lucastealer | d881663244daab00c57fb1715aef3ce183da334236670ea520bbf0fd198a4b3d

Resubmissions

22-10-2023 04:26

231022-e2zfpsfa72 10

21-10-2023 21:13

231021-z27gjacf54 10

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.13d37451cb332802b88bd5684f8a9f90.exe
Size

4.6MB
MD5

13d37451cb332802b88bd5684f8a9f90
SHA1

19c367dca209aff91e39aaedaa021e0c957502d0
SHA256

d881663244daab00c57fb1715aef3ce183da334236670ea520bbf0fd198a4b3d
SHA512

e38eadd8628cc6d6d8e0ef8538635328ec8d62292b1672fbc8a18c974fc1393879102746006ef5a13f1e52bbe4bf692e3111f54110427e4805e7a231b94c741a
SSDEEP

49152:CYhJZoQrbTFZY1ia/N8kHLlkMROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtB:zhtrbTA1OiWXLW6jRhdGVQguhhW31Z4

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

neas.13d37451cb332802b88bd5684f8a9f90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation	neas.13d37451cb332802b88bd5684f8a9f90.exe

Drops startup file 1 IoCs

Processes:

neas.13d37451cb332802b88bd5684f8a9f90.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CIJRTX.lnk	neas.13d37451cb332802b88bd5684f8a9f90.exe

Executes dropped EXE 11 IoCs

Processes:

neas.13d37451cb332802b88bd5684f8a9f90.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUPUGVT.exeRXLFSQ.exeupugvt.exe icsys.icn.exeexplorer.exe

pid	process
1960	neas.13d37451cb332802b88bd5684f8a9f90.exe
1476	icsys.icn.exe
1684	explorer.exe
1776	spoolsv.exe
4804	svchost.exe
3244	spoolsv.exe
4304	UPUGVT.exe
400	RXLFSQ.exe
1160	upugvt.exe
556	icsys.icn.exe
964	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exeneas.13d37451cb332802b88bd5684f8a9f90.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CIJRTX = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	neas.13d37451cb332802b88bd5684f8a9f90.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\neas.13d37451cb332802b88bd5684f8a9f90.exe	autoit_exe
\??\c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2348 schtasks.exe

pid	process
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1476	icsys.icn.exe
1476	icsys.icn.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
4804	svchost.exe
1684	explorer.exe
1684	explorer.exe
4804	svchost.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
4804	svchost.exe
1684	explorer.exe
1684	explorer.exe
4804	svchost.exe
4804	svchost.exe
1684	explorer.exe
1684	explorer.exe
4804	svchost.exe
4804	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

neas.13d37451cb332802b88bd5684f8a9f90.exe explorer.exesvchost.exe

pid process

1960 neas.13d37451cb332802b88bd5684f8a9f90.exe
1684 explorer.exe
4804 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2760 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2760 AUDIODG.EXE

description	pid	process
Token: 33	2760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2760	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

NEAS.13d37451cb332802b88bd5684f8a9f90.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUPUGVT.exeRXLFSQ.exeicsys.icn.exeexplorer.exe

pid	process
1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe
1476	icsys.icn.exe
1476	icsys.icn.exe
1684	explorer.exe
1684	explorer.exe
1776	spoolsv.exe
1776	spoolsv.exe
4804	svchost.exe
4804	svchost.exe
3244	spoolsv.exe
3244	spoolsv.exe
4304	UPUGVT.exe
1684	explorer.exe
1684	explorer.exe
4304	UPUGVT.exe
400	RXLFSQ.exe
556	icsys.icn.exe
556	icsys.icn.exe
964	explorer.exe
964	explorer.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

NEAS.13d37451cb332802b88bd5684f8a9f90.exeicsys.icn.exeexplorer.exespoolsv.exeneas.13d37451cb332802b88bd5684f8a9f90.exe svchost.execmd.exeUPUGVT.exeicsys.icn.exe

description	pid	process	target process
PID 1488 wrote to memory of 1960	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	neas.13d37451cb332802b88bd5684f8a9f90.exe
PID 1488 wrote to memory of 1960	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	neas.13d37451cb332802b88bd5684f8a9f90.exe
PID 1488 wrote to memory of 1960	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	neas.13d37451cb332802b88bd5684f8a9f90.exe
PID 1488 wrote to memory of 1476	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	icsys.icn.exe
PID 1488 wrote to memory of 1476	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	icsys.icn.exe
PID 1488 wrote to memory of 1476	1488	NEAS.13d37451cb332802b88bd5684f8a9f90.exe	icsys.icn.exe
PID 1476 wrote to memory of 1684	1476	icsys.icn.exe	explorer.exe
PID 1476 wrote to memory of 1684	1476	icsys.icn.exe	explorer.exe
PID 1476 wrote to memory of 1684	1476	icsys.icn.exe	explorer.exe
PID 1684 wrote to memory of 1776	1684	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 1776	1684	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 1776	1684	explorer.exe	spoolsv.exe
PID 1776 wrote to memory of 4804	1776	spoolsv.exe	svchost.exe
PID 1776 wrote to memory of 4804	1776	spoolsv.exe	svchost.exe
PID 1776 wrote to memory of 4804	1776	spoolsv.exe	svchost.exe
PID 1960 wrote to memory of 4304	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	UPUGVT.exe
PID 1960 wrote to memory of 4304	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	UPUGVT.exe
PID 1960 wrote to memory of 4304	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	UPUGVT.exe
PID 4804 wrote to memory of 3244	4804	svchost.exe	spoolsv.exe
PID 4804 wrote to memory of 3244	4804	svchost.exe	spoolsv.exe
PID 4804 wrote to memory of 3244	4804	svchost.exe	spoolsv.exe
PID 1960 wrote to memory of 400	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	RXLFSQ.exe
PID 1960 wrote to memory of 400	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	RXLFSQ.exe
PID 1960 wrote to memory of 400	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	RXLFSQ.exe
PID 4804 wrote to memory of 3560	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 3560	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 3560	4804	svchost.exe	at.exe
PID 1960 wrote to memory of 3184	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	cmd.exe
PID 1960 wrote to memory of 3184	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	cmd.exe
PID 1960 wrote to memory of 3184	1960	neas.13d37451cb332802b88bd5684f8a9f90.exe	cmd.exe
PID 3184 wrote to memory of 2348	3184	cmd.exe	schtasks.exe
PID 3184 wrote to memory of 2348	3184	cmd.exe	schtasks.exe
PID 3184 wrote to memory of 2348	3184	cmd.exe	schtasks.exe
PID 4304 wrote to memory of 1160	4304	UPUGVT.exe	upugvt.exe
PID 4304 wrote to memory of 1160	4304	UPUGVT.exe	upugvt.exe
PID 4304 wrote to memory of 556	4304	UPUGVT.exe	icsys.icn.exe
PID 4304 wrote to memory of 556	4304	UPUGVT.exe	icsys.icn.exe
PID 4304 wrote to memory of 556	4304	UPUGVT.exe	icsys.icn.exe
PID 556 wrote to memory of 964	556	icsys.icn.exe	explorer.exe
PID 556 wrote to memory of 964	556	icsys.icn.exe	explorer.exe
PID 556 wrote to memory of 964	556	icsys.icn.exe	explorer.exe
PID 4804 wrote to memory of 2816	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 2816	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 2816	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 1844	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 1844	4804	svchost.exe	at.exe
PID 4804 wrote to memory of 1844	4804	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.13d37451cb332802b88bd5684f8a9f90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.13d37451cb332802b88bd5684f8a9f90.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- \??\c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe
  c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe
    "C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - \??\c:\users\admin\appdata\local\temp\upugvt.exe
      c:\users\admin\appdata\local\temp\upugvt.exe
      4⤵
      Executes dropped EXE
      PID:1160
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:556
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
- - C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn CIJRTX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn CIJRTX.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:2348
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1476
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1776
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3244
      - C:\Windows\SysWOW64\at.exe
        
        at 21:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3560
      - C:\Windows\SysWOW64\at.exe
        
        at 22:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\at.exe
        
        at 22:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXLFSQ.exe

Filesize
85KB

MD5
1963215be5bef2cc0b8786057b2f406e

SHA1
66b0cff746baa348719eab2508e4b7ccba75e335

SHA256
d50bc227c8e0c573daca7291d9f684a9626e6274aa4e08f778f7cc2aa9eb57b0

SHA512
e3c88d1ad4bf9593519ee7cde1a784c14ab5c15784e2c49e35454df3280dd638f068d28989af9f953cce955a4452de38baf9883070de66a2fad488524a038ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPUGVT.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\neas.13d37451cb332802b88bd5684f8a9f90.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
C:\Users\Admin\AppData\Local\Temp\upugvt.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
97968fd70aa980e0f26118b2fe567364

SHA1
c698ef8de25dc4e8c311cc64fd65875ed54b421d

SHA256
60790ecc8c9eeebce2a76e408d6cbcfb37e39e0bb9ab7b9eb1212dd586a505de

SHA512
3b1a501d30e5bc773c029d9707a3553c9f8c401291a98c4df7006eed078bfae0318a0b71e2b60a1ff2bf80ae52df0d0d0cc5ca3cbf4b4d4acb385934ddd3a5d0

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
1ef6118c2d62bd3ee74b1eb5708a1ce5

SHA1
af5e489b6b3c7f3420a2cd965aee1abe88f4e4e8

SHA256
dede44ccf747d5632258693a91203ed5cc73c8ee136dbf920de1d875be243594

SHA512
2320abf772a2b94564660ae47e1da24ccedc1d3524f268db4ceaf349190b830fef43bc525a0344d10e5904363b4d559db9dc8bb4b7cb58846ad726321b861bf3

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
cc41d088a968c849c7c06782ded1e085

