feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb

Analysis

max time kernel
188s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Size

841KB
MD5

f3723316ea9e9ca580f47c7c66d0bbac
SHA1

046519fe23523cb7e5b1c78b9088aa26fe39cbb4
SHA256

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb
SHA512

359604062b283162a1434ab91fb2e5dfee9d7ae99bf34aa3ed1bd47c7d6fa3e67097d7568cbf96eaa976c992ee417821fb59f72c6ad0707ce8e16a94d792b438
SSDEEP

12288:zENN+T5xYrllrU7QY6dM7VLbToNzkTW8nsWHd5u8etTH1Z7KconCG/z+lq:Z5xolYQY6aVnsWHHyfZ7KcoCG/z+lq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
364	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
1176	icsys.icn.exe
1676	explorer.exe
1848	spoolsv.exe
1080	svchost.exe
1768	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Loads dropped DLL 12 IoCs

Processes:

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
1176	icsys.icn.exe
1176	icsys.icn.exe
1676	explorer.exe
1676	explorer.exe
1848	spoolsv.exe
1848	spoolsv.exe
1080	svchost.exe
1080	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1176	icsys.icn.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1676	explorer.exe
1080	svchost.exe
1080	svchost.exe
1676	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1676 explorer.exe
1080 svchost.exe

pid	process
1676	explorer.exe
1080	svchost.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exefeff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
364	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
364	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
1176	icsys.icn.exe
1176	icsys.icn.exe
1676	explorer.exe
1676	explorer.exe
1848	spoolsv.exe
1848	spoolsv.exe
1080	svchost.exe
1080	svchost.exe
1768	spoolsv.exe
1768	spoolsv.exe
1676	explorer.exe
1676	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 940 wrote to memory of 364	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
PID 940 wrote to memory of 364	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
PID 940 wrote to memory of 364	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
PID 940 wrote to memory of 364	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
PID 940 wrote to memory of 1176	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	icsys.icn.exe
PID 940 wrote to memory of 1176	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	icsys.icn.exe
PID 940 wrote to memory of 1176	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	icsys.icn.exe
PID 940 wrote to memory of 1176	940	feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe	icsys.icn.exe
PID 1176 wrote to memory of 1676	1176	icsys.icn.exe	explorer.exe
PID 1176 wrote to memory of 1676	1176	icsys.icn.exe	explorer.exe
PID 1176 wrote to memory of 1676	1176	icsys.icn.exe	explorer.exe
PID 1176 wrote to memory of 1676	1176	icsys.icn.exe	explorer.exe
PID 1676 wrote to memory of 1848	1676	explorer.exe	spoolsv.exe
PID 1676 wrote to memory of 1848	1676	explorer.exe	spoolsv.exe
PID 1676 wrote to memory of 1848	1676	explorer.exe	spoolsv.exe
PID 1676 wrote to memory of 1848	1676	explorer.exe	spoolsv.exe
PID 1848 wrote to memory of 1080	1848	spoolsv.exe	svchost.exe
PID 1848 wrote to memory of 1080	1848	spoolsv.exe	svchost.exe
PID 1848 wrote to memory of 1080	1848	spoolsv.exe	svchost.exe
PID 1848 wrote to memory of 1080	1848	spoolsv.exe	svchost.exe
PID 1080 wrote to memory of 1768	1080	svchost.exe	spoolsv.exe
PID 1080 wrote to memory of 1768	1080	svchost.exe	spoolsv.exe
PID 1080 wrote to memory of 1768	1080	svchost.exe	spoolsv.exe
PID 1080 wrote to memory of 1768	1080	svchost.exe	spoolsv.exe
PID 1080 wrote to memory of 1996	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1996	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1996	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1996	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1780	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1780	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1780	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 1780	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 520	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 520	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 520	1080	svchost.exe	at.exe
PID 1080 wrote to memory of 520	1080	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
"C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

\??\c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:364

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\at.exe
at 22:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1996

C:\Windows\SysWOW64\at.exe
at 22:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1780

C:\Windows\SysWOW64\at.exe
at 22:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Filesize
634KB

MD5
2d4509d72478d600c9f6768509b39502

SHA1
0b0a88b574e9aeb95510c9217d0351603e63cea9

SHA256
e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c

SHA512
7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
05c34c66392f37d2ec52ab2b2ca018bc

SHA1
c605dc223d6bd543e535d27761f917857f3a40c4

SHA256
7115412de4c96d3080713d83618e8da75b1fede28c64a7cbffa44497d5ab3f9d

SHA512
475313f41996d12ade4b8ebfc22df5910fa4110c631adf27afbf665690d9729b98dd3b841530654f62604256d6b03cb98982b8d6610140f88e0e9b56d3ea79d3

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
ae2ede55e86a966dfc8b7d4cb576336b

SHA1
822811a7a7d3b52217e368905172543ff65349fa

SHA256
f8084e4b2fe406315b805bbe279a8bf7b4a05f489fc0f3bf174e7e33f2e18199

SHA512
83719b1bb42adc4975025ece3759737f39c7f6cc26f39781a5ebb2796d6e261127cfa7619c2aaaae661ebe44c5ddd177e5c91e0c26d0fd63a9cbd8ecd9bcfe1e

Download Submit
C:\Windows\system\explorer.exe
Filesize
206KB

MD5
b4618fdf56a4677e1991663730769698

SHA1
b9e5f172959365a8faeb6b0b0ce638440d0f9432

SHA256
b68ee10df2a7950ee117f8846328ecc1285b5bdece93d37ad251e48f8142d586

SHA512
85d32b2edd9bedfa638ec86cf973558f16cb4bd2ab58d724d896056df5ba3aaacd611fe3d78c490a42505f9a299cdcbbd0c7c1cd4c4153483a2941c72bb929f2

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
C:\Windows\system\svchost.exe
Filesize
206KB

MD5
1470e0fc41c7a289accc19a2eec99a9d

SHA1
2aaa8b9b362ff3672b71e45d1c9f728ce78e761a

SHA256
390762b9c914947d04100f40eb8a703fcc3752d9ce3d4b6eff452d75d64eb00a

SHA512
fc6940385e55969eed8febde0ec7cb5432357c6d1a0bd131dab27701e3dcee028ede2a439c8db4c5f8a17c263c4da2f43e45008ca87422d31b8ddb9996abf4be

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
Filesize
206KB

MD5
05c34c66392f37d2ec52ab2b2ca018bc

SHA1
c605dc223d6bd543e535d27761f917857f3a40c4

SHA256
7115412de4c96d3080713d83618e8da75b1fede28c64a7cbffa44497d5ab3f9d

SHA512
475313f41996d12ade4b8ebfc22df5910fa4110c631adf27afbf665690d9729b98dd3b841530654f62604256d6b03cb98982b8d6610140f88e0e9b56d3ea79d3

Download Submit
\??\c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Filesize
634KB

MD5
2d4509d72478d600c9f6768509b39502

SHA1
0b0a88b574e9aeb95510c9217d0351603e63cea9

SHA256
e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c

SHA512
7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
206KB

MD5
b4618fdf56a4677e1991663730769698

SHA1
b9e5f172959365a8faeb6b0b0ce638440d0f9432

SHA256
b68ee10df2a7950ee117f8846328ecc1285b5bdece93d37ad251e48f8142d586

SHA512
85d32b2edd9bedfa638ec86cf973558f16cb4bd2ab58d724d896056df5ba3aaacd611fe3d78c490a42505f9a299cdcbbd0c7c1cd4c4153483a2941c72bb929f2

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
206KB

MD5
1470e0fc41c7a289accc19a2eec99a9d

SHA1
2aaa8b9b362ff3672b71e45d1c9f728ce78e761a

SHA256
390762b9c914947d04100f40eb8a703fcc3752d9ce3d4b6eff452d75d64eb00a

SHA512
fc6940385e55969eed8febde0ec7cb5432357c6d1a0bd131dab27701e3dcee028ede2a439c8db4c5f8a17c263c4da2f43e45008ca87422d31b8ddb9996abf4be

Download Submit
\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Filesize
634KB

MD5
2d4509d72478d600c9f6768509b39502

SHA1
0b0a88b574e9aeb95510c9217d0351603e63cea9

SHA256
e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c

SHA512
7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a

Download Submit
\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Filesize
634KB

