ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac

Analysis

max time kernel
180s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 09:05

Target

ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
Size

344KB
MD5

d9000ac737b18eff07324c75c9fa6fd4
SHA1

b745b8bc8b574a7c2f9bdd81bc9bf08120aa40b3
SHA256

ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac
SHA512

e2bd0a20a6c12fb8cf4a49998127ccd5aa13ffe97171b417089048fe6036ea1019577f0bd9ab86bc5601063656a542ffd13b0daa3e12e8cdacff7378abf4a01b
SSDEEP

6144:3MgV3XC1RdXyLK53SVBJMxzPq3HT1Zvh4kD0DiYgP6yp5r1iGMclTgSRAL3A/WHs:cOCbdXyBBJIzPq3HT1Zvh4kD0DiYgP6m

Score

8^/10

Executes dropped EXE 2 IoCs

pid	Process
5056	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
4912	icsys.icn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
4912	icsys.icn.exe
4912	icsys.icn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 5056	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	80
PID 1652 wrote to memory of 5056	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	80
PID 1652 wrote to memory of 5056	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	80
PID 1652 wrote to memory of 4912	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	81
PID 1652 wrote to memory of 4912	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	81
PID 1652 wrote to memory of 4912	1652	ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe	81
PID 4912 wrote to memory of 1112	4912	icsys.icn.exe	82
PID 4912 wrote to memory of 1112	4912	icsys.icn.exe	82
PID 4912 wrote to memory of 1112	4912	icsys.icn.exe	82

C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
"C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- \??\c:\users\admin\appdata\local\temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
  c:\users\admin\appdata\local\temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  C:\Users\Admin\AppData\Roaming\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4912
- - \??\c:\windows\SysWOW64\explorer.exe
    c:\windows\system32\explorer.exe
    3⤵
    - Modifies registry class
    PID:1112

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\ba6bb8bae52e4dbb14e7a68681927f2605f051486babc197ba14552dc5b4aeac.exe

Filesize
128KB

MD5
b30ec69964337b67bf6aa159e5fe79c8

SHA1
4a81b8a62a0331795583309aad2ae5326aa5014f

SHA256
46c7f6f5ad202f09a24719fe22b529e64cceb82e54678c99e60aabbfeae8e616

SHA512
2f74d7d1931403b86d53aae7340d5d66faa8e9fc84873969df6152761f6677137d340c66ca7b32a2f5f7809d43f749c4f0b68f69d583fddcb96c2c37be8ef097

Download Submit
C:\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit
C:\Users\Admin\AppData\Roaming\icsys.icn.exe

Filesize
215KB

MD5
18be8a11d29f9800e3c89aed1a7b0220

SHA1
19288079744a7819434f8beead7802b4bdb9ce09

SHA256
07fbe54674af2a6acafeba0b54b05b10b4363ab58bccc25eed782ccc78bc4d2d

SHA512
e631c73ea207287adf5abe4100b24aa6719c978f8834d1bf20b81d59c7a316bb9e4904643674fef6fc3aa1865909f8007bdea9bdd7020f6647a825010eec0625

Download Submit