SHA1
a6f726a4cd79bdc68a648dafd0d4f820bda0001d

SHA256
a2364d78dd940a3a3c0470c44c07659eef3bfc1950ced835efd79252028690aa

SHA512
9f3c9584d87bd467ae313357d77d879ecf91fef0b45436b251bfab89b0f6d1eae122734ec5d74be0261622fce1aa785e46729496d6252c911dda63449ea4edb0

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
cc41d088a968c849c7c06782ded1e085

SHA1
a6f726a4cd79bdc68a648dafd0d4f820bda0001d

SHA256
a2364d78dd940a3a3c0470c44c07659eef3bfc1950ced835efd79252028690aa

SHA512
9f3c9584d87bd467ae313357d77d879ecf91fef0b45436b251bfab89b0f6d1eae122734ec5d74be0261622fce1aa785e46729496d6252c911dda63449ea4edb0

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
cc41d088a968c849c7c06782ded1e085

SHA1
a6f726a4cd79bdc68a648dafd0d4f820bda0001d

SHA256
a2364d78dd940a3a3c0470c44c07659eef3bfc1950ced835efd79252028690aa

SHA512
9f3c9584d87bd467ae313357d77d879ecf91fef0b45436b251bfab89b0f6d1eae122734ec5d74be0261622fce1aa785e46729496d6252c911dda63449ea4edb0

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
f74e175a59c282cc4f0079f8f239ce8e

SHA1
2cdd2698ceae94f176112803e8346d605c265cce

SHA256
bcf50fe7f67299c45a525ae2a339d5db97e28c2c9943fa5f424bc652eb068884

SHA512
f13994993e700ed99ce96e1bd5d398d281dc35b2572f7841bf21650909cbd0c3d8701036978adec26d5656e1549eb56d798320d7a68f45a2abc5730bc9333baa

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
f74e175a59c282cc4f0079f8f239ce8e

SHA1
2cdd2698ceae94f176112803e8346d605c265cce

SHA256
bcf50fe7f67299c45a525ae2a339d5db97e28c2c9943fa5f424bc652eb068884

SHA512
f13994993e700ed99ce96e1bd5d398d281dc35b2572f7841bf21650909cbd0c3d8701036978adec26d5656e1549eb56d798320d7a68f45a2abc5730bc9333baa

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
372d0d9c1e51f7cf4e0d1f4ba6b855f0

SHA1
57eebed2e8e84f9dded2945262da6c4a74c48efd

SHA256
c8474b960f66a5808c20322e05b10f01e67d5b02f11f03898089840cded02871

SHA512
d909f1440adf41b5f7a5a31700c6a6de36f805c079de2a078a8b24765736944bf07223fbf7a6b526cd1faa8b8ad716e7c68d6928dcb2df91ca8a60dd8ecf67b1

Download Submit
\??\c:\users\admin\appdata\local\temp\neas.13d37451cb332802b88bd5684f8a9f90.exe

Filesize
4.4MB

MD5
4ef9093c4d69f66d224b6734abc50345

SHA1
ac7e66abb63ef71d14a7753d769379ec7ee5eb5e

SHA256
a7d420fbd384b07ca436d9a48f2975f5401fd4efb16445bff7a0d2ffba53dcfa

SHA512
dddc114583045a49e0e9757f5dac6bcd517bd5b577501d84f5d750944206e3c376c7db37914fa6f3cc216a3442078d2b64109004aee4a82f8a7f1154423f8732

Download Submit
\??\c:\users\admin\appdata\local\temp\upugvt.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
cc41d088a968c849c7c06782ded1e085

SHA1
a6f726a4cd79bdc68a648dafd0d4f820bda0001d

SHA256
a2364d78dd940a3a3c0470c44c07659eef3bfc1950ced835efd79252028690aa

SHA512
9f3c9584d87bd467ae313357d77d879ecf91fef0b45436b251bfab89b0f6d1eae122734ec5d74be0261622fce1aa785e46729496d6252c911dda63449ea4edb0

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
f74e175a59c282cc4f0079f8f239ce8e

SHA1
2cdd2698ceae94f176112803e8346d605c265cce

SHA256
bcf50fe7f67299c45a525ae2a339d5db97e28c2c9943fa5f424bc652eb068884

SHA512
f13994993e700ed99ce96e1bd5d398d281dc35b2572f7841bf21650909cbd0c3d8701036978adec26d5656e1549eb56d798320d7a68f45a2abc5730bc9333baa

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
372d0d9c1e51f7cf4e0d1f4ba6b855f0

SHA1
57eebed2e8e84f9dded2945262da6c4a74c48efd

SHA256
c8474b960f66a5808c20322e05b10f01e67d5b02f11f03898089840cded02871

SHA512
d909f1440adf41b5f7a5a31700c6a6de36f805c079de2a078a8b24765736944bf07223fbf7a6b526cd1faa8b8ad716e7c68d6928dcb2df91ca8a60dd8ecf67b1

Download Submit
memory/400-103-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-111-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-82-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/400-121-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-116-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-115-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-118-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-112-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-117-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-120-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-109-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-119-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-104-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/400-105-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-106-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-107-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/400-108-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/556-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-50-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download