MD5
2d4509d72478d600c9f6768509b39502

SHA1
0b0a88b574e9aeb95510c9217d0351603e63cea9

SHA256
e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c

SHA512
7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
05c34c66392f37d2ec52ab2b2ca018bc

SHA1
c605dc223d6bd543e535d27761f917857f3a40c4

SHA256
7115412de4c96d3080713d83618e8da75b1fede28c64a7cbffa44497d5ab3f9d

SHA512
475313f41996d12ade4b8ebfc22df5910fa4110c631adf27afbf665690d9729b98dd3b841530654f62604256d6b03cb98982b8d6610140f88e0e9b56d3ea79d3

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
05c34c66392f37d2ec52ab2b2ca018bc

SHA1
c605dc223d6bd543e535d27761f917857f3a40c4

SHA256
7115412de4c96d3080713d83618e8da75b1fede28c64a7cbffa44497d5ab3f9d

SHA512
475313f41996d12ade4b8ebfc22df5910fa4110c631adf27afbf665690d9729b98dd3b841530654f62604256d6b03cb98982b8d6610140f88e0e9b56d3ea79d3

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
b4618fdf56a4677e1991663730769698

SHA1
b9e5f172959365a8faeb6b0b0ce638440d0f9432

SHA256
b68ee10df2a7950ee117f8846328ecc1285b5bdece93d37ad251e48f8142d586

SHA512
85d32b2edd9bedfa638ec86cf973558f16cb4bd2ab58d724d896056df5ba3aaacd611fe3d78c490a42505f9a299cdcbbd0c7c1cd4c4153483a2941c72bb929f2

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
b4618fdf56a4677e1991663730769698

SHA1
b9e5f172959365a8faeb6b0b0ce638440d0f9432

SHA256
b68ee10df2a7950ee117f8846328ecc1285b5bdece93d37ad251e48f8142d586

SHA512
85d32b2edd9bedfa638ec86cf973558f16cb4bd2ab58d724d896056df5ba3aaacd611fe3d78c490a42505f9a299cdcbbd0c7c1cd4c4153483a2941c72bb929f2

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
81825ca2ce9e49eabfd38d6982cc82f7

SHA1
f5fb1e28bb243c08d5053c9636713dafb6f4cc5d

SHA256
35a47281d0302c2793ea2647f098f0e9d2b1c50399ea17dfdf7e2d7445927a67

SHA512
f4fda566faee0e62dfd1250ee5e881ab338b8dbe422011d1d697cfe315d1f3fe79ae46def0a0b69c6be97e9708660b387be276163822faad0c58d1eeee623a76

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
1470e0fc41c7a289accc19a2eec99a9d

SHA1
2aaa8b9b362ff3672b71e45d1c9f728ce78e761a

SHA256
390762b9c914947d04100f40eb8a703fcc3752d9ce3d4b6eff452d75d64eb00a

SHA512
fc6940385e55969eed8febde0ec7cb5432357c6d1a0bd131dab27701e3dcee028ede2a439c8db4c5f8a17c263c4da2f43e45008ca87422d31b8ddb9996abf4be

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
1470e0fc41c7a289accc19a2eec99a9d

SHA1
2aaa8b9b362ff3672b71e45d1c9f728ce78e761a

SHA256
390762b9c914947d04100f40eb8a703fcc3752d9ce3d4b6eff452d75d64eb00a

SHA512
fc6940385e55969eed8febde0ec7cb5432357c6d1a0bd131dab27701e3dcee028ede2a439c8db4c5f8a17c263c4da2f43e45008ca87422d31b8ddb9996abf4be

Download Submit
memory/364-60-0x0000000000000000-mapping.dmp

Download
memory/520-112-0x0000000000000000-mapping.dmp

Download
memory/940-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1080-93-0x0000000000000000-mapping.dmp

Download
memory/1176-66-0x0000000000000000-mapping.dmp

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1768-102-0x0000000000000000-mapping.dmp

Download
memory/1780-110-0x0000000000000000-mapping.dmp

Download
memory/1848-84-0x0000000000000000-mapping.dmp

Download
memory/1996-107-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads