Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 21:04
Static task
static1
Behavioral task
behavioral1
Sample
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Resource
win10v2004-20240508-en
General
-
Target
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
-
Size
4.5MB
-
MD5
c1b3ef385e1c4d20e8dc59c7a629192a
-
SHA1
5d4d1e43ed56f67967e7f7861e26e11d3f80db8c
-
SHA256
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be
-
SHA512
e8f818da69a16c2f6577d62261a5d8e29f3a4c93c5cfd7eb8c18e0c2fa1bacd87ce35050d3f96d1bbf6b518fc63b77248399495399f998cd9a03a99fd312330f
-
SSDEEP
49152:CYWJZoQrbTFZY1iaZgI5ROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtKUoy+X:zWtrbTA1SXLW6jRhdGVQguhhW31Z+unP
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs
resource yara_rule behavioral1/files/0x00060000000161e7-96.dat INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs behavioral1/files/0x0006000000016c63-140.dat INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs -
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
resource yara_rule behavioral1/files/0x00060000000161e7-96.dat INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs behavioral1/files/0x0006000000016c63-140.dat INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects executables using Telegram Chat Bot 2 IoCs
resource yara_rule behavioral1/files/0x00060000000161e7-96.dat INDICATOR_SUSPICIOUS_EXE_TelegramChatBot behavioral1/files/0x0006000000016c63-140.dat INDICATOR_SUSPICIOUS_EXE_TelegramChatBot -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe -
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 2212 netsh.exe 2044 netsh.exe 2640 netsh.exe 2244 netsh.exe -
Executes dropped EXE 10 IoCs
pid Process 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2544 icsys.icn.exe 2428 explorer.exe 2388 spoolsv.exe 1956 svchost.exe 2732 spoolsv.exe 1852 QYWXTW.exe 2488 qywxtw.exe 2868 icsys.icn.exe 2852 explorer.exe -
Loads dropped DLL 21 IoCs
pid Process 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2544 icsys.icn.exe 2544 icsys.icn.exe 2428 explorer.exe 2428 explorer.exe 2388 spoolsv.exe 2388 spoolsv.exe 1956 svchost.exe 1956 svchost.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 1852 QYWXTW.exe 1852 QYWXTW.exe 1852 QYWXTW.exe 1852 QYWXTW.exe 2868 icsys.icn.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000015ca6-6.dat autoit_exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2544 icsys.icn.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2428 explorer.exe 2428 explorer.exe 2428 explorer.exe 2428 explorer.exe 1956 svchost.exe 1956 svchost.exe 2428 explorer.exe 1956 svchost.exe 2428 explorer.exe 2428 explorer.exe 1956 svchost.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2428 explorer.exe 1956 svchost.exe 1956 svchost.exe 2428 explorer.exe 2428 explorer.exe 1956 svchost.exe 2428 explorer.exe 1956 svchost.exe 1956 svchost.exe 2428 explorer.exe 1956 svchost.exe 2428 explorer.exe 2428 explorer.exe 1956 svchost.exe 1956 svchost.exe 2428 explorer.exe 2428 explorer.exe 1956 svchost.exe 1956 svchost.exe 2428 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2428 explorer.exe 1956 svchost.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2544 icsys.icn.exe 2544 icsys.icn.exe 2428 explorer.exe 2428 explorer.exe 2388 spoolsv.exe 2388 spoolsv.exe 1956 svchost.exe 1956 svchost.exe 2732 spoolsv.exe 2732 spoolsv.exe 2428 explorer.exe 2428 explorer.exe 1852 QYWXTW.exe 1852 QYWXTW.exe 2868 icsys.icn.exe 2868 icsys.icn.exe 2852 explorer.exe 2852 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1888 wrote to memory of 2236 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 28 PID 1888 wrote to memory of 2236 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 28 PID 1888 wrote to memory of 2236 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 28 PID 1888 wrote to memory of 2236 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 28 PID 1888 wrote to memory of 2544 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 29 PID 1888 wrote to memory of 2544 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 29 PID 1888 wrote to memory of 2544 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 29 PID 1888 wrote to memory of 2544 1888 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 29 PID 2544 wrote to memory of 2428 2544 icsys.icn.exe 30 PID 2544 wrote to memory of 2428 2544 icsys.icn.exe 30 PID 2544 wrote to memory of 2428 2544 icsys.icn.exe 30 PID 2544 wrote to memory of 2428 2544 icsys.icn.exe 30 PID 2428 wrote to memory of 2388 2428 explorer.exe 31 PID 2428 wrote to memory of 2388 2428 explorer.exe 31 PID 2428 wrote to memory of 2388 2428 explorer.exe 31 PID 2428 wrote to memory of 2388 2428 explorer.exe 31 PID 2388 wrote to memory of 1956 2388 spoolsv.exe 32 PID 2388 wrote to memory of 1956 2388 spoolsv.exe 32 PID 2388 wrote to memory of 1956 2388 spoolsv.exe 32 PID 2388 wrote to memory of 1956 2388 spoolsv.exe 32 PID 1956 wrote to memory of 2732 1956 svchost.exe 33 PID 1956 wrote to memory of 2732 1956 svchost.exe 33 PID 1956 wrote to memory of 2732 1956 svchost.exe 33 PID 1956 wrote to memory of 2732 1956 svchost.exe 33 PID 1956 wrote to memory of 1456 1956 svchost.exe 34 PID 1956 wrote to memory of 1456 1956 svchost.exe 34 PID 1956 wrote to memory of 1456 1956 svchost.exe 34 PID 1956 wrote to memory of 1456 1956 svchost.exe 34 PID 2236 wrote to memory of 1852 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 36 PID 2236 wrote to memory of 1852 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 36 PID 2236 wrote to memory of 1852 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 36 PID 2236 wrote to memory of 1852 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 36 PID 2236 wrote to memory of 328 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 37 PID 2236 wrote to memory of 328 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 37 PID 2236 wrote to memory of 328 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 37 PID 2236 wrote to memory of 328 2236 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 37 PID 328 wrote to memory of 2212 328 cmd.exe 39 PID 328 wrote to memory of 2212 328 cmd.exe 39 PID 328 wrote to memory of 2212 328 cmd.exe 39 PID 328 wrote to memory of 2212 328 cmd.exe 39 PID 1852 wrote to memory of 2488 1852 QYWXTW.exe 41 PID 1852 wrote to memory of 2488 1852 QYWXTW.exe 41 PID 1852 wrote to memory of 2488 1852 QYWXTW.exe 41 PID 1852 wrote to memory of 2488 1852 QYWXTW.exe 41 PID 1852 wrote to memory of 2868 1852 QYWXTW.exe 42 PID 1852 wrote to memory of 2868 1852 QYWXTW.exe 42 PID 1852 wrote to memory of 2868 1852 QYWXTW.exe 42 PID 1852 wrote to memory of 2868 1852 QYWXTW.exe 42 PID 2868 wrote to memory of 2852 2868 icsys.icn.exe 43 PID 2868 wrote to memory of 2852 2868 icsys.icn.exe 43 PID 2868 wrote to memory of 2852 2868 icsys.icn.exe 43 PID 2868 wrote to memory of 2852 2868 icsys.icn.exe 43 PID 328 wrote to memory of 2044 328 cmd.exe 44 PID 328 wrote to memory of 2044 328 cmd.exe 44 PID 328 wrote to memory of 2044 328 cmd.exe 44 PID 328 wrote to memory of 2044 328 cmd.exe 44 PID 328 wrote to memory of 2640 328 cmd.exe 45 PID 328 wrote to memory of 2640 328 cmd.exe 45 PID 328 wrote to memory of 2640 328 cmd.exe 45 PID 328 wrote to memory of 2640 328 cmd.exe 45 PID 328 wrote to memory of 2244 328 cmd.exe 46 PID 328 wrote to memory of 2244 328 cmd.exe 46 PID 328 wrote to memory of 2244 328 cmd.exe 46 PID 328 wrote to memory of 2244 328 cmd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exec:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\users\admin\appdata\local\temp\qywxtw.exec:\users\admin\appdata\local\temp\qywxtw.exe4⤵
- Executes dropped EXE
PID:2488
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"4⤵
- Modifies Windows Firewall
PID:2212
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"4⤵
- Modifies Windows Firewall
PID:2044
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"4⤵
- Modifies Windows Firewall
PID:2640
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"4⤵
- Modifies Windows Firewall
PID:2244
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\at.exeat 21:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:1456
-
-
C:\Windows\SysWOW64\at.exeat 21:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:2368
-
-
C:\Windows\SysWOW64\at.exeat 21:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:2624
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
825B
MD56bcabf6ce3cc7cd3b9a5b08c4339cbb8
SHA1c2f5e471632a3c7c0d02f8080fdd8d4dd65532c5
SHA2566e36e8a0649026adb416c01389cf8d999eeadb80046d24008252e7e331eadf5c
SHA51255ddbb321de7b4aebc949a23bf73ecc61cb82ad1370e92827639b482cfa4ec7d92725d39f9421ed7a21746588555f25a182a5871cba3c8dd3145a1cd5d99e78d
-
Filesize
206KB
MD53ae60dc5d168eb3e51f8323de5aad788
SHA17408e19bfd201bb088e4d585cab098ec4e95ab2f
SHA256ffb7f257f14a34de8829ded5d5495de8bb34aa18a50f7aa567771761b8b5182c
SHA512300eb9580e4324d558aeb6d1cf06da380b6c7fc947a77060e744ec8ffd9b5ec840e34d36d728f17f534ee9b0d390c8b99e7329fd4ee872cad2fbb13c70566489
-
Filesize
206KB
MD57d23adbe528f72952e82b9f47f2de6f2
SHA1d3b53599edab6008dfcc63ff2fe7b8388ee2a2ec
SHA256ad40d51b28949c49fd94df9628887a613be70131e6e24f551f09737380a7aafa
SHA51225d1ed2e67de4bbf3533eeba3e3c4ccc3e4e6e84c684680f34646c055f7405ea3c31b8a3b4bc6c7c15a9713a8c91477dce130c0c6a732971b0e57c20b3210376
-
Filesize
206KB
MD52ddb3f5e64a2f70a40b122067b913637
SHA1ca428463b9f40e5facf78da22569dad8c960f7ac
SHA25633f0416d60a271cb4d9d0d218b7750dc4a1b92d2ab9d52da74ab58c95c2b5f59
SHA5122044ba50019d7c1cbec03f68512d2bb66323ae160c276ab5d21cdfd8a36f41e6580025f6ba972d05f46b5f96d8b53a88a9161e39ef017ad7074912492bd8c092
-
Filesize
206KB
MD52720ab32dcc2e6eb4f801ccf1797ac92
SHA16ca3be8d877f5d0847c58c7d9f9fe43a8d723070
SHA2561587219c4e0e27fc320b49004b04676d821121d298974f71c2d87e62e30fd912
SHA5127399758c2a8a41a4178c26a891d465ad887530aeb50ee1bcfaa6b5b1e94428f3a293970286356aa3457c1226c06ad81c1d5d6210ab7690b1751d5af7c76ffa28
-
\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Filesize4.3MB
MD537e03edc3d9486da77b1e98e54942046
SHA1d8b4eabc45777b0dfbf2495101715863d3581097
SHA2568278f5bea6e38fb25361233c7490dfe4945f38dff1b9363a65225cf6229d5d6a
SHA512fd340741fe102e5ef3824dd27122d509224366395ab0cb1d1ea901fbddedc10975c6d9224a50f2aa5e113b4eaa01889fa758654e300c7a88f15b685ed1460970
-
Filesize
5.9MB
MD5021079dc0918b9c7359e93e770678000
SHA170c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA5129bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
-
Filesize
5.7MB
MD52c2055233260e5bb20ce675afd39ed0d
SHA126c056ba8e99a3fb523612b422a85be3ecbbd5b3
SHA256306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d
SHA5123e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546
-
Filesize
206KB
MD5c5f78d788265a8c2b80017a0dc351266
SHA132836c3ccaf84431beaba1b10107743c052cddc0
SHA2560a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0
SHA5120315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16
-
Filesize
206KB
MD50d0389c4efcd358d2dd2cbd3a853c183
SHA10f5debba6616146b99cbae980805da6654374f71
SHA2562ef6fec878859d49544e76864a105d9457b0d30564eec1241ac01639ce669cd6
SHA512191a2ecee4c275642332b9ad11c2360bfe1848d8251eeb1b498969976d6481dfb6cdb6536940b9c908202bfe727f79f56e05b36e6cb40d85a86b91a7d658a2ba