lucastealer | 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Size

4.5MB
MD5

c1b3ef385e1c4d20e8dc59c7a629192a
SHA1

5d4d1e43ed56f67967e7f7861e26e11d3f80db8c
SHA256

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be
SHA512

e8f818da69a16c2f6577d62261a5d8e29f3a4c93c5cfd7eb8c18e0c2fa1bacd87ce35050d3f96d1bbf6b518fc63b77248399495399f998cd9a03a99fd312330f
SSDEEP

49152:CYWJZoQrbTFZY1iaZgI5ROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtKUoy+X:zWtrbTA1SXLW6jRhdGVQguhhW31Z+unP

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00060000000161e7-96.dat	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/files/0x0006000000016c63-140.dat	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00060000000161e7-96.dat	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/files/0x0006000000016c63-140.dat	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables using Telegram Chat Bot 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00060000000161e7-96.dat	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/files/0x0006000000016c63-140.dat	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
2212	netsh.exe
2044	netsh.exe
2640	netsh.exe
2244	netsh.exe

Executes dropped EXE 10 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeQYWXTW.exeqywxtw.exe icsys.icn.exeexplorer.exe

pid	Process
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2544	icsys.icn.exe
2428	explorer.exe
2388	spoolsv.exe
1956	svchost.exe
2732	spoolsv.exe
1852	QYWXTW.exe
2488	qywxtw.exe
2868	icsys.icn.exe
2852	explorer.exe

Loads dropped DLL 21 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe QYWXTW.exeicsys.icn.exe

pid	Process
1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2428	explorer.exe
2428	explorer.exe
2388	spoolsv.exe
2388	spoolsv.exe
1956	svchost.exe
1956	svchost.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
1852	QYWXTW.exe
1852	QYWXTW.exe
1852	QYWXTW.exe
1852	QYWXTW.exe
2868	icsys.icn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015ca6-6.dat	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exeicsys.icn.exespoolsv.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exe3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe explorer.exesvchost.exe

pid	Process
2544	icsys.icn.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2428	explorer.exe
2428	explorer.exe
2428	explorer.exe
2428	explorer.exe
1956	svchost.exe
1956	svchost.exe
2428	explorer.exe
1956	svchost.exe
2428	explorer.exe
2428	explorer.exe
1956	svchost.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2428	explorer.exe
1956	svchost.exe
1956	svchost.exe
2428	explorer.exe
2428	explorer.exe
1956	svchost.exe
2428	explorer.exe
1956	svchost.exe
1956	svchost.exe
2428	explorer.exe
1956	svchost.exe
2428	explorer.exe
2428	explorer.exe
1956	svchost.exe
1956	svchost.exe
2428	explorer.exe
2428	explorer.exe
1956	svchost.exe
1956	svchost.exe
2428	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
2428	explorer.exe
1956	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeQYWXTW.exeicsys.icn.exeexplorer.exe

pid	Process
1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2428	explorer.exe
2428	explorer.exe
2388	spoolsv.exe
2388	spoolsv.exe
1956	svchost.exe
1956	svchost.exe
2732	spoolsv.exe
2732	spoolsv.exe
2428	explorer.exe
2428	explorer.exe
1852	QYWXTW.exe
1852	QYWXTW.exe
2868	icsys.icn.exe
2868	icsys.icn.exe
2852	explorer.exe
2852	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1888 wrote to memory of 2236	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	28
PID 1888 wrote to memory of 2236	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	28
PID 1888 wrote to memory of 2236	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	28
PID 1888 wrote to memory of 2236	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	28
PID 1888 wrote to memory of 2544	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	29
PID 1888 wrote to memory of 2544	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	29
PID 1888 wrote to memory of 2544	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	29
PID 1888 wrote to memory of 2544	1888	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	29
PID 2544 wrote to memory of 2428	2544	icsys.icn.exe	30
PID 2544 wrote to memory of 2428	2544	icsys.icn.exe	30
PID 2544 wrote to memory of 2428	2544	icsys.icn.exe	30
PID 2544 wrote to memory of 2428	2544	icsys.icn.exe	30
PID 2428 wrote to memory of 2388	2428	explorer.exe	31
PID 2428 wrote to memory of 2388	2428	explorer.exe	31
PID 2428 wrote to memory of 2388	2428	explorer.exe	31
PID 2428 wrote to memory of 2388	2428	explorer.exe	31
PID 2388 wrote to memory of 1956	2388	spoolsv.exe	32
PID 2388 wrote to memory of 1956	2388	spoolsv.exe	32
PID 2388 wrote to memory of 1956	2388	spoolsv.exe	32
PID 2388 wrote to memory of 1956	2388	spoolsv.exe	32
PID 1956 wrote to memory of 2732	1956	svchost.exe	33
PID 1956 wrote to memory of 2732	1956	svchost.exe	33
PID 1956 wrote to memory of 2732	1956	svchost.exe	33
PID 1956 wrote to memory of 2732	1956	svchost.exe	33
PID 1956 wrote to memory of 1456	1956	svchost.exe	34
PID 1956 wrote to memory of 1456	1956	svchost.exe	34
PID 1956 wrote to memory of 1456	1956	svchost.exe	34
PID 1956 wrote to memory of 1456	1956	svchost.exe	34
PID 2236 wrote to memory of 1852	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	36
PID 2236 wrote to memory of 1852	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	36
PID 2236 wrote to memory of 1852	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	36
PID 2236 wrote to memory of 1852	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	36
PID 2236 wrote to memory of 328	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	37
PID 2236 wrote to memory of 328	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	37
PID 2236 wrote to memory of 328	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	37
PID 2236 wrote to memory of 328	2236	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	37
PID 328 wrote to memory of 2212	328	cmd.exe	39
PID 328 wrote to memory of 2212	328	cmd.exe	39
PID 328 wrote to memory of 2212	328	cmd.exe	39
PID 328 wrote to memory of 2212	328	cmd.exe	39
PID 1852 wrote to memory of 2488	1852	QYWXTW.exe	41
PID 1852 wrote to memory of 2488	1852	QYWXTW.exe	41
PID 1852 wrote to memory of 2488	1852	QYWXTW.exe	41
PID 1852 wrote to memory of 2488	1852	QYWXTW.exe	41
PID 1852 wrote to memory of 2868	1852	QYWXTW.exe	42
PID 1852 wrote to memory of 2868	1852	QYWXTW.exe	42
PID 1852 wrote to memory of 2868	1852	QYWXTW.exe	42
PID 1852 wrote to memory of 2868	1852	QYWXTW.exe	42
PID 2868 wrote to memory of 2852	2868	icsys.icn.exe	43
PID 2868 wrote to memory of 2852	2868	icsys.icn.exe	43
PID 2868 wrote to memory of 2852	2868	icsys.icn.exe	43
PID 2868 wrote to memory of 2852	2868	icsys.icn.exe	43
PID 328 wrote to memory of 2044	328	cmd.exe	44
PID 328 wrote to memory of 2044	328	cmd.exe	44
PID 328 wrote to memory of 2044	328	cmd.exe	44
PID 328 wrote to memory of 2044	328	cmd.exe	44
PID 328 wrote to memory of 2640	328	cmd.exe	45
PID 328 wrote to memory of 2640	328	cmd.exe	45
PID 328 wrote to memory of 2640	328	cmd.exe	45
PID 328 wrote to memory of 2640	328	cmd.exe	45
PID 328 wrote to memory of 2244	328	cmd.exe	46
PID 328 wrote to memory of 2244	328	cmd.exe	46
PID 328 wrote to memory of 2244	328	cmd.exe	46
PID 328 wrote to memory of 2244	328	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
"C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- \??\c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
  c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe
    "C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - \??\c:\users\admin\appdata\local\temp\qywxtw.exe
      c:\users\admin\appdata\local\temp\qywxtw.exe
      4⤵
      Executes dropped EXE
      PID:2488
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2868
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
      4⤵
      Modifies Windows Firewall
      PID:2212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
      4⤵
      Modifies Windows Firewall
      PID:2044
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
      4⤵
      Modifies Windows Firewall
      PID:2640
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
      4⤵
      Modifies Windows Firewall
      PID:2244
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2388
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
      - C:\Windows\SysWOW64\at.exe
        
        at 21:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\at.exe
        
        at 21:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\at.exe
        
        at 21:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat

Filesize
825B

MD5
6bcabf6ce3cc7cd3b9a5b08c4339cbb8

SHA1
c2f5e471632a3c7c0d02f8080fdd8d4dd65532c5

SHA256
6e36e8a0649026adb416c01389cf8d999eeadb80046d24008252e7e331eadf5c

SHA512
55ddbb321de7b4aebc949a23bf73ecc61cb82ad1370e92827639b482cfa4ec7d92725d39f9421ed7a21746588555f25a182a5871cba3c8dd3145a1cd5d99e78d

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
3ae60dc5d168eb3e51f8323de5aad788

SHA1
7408e19bfd201bb088e4d585cab098ec4e95ab2f

SHA256
ffb7f257f14a34de8829ded5d5495de8bb34aa18a50f7aa567771761b8b5182c

SHA512
300eb9580e4324d558aeb6d1cf06da380b6c7fc947a77060e744ec8ffd9b5ec840e34d36d728f17f534ee9b0d390c8b99e7329fd4ee872cad2fbb13c70566489

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
7d23adbe528f72952e82b9f47f2de6f2

SHA1
d3b53599edab6008dfcc63ff2fe7b8388ee2a2ec

SHA256
ad40d51b28949c49fd94df9628887a613be70131e6e24f551f09737380a7aafa

SHA512
25d1ed2e67de4bbf3533eeba3e3c4ccc3e4e6e84c684680f34646c055f7405ea3c31b8a3b4bc6c7c15a9713a8c91477dce130c0c6a732971b0e57c20b3210376

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
2ddb3f5e64a2f70a40b122067b913637

SHA1
ca428463b9f40e5facf78da22569dad8c960f7ac

SHA256
33f0416d60a271cb4d9d0d218b7750dc4a1b92d2ab9d52da74ab58c95c2b5f59

SHA512
2044ba50019d7c1cbec03f68512d2bb66323ae160c276ab5d21cdfd8a36f41e6580025f6ba972d05f46b5f96d8b53a88a9161e39ef017ad7074912492bd8c092

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
2720ab32dcc2e6eb4f801ccf1797ac92

SHA1
6ca3be8d877f5d0847c58c7d9f9fe43a8d723070

SHA256
1587219c4e0e27fc320b49004b04676d821121d298974f71c2d87e62e30fd912

SHA512
7399758c2a8a41a4178c26a891d465ad887530aeb50ee1bcfaa6b5b1e94428f3a293970286356aa3457c1226c06ad81c1d5d6210ab7690b1751d5af7c76ffa28

Download Submit
\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe

Filesize
4.3MB

MD5
37e03edc3d9486da77b1e98e54942046

SHA1
d8b4eabc45777b0dfbf2495101715863d3581097

SHA256
8278f5bea6e38fb25361233c7490dfe4945f38dff1b9363a65225cf6229d5d6a

SHA512
fd340741fe102e5ef3824dd27122d509224366395ab0cb1d1ea901fbddedc10975c6d9224a50f2aa5e113b4eaa01889fa758654e300c7a88f15b685ed1460970

Download Submit
\Users\Admin\AppData\Local\Temp\QYWXTW.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\qywxtw.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
0d0389c4efcd358d2dd2cbd3a853c183

SHA1
0f5debba6616146b99cbae980805da6654374f71

SHA256
2ef6fec878859d49544e76864a105d9457b0d30564eec1241ac01639ce669cd6

SHA512
191a2ecee4c275642332b9ad11c2360bfe1848d8251eeb1b498969976d6481dfb6cdb6536940b9c908202bfe727f79f56e05b36e6cb40d85a86b91a7d658a2ba

Download Submit
memory/1852-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-153-0x0000000003250000-0x0000000003290000-memory.dmp

Filesize
256KB

Download
memory/1852-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-25-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1888-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-26-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/1956-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-101-0x0000000004570000-0x00000000045B0000-memory.dmp

Filesize
256KB

Download
memory/2236-100-0x0000000004570000-0x00000000045B0000-memory.dmp

Filesize
256KB

Download
memory/2236-110-0x0000000004570000-0x00000000045B0000-memory.dmp

Filesize
256KB

Download
memory/2236-111-0x0000000004570000-0x00000000045B0000-memory.dmp

Filesize
256KB

Download
memory/2388-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-76-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/2428-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-47-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2544-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-162-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download