Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20/05/2025, 17:13

General

  • Target
    Icon.KillKnightIcon.exe
  • Size
    223KB
  • MD5
    196e4118ca8fefc65c37ddb40a8583af
  • SHA1
    0d7bdea1087a654e3c7bbbb5d4da85b72af4ff36
  • SHA256
    630528e76c576b0561744ebd5032a522f162eace1f646984d1239bca1da5d850
  • SHA512
    21dea2196877a728ed32d2031db238d34a24adad1db8f2af435ea4c949bebfe02eca301d0c3111667f39199658f06f8ad391f78e4646cd869f2674d5b118eb9a
  • SSDEEP
    3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un2ByE3j:zvEN2U+T6i5LirrllHy4HUcMQY6dBHj

Malware Config

Signatures

  • Detects Mofksys worm (5 IoCs)
  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Mofksys

    Mofksys is a worm written in VisualBasic.

  • Mofksys family
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (7 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe
    "C:\Users\Admin\AppData\Local\Temp\Icon.KillKnightIcon.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:484
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3240
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4788
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1460
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4728
            • C:\Windows\SysWOW64\at.exe
              at 17:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5064
            • C:\Windows\SysWOW64\at.exe
              at 17:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3168
            • C:\Windows\SysWOW64\at.exe
              at 17:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5268
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4852
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:784
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4872
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe RO
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5856

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\icsys.icn.exe
    Filesize: 206KB
    MD5: 12c55be0ea22f3ba4baec6ae411a47d9
    SHA1: c83dd8a82f865a93b4a542279603ee4e04faf934
    SHA256: 43daea4432fe6359bca327a20d232a1905211a08f71bd8bb62a3bce260a7f481
    SHA512: 41b334e06bf3ef0f6d72b3afad2d61d99ff356bea5c14a265e44c78aab2fb04929bfbe279096d3ad591f8d0597b26e81cb8c0358bb3cda58865d1aa6919b815a

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 206KB
    MD5: 5dfe48d6e2915f7396c6a2229a79a7a2
    SHA1: ab444c8bbfa5d6f05dbc3709d09a381642a94bc6
    SHA256: 088837e79e9a92be39ba3ec8b62a1a54585228555ca24ba412d1117b6418146e
    SHA512: 8e35054307c11a2bede06e2f03b88e1dbbfb18de4e69d89325b506b074dc24946990c909f55a937a6dffb250332003cf31e18a512e7613d89787c1b0e0e581f0

  • C:\Windows\System\explorer.exe
    Filesize: 206KB
    MD5: 6ae2fbc17236af517dca6f16ddf272c7
    SHA1: 95268a494cd32053fad035c1489f4b626f97935c
    SHA256: 3e3a015268885951d9b142e79dcb5d66350b0a6d1fe15ea667a5a143814bd977
    SHA512: c78ebd33b779861f0d0f0cba77f598d2e4e9548fcd86ca8e7aa3f4467b132a50a3af794dc2f6b932c2ef72074a5f98bbe2c13d34c6eb4525582adc66a17bcfe2

  • C:\Windows\System\spoolsv.exe
    Filesize: 206KB
    MD5: 71f73876d7dcf79583154786a0c5c8ac
    SHA1: cc0f41616d934099d3438605a97744ce25a9869a
    SHA256: 1e5e1331a5aa72d16a59b0b2f1803300f7bf909be70da0f17e9a976e11d58374
    SHA512: 936b056f1f2817cd2534ded47a4e9e769b9a4b188ac7c13110002edac8fea5d88d055f2011e517815ac8c0d208fa450e5f24751ab54a2da879240dbf12d80fd1

  • C:\Windows\System\svchost.exe
    Filesize: 206KB
    MD5: 30bd8539f46a241f572e743c6d706f12
    SHA1: a795b3dbbdd56789b23364dcf8e7b7df6a3bcc36
    SHA256: 484582da59c06580b30fd6381e4237649334d6dad2fdd2e2a08f11fc17071a85
    SHA512: 722386de03ca59f95dc09339d1aee6ce47fb86a77016744751bdabe1e1e308cc69b438cf489ce95d8e5deac2890909cf139f113b43e1f237be89223f20776c8a