicious use of SetWindowsHookEx (14 IoCs)
- PID 3364 auto tab.exe (2)
- PID 4300 icsys.icn.exe (2)
- PID 4576 explorer.exe (4)
- PID 4088 spoolsv.exe (2)
- PID 1720 svchost.exe (2)
- PID 2372 spoolsv.exe (2)

Suspicious use of WriteProcessMemory (27 IoCs)
Nine parent-to-child pairs, each recorded three times:
- PID 3364 auto tab.exe wrote to memory of PID 5048 auto tab.exe
- PID 3364 auto tab.exe wrote to memory of PID 4300 icsys.icn.exe
- PID 4300 icsys.icn.exe wrote to memory of PID 4576 explorer.exe
- PID 4576 explorer.exe wrote to memory of PID 4088 spoolsv.exe
- PID 4088 spoolsv.exe wrote to memory of PID 1720 svchost.exe
- PID 1720 svchost.exe wrote to memory of PID 2372 spoolsv.exe
- PID 1720 svchost.exe wrote to memory of PID 4832 at.exe
- PID 1720 svchost.exe wrote to memory of PID 4012 at.exe
- PID 1720 svchost.exe wrote to memory of PID 1616 at.exe
In every case the writer is the parent and the target is the child it has just created; the report records the writes, not their content.
Processes

PIDs are taken from the WriteProcessMemory IoCs above; the number before each entry is its depth in the tree.

1. C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe (PID 3364)
   command line: "C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe (PID 5048)
      command line: "c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe "
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\icsys.icn.exe (PID 4300)
      command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\system\explorer.exe (PID 4576)
         command line: c:\windows\system\explorer.exe
         - Modifies WinLogon for persistence
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\system\spoolsv.exe (PID 4088)
            command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\system\svchost.exe (PID 1720)
               command line: c:\windows\system\svchost.exe
               - Modifies WinLogon for persistence
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6. \??\c:\windows\system\spoolsv.exe (PID 2372)
                  command line: c:\windows\system\spoolsv.exe PR
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

               6. C:\Windows\SysWOW64\at.exe (PID 4832)
                  command line: at 05:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

               6. C:\Windows\SysWOW64\at.exe (PID 4012)
                  command line: at 05:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

               6. C:\Windows\SysWOW64\at.exe (PID 1616)
                  command line: at 05:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

The chain is a relay: the original auto tab.exe launches a second copy of itself and icsys.icn.exe; icsys.icn.exe starts the dropped explorer.exe, which starts spoolsv.exe, which starts svchost.exe, which starts a second spoolsv.exe and three at.exe jobs that relaunch c:\windows\system\svchost.exe every day at 05:25, 05:26 and 05:27. at.exe is deprecated in favour of schtasks.exe; the report shows the commands issued, not whether the Task Scheduler accepted the jobs, so on a live host check both the AT job list and the scheduled-task library.
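The checks a responder would run over endpoint telemetry for the persistence recorded above (the Winlogon Shell append, the RunOnce values, the system-named binaries in c:\windows\system and the at.exe jobs), as an added example. This is not part of the sandbox output and not code from the sample; the event dictionary layout and the EXPECTED_DIRS table are assumptions, and SAMPLE_EVENTS is constructed from the IoCs on this page plus one benign control event.

```python
"""Triage checks for the persistence this report records: a second program appended to
the Winlogon Shell value, RunOnce values pointing into c:\\windows\\system\\, binaries
with system-process names dropped outside their real directories, and at.exe jobs that
relaunch one of them. Added example; the events below are constructed from the report's
IoCs, not taken from Sysmon or from the sandbox itself."""
import ntpath
import re

# Directories where each system-named image legitimately lives on 64-bit Windows
# (assumed table). c:\windows\system (no "32") is the legacy directory and is in none.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
# Default Winlogon Shell content, in the two spellings seen in practice.
WINLOGON_SHELL_DEFAULT = {"explorer.exe", r"c:\windows\explorer.exe"}
# `at HH:MM [/switch ...] target`; the target is taken as a single unquoted token.
AT_JOB = re.compile(r"^at\s+(\d{1,2}:\d{2})((?:\s+/\S+)*)\s+(\S+)$", re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case a path and drop surrounding quotes/blanks and the \\??\\ NT prefix."""
    p = path.strip().strip('"').strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerade(path: str) -> bool:
    """True when a system process name sits outside the directory it belongs in."""
    p = normalize(path)
    name = ntpath.basename(p)
    return name in EXPECTED_DIRS and ntpath.dirname(p) not in EXPECTED_DIRS[name]


def winlogon_shell_extras(value: str) -> list[str]:
    """Shell is a comma-separated program list; return every entry beyond the default."""
    entries = [normalize(e) for e in value.split(",") if e.strip()]
    return [e for e in entries if e not in WINLOGON_SHELL_DEFAULT]


def command_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(None, 1)[0]


def parse_at_job(cmdline: str):
    """(time, switches, target) for an at.exe job command line, else None."""
    m = AT_JOB.match(cmdline.strip())
    return (m.group(1), m.group(2).split(), m.group(3)) if m else None


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Run the checks over registry-set and process-create events; return findings."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            key = ev["key"].lower()
            if key.endswith(r"\winlogon\shell"):
                findings += [("winlogon_shell", e) for e in winlogon_shell_extras(ev["value"])]
            elif "\\currentversion\\run" in key:  # Run, RunOnce, RunServices...
                img = command_image(ev["value"])
                if masquerade(img):
                    findings.append(("run_key_masquerade", normalize(img)))
        elif ev["type"] == "process_create":
            if masquerade(ev["image"]):
                findings.append(("image_masquerade", normalize(ev["image"])))
            job = parse_at_job(ev["cmdline"])
            if job and masquerade(job[2]):
                findings.append(("at_job", f"{job[0]} {job[2]}"))
    return findings


# Constructed from the report's IoCs plus one benign control event; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "explorer.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "value": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"},
    {"type": "registry_set", "process": "explorer.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "value": r"c:\windows\system\svchost.exe RO"},
    {"type": "process_create", "image": r"\??\c:\windows\system\spoolsv.exe",
     "cmdline": r"c:\windows\system\spoolsv.exe SE"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 05:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign: not flagged
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:20s} {detail}")
```

On the constructed events the run yields four findings (the extra Shell entry, the RunOnce target, the spoolsv.exe image path and the at.exe job) and nothing for the real System32\svchost.exe. On a 64-bit host, feed it registry events from both the native key and the WOW6432Node view; the report only shows the 32-bit view being written, and a check that reads one view will miss the other.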
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\auto kick + tav\auto tab.exe (also listed as \??\c:\users\admin\appdata\local\temp\auto kick + tav\auto tab.exe)
  Filesize: 452KB
  MD5: 2bf50c8203fa55fef54b6e07694f7a38
  SHA1: 9b8fead795158a995d213c0d9cb161b4f590a956
  SHA256: f531dd4dd7696c94fbd3a8963d0846a55c3d71ce4288d1c19b35bc6691561aef
  SHA512: 60c0746e7f1f2e720ca02b3d6551430fa00f8511652ff58ee9d73b064852130a3bb765805bed5a1f3a86dc9255207e373740eaf23465dce50b239a5ff75b6468
  This is the submitted sample's own path, but the file is 452KB with hashes that differ from the 658KB target in General: the sample overwrote itself with a smaller executable, which then runs as PID 5048. The difference of roughly 206KB matches the size of the dropped components below.

- C:\Users\Admin\AppData\Local\icsys.icn.exe
  Filesize: 206KB
  MD5: 3ef59349c24f04405d45f339cd72ec87
  SHA1: cecc4c87668dd58e76123c10deceaefdcb400295
  SHA256: 16c9459454c1e1ee0d76b39a6b82dd6b56b0efd0b8afe4818e2cb26489196460
  SHA512: 51dee956aa7c2671e47e86f557e83c6fab79e6a4367e4f6d12acc42cd37421ec3d4e0f3d9c8966f2958bd01f895ddfd3ba103bad5aaee25023cc50b5b40f91cf

- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 206KB
  MD5: 243902f026633034842734be6e8a5445
  SHA1: b29ca7b5c27b386b907a0fd239ab090a66b89b0e
  SHA256: 1d6ca62149385f190f95bb86f161ff5c3f050265e5a9b6e32892f732f85d1b61
  SHA512: fccf347e840bf2e92aa11ba5998b99362ef33416385939742a557aadf71a05dd288911e05608100167d7440c09b23a8ef4fd89091acaff16a81efe033da67365
  mrsys.exe is written but does not appear in the process tree during this run; include it in any cleanup.

- C:\Windows\System\explorer.exe (also listed as \??\c:\windows\system\explorer.exe)
  Filesize: 207KB
  MD5: 770efaf7013579b67c0e92ce90e1f13f
  SHA1: 50c210fa9fa1f7dbe0aeee70f52ace3bd9d27f44
  SHA256: 68c0f10ac3ac1592e34df0bf6f61ce33307a7a35cce919c72fd9a1202ec2b977
  SHA512: d46c11a11b6d483a9f8119a90ae11b15c3952a2530295473a3cea359216f0735acdd9e957644f1a24f24c2dbf76c3a0425f8c7c286f564e3acadf0260c28a9c1

- C:\Windows\System\spoolsv.exe (also listed as \??\c:\windows\system\spoolsv.exe)
  Filesize: 206KB
  MD5: 0d79a7f4258a80827c03b397a968f9f6
  SHA1: 3e67bed0800551e5d4ed0a552998545610a07485
  SHA256: 2d68b9febc5d62721188e659bda0e05e272609592cc5c60c97567d8e70a3112f
  SHA512: f0a06ba152cac8259d4afcae44cd7ec16f8fab45cecdf493732bc8bc221ba626ad16e8b20b8e718d3adf5b3e43524027e7ced4a6862ae59d2e5ef0474e31dceb

- C:\Windows\System\svchost.exe (also listed as \??\c:\windows\system\svchost.exe)
  Filesize: 206KB
  MD5: 2ba2cadc9dfa2888ec5578abfce29142
  SHA1: 08c69b624ab6e2c1d985223db57264b425e02b37
  SHA256: c5a0a9adcb95d8a6e9788022f6b90f75ac72c757e13d38fc2682e04921f99502
  SHA512: 54f1ab44a874499ab05997acb28f6a3b70b51a8ab9e085e31bd554ce63c88eb43b57518e50e4d0ec4d25c5fd53937d74e2a7003a2e8248d3a70d4823d106a29b

The five 206 to 207KB components carry five different hash sets, so blocking on any single hash from this report will not catch the other copies; hunt on the paths, the system-process names outside their real directories, the registry values and the at.exe jobs instead.
Memory dumps

- memory/1616-168-0x0000000000000000-mapping.dmp
- memory/1720-154-0x0000000000000000-mapping.dmp
- memory/2372-160-0x0000000000000000-mapping.dmp
- memory/4012-167-0x0000000000000000-mapping.dmp
- memory/4088-148-0x0000000000000000-mapping.dmp
- memory/4300-136-0x0000000000000000-mapping.dmp
- memory/4576-142-0x0000000000000000-mapping.dmp
- memory/4832-165-0x0000000000000000-mapping.dmp
- memory/5048-133-0x0000000000000000-mapping.dmp