6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 16:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
Size

302KB
MD5

a12d6b3497b2bbe832d1feaff73618c8
SHA1

73bd5ebb5d0f9280d5ef2a35c7c25ee971621c26
SHA256

6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b
SHA512

2c4547a9a824e0bd66500ea9a68442b92aa1563e20dfdac29215580a84ef52373b155c02f2a742237551ae68303408771cf43d5eb41e9498523746eec51abae1
SSDEEP

6144:+/gfXwt85ZCZD0jLBAmyUxKcWY3FaNSDyDRO1thpk:+/6gts4ZD0yUxKtY3FCSDyo1tjk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1320	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1800	icsys.icn.exe

Loads dropped DLL 4 IoCs

pid	Process
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe
1800	icsys.icn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
1800	icsys.icn.exe
1800	icsys.icn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1320	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	26
PID 1488 wrote to memory of 1320	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	26
PID 1488 wrote to memory of 1320	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	26
PID 1488 wrote to memory of 1320	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	26
PID 1488 wrote to memory of 1800	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	27
PID 1488 wrote to memory of 1800	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	27
PID 1488 wrote to memory of 1800	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	27
PID 1488 wrote to memory of 1800	1488	6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe	27
PID 1800 wrote to memory of 1308	1800	icsys.icn.exe	28
PID 1800 wrote to memory of 1308	1800	icsys.icn.exe	28
PID 1800 wrote to memory of 1308	1800	icsys.icn.exe	28
PID 1800 wrote to memory of 1308	1800	icsys.icn.exe	28

C:\Users\Admin\AppData\Local\Temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
"C:\Users\Admin\AppData\Local\Temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- \??\c:\users\admin\appdata\local\temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
  c:\users\admin\appdata\local\temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800
- - \??\c:\windows\SysWOW64\explorer.exe
    c:\windows\system32\explorer.exe
    3⤵
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe

Filesize
95KB

MD5
c182878d8545a827becf299c1832b1b7

SHA1
21e72728bc046b8ec16155c1aa5a715079c4faef

SHA256
bd7f620e336d7e945ccec9d05d7a8f34136269170e78e4828097f32146b89b00

SHA512
25e32e244a2d0bedb002c4f6110e6733a49f681104120f13dbb93bd883acf8afdf7ff29b16574c1ee6506634ba271b9fe0c82e1f3832eb011c41e53a6e506e89

Download Submit
C:\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
206KB

MD5
5d2cfa91c0d6234fd399a6cf986609f8

SHA1
8fe8df69b1c69b17d23f1e5de42986a5c70b829b

SHA256
7547563751288d764916a83a9eca1ceb77653081d2609f4dbec00c15324ba9fd

SHA512
e2a14cf5c571c1b8f7695f8121cad44f54d2e64e84100637837495e1686f410a70349e4efc57d8c74ec2f67400079644dcead6ac66e1e985ab64867b62db3fcd

Download Submit
\??\c:\users\admin\appdata\roaming\icsys.icn.exe

Filesize
206KB

MD5
5d2cfa91c0d6234fd399a6cf986609f8

SHA1
8fe8df69b1c69b17d23f1e5de42986a5c70b829b

SHA256
7547563751288d764916a83a9eca1ceb77653081d2609f4dbec00c15324ba9fd

SHA512
e2a14cf5c571c1b8f7695f8121cad44f54d2e64e84100637837495e1686f410a70349e4efc57d8c74ec2f67400079644dcead6ac66e1e985ab64867b62db3fcd

Download Submit
\Users\Admin\AppData\Local\Temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe

Filesize
95KB

MD5
c182878d8545a827becf299c1832b1b7

SHA1
21e72728bc046b8ec16155c1aa5a715079c4faef

SHA256
bd7f620e336d7e945ccec9d05d7a8f34136269170e78e4828097f32146b89b00

SHA512
25e32e244a2d0bedb002c4f6110e6733a49f681104120f13dbb93bd883acf8afdf7ff29b16574c1ee6506634ba271b9fe0c82e1f3832eb011c41e53a6e506e89

Download Submit
\Users\Admin\AppData\Local\Temp\6daafaa8e6b1ff5931a6df7caa4da43f60d12bd11627dd4a1933454390afde4b.exe

Filesize
95KB

MD5
c182878d8545a827becf299c1832b1b7

SHA1
21e72728bc046b8ec16155c1aa5a715079c4faef

SHA256
bd7f620e336d7e945ccec9d05d7a8f34136269170e78e4828097f32146b89b00

SHA512
25e32e244a2d0bedb002c4f6110e6733a49f681104120f13dbb93bd883acf8afdf7ff29b16574c1ee6506634ba271b9fe0c82e1f3832eb011c41e53a6e506e89

Download Submit
\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
206KB

MD5
5d2cfa91c0d6234fd399a6cf986609f8

SHA1
8fe8df69b1c69b17d23f1e5de42986a5c70b829b

SHA256
7547563751288d764916a83a9eca1ceb77653081d2609f4dbec00c15324ba9fd

SHA512
e2a14cf5c571c1b8f7695f8121cad44f54d2e64e84100637837495e1686f410a70349e4efc57d8c74ec2f67400079644dcead6ac66e1e985ab64867b62db3fcd

Download Submit
\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
206KB

MD5
5d2cfa91c0d6234fd399a6cf986609f8

SHA1
8fe8df69b1c69b17d23f1e5de42986a5c70b829b

SHA256
7547563751288d764916a83a9eca1ceb77653081d2609f4dbec00c15324ba9fd

SHA512
e2a14cf5c571c1b8f7695f8121cad44f54d2e64e84100637837495e1686f410a70349e4efc57d8c74ec2f67400079644dcead6ac66e1e985ab64867b62db3fcd

Download Submit
memory/1308-77-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1320-74-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/1488-57-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-72-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/1488-73-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download