Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
17-04-2024 12:50
Behavioral task
behavioral1
Sample
d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Resource
win10v2004-20240226-en
General
-
Target
d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
-
Size
804KB
-
MD5
daf5ddf2a53dde0a2398973fc6ac93e0
-
SHA1
a225fec587cb4763eba40943c88396a86e74c6c4
-
SHA256
d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d
-
SHA512
19d4ed705cb2550c9a5bf6f8ca0c5800c166ee20a64a401eff46b284c39ed5a8b1ed6838513379c60eae18d53e0d7e4dc0f43857b815c9c138664f6dd5bf738c
-
SSDEEP
12288:zENN+T5xYrllrU7QY6/5xYrllrU7QY6vaLo3K3ahaMcqDJXKuJUsENN+7:Z5xolYQY6/5xolYQY6UomahakN6uJUs
Malware Config
Signatures
-
Detect Neshta payload 2 IoCs
Processes:
resource | yara_rule
\??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe | family_neshta
behavioral1/memory/2588-153-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE 6 IoCs
Processes: d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2588 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540 | icsys.icn.exe
2684 | explorer.exe
2324 | spoolsv.exe
2428 | svchost.exe
1944 | spoolsv.exe
Loads dropped DLL 15 IoCs
Processes: d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
pid | process
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540 | icsys.icn.exe
2540 | icsys.icn.exe
2684 | explorer.exe
2684 | explorer.exe
2324 | spoolsv.exe
2324 | spoolsv.exe
2428 | svchost.exe
2428 | svchost.exe
2588 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2588 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2588 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 7 IoCs
Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | C:\Windows\svchost.com | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2684 | explorer.exe
2428 | svchost.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes: d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872 | d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540 | icsys.icn.exe
2540 | icsys.icn.exe
2684 | explorer.exe
2684 | explorer.exe
2324 | spoolsv.exe
2324 | spoolsv.exe
2428 | svchost.exe
2428 | svchost.exe
1944 | spoolsv.exe
1944 | spoolsv.exe
2684 | explorer.exe
2684 | explorer.exe
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe")
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2: \??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe (command line: c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
Level 2: C:\Users\Admin\AppData\Local\icsys.icn.exe (command line: C:\Users\Admin\AppData\Local\icsys.icn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 3: \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe)
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 4: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 5: \??\c:\windows\system\svchost.exe (command line: c:\windows\system\svchost.exe)
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 6: \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe PR)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Level 6: C:\Windows\SysWOW64\at.exe (command line: at 12:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
-
Level 6: C:\Windows\SysWOW64\at.exe (command line: at 12:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
-
Level 6: C:\Windows\SysWOW64\at.exe (command line: at 12:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
-
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize 206KB
MD5 f2872915e8e25fe162e1f2001411a6bd
SHA1 dfc8ee7d8ac71ffb9e50f497068b6cc5339ccd2a
SHA256 9de96fbf380d228bb3e02860aeab04ad62c78978deab132bcb834ef2f833bfb5
SHA512 ea5ba2550ea3cab404c7e2cd73c201f71703d34918e39468cefac41df496afa253e116c8ae44d463db8f3c13c44e5953158ed467ca654e990a877d0dc45aebb4
-
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize 207KB
MD5 9cba4eb509b31ac86c81aa93d5ce8173
SHA1 ef9e0df306def1dd41a10f0037abd0c238faa250
SHA256 23ecde6debc3fecb8275a3e8b232f5c242d7332bc00b64ab5155f3cb90e15626
SHA512 dc28e89eabf4bc966e1f1451aa2c444b451b7ff9f295049ff26e14c99fc9e9ff5164d2a29e99e614fdc4a19fd470b03d51fde9279d573d2a7ae4b78587b2ecd7
-
C:\Windows\system\spoolsv.exe
Filesize 206KB
MD5 198c430dba40794b2af33c9fa2faca8e
SHA1 b7b8000f580564f9a579a938aaabe53c5e2118b1
SHA256 b505cf8e4cd9bcd4f1fe733e2dce0f1b4377d563d1ec8a51bd80657e8ea3b711
SHA512 936fa92afd547b9f4edd245a896bb4cffda4fb91aa3904d41a5d3e155126bbaa412638b4467b426d7a0d96abe71872d400f14b0ee4f546fd1ab23c5490a20946
-
C:\Windows\system\svchost.exe
Filesize 206KB
MD5 ded2dbe9e7aa8fcafecaec53b4f50815
SHA1 fc91dd8b8f8377aacdff5f365f3f5b7b31535a1e
SHA256 5d200477ca0d2b34a166da3dbc694434db7590bdabafcf6b49192de05e96c300
SHA512 ea0d3e3a4678309d10ca7e148c09d8803c1ad98cc7d6666a2d7f012c452205f2b53f34c3f58893b5963a3eeeaf4207d327930f2b759e6203b6fae69b36a4815b
-
\??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Filesize 598KB
MD5 e0d1b214c3901f72582de29380ad0f11
SHA1 8b3a505c4e6195fd2eb2522191a8ea8eee2a248c
SHA256 c7971981baf58b28fa5cfd06112caf63f63667eece0ac563e5082a6a28533c18
SHA512 0f340c05a8d68536113bedf586060cc5223b5bd3cfc88dc6942da150b88246e3bb656b145a9e64cf2520dd848428ca314f1d60f0914d58e026f1715a8f38371f
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize 252KB
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Windows\system\explorer.exe
Filesize 206KB
MD5 cbe70224477b3ccff130c9c6c5d2a851
SHA1 1cdcf42b2ee3b105eb4b8ff35ca6ad6e61d03bf9
SHA256 dffb2ea9e8dd1c3d9158ed82992eb9a65d1dc8c63b4bf5310de6748d601ac6e0
SHA512 43fa03f66c2e180b89cb79cb262ba92a7c298f07271ecd638b6178afe3380ae6f9d0d89b7e46e38ea4f99905722f0c961276469884bb8c88923284d4ccd7d3d3
-
memory/2588-153-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB