ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac

Analysis

max time kernel
42s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
Size

344KB
MD5

d9000ac737b18eff07324c75c9fa6fd4
SHA1

b745b8bc8b574a7c2f9bdd81bc9bf08120aa40b3
SHA256

ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac
SHA512

e2bd0a20a6c12fb8cf4a49998127ccd5aa13ffe97171b417089048fe6036ea1019577f0bd9ab86bc5601063656a542ffd13b0daa3e12e8cdacff7378abf4a01b
SSDEEP

6144:3MgV3XC1RdXyLK53SVBJMxzPq3HT1Zvh4kD0DiYgP6yp5r1iGMclTgSRAL3A/WHs:cOCbdXyBBJIzPq3HT1Zvh4kD0DiYgP6m

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1928	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
516	icsys.icn.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
1928	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe
516	icsys.icn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	340	AUDIODG.EXE
Token: 33	340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	340	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
516	icsys.icn.exe
516	icsys.icn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1928	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	29
PID 1636 wrote to memory of 1928	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	29
PID 1636 wrote to memory of 1928	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	29
PID 1636 wrote to memory of 1928	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	29
PID 1636 wrote to memory of 516	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	31
PID 1636 wrote to memory of 516	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	31
PID 1636 wrote to memory of 516	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	31
PID 1636 wrote to memory of 516	1636	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	31
PID 516 wrote to memory of 1916	516	icsys.icn.exe	32
PID 516 wrote to memory of 1916	516	icsys.icn.exe	32
PID 516 wrote to memory of 1916	516	icsys.icn.exe	32
PID 516 wrote to memory of 1916	516	icsys.icn.exe	32

C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
"C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- \??\c:\users\admin\appdata\local\temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
  c:\users\admin\appdata\local\temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1928
- C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:516
- - \??\c:\windows\SysWOW64\explorer.exe
    c:\windows\system32\explorer.exe
    3⤵
    PID:1916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe

Filesize
128KB

MD5
b30ec69964337b67bf6aa159e5fe79c8

SHA1
4a81b8a62a0331795583309aad2ae5326aa5014f

SHA256
46c7f6f5ad202f09a24719fe22b529e64cceb82e54678c99e60aabbfeae8e616

SHA512
2f74d7d1931403b86d53aae7340d5d66faa8e9fc84873969df6152761f6677137d340c66ca7b32a2f5f7809d43f749c4f0b68f69d583fddcb96c2c37be8ef097

Download Submit
C:\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit
\??\c:\users\admin\appdata\roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit
\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe

Filesize
128KB

MD5
b30ec69964337b67bf6aa159e5fe79c8

SHA1
4a81b8a62a0331795583309aad2ae5326aa5014f

SHA256
46c7f6f5ad202f09a24719fe22b529e64cceb82e54678c99e60aabbfeae8e616

SHA512
2f74d7d1931403b86d53aae7340d5d66faa8e9fc84873969df6152761f6677137d340c66ca7b32a2f5f7809d43f749c4f0b68f69d583fddcb96c2c37be8ef097

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit
\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit
memory/1636-57-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1916-75-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1928-63-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1928-76-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download