Analysis
- max time kernel: 150s
- max time network: 104s
- platform: windows11-21h2_x64
- resource: win11-20250502-en
- resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/05/2025, 17:13
Behavioral task: behavioral1
- Sample: Icon.KillKnightIcon.exe
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: Icon.KillKnightIcon.exe
- Resource: win11-20250502-en
General
- Target: Icon.KillKnightIcon.exe
- Size: 223KB
- MD5: 196e4118ca8fefc65c37ddb40a8583af
- SHA1: 0d7bdea1087a654e3c7bbbb5d4da85b72af4ff36
- SHA256: 630528e76c576b0561744ebd5032a522f162eace1f646984d1239bca1da5d850
- SHA512: 21dea2196877a728ed32d2031db238d34a24adad1db8f2af435ea4c949bebfe02eca301d0c3111667f39199658f06f8ad391f78e4646cd869f2674d5b118eb9a
- SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un2ByE3j:zvEN2U+T6i5LirrllHy4HUcMQY6dBHj
Malware Config
Signatures
Detects Mofksys worm (5 IoCs)
resource | yara_rule
- behavioral2/files/0x001a00000002b1eb-7.dat | family_mofksys
- behavioral2/files/0x001a00000002b1f7-15.dat | family_mofksys
- behavioral2/files/0x001a00000002b1fb-23.dat | family_mofksys
- behavioral2/files/0x001a00000002b201-31.dat | family_mofksys
- behavioral2/files/0x001b00000002b1fd-42.dat | family_mofksys
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Mofksys family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (7 IoCs)
pid | process
- 484 | icsys.icn.exe
- 3240 | explorer.exe
- 4788 | spoolsv.exe
- 1460 | svchost.exe
- 4728 | spoolsv.exe
- 5856 | svchost.exe
- 784 | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | process
- File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one event each for: Icon.KillKnightIcon.exe, icsys.icn.exe, spoolsv.exe, svchost.exe, at.exe, at.exe, explorer.exe, svchost.exe, spoolsv.exe, explorer.exe, at.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (64 repeated events, distinct pid/process pairs listed)
- 484 | icsys.icn.exe
- 3240 | explorer.exe
- 1460 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
- 3240 | explorer.exe
- 1460 | svchost.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | process (18 repeated events, distinct pid/process pairs listed)
- 3024 | Icon.KillKnightIcon.exe
- 484 | icsys.icn.exe
- 3240 | explorer.exe
- 4788 | spoolsv.exe
- 1460 | svchost.exe
- 4728 | spoolsv.exe
- 5856 | svchost.exe
- 784 | explorer.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | process | procid_target (each event is recorded three times in the raw report; distinct events listed)
- PID 3024 wrote to memory of 484 | 3024 | Icon.KillKnightIcon.exe | 82
- PID 484 wrote to memory of 3240 | 484 | icsys.icn.exe | 83
- PID 3240 wrote to memory of 4788 | 3240 | explorer.exe | 84
- PID 4788 wrote to memory of 1460 | 4788 | spoolsv.exe | 85
- PID 1460 wrote to memory of 4728 | 1460 | svchost.exe | 86
- PID 1460 wrote to memory of 5064 | 1460 | svchost.exe | 91
- PID 4872 wrote to memory of 5856 | 4872 | cmd.exe | 93
- PID 4852 wrote to memory of 784 | 4852 | cmd.exe | 94
- PID 1460 wrote to memory of 3168 | 1460 | svchost.exe | 96
- PID 1460 wrote to memory of 5268 | 1460 | svchost.exe | 98
Processes
- C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe (PID 3024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\icsys.icn.exe (PID 484)
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\explorer.exe (PID 3240)
      Command line: c:\windows\system\explorer.exe
      Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\spoolsv.exe (PID 4788)
        Command line: c:\windows\system\spoolsv.exe SE
        Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\svchost.exe (PID 1460)
          Command line: c:\windows\system\svchost.exe
          Signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\system\spoolsv.exe (PID 4728)
            Command line: c:\windows\system\spoolsv.exe PR
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\at.exe (PID 5064)
            Command line: at 17:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\at.exe (PID 3168)
            Command line: at 17:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\at.exe (PID 5268)
            Command line: at 17:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\cmd.exe (PID 4852)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
  Signatures: Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 784)
    Command line: c:\windows\system\explorer.exe RO
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe (PID 4872)
  Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
  Signatures: Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\svchost.exe (PID 5856)
    Command line: c:\windows\system\svchost.exe RO
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)