Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 21:04
Static task
static1
Behavioral task
behavioral1
Sample
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Resource
win10v2004-20240508-en
General
-
Target
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
-
Size
4.5MB
-
MD5
c1b3ef385e1c4d20e8dc59c7a629192a
-
SHA1
5d4d1e43ed56f67967e7f7861e26e11d3f80db8c
-
SHA256
3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be
-
SHA512
e8f818da69a16c2f6577d62261a5d8e29f3a4c93c5cfd7eb8c18e0c2fa1bacd87ce35050d3f96d1bbf6b518fc63b77248399495399f998cd9a03a99fd312330f
-
SSDEEP
49152:CYWJZoQrbTFZY1iaZgI5ROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtKUoy+X:zWtrbTA1SXLW6jRhdGVQguhhW31Z+unP
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs
resource yara_rule behavioral2/files/0x000700000002342b-71.dat INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs behavioral2/files/0x000700000002342d-89.dat INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs -
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
resource yara_rule behavioral2/files/0x000700000002342b-71.dat INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs behavioral2/files/0x000700000002342d-89.dat INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects executables using Telegram Chat Bot 2 IoCs
resource yara_rule behavioral2/files/0x000700000002342b-71.dat INDICATOR_SUSPICIOUS_EXE_TelegramChatBot behavioral2/files/0x000700000002342d-89.dat INDICATOR_SUSPICIOUS_EXE_TelegramChatBot -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 3716 netsh.exe 3776 netsh.exe 780 netsh.exe 3720 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe -
Executes dropped EXE 10 IoCs
pid Process 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3208 icsys.icn.exe 600 explorer.exe 2196 spoolsv.exe 4472 svchost.exe 3932 spoolsv.exe 4736 QYWXTW.exe 1580 qywxtw.exe 4980 icsys.icn.exe 3184 explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023422-7.dat autoit_exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3208 icsys.icn.exe 3208 icsys.icn.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 600 explorer.exe 4472 svchost.exe 4472 svchost.exe 4472 svchost.exe 4472 svchost.exe 600 explorer.exe 600 explorer.exe 4472 svchost.exe 4472 svchost.exe 600 explorer.exe 600 explorer.exe 4472 svchost.exe 4472 svchost.exe 600 explorer.exe 600 explorer.exe 4472 svchost.exe 4472 svchost.exe 4472 svchost.exe 600 explorer.exe 600 explorer.exe 4472 svchost.exe 4472 svchost.exe 4472 svchost.exe 600 explorer.exe 600 explorer.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 600 explorer.exe 4472 svchost.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 3208 icsys.icn.exe 3208 icsys.icn.exe 600 explorer.exe 600 explorer.exe 2196 spoolsv.exe 2196 spoolsv.exe 4472 svchost.exe 4472 svchost.exe 3932 spoolsv.exe 3932 spoolsv.exe 600 explorer.exe 600 explorer.exe 4736 QYWXTW.exe 4736 QYWXTW.exe 4980 icsys.icn.exe 4980 icsys.icn.exe 3184 explorer.exe 3184 explorer.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 2948 wrote to memory of 3492 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 83 PID 2948 wrote to memory of 3492 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 83 PID 2948 wrote to memory of 3492 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 83 PID 2948 wrote to memory of 3208 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 86 PID 2948 wrote to memory of 3208 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 86 PID 2948 wrote to memory of 3208 2948 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 86 PID 3208 wrote to memory of 600 3208 icsys.icn.exe 87 PID 3208 wrote to memory of 600 3208 icsys.icn.exe 87 PID 3208 wrote to memory of 600 3208 icsys.icn.exe 87 PID 600 wrote to memory of 2196 600 explorer.exe 88 PID 600 wrote to memory of 2196 600 explorer.exe 88 PID 600 wrote to memory of 2196 600 explorer.exe 88 PID 2196 wrote to memory of 4472 2196 spoolsv.exe 89 PID 2196 wrote to memory of 4472 2196 spoolsv.exe 89 PID 2196 wrote to memory of 4472 2196 spoolsv.exe 89 PID 4472 wrote to memory of 3932 4472 svchost.exe 90 PID 4472 wrote to memory of 3932 4472 svchost.exe 90 PID 4472 wrote to memory of 3932 4472 svchost.exe 90 PID 4472 wrote to memory of 836 4472 svchost.exe 91 PID 4472 wrote to memory of 836 4472 svchost.exe 91 PID 4472 wrote to memory of 836 4472 svchost.exe 91 PID 3492 wrote to memory of 4736 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 93 PID 3492 wrote to memory of 4736 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 93 PID 3492 wrote to memory of 4736 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 93 PID 3492 wrote to memory of 1116 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 95 PID 3492 wrote to memory of 1116 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 95 PID 3492 wrote to memory of 1116 3492 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe 95 PID 4736 wrote to memory of 1580 4736 QYWXTW.exe 99 PID 4736 wrote to memory of 1580 4736 QYWXTW.exe 99 PID 4736 wrote to memory of 4980 4736 QYWXTW.exe 100 PID 4736 wrote to memory of 4980 4736 QYWXTW.exe 100 PID 4736 wrote to memory of 4980 4736 QYWXTW.exe 100 PID 1116 wrote to memory of 3716 1116 cmd.exe 101 PID 1116 wrote to memory of 3716 1116 cmd.exe 101 PID 1116 wrote to memory of 3716 1116 cmd.exe 101 PID 4980 wrote to memory of 3184 4980 icsys.icn.exe 102 PID 4980 wrote to memory of 3184 4980 icsys.icn.exe 102 PID 4980 wrote to memory of 3184 4980 icsys.icn.exe 102 PID 1116 wrote to memory of 3776 1116 cmd.exe 103 PID 1116 wrote to memory of 3776 1116 cmd.exe 103 PID 1116 wrote to memory of 3776 1116 cmd.exe 103 PID 1116 wrote to memory of 780 1116 cmd.exe 104 PID 1116 wrote to memory of 780 1116 cmd.exe 104 PID 1116 wrote to memory of 780 1116 cmd.exe 104 PID 1116 wrote to memory of 3720 1116 cmd.exe 105 PID 1116 wrote to memory of 3720 1116 cmd.exe 105 PID 1116 wrote to memory of 3720 1116 cmd.exe 105 PID 4472 wrote to memory of 1344 4472 svchost.exe 115 PID 4472 wrote to memory of 1344 4472 svchost.exe 115 PID 4472 wrote to memory of 1344 4472 svchost.exe 115 PID 4472 wrote to memory of 1668 4472 svchost.exe 128 PID 4472 wrote to memory of 1668 4472 svchost.exe 128 PID 4472 wrote to memory of 1668 4472 svchost.exe 128
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exec:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\users\admin\appdata\local\temp\qywxtw.exec:\users\admin\appdata\local\temp\qywxtw.exe4⤵
- Executes dropped EXE
PID:1580
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"4⤵
- Modifies Windows Firewall
PID:3716
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"4⤵
- Modifies Windows Firewall
PID:3776
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"4⤵
- Modifies Windows Firewall
PID:780
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"4⤵
- Modifies Windows Firewall
PID:3720
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3932
-
-
C:\Windows\SysWOW64\at.exeat 21:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:836
-
-
C:\Windows\SysWOW64\at.exeat 21:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:1344
-
-
C:\Windows\SysWOW64\at.exeat 21:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:1668
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Filesize4.3MB
MD537e03edc3d9486da77b1e98e54942046
SHA1d8b4eabc45777b0dfbf2495101715863d3581097
SHA2568278f5bea6e38fb25361233c7490dfe4945f38dff1b9363a65225cf6229d5d6a
SHA512fd340741fe102e5ef3824dd27122d509224366395ab0cb1d1ea901fbddedc10975c6d9224a50f2aa5e113b4eaa01889fa758654e300c7a88f15b685ed1460970
-
Filesize
825B
MD56bcabf6ce3cc7cd3b9a5b08c4339cbb8
SHA1c2f5e471632a3c7c0d02f8080fdd8d4dd65532c5
SHA2566e36e8a0649026adb416c01389cf8d999eeadb80046d24008252e7e331eadf5c
SHA51255ddbb321de7b4aebc949a23bf73ecc61cb82ad1370e92827639b482cfa4ec7d92725d39f9421ed7a21746588555f25a182a5871cba3c8dd3145a1cd5d99e78d
-
Filesize
5.9MB
MD5021079dc0918b9c7359e93e770678000
SHA170c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA5129bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
-
Filesize
206KB
MD53ae60dc5d168eb3e51f8323de5aad788
SHA17408e19bfd201bb088e4d585cab098ec4e95ab2f
SHA256ffb7f257f14a34de8829ded5d5495de8bb34aa18a50f7aa567771761b8b5182c
SHA512300eb9580e4324d558aeb6d1cf06da380b6c7fc947a77060e744ec8ffd9b5ec840e34d36d728f17f534ee9b0d390c8b99e7329fd4ee872cad2fbb13c70566489
-
Filesize
206KB
MD5c5f78d788265a8c2b80017a0dc351266
SHA132836c3ccaf84431beaba1b10107743c052cddc0
SHA2560a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0
SHA5120315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16
-
Filesize
207KB
MD55a3821a6ccb2acb3accc0054a2d79802
SHA1af0b9f5d820397c5917932f6358a270ed64f5928
SHA256a0aa24660af1642ed5e95607c0817400e479af430494e348c5c4da03da2d3d50
SHA5126e2f3b2c1dc095598c92084dc3dd7858fb59b967943bc158a651067228886d7319c16cb755c3b4b5134198b4d67b2bf4e8365cbb3688f6a3f68c54484dd1bf63
-
Filesize
206KB
MD5d29fd19684b858dbe6c78c6e5311bd38
SHA1748e192e236677f67ed5e8102f573879b1636a42
SHA256590ad482cb4c0b999c241292b52cae6e2425a440b52f7da91f7981dea29ad5e0
SHA512e65012f5ec7822b20074fdc9b8202042b563a6da477e8b130f16c7037dcb9fb602db65d640ba1fca14d682eff2891fa9caa6ae36ccac9c2af76aafb69e7ecece
-
Filesize
206KB
MD5d31e79fd2f6b67ff4047949cf9c30a27
SHA13200db0a2cd33bc4064d6fff4a832ab4aafd9351
SHA25665357f79c823b6ae4ecd5d1a7905208f78a566a8b8e85879761eae4072cd61e3
SHA512ed668697372f0a7d108fd4ded539424e7f248c7175595b617e4052c6384da8a4649f27e4bba50ec73b03396994dea8d2e19a66efac67895ef5fffa0875a14c6d
-
Filesize
5.7MB
MD52c2055233260e5bb20ce675afd39ed0d
SHA126c056ba8e99a3fb523612b422a85be3ecbbd5b3
SHA256306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d
SHA5123e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546
-
Filesize
206KB
MD55d236cd9e7f8c62cd1cf24f4ccbb46d6
SHA1bb21e32b7c96c0e8be69822994c11577717e3646
SHA25662e234341bbd74d3ed0f7361761f51285ffe6307afd57e74a9eece1030dc61a8
SHA51260afa1e8ce2b39fda9f45d70ee3afa20339fea61bccc710b4b3817627c77e5549bfad1e7c6883dac85ca141374e79849e54ab24f583f9e70290dd53523cf125c