lucastealer | 3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
Size

4.5MB
MD5

c1b3ef385e1c4d20e8dc59c7a629192a
SHA1

5d4d1e43ed56f67967e7f7861e26e11d3f80db8c
SHA256

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be
SHA512

e8f818da69a16c2f6577d62261a5d8e29f3a4c93c5cfd7eb8c18e0c2fa1bacd87ce35050d3f96d1bbf6b518fc63b77248399495399f998cd9a03a99fd312330f
SSDEEP

49152:CYWJZoQrbTFZY1iaZgI5ROX1lW68ZM5mmhD+SbilzCUWCLcMldpxruKihtKUoy+X:zWtrbTA1SXLW6jRhdGVQguhhW31Z+unP

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
\??\c:\users\admin\appdata\local\temp\qywxtw.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
\??\c:\users\admin\appdata\local\temp\qywxtw.exe	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables using Telegram Chat Bot 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
\??\c:\users\admin\appdata\local\temp\qywxtw.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

3716 netsh.exe
3776 netsh.exe
780 netsh.exe
3720 netsh.exe

pid	process
3716	netsh.exe
3776	netsh.exe
780	netsh.exe
3720	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe

Executes dropped EXE 10 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeQYWXTW.exeqywxtw.exe icsys.icn.exeexplorer.exe

pid	process
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3208	icsys.icn.exe
600	explorer.exe
2196	spoolsv.exe
4472	svchost.exe
3932	spoolsv.exe
4736	QYWXTW.exe
1580	qywxtw.exe
4980	icsys.icn.exe
3184	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exe3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe explorer.exesvchost.exe

pid	process
3208	icsys.icn.exe
3208	icsys.icn.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
600	explorer.exe
4472	svchost.exe
4472	svchost.exe
4472	svchost.exe
4472	svchost.exe
600	explorer.exe
600	explorer.exe
4472	svchost.exe
4472	svchost.exe
600	explorer.exe
600	explorer.exe
4472	svchost.exe
4472	svchost.exe
600	explorer.exe
600	explorer.exe
4472	svchost.exe
4472	svchost.exe
4472	svchost.exe
600	explorer.exe
600	explorer.exe
4472	svchost.exe
4472	svchost.exe
4472	svchost.exe
600	explorer.exe
600	explorer.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

600 explorer.exe
4472 svchost.exe

pid	process
600	explorer.exe
4472	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeQYWXTW.exeicsys.icn.exeexplorer.exe

pid	process
2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
3208	icsys.icn.exe
3208	icsys.icn.exe
600	explorer.exe
600	explorer.exe
2196	spoolsv.exe
2196	spoolsv.exe
4472	svchost.exe
4472	svchost.exe
3932	spoolsv.exe
3932	spoolsv.exe
600	explorer.exe
600	explorer.exe
4736	QYWXTW.exe
4736	QYWXTW.exe
4980	icsys.icn.exe
4980	icsys.icn.exe
3184	explorer.exe
3184	explorer.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe QYWXTW.execmd.exeicsys.icn.exe

description	pid	process	target process
PID 2948 wrote to memory of 3492	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
PID 2948 wrote to memory of 3492	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
PID 2948 wrote to memory of 3492	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
PID 2948 wrote to memory of 3208	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	icsys.icn.exe
PID 2948 wrote to memory of 3208	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	icsys.icn.exe
PID 2948 wrote to memory of 3208	2948	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	icsys.icn.exe
PID 3208 wrote to memory of 600	3208	icsys.icn.exe	explorer.exe
PID 3208 wrote to memory of 600	3208	icsys.icn.exe	explorer.exe
PID 3208 wrote to memory of 600	3208	icsys.icn.exe	explorer.exe
PID 600 wrote to memory of 2196	600	explorer.exe	spoolsv.exe
PID 600 wrote to memory of 2196	600	explorer.exe	spoolsv.exe
PID 600 wrote to memory of 2196	600	explorer.exe	spoolsv.exe
PID 2196 wrote to memory of 4472	2196	spoolsv.exe	svchost.exe
PID 2196 wrote to memory of 4472	2196	spoolsv.exe	svchost.exe
PID 2196 wrote to memory of 4472	2196	spoolsv.exe	svchost.exe
PID 4472 wrote to memory of 3932	4472	svchost.exe	spoolsv.exe
PID 4472 wrote to memory of 3932	4472	svchost.exe	spoolsv.exe
PID 4472 wrote to memory of 3932	4472	svchost.exe	spoolsv.exe
PID 4472 wrote to memory of 836	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 836	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 836	4472	svchost.exe	at.exe
PID 3492 wrote to memory of 4736	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	QYWXTW.exe
PID 3492 wrote to memory of 4736	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	QYWXTW.exe
PID 3492 wrote to memory of 4736	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	QYWXTW.exe
PID 3492 wrote to memory of 1116	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	cmd.exe
PID 3492 wrote to memory of 1116	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	cmd.exe
PID 3492 wrote to memory of 1116	3492	3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe	cmd.exe
PID 4736 wrote to memory of 1580	4736	QYWXTW.exe	qywxtw.exe
PID 4736 wrote to memory of 1580	4736	QYWXTW.exe	qywxtw.exe
PID 4736 wrote to memory of 4980	4736	QYWXTW.exe	icsys.icn.exe
PID 4736 wrote to memory of 4980	4736	QYWXTW.exe	icsys.icn.exe
PID 4736 wrote to memory of 4980	4736	QYWXTW.exe	icsys.icn.exe
PID 1116 wrote to memory of 3716	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3716	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3716	1116	cmd.exe	netsh.exe
PID 4980 wrote to memory of 3184	4980	icsys.icn.exe	explorer.exe
PID 4980 wrote to memory of 3184	4980	icsys.icn.exe	explorer.exe
PID 4980 wrote to memory of 3184	4980	icsys.icn.exe	explorer.exe
PID 1116 wrote to memory of 3776	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3776	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3776	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 780	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 780	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 780	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3720	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3720	1116	cmd.exe	netsh.exe
PID 1116 wrote to memory of 3720	1116	cmd.exe	netsh.exe
PID 4472 wrote to memory of 1344	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 1344	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 1344	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 1668	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 1668	4472	svchost.exe	at.exe
PID 4472 wrote to memory of 1668	4472	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
"C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- \??\c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
  c:\users\admin\appdata\local\temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe
    "C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - \??\c:\users\admin\appdata\local\temp\qywxtw.exe
      c:\users\admin\appdata\local\temp\qywxtw.exe
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4980
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
      4⤵
      Modifies Windows Firewall
      PID:3716
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
      4⤵
      Modifies Windows Firewall
      PID:3776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Inbound" dir=in action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
      4⤵
      Modifies Windows Firewall
      PID:780
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Block Adobe Acrobat CEF Outbound" dir=out action=block program="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe"
      4⤵
      Modifies Windows Firewall
      PID:3720
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3208
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:600
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2196
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3932
      - C:\Windows\SysWOW64\at.exe
        
