Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
  Resource: win10v2004-20220812-en
General
Target: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
Size: 841KB
MD5: f3723316ea9e9ca580f47c7c66d0bbac
SHA1: 046519fe23523cb7e5b1c78b9088aa26fe39cbb4
SHA256: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb
SHA512: 359604062b283162a1434ab91fb2e5dfee9d7ae99bf34aa3ed1bd47c7d6fa3e67097d7568cbf96eaa976c992ee417821fb59f72c6ad0707ce8e16a94d792b438
SSDEEP: 12288:zENN+T5xYrllrU7QY6dM7VLbToNzkTW8nsWHd5u8etTH1Z7KconCG/z+lq:Z5xolYQY6aVnsWHHyfZ7KcoCG/z+lq
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Executes dropped EXE (6 IoCs)
Processes: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- pid 2988: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
- pid 4984: icsys.icn.exe
- pid 2516: explorer.exe
- pid 4440: spoolsv.exe
- pid 4880: svchost.exe
- pid 3352: spoolsv.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe, svchost.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
Processes: svchost.exe, explorer.exe, icsys.icn.exe, spoolsv.exe
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: icsys.icn.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: icsys.icn.exe, explorer.exe, svchost.exe
Entries (pid process, with repeat counts; the report lists 64 entries in total):
- pid 4984: icsys.icn.exe (2 entries)
- pid 2516: explorer.exe (32 entries)
- pid 4880: svchost.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- pid 2516: explorer.exe
- pid 4880: svchost.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe, feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
Entries (pid process, each listed twice in the report):
- pid 3300: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe (2 entries)
- pid 2988: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe (2 entries)
- pid 4984: icsys.icn.exe (2 entries)
- pid 2516: explorer.exe (2 entries)
- pid 4440: spoolsv.exe (2 entries)
- pid 4880: svchost.exe (2 entries)
- pid 3352: spoolsv.exe (2 entries)
- pid 2516: explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Entries (source pid and process, target pid and process; each relation is listed three times in the report):
- PID 3300 feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe wrote to memory of 2988 feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe (3 entries)
- PID 3300 feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe wrote to memory of 4984 icsys.icn.exe (3 entries)
- PID 4984 icsys.icn.exe wrote to memory of 2516 explorer.exe (3 entries)
- PID 2516 explorer.exe wrote to memory of 4440 spoolsv.exe (3 entries)
- PID 4440 spoolsv.exe wrote to memory of 4880 svchost.exe (3 entries)
- PID 4880 svchost.exe wrote to memory of 3352 spoolsv.exe (3 entries)
- PID 4880 svchost.exe wrote to memory of 2896 at.exe (3 entries)
- PID 4880 svchost.exe wrote to memory of 2128 at.exe (3 entries)
- PID 4880 svchost.exe wrote to memory of 884 at.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe (depth 2)
    Command line: c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\icsys.icn.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe (depth 3)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\spoolsv.exe (depth 4)
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe (depth 5)
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe (depth 6)
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe (depth 6)
            Command line: at 22:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe (depth 6)
            Command line: at 22:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe (depth 6)
            Command line: at 22:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
  Filesize: 634KB
  MD5: 2d4509d72478d600c9f6768509b39502
  SHA1: 0b0a88b574e9aeb95510c9217d0351603e63cea9
