Analysis
max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 17:13
Behavioral task behavioral1: Sample Icon.KillKnightIcon.exe, Resource win10v2004-20250502-en
Behavioral task behavioral2: Sample Icon.KillKnightIcon.exe, Resource win11-20250502-en
General
Target: Icon.KillKnightIcon.exe
Size: 223KB
MD5: 196e4118ca8fefc65c37ddb40a8583af
SHA1: 0d7bdea1087a654e3c7bbbb5d4da85b72af4ff36
SHA256: 630528e76c576b0561744ebd5032a522f162eace1f646984d1239bca1da5d850
SHA512: 21dea2196877a728ed32d2031db238d34a24adad1db8f2af435ea4c949bebfe02eca301d0c3111667f39199658f06f8ad391f78e4646cd869f2674d5b118eb9a
SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un2ByE3j:zvEN2U+T6i5LirrllHy4HUcMQY6dBHj
Malware Config
Signatures
Detects Mofksys worm (5 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000242b7-7.dat | family_mofksys
behavioral1/files/0x00080000000242bd-14.dat | family_mofksys
behavioral1/files/0x00080000000242c0-23.dat | family_mofksys
behavioral1/files/0x00080000000242c2-31.dat | family_mofksys
behavioral1/files/0x00090000000242c1-42.dat | family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (7 IoCs)
pid | Process
5344 | icsys.icn.exe
3440 | explorer.exe
4636 | spoolsv.exe
5252 | svchost.exe
1988 | spoolsv.exe
6040 | svchost.exe
3568 | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icon.KillKnightIcon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5344 | icsys.icn.exe
5344 | icsys.icn.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
3440 | explorer.exe
3440 | explorer.exe
5252 | svchost.exe
5252 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3440 | explorer.exe
5252 | svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process
5328 | Icon.KillKnightIcon.exe
5328 | Icon.KillKnightIcon.exe
5344 | icsys.icn.exe
5344 | icsys.icn.exe
3440 | explorer.exe
3440 | explorer.exe
4636 | spoolsv.exe
4636 | spoolsv.exe
5252 | svchost.exe
5252 | svchost.exe
1988 | spoolsv.exe
1988 | spoolsv.exe
3440 | explorer.exe
3440 | explorer.exe
6040 | svchost.exe
6040 | svchost.exe
3568 | explorer.exe
3568 | explorer.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 5328 wrote to memory of 5344 | 5328 | Icon.KillKnightIcon.exe | 84
PID 5328 wrote to memory of 5344 | 5328 | Icon.KillKnightIcon.exe | 84
PID 5328 wrote to memory of 5344 | 5328 | Icon.KillKnightIcon.exe | 84
PID 5344 wrote to memory of 3440 | 5344 | icsys.icn.exe | 85
PID 5344 wrote to memory of 3440 | 5344 | icsys.icn.exe | 85
PID 5344 wrote to memory of 3440 | 5344 | icsys.icn.exe | 85
PID 3440 wrote to memory of 4636 | 3440 | explorer.exe | 86
PID 3440 wrote to memory of 4636 | 3440 | explorer.exe | 86
PID 3440 wrote to memory of 4636 | 3440 | explorer.exe | 86
PID 4636 wrote to memory of 5252 | 4636 | spoolsv.exe | 87
PID 4636 wrote to memory of 5252 | 4636 | spoolsv.exe | 87
PID 4636 wrote to memory of 5252 | 4636 | spoolsv.exe | 87
PID 5252 wrote to memory of 1988 | 5252 | svchost.exe | 88
PID 5252 wrote to memory of 1988 | 5252 | svchost.exe | 88
PID 5252 wrote to memory of 1988 | 5252 | svchost.exe | 88
PID 5252 wrote to memory of 5656 | 5252 | svchost.exe | 93
PID 5252 wrote to memory of 5656 | 5252 | svchost.exe | 93
PID 5252 wrote to memory of 5656 | 5252 | svchost.exe | 93
PID 5492 wrote to memory of 3568 | 5492 | cmd.exe | 95
PID 5492 wrote to memory of 3568 | 5492 | cmd.exe | 95
PID 5492 wrote to memory of 3568 | 5492 | cmd.exe | 95
PID 2768 wrote to memory of 6040 | 2768 | cmd.exe | 96
PID 2768 wrote to memory of 6040 | 2768 | cmd.exe | 96
PID 2768 wrote to memory of 6040 | 2768 | cmd.exe | 96
PID 5252 wrote to memory of 5076 | 5252 | svchost.exe | 116
PID 5252 wrote to memory of 5076 | 5252 | svchost.exe | 116
PID 5252 wrote to memory of 5076 | 5252 | svchost.exe | 116
PID 5252 wrote to memory of 5772 | 5252 | svchost.exe | 119
PID 5252 wrote to memory of 5772 | 5252 | svchost.exe | 119
PID 5252 wrote to memory of 5772 | 5252 | svchost.exe | 119
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5328
  [level 2] C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5344
    [level 3] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3440
      [level 4] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4636
        [level 5] \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 5252
          [level 6] \??\c:\windows\system\spoolsv.exe
              Command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1988
          [level 6] C:\Windows\SysWOW64\at.exe
              Command line: at 17:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 5656
          [level 6] C:\Windows\SysWOW64\at.exe
              Command line: at 17:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 5076
          [level 6] C:\Windows\SysWOW64\at.exe
              Command line: at 17:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 5772
[level 1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    - Suspicious use of WriteProcessMemory
    PID: 2768
  [level 2] \??\c:\windows\system\svchost.exe
      Command line: c:\windows\system\svchost.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 6040
[level 1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    - Suspicious use of WriteProcessMemory
    PID: 5492
  [level 2] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe RO
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3568
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads