eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
Size

1.1MB
MD5

e709b49637fe6417c4a0d87bae495ba1
SHA1

8b72aa4fa153b9f06d91eb83367223692b7e3720
SHA256

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1
SHA512

f53381207787b2c67c0708ca6605b6aded2f06fb946ab9f38dfa6c75d8289edfd84743af214256a83a16f656671d1d15c37778d3b0a2bc1a567dee75c936fbb1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 7 IoCs

Processes:

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe

pid	process
1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1980	icsys.icn.exe
1740	explorer.exe
1724	spoolsv.exe
1344	svchost.exe
1692	spoolsv.exe
548	Synaptics.exe

Loads dropped DLL 10 IoCs

Processes:

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeeb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

pid	process
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1980	icsys.icn.exe
1740	explorer.exe
1724	spoolsv.exe
1344	svchost.exe
1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exeeb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exeeb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

892 schtasks.exe
596 schtasks.exe
336 schtasks.exe

pid	process
892	schtasks.exe
596	schtasks.exe
336	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1740 explorer.exe
1344 svchost.exe

pid	process
1740	explorer.exe
1344	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
1980	icsys.icn.exe
1980	icsys.icn.exe
1740	explorer.exe
1740	explorer.exe
1724	spoolsv.exe
1724	spoolsv.exe
1344	svchost.exe
1344	svchost.exe
1692	spoolsv.exe
1692	spoolsv.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeeb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe

description	pid	process	target process
PID 1096 wrote to memory of 1524	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
PID 1096 wrote to memory of 1524	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
PID 1096 wrote to memory of 1524	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
PID 1096 wrote to memory of 1524	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
PID 1096 wrote to memory of 1980	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	icsys.icn.exe
PID 1096 wrote to memory of 1980	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	icsys.icn.exe
PID 1096 wrote to memory of 1980	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	icsys.icn.exe
PID 1096 wrote to memory of 1980	1096	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	icsys.icn.exe
PID 1980 wrote to memory of 1740	1980	icsys.icn.exe	explorer.exe
PID 1980 wrote to memory of 1740	1980	icsys.icn.exe	explorer.exe
PID 1980 wrote to memory of 1740	1980	icsys.icn.exe	explorer.exe
PID 1980 wrote to memory of 1740	1980	icsys.icn.exe	explorer.exe
PID 1740 wrote to memory of 1724	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 1724	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 1724	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 1724	1740	explorer.exe	spoolsv.exe
PID 1724 wrote to memory of 1344	1724	spoolsv.exe	svchost.exe
PID 1724 wrote to memory of 1344	1724	spoolsv.exe	svchost.exe
PID 1724 wrote to memory of 1344	1724	spoolsv.exe	svchost.exe
PID 1724 wrote to memory of 1344	1724	spoolsv.exe	svchost.exe
PID 1344 wrote to memory of 1692	1344	svchost.exe	spoolsv.exe
PID 1344 wrote to memory of 1692	1344	svchost.exe	spoolsv.exe
PID 1344 wrote to memory of 1692	1344	svchost.exe	spoolsv.exe
PID 1344 wrote to memory of 1692	1344	svchost.exe	spoolsv.exe
PID 1740 wrote to memory of 788	1740	explorer.exe	Explorer.exe
PID 1740 wrote to memory of 788	1740	explorer.exe	Explorer.exe
PID 1740 wrote to memory of 788	1740	explorer.exe	Explorer.exe
PID 1740 wrote to memory of 788	1740	explorer.exe	Explorer.exe
PID 1344 wrote to memory of 596	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 596	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 596	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 596	1344	svchost.exe	schtasks.exe
PID 1524 wrote to memory of 548	1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	Synaptics.exe
PID 1524 wrote to memory of 548	1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	Synaptics.exe
PID 1524 wrote to memory of 548	1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	Synaptics.exe
PID 1524 wrote to memory of 548	1524	eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe	Synaptics.exe
PID 1344 wrote to memory of 336	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 336	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 336	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 336	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 892	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 892	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 892	1344	svchost.exe	schtasks.exe
PID 1344 wrote to memory of 892	1344	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
"C:\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

\??\c:\users\admin\appdata\local\temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
c:\users\admin\appdata\local\temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:548

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:58 /f
6⤵
- Creates scheduled task(s)
PID:596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:59 /f
6⤵
- Creates scheduled task(s)
PID:336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:00 /f
6⤵
- Creates scheduled task(s)
PID:892

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
960fce272c2fbebbb28bf756817cae91

SHA1
b4f99481b3f6a7c5ebe47177693644c2e38edd22

SHA256
f0c826acfa4e384cb5542aa294ecfc72df1e94c0096f95465f5cac9351275d93

SHA512
b481eed9fe7db08d8d53ed6824bece7f656f0e47faa1df4a802ec69688150cfe0d7bea49df3488e826e87e7c3be573109b356a037d30ecb69aa9ebafd8c7c378

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
MD5
1e5191f0baa3f589ce1c2fff0dcca9e2

SHA1
716cdf1c46ee24d6c7962e118073164cba5a755f

SHA256
59215c2c7cf54df886eccba15ce55790101f7d3000472261d20e83f404dea7e8

SHA512
404d1328277cd9d2d9e4c430cd3b8fc3faa49846e127e32de8fef39ebae30074393d4cbf4992c7b6438262fa168ecfbe0b24c26ae698cf4c8589a12b1e20e9be

Download Submit
C:\Windows\Resources\Themes\explorer.exe
MD5
05d0fb8dfd74fd916ac7065ed69c9bb9

SHA1
c0c4ae2d6732fc5116122a012c76369f4fc5b30d

SHA256
1ee00aba12c8b9b30b050be8c97abd4197a9748c763d9096f796e40615d1c7a2

SHA512
76dc0db82090838b698e19568d2ccf5a7508c2ad1b5fa6f07c157edcad7d51f38cf34a32701d6c0266a18473791f03dd3cc3ef904b93f66a3be58d982f345b5b

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
e30a7b0835775c186a2b91c658c1a2f5

SHA1
05676f4e95c5048fd16df9305e678ccfcb6d853e

SHA256
2d0865fdb772e8efb18b0f15e3a2600a82be455ff4a1b586ca49df43c8c24232

SHA512
d658df17c9d22d2e6546a48a3e93e5269019ab4d3744500725b8b3a3f634532d2bbca62500ccd44659569ee5c90d152087bba0a876c2149b511ee17081426bfb

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
495f8ac166c31a1748ab08be2978a0a0

SHA1
a0411c31f97f70ac9c2464f4f2221c7a99234277

SHA256
a1aa63055926a85ae997f0ae8dd898d73051c857a5eb82da6b7b3fc31e4cdb5f

SHA512
39b4efdcffe81d213575120930f18f9face223d46463f9c5fd5fab56addcdadadd7974b92c23ae9b033b99d2599086f47ca6736beecce601512b867917bb1f98

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
495f8ac166c31a1748ab08be2978a0a0

SHA1
a0411c31f97f70ac9c2464f4f2221c7a99234277

SHA256
a1aa63055926a85ae997f0ae8dd898d73051c857a5eb82da6b7b3fc31e4cdb5f

SHA512
39b4efdcffe81d213575120930f18f9face223d46463f9c5fd5fab56addcdadadd7974b92c23ae9b033b99d2599086f47ca6736beecce601512b867917bb1f98

Download Submit
C:\Windows\Resources\svchost.exe
MD5
a20fc9f15ac0733fdb08528738b9b604

SHA1
421964fc39e0c95c71abef2d6708e550af670a05

SHA256
bac3ac6e79445906c98eaae77e0cd5ea3fa46130247f2f5d13cf317f673d9a65

SHA512
ecb504b61902e656e29790958b704c02150e0416afdadb23820db027099bc29fc0947d06e5400fb0e3741f363b1fd2574f4cd7cd2ad2b83403f3a42a1e4c000f

Download Submit
\??\c:\users\admin\appdata\local\temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
MD5
1e5191f0baa3f589ce1c2fff0dcca9e2

SHA1
716cdf1c46ee24d6c7962e118073164cba5a755f

SHA256
59215c2c7cf54df886eccba15ce55790101f7d3000472261d20e83f404dea7e8

SHA512
404d1328277cd9d2d9e4c430cd3b8fc3faa49846e127e32de8fef39ebae30074393d4cbf4992c7b6438262fa168ecfbe0b24c26ae698cf4c8589a12b1e20e9be

Download Submit
\??\c:\windows\resources\spoolsv.exe
MD5
495f8ac166c31a1748ab08be2978a0a0

SHA1
a0411c31f97f70ac9c2464f4f2221c7a99234277

SHA256
a1aa63055926a85ae997f0ae8dd898d73051c857a5eb82da6b7b3fc31e4cdb5f

SHA512
39b4efdcffe81d213575120930f18f9face223d46463f9c5fd5fab56addcdadadd7974b92c23ae9b033b99d2599086f47ca6736beecce601512b867917bb1f98

Download Submit
\??\c:\windows\resources\svchost.exe
MD5
a20fc9f15ac0733fdb08528738b9b604

SHA1
421964fc39e0c95c71abef2d6708e550af670a05

SHA256
bac3ac6e79445906c98eaae77e0cd5ea3fa46130247f2f5d13cf317f673d9a65

SHA512
ecb504b61902e656e29790958b704c02150e0416afdadb23820db027099bc29fc0947d06e5400fb0e3741f363b1fd2574f4cd7cd2ad2b83403f3a42a1e4c000f

Download Submit
\??\c:\windows\resources\themes\explorer.exe
MD5
05d0fb8dfd74fd916ac7065ed69c9bb9

SHA1
c0c4ae2d6732fc5116122a012c76369f4fc5b30d

SHA256
1ee00aba12c8b9b30b050be8c97abd4197a9748c763d9096f796e40615d1c7a2

SHA512
76dc0db82090838b698e19568d2ccf5a7508c2ad1b5fa6f07c157edcad7d51f38cf34a32701d6c0266a18473791f03dd3cc3ef904b93f66a3be58d982f345b5b

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
MD5
e30a7b0835775c186a2b91c658c1a2f5

SHA1
05676f4e95c5048fd16df9305e678ccfcb6d853e

SHA256
2d0865fdb772e8efb18b0f15e3a2600a82be455ff4a1b586ca49df43c8c24232

SHA512
d658df17c9d22d2e6546a48a3e93e5269019ab4d3744500725b8b3a3f634532d2bbca62500ccd44659569ee5c90d152087bba0a876c2149b511ee17081426bfb

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
960fce272c2fbebbb28bf756817cae91

SHA1
b4f99481b3f6a7c5ebe47177693644c2e38edd22

SHA256
f0c826acfa4e384cb5542aa294ecfc72df1e94c0096f95465f5cac9351275d93

SHA512
b481eed9fe7db08d8d53ed6824bece7f656f0e47faa1df4a802ec69688150cfe0d7bea49df3488e826e87e7c3be573109b356a037d30ecb69aa9ebafd8c7c378

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
960fce272c2fbebbb28bf756817cae91

SHA1
b4f99481b3f6a7c5ebe47177693644c2e38edd22

SHA256
f0c826acfa4e384cb5542aa294ecfc72df1e94c0096f95465f5cac9351275d93

SHA512
b481eed9fe7db08d8d53ed6824bece7f656f0e47faa1df4a802ec69688150cfe0d7bea49df3488e826e87e7c3be573109b356a037d30ecb69aa9ebafd8c7c378

Download Submit
\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
MD5
1e5191f0baa3f589ce1c2fff0dcca9e2

SHA1
716cdf1c46ee24d6c7962e118073164cba5a755f

SHA256
59215c2c7cf54df886eccba15ce55790101f7d3000472261d20e83f404dea7e8

SHA512
404d1328277cd9d2d9e4c430cd3b8fc3faa49846e127e32de8fef39ebae30074393d4cbf4992c7b6438262fa168ecfbe0b24c26ae698cf4c8589a12b1e20e9be

Download Submit
\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
MD5
1e5191f0baa3f589ce1c2fff0dcca9e2

SHA1
716cdf1c46ee24d6c7962e118073164cba5a755f

SHA256
59215c2c7cf54df886eccba15ce55790101f7d3000472261d20e83f404dea7e8

SHA512
404d1328277cd9d2d9e4c430cd3b8fc3faa49846e127e32de8fef39ebae30074393d4cbf4992c7b6438262fa168ecfbe0b24c26ae698cf4c8589a12b1e20e9be

Download Submit
\Users\Admin\AppData\Local\Temp\eb7966388d917e0699365202de9a50848c3dbe4e4be362eacc385053309911c1.exe
MD5
1e5191f0baa3f589ce1c2fff0dcca9e2

SHA1
716cdf1c46ee24d6c7962e118073164cba5a755f

SHA256
59215c2c7cf54df886eccba15ce55790101f7d3000472261d20e83f404dea7e8

SHA512
404d1328277cd9d2d9e4c430cd3b8fc3faa49846e127e32de8fef39ebae30074393d4cbf4992c7b6438262fa168ecfbe0b24c26ae698cf4c8589a12b1e20e9be

Download Submit
\Windows\Resources\Themes\explorer.exe
MD5
05d0fb8dfd74fd916ac7065ed69c9bb9

SHA1
c0c4ae2d6732fc5116122a012c76369f4fc5b30d

SHA256
1ee00aba12c8b9b30b050be8c97abd4197a9748c763d9096f796e40615d1c7a2

SHA512
76dc0db82090838b698e19568d2ccf5a7508c2ad1b5fa6f07c157edcad7d51f38cf34a32701d6c0266a18473791f03dd3cc3ef904b93f66a3be58d982f345b5b

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
MD5
e30a7b0835775c186a2b91c658c1a2f5

SHA1
05676f4e95c5048fd16df9305e678ccfcb6d853e

SHA256
2d0865fdb772e8efb18b0f15e3a2600a82be455ff4a1b586ca49df43c8c24232

SHA512
d658df17c9d22d2e6546a48a3e93e5269019ab4d3744500725b8b3a3f634532d2bbca62500ccd44659569ee5c90d152087bba0a876c2149b511ee17081426bfb

Download Submit
\Windows\Resources\spoolsv.exe
MD5
495f8ac166c31a1748ab08be2978a0a0

SHA1
a0411c31f97f70ac9c2464f4f2221c7a99234277

SHA256
a1aa63055926a85ae997f0ae8dd898d73051c857a5eb82da6b7b3fc31e4cdb5f

SHA512
39b4efdcffe81d213575120930f18f9face223d46463f9c5fd5fab56addcdadadd7974b92c23ae9b033b99d2599086f47ca6736beecce601512b867917bb1f98

Download Submit
\Windows\Resources\spoolsv.exe
MD5
495f8ac166c31a1748ab08be2978a0a0

SHA1
a0411c31f97f70ac9c2464f4f2221c7a99234277

SHA256
a1aa63055926a85ae997f0ae8dd898d73051c857a5eb82da6b7b3fc31e4cdb5f

SHA512
39b4efdcffe81d213575120930f18f9face223d46463f9c5fd5fab56addcdadadd7974b92c23ae9b033b99d2599086f47ca6736beecce601512b867917bb1f98

Download Submit
\Windows\Resources\svchost.exe
MD5
a20fc9f15ac0733fdb08528738b9b604

SHA1
421964fc39e0c95c71abef2d6708e550af670a05

SHA256
bac3ac6e79445906c98eaae77e0cd5ea3fa46130247f2f5d13cf317f673d9a65

SHA512
ecb504b61902e656e29790958b704c02150e0416afdadb23820db027099bc29fc0947d06e5400fb0e3741f363b1fd2574f4cd7cd2ad2b83403f3a42a1e4c000f

Download Submit
memory/336-113-0x0000000000000000-mapping.dmp

Download
memory/548-109-0x0000000000000000-mapping.dmp

Download
memory/548-112-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/596-105-0x0000000000000000-mapping.dmp

Download
memory/788-104-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

Filesize
8KB

Download
memory/788-103-0x0000000000000000-mapping.dmp

Download
memory/892-114-0x0000000000000000-mapping.dmp

Download
memory/1344-90-0x0000000000000000-mapping.dmp

Download
memory/1524-77-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1524-66-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1692-98-0x0000000000000000-mapping.dmp

Download
memory/1724-83-0x0000000000000000-mapping.dmp

Download
memory/1740-75-0x0000000000000000-mapping.dmp

Download
memory/1980-68-0x0000000000000000-mapping.dmp

Download