  SHA256: e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c
  SHA512: 7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  Filesize: 206KB
  MD5: 05c34c66392f37d2ec52ab2b2ca018bc
  SHA1: c605dc223d6bd543e535d27761f917857f3a40c4
  SHA256: 7115412de4c96d3080713d83618e8da75b1fede28c64a7cbffa44497d5ab3f9d
  SHA512: 475313f41996d12ade4b8ebfc22df5910fa4110c631adf27afbf665690d9729b98dd3b841530654f62604256d6b03cb98982b8d6610140f88e0e9b56d3ea79d3
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 206KB
  MD5: f7d7f5fcf5809ff398e4700ec2b6d367
  SHA1: d03765b9ff777898653b3669efbabb0914827685
  SHA256: 1d3fe12089d7e3ef873e93dcba8f30647bc39e5bd813c5b11607d494f79b61ba
  SHA512: a1381a259bd93dfa2c40d0a5cc19c3aecd80e2e978a0969ba5338887a7beb684bb33b7d28ad052a20038f67e5195b1755a214b1dcd9054063d118f4e9d853bc3
- C:\Windows\System\explorer.exe
  Filesize: 206KB
  MD5: 040fbc6c8d349dd0da4dd7f0c8cbab7c
  SHA1: 656648da1be97978ecbb787b50000d125446522b
  SHA256: 5ddaff5e5f0e6ae2bf1d6034ff2d10713dc631c96c9b246bc3f83cbae8b4f018
  SHA512: 7b742b3257bead780b53e663e1dc35d3b246d9276c262c19034ec7b2529da97a96a9ff4c1f41d649b8ecb01edf2bfbb7a6de8951bcfa518f57a730dab961ee24
- C:\Windows\System\spoolsv.exe
  Filesize: 206KB
  MD5: 3adeeeed5a78efcc3825b58dd4c9e122
  SHA1: cb1bc18e82c2df03ffe79e6c206bdd9b2c866cf2
  SHA256: a411b5b0a0f7eecf374329726a427f68955619719d926c767ee4dadd65c9f6b0
  SHA512: a0c7f52a48cc1ee4b4b941961c1ec859d73051d7ac2724fbf8fbee88c0fd86ca2bb52c867f1277553857aa046c05d3917dd68e6e25dd05a0490f95ef81eb26ec
- C:\Windows\System\svchost.exe
  Filesize: 206KB
  MD5: 424d8cb9b65bbe0f56e555e8b7b74588
  SHA1: c06715fad00fa4e79fe3b7d2e201d7db3b819a8e
  SHA256: 7fa29e5d1399b9c1d867c0f2a8268905a14f68979e62fc34325d83761ac3a6f6
  SHA512: 1f40eb7ba52da653a5fa8b019aef77482c6f5fdbe116a939a764eac9411b3c7eef8da10f09b03cccf4cfdb0ac9ffc405c6fc331b5c664d53a29c7a8d99c725a1
- \??\c:\users\admin\appdata\local\temp\feff48dbec77da1c81729746bb0eaa86962b80c5ea6900fe9c25f184157f5ffb.exe
  Filesize: 634KB
  MD5: 2d4509d72478d600c9f6768509b39502
  SHA1: 0b0a88b574e9aeb95510c9217d0351603e63cea9
  SHA256: e2a18c05183f1b7da8fe50a7863ac9cfa09a420d36f1c9c93a3c0a3e62a0dd1c
  SHA512: 7b67f2bf05b038177afe32397892d47c045598c97b1af7833ffb5a28a97f773b05f5c558d42f75df7d73bc75cf089b67c1da8de806944dd62cc8e545cce9c89a
- \??\c:\windows\system\explorer.exe
  Filesize: 206KB
  MD5: 040fbc6c8d349dd0da4dd7f0c8cbab7c
  SHA1: 656648da1be97978ecbb787b50000d125446522b
  SHA256: 5ddaff5e5f0e6ae2bf1d6034ff2d10713dc631c96c9b246bc3f83cbae8b4f018
  SHA512: 7b742b3257bead780b53e663e1dc35d3b246d9276c262c19034ec7b2529da97a96a9ff4c1f41d649b8ecb01edf2bfbb7a6de8951bcfa518f57a730dab961ee24
- \??\c:\windows\system\spoolsv.exe
  Filesize: 206KB
  MD5: 3adeeeed5a78efcc3825b58dd4c9e122
  SHA1: cb1bc18e82c2df03ffe79e6c206bdd9b2c866cf2
  SHA256: a411b5b0a0f7eecf374329726a427f68955619719d926c767ee4dadd65c9f6b0
  SHA512: a0c7f52a48cc1ee4b4b941961c1ec859d73051d7ac2724fbf8fbee88c0fd86ca2bb52c867f1277553857aa046c05d3917dd68e6e25dd05a0490f95ef81eb26ec
- \??\c:\windows\system\svchost.exe
  Filesize: 206KB
  MD5: 424d8cb9b65bbe0f56e555e8b7b74588
  SHA1: c06715fad00fa4e79fe3b7d2e201d7db3b819a8e
  SHA256: 7fa29e5d1399b9c1d867c0f2a8268905a14f68979e62fc34325d83761ac3a6f6
  SHA512: 1f40eb7ba52da653a5fa8b019aef77482c6f5fdbe116a939a764eac9411b3c7eef8da10f09b03cccf4cfdb0ac9ffc405c6fc331b5c664d53a29c7a8d99c725a1
- memory/884-170-0x0000000000000000-mapping.dmp
- memory/2128-169-0x0000000000000000-mapping.dmp
- memory/2516-144-0x0000000000000000-mapping.dmp
- memory/2896-167-0x0000000000000000-mapping.dmp
- memory/2988-135-0x0000000000000000-mapping.dmp
- memory/3352-162-0x0000000000000000-mapping.dmp
- memory/4440-150-0x0000000000000000-mapping.dmp
- memory/4880-156-0x0000000000000000-mapping.dmp
- memory/4984-138-0x0000000000000000-mapping.dmp