        at 21:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:836
      - C:\Windows\SysWOW64\at.exe
        
        at 21:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1344
      - C:\Windows\SysWOW64\at.exe
        
        at 21:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ab76dfb6466fd93828ad15cf0b8b07f2af35afcf80cdfa61d13020c99cab4be.exe

Filesize
4.3MB

MD5
37e03edc3d9486da77b1e98e54942046

SHA1
d8b4eabc45777b0dfbf2495101715863d3581097

SHA256
8278f5bea6e38fb25361233c7490dfe4945f38dff1b9363a65225cf6229d5d6a

SHA512
fd340741fe102e5ef3824dd27122d509224366395ab0cb1d1ea901fbddedc10975c6d9224a50f2aa5e113b4eaa01889fa758654e300c7a88f15b685ed1460970

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRUHOM.bat

Filesize
825B

MD5
6bcabf6ce3cc7cd3b9a5b08c4339cbb8

SHA1
c2f5e471632a3c7c0d02f8080fdd8d4dd65532c5

SHA256
6e36e8a0649026adb416c01389cf8d999eeadb80046d24008252e7e331eadf5c

SHA512
55ddbb321de7b4aebc949a23bf73ecc61cb82ad1370e92827639b482cfa4ec7d92725d39f9421ed7a21746588555f25a182a5871cba3c8dd3145a1cd5d99e78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYWXTW.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
3ae60dc5d168eb3e51f8323de5aad788

SHA1
7408e19bfd201bb088e4d585cab098ec4e95ab2f

SHA256
ffb7f257f14a34de8829ded5d5495de8bb34aa18a50f7aa567771761b8b5182c

SHA512
300eb9580e4324d558aeb6d1cf06da380b6c7fc947a77060e744ec8ffd9b5ec840e34d36d728f17f534ee9b0d390c8b99e7329fd4ee872cad2fbb13c70566489

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
5a3821a6ccb2acb3accc0054a2d79802

SHA1
af0b9f5d820397c5917932f6358a270ed64f5928

SHA256
a0aa24660af1642ed5e95607c0817400e479af430494e348c5c4da03da2d3d50

SHA512
6e2f3b2c1dc095598c92084dc3dd7858fb59b967943bc158a651067228886d7319c16cb755c3b4b5134198b4d67b2bf4e8365cbb3688f6a3f68c54484dd1bf63

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
d29fd19684b858dbe6c78c6e5311bd38

SHA1
748e192e236677f67ed5e8102f573879b1636a42

SHA256
590ad482cb4c0b999c241292b52cae6e2425a440b52f7da91f7981dea29ad5e0

SHA512
e65012f5ec7822b20074fdc9b8202042b563a6da477e8b130f16c7037dcb9fb602db65d640ba1fca14d682eff2891fa9caa6ae36ccac9c2af76aafb69e7ecece

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
d31e79fd2f6b67ff4047949cf9c30a27

SHA1
3200db0a2cd33bc4064d6fff4a832ab4aafd9351

SHA256
65357f79c823b6ae4ecd5d1a7905208f78a566a8b8e85879761eae4072cd61e3

SHA512
ed668697372f0a7d108fd4ded539424e7f248c7175595b617e4052c6384da8a4649f27e4bba50ec73b03396994dea8d2e19a66efac67895ef5fffa0875a14c6d

Download Submit
\??\c:\users\admin\appdata\local\temp\qywxtw.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
5d236cd9e7f8c62cd1cf24f4ccbb46d6

SHA1
bb21e32b7c96c0e8be69822994c11577717e3646

SHA256
62e234341bbd74d3ed0f7361761f51285ffe6307afd57e74a9eece1030dc61a8

SHA512
60afa1e8ce2b39fda9f45d70ee3afa20339fea61bccc710b4b3817627c77e5549bfad1e7c6883dac85ca141374e79849e54ab24f583f9e70290dd53523cf125c

Download Submit
memory/2196-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download