Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 23-09-2021 13:08
Static task: static1
Behavioral task: behavioral1
Sample: 09876523456789.exe
Resource: win7-en-20210920
General
- Target: 09876523456789.exe
- Size: 926KB
- MD5: b8cdebc24a5ab6241373ae3bcc7d3053
- SHA1: bb17815265e215c6de61489aca8019bb5ae473e0
- SHA256: 5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2
- SHA512: b57809010853fce4520d4f0a144c5827f07e0105da22814480472d2d147006712867fcaead42e3aabaf88592344dad2ddca9771a5a616a105253cb5cd8b949e8
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes: 09876523456789.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 09876523456789.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs)
- Neshta
  Malware from the Neshta family infects other executable files with its own code in order to spread and cause damage.
- Executes dropped EXE (8 IoCs)
  Processes: 09876523456789.exe, 09876523456789.exe, 09876523456789.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  868 | 09876523456789.exe
  984 | 09876523456789.exe
  1236 | 09876523456789.exe
  1224 | icsys.icn.exe
  1324 | explorer.exe
  888 | spoolsv.exe
  1584 | svchost.exe
  1216 | spoolsv.exe
- Modifies Installed Components in the registry (2 TTPs)
- Loads dropped DLL (18 IoCs)
  Processes: 09876523456789.exe, 09876523456789.exe, 09876523456789.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  1044 | 09876523456789.exe
  1044 | 09876523456789.exe
  868 | 09876523456789.exe
  984 | 09876523456789.exe
  984 | 09876523456789.exe
  868 | 09876523456789.exe
  868 | 09876523456789.exe
  1224 | icsys.icn.exe
  1224 | icsys.icn.exe
  1324 | explorer.exe
  1324 | explorer.exe
  888 | spoolsv.exe
  888 | spoolsv.exe
  1584 | svchost.exe
  1584 | svchost.exe
  1044 | 09876523456789.exe
  1044 | 09876523456789.exe
  1044 | 09876523456789.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: svchost.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | freegeoip.app
  6 | freegeoip.app
  3 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 09876523456789.exe
  description | pid | process | target process
  PID 984 set thread context of 1236 | 984 | 09876523456789.exe | 09876523456789.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: 09876523456789.exe
  description: File opened for modification (all 64 entries); process: 09876523456789.exe (all 64 entries)
  ioc:
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
  C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
  C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
  C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  C:\PROGRA~2\WINDOW~1\WinMail.exe
  C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  C:\PROGRA~2\WINDOW~1\wab.exe
  C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\misc.exe
  C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- Drops file in Windows directory (7 IoCs)
  Processes: explorer.exe, 09876523456789.exe, icsys.icn.exe, spoolsv.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | C:\Windows\svchost.com | 09876523456789.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (14 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe | nsis_installer_2
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_1
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe | nsis_installer_1
  \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe | nsis_installer_2
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_1
  \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe | nsis_installer_2
- Modifies registry class (1 IoC)
  Processes: 09876523456789.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 09876523456789.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: icsys.icn.exe, explorer.exe, svchost.exe, 09876523456789.exe
  pid | process
  1224 | icsys.icn.exe
  1324 | explorer.exe
  1584 | svchost.exe
  1236 | 09876523456789.exe
  (The 64 entries consist of these four pid/process pairs; 1224 icsys.icn.exe and 1236 09876523456789.exe each appear once, and the remaining entries repeat 1324 explorer.exe and 1584 svchost.exe.)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid | process
  1324 | explorer.exe
  1584 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 09876523456789.exe
  description | pid | process
  Token: SeDebugPrivilege | 1236 | 09876523456789.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: 09876523456789.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  868 | 09876523456789.exe
  868 | 09876523456789.exe
  1224 | icsys.icn.exe
  1224 | icsys.icn.exe
  1324 | explorer.exe
  1324 | explorer.exe
  888 | spoolsv.exe
  888 | spoolsv.exe
  1584 | svchost.exe
  1584 | svchost.exe
  1216 | spoolsv.exe
  1216 | spoolsv.exe
  1324 | explorer.exe
  1324 | explorer.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes: 09876523456789.exe, 09876523456789.exe, 09876523456789.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process | occurrences
  PID 1044 wrote to memory of 868 | 1044 | 09876523456789.exe | 09876523456789.exe | 4
  PID 868 wrote to memory of 984 | 868 | 09876523456789.exe | 09876523456789.exe | 4
  PID 984 wrote to memory of 1236 | 984 | 09876523456789.exe | 09876523456789.exe | 11
  PID 868 wrote to memory of 1224 | 868 | 09876523456789.exe | icsys.icn.exe | 4
  PID 1224 wrote to memory of 1324 | 1224 | icsys.icn.exe | explorer.exe | 4
  PID 1324 wrote to memory of 888 | 1324 | explorer.exe | spoolsv.exe | 4
  PID 888 wrote to memory of 1584 | 888 | spoolsv.exe | svchost.exe | 4
  PID 1584 wrote to memory of 1216 | 1584 | svchost.exe | spoolsv.exe | 4
  PID 1584 wrote to memory of 1092 | 1584 | svchost.exe | at.exe | 4
  PID 1584 wrote to memory of 1732 | 1584 | svchost.exe | at.exe | 4
  PID 1584 wrote to memory of 1132 | 1584 | svchost.exe | at.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\09876523456789.exe  (level 1, PID 1044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09876523456789.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe  (level 2, PID 868)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe  (level 3, PID 984)
      Command line: c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe  (level 4, PID 1236)
        Command line: c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\icsys.icn.exe  (level 3, PID 1224)
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\explorer.exe  (level 4, PID 1324)
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (level 5, PID 888)
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\svchost.exe  (level 6, PID 1584)
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            \??\c:\windows\system\spoolsv.exe  (level 7, PID 1216)
              Command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\at.exe  (level 7, PID 1092)
              Command line: at 13:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            C:\Windows\SysWOW64\at.exe  (level 7, PID 1732)
              Command line: at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            C:\Windows\SysWOW64\at.exe  (level 7, PID 1132)
              Command line: at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
  MD5: 2fce217b06eab217e49e58ae373f8ddb
  SHA1: 3145657a134272e403320b87a2ef1df87ea9ab07
  SHA256: dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91
  SHA512: 421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72
- C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
  MD5: bcc7a93ad8bad83eb4caf6228bf8ae6b
  SHA1: c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523
  SHA256: cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601
  SHA512: a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  MD5: 8329f0288b6df014a04153c750b678db
  SHA1: 5fb72256bbfdde0e47928e4d1712722b0ab64439
  SHA256: 13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b
  SHA512: 8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  MD5: cfd97063f21b585b7f4abe267298f6d1
  SHA1: 87aa494f51a7858048818ca784e9cbfd962e45d5
  SHA256: d80859dc4ea6a674987a0ff80b113701076f2861a707a4b199f8e7b0c74cb248
  SHA512: 38ecd619867ca76607c6fd74ff05c53939f0be4e4da542a1d7077ea266971a2a9db50c346d58a5dd462dc37182b809dd45a20e5e38c7adeb969ed0ee71d5fef8
- C:\Windows\system\explorer.exe
  MD5: 5b1da0d67621b3d0467e0148142745d6
  SHA1: d093447c7c584e9f03282f219db74345c0884111
  SHA256: 2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f
  SHA512: 1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d
- C:\Windows\system\spoolsv.exe
  MD5: e6c9b8acbe46874f785f597259ebe071
  SHA1: 510bc65b7578ea6082d5baed4fe344d1cabb1c23
  SHA256: f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848
  SHA512: 6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc
- C:\Windows\system\svchost.exe
  MD5: 8ab0d16deeb98f242159b6378857adb1
  SHA1: 21b5560500bfc09443115d7c477f13d9f764d77a
  SHA256: 2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face
  SHA512: f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c
- \??\c:\users\admin\appdata\local\icsys.icn.exe
  MD5: 8329f0288b6df014a04153c750b678db
  SHA1: 5fb72256bbfdde0e47928e4d1712722b0ab64439
  SHA256: 13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b
  SHA512: 8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394
- \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
  MD5: 2fce217b06eab217e49e58ae373f8ddb
  SHA1: 3145657a134272e403320b87a2ef1df87ea9ab07
  SHA256: dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91
  SHA512: 421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72
- \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
  MD5: bcc7a93ad8bad83eb4caf6228bf8ae6b
  SHA1: c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523
  SHA256: cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601
  SHA512: a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f
- \??\c:\windows\system\explorer.exe
  MD5: 5b1da0d67621b3d0467e0148142745d6
  SHA1: d093447c7c584e9f03282f219db74345c0884111
  SHA256: 2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f
  SHA512: 1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d
- \??\c:\windows\system\spoolsv.exe
  MD5: e6c9b8acbe46874f785f597259ebe071
  SHA1: 510bc65b7578ea6082d5baed4fe344d1cabb1c23
  SHA256: f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848
  SHA512: 6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc
- \??\c:\windows\system\svchost.exe
  MD5: 8ab0d16deeb98f242159b6378857adb1
  SHA1: 21b5560500bfc09443115d7c477f13d9f764d77a
  SHA256: 2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face
  SHA512: f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
  MD5: 2fce217b06eab217e49e58ae373f8ddb
  SHA1: 3145657a134272e403320b87a2ef1df87ea9ab07
  SHA256: dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91
  SHA512: 421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72
- \Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
  MD5: bcc7a93ad8bad83eb4caf6228bf8ae6b
  SHA1: c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523
  SHA256: cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601
  SHA512: a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f
- \Users\Admin\AppData\Local\Temp\nsbB1D2.tmp\shbtviyozv.dll
  MD5: b08548c50aeca632a4f589cf225be6e2
  SHA1: 102d9cb4a737eb6a0e130544f3aaf28603b199ac
  SHA256: 73d6764798d0afe045ef2dfd8c04d19fdaaa844ccd8beb8297025bca8bdb4cf0
  SHA512: bb07aebac4284c457c99d36ccc1c1a8dcb8056c20ca5749f7bd20f9260cc974293ef0271fc6b311078569029c216f60fd470e0fc9adaef3a6a9b3c7b1f0ad94b
- \Users\Admin\AppData\Local\icsys.icn.exe
  MD5: 8329f0288b6df014a04153c750b678db
  SHA1: 5fb72256bbfdde0e47928e4d1712722b0ab64439
  SHA256: 13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b
  SHA512: 8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394
- \Users\Admin\AppData\Roaming\mrsys.exe
  MD5: cfd97063f21b585b7f4abe267298f6d1
  SHA1: 87aa494f51a7858048818ca784e9cbfd962e45d5
  SHA256: d80859dc4ea6a674987a0ff80b113701076f2861a707a4b199f8e7b0c74cb248
  SHA512: 38ecd619867ca76607c6fd74ff05c53939f0be4e4da542a1d7077ea266971a2a9db50c346d58a5dd462dc37182b809dd45a20e5e38c7adeb969ed0ee71d5fef8
- \Windows\system\explorer.exe
  MD5: 5b1da0d67621b3d0467e0148142745d6
  SHA1: d093447c7c584e9f03282f219db74345c0884111
  SHA256: 2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f
  SHA512: 1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d
- \Windows\system\spoolsv.exe
  MD5: e6c9b8acbe46874f785f597259ebe071
  SHA1: 510bc65b7578ea6082d5baed4fe344d1cabb1c23
  SHA256: f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848
  SHA512: 6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc
- \Windows\system\svchost.exe
  MD5: 8ab0d16deeb98f242159b6378857adb1
  SHA1: 21b5560500bfc09443115d7c477f13d9f764d77a
  SHA256: 2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face
  SHA512: f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c
- memory/868-56-0x0000000000000000-mapping.dmp
- memory/888-95-0x0000000000000000-mapping.dmp
- memory/984-64-0x0000000000000000-mapping.dmp
- memory/1044-53-0x0000000075871000-0x0000000075873000-memory.dmp (Filesize: 8KB)
- memory/1092-119-0x0000000000000000-mapping.dmp
- memory/1132-131-0x0000000000000000-mapping.dmp
- memory/1216-114-0x0000000000000000-mapping.dmp
- memory/1224-76-0x0000000000000000-mapping.dmp
- memory/1236-123-0x0000000001F91000-0x0000000001F92000-memory.dmp (Filesize: 4KB)
- memory/1236-70-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/1236-71-0x000000000040188B-mapping.dmp
- memory/1236-125-0x0000000001F97000-0x0000000001F98000-memory.dmp (Filesize: 4KB)
- memory/1236-124-0x0000000001F92000-0x0000000001F94000-memory.dmp (Filesize: 8KB)
- memory/1236-126-0x0000000001F98000-0x0000000001F99000-memory.dmp (Filesize: 4KB)
- memory/1236-103-0x0000000001F90000-0x0000000001F91000-memory.dmp (Filesize: 4KB)
- memory/1236-92-0x0000000000400000-0x000000000048B000-memory.dmp (Filesize: 556KB)
- memory/1324-85-0x0000000000000000-mapping.dmp
- memory/1584-105-0x0000000000000000-mapping.dmp
- memory/1732-129-0x0000000000000000-mapping.dmp