lucastealer | 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
Size

4.5MB
MD5

b07543ce10033160a338e01933cb8b86
SHA1

30b8d4fd6864e3a056c1d57320efff1bb89c2228
SHA256

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0
SHA512

26389076fddf72f5318065b2f6112a7973b059a449160cf974adf3ff3b883a3f2dd154eb472c0b02d6b2ddd9f0f76799bfebc969944fe9ae678fb849c32dd716
SSDEEP

98304:zXtrbTA1+sVDTXLW6jRhdGVQguhhW31ZO:z9c1+0zL5LdGVzu+lE

Score

10^/10

lucastealer evasion execution persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3444 powershell.exe
3444 powershell.exe

pid	process
3444	powershell.exe
3444	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

Drops startup file 1 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWNHLD.lnk	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

Executes dropped EXE 10 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUVLZVA.exeuvlzva.exe icsys.icn.exeexplorer.exe

pid	process
3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1916	icsys.icn.exe
3892	explorer.exe
1180	spoolsv.exe
4760	svchost.exe
3356	spoolsv.exe
4776	UVLZVA.exe
572	uvlzva.exe
5084	icsys.icn.exe
4456	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PWNHLD = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exesvchost.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4976 schtasks.exe

pid	process
4976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

pid	process
1916	icsys.icn.exe
1916	icsys.icn.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
3892	explorer.exe
4760	svchost.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
3892	explorer.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe explorer.exesvchost.exe

pid process

3104 65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
3892 explorer.exe
4760 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3444 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3444	powershell.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeUVLZVA.exeicsys.icn.exeexplorer.exe

pid	process
3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
1916	icsys.icn.exe
1916	icsys.icn.exe
3892	explorer.exe
3892	explorer.exe
1180	spoolsv.exe
1180	spoolsv.exe
4760	svchost.exe
4760	svchost.exe
3356	spoolsv.exe
3356	spoolsv.exe
3892	explorer.exe
3892	explorer.exe
4776	UVLZVA.exe
4776	UVLZVA.exe
5084	icsys.icn.exe
5084	icsys.icn.exe
4456	explorer.exe
4456	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exeicsys.icn.exeexplorer.exespoolsv.exe65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe svchost.execmd.exeUVLZVA.execmd.exeicsys.icn.exe

description	pid	process	target process
PID 3608 wrote to memory of 3104	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 3608 wrote to memory of 3104	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 3608 wrote to memory of 3104	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
PID 3608 wrote to memory of 1916	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 3608 wrote to memory of 1916	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 3608 wrote to memory of 1916	3608	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	icsys.icn.exe
PID 1916 wrote to memory of 3892	1916	icsys.icn.exe	explorer.exe
PID 1916 wrote to memory of 3892	1916	icsys.icn.exe	explorer.exe
PID 1916 wrote to memory of 3892	1916	icsys.icn.exe	explorer.exe
PID 3892 wrote to memory of 1180	3892	explorer.exe	spoolsv.exe
PID 3892 wrote to memory of 1180	3892	explorer.exe	spoolsv.exe
PID 3892 wrote to memory of 1180	3892	explorer.exe	spoolsv.exe
PID 1180 wrote to memory of 4760	1180	spoolsv.exe	svchost.exe
PID 1180 wrote to memory of 4760	1180	spoolsv.exe	svchost.exe
PID 1180 wrote to memory of 4760	1180	spoolsv.exe	svchost.exe
PID 3104 wrote to memory of 4776	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 3104 wrote to memory of 4776	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 3104 wrote to memory of 4776	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	UVLZVA.exe
PID 4760 wrote to memory of 3356	4760	svchost.exe	spoolsv.exe
PID 4760 wrote to memory of 3356	4760	svchost.exe	spoolsv.exe
PID 4760 wrote to memory of 3356	4760	svchost.exe	spoolsv.exe
PID 3104 wrote to memory of 2300	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 3104 wrote to memory of 2300	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 3104 wrote to memory of 2300	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 4760 wrote to memory of 2776	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 2776	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 2776	4760	svchost.exe	at.exe
PID 2300 wrote to memory of 1460	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1460	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1460	2300	cmd.exe	reg.exe
PID 3104 wrote to memory of 2124	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 3104 wrote to memory of 2124	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 3104 wrote to memory of 2124	3104	65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe	cmd.exe
PID 4776 wrote to memory of 572	4776	UVLZVA.exe	uvlzva.exe
PID 4776 wrote to memory of 572	4776	UVLZVA.exe	uvlzva.exe
PID 2124 wrote to memory of 4976	2124	cmd.exe	schtasks.exe
PID 2124 wrote to memory of 4976	2124	cmd.exe	schtasks.exe
PID 2124 wrote to memory of 4976	2124	cmd.exe	schtasks.exe
PID 2300 wrote to memory of 3444	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 3444	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 3444	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 4300	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 4300	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 4300	2300	cmd.exe	reg.exe
PID 4776 wrote to memory of 5084	4776	UVLZVA.exe	icsys.icn.exe
PID 4776 wrote to memory of 5084	4776	UVLZVA.exe	icsys.icn.exe
PID 4776 wrote to memory of 5084	4776	UVLZVA.exe	icsys.icn.exe
PID 5084 wrote to memory of 4456	5084	icsys.icn.exe	explorer.exe
PID 5084 wrote to memory of 4456	5084	icsys.icn.exe	explorer.exe
PID 5084 wrote to memory of 4456	5084	icsys.icn.exe	explorer.exe
PID 4760 wrote to memory of 3860	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 3860	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 3860	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 3724	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 3724	4760	svchost.exe	at.exe
PID 4760 wrote to memory of 3724	4760	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
"C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608
- \??\c:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
  c:\users\admin\appdata\local\temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe
    "C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - \??\c:\users\admin\appdata\local\temp\uvlzva.exe
      c:\users\admin\appdata\local\temp\uvlzva.exe
      4⤵
      Executes dropped EXE
      PID:572
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5084
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BVSURZ.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3444
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn PWNHLD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4976
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1180
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3356
      - C:\Windows\SysWOW64\at.exe
        
        at 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2776
      - C:\Windows\SysWOW64\at.exe
        
        at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3860
      - C:\Windows\SysWOW64\at.exe
        
        at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65b159164f936a8f15e1673cb6e5b7c0c87707fc2524b746c8f049949ccd1bf0.exe

Filesize
4.3MB

MD5
1c548cff5a0fbce841e13c9f788793d0

SHA1
55c2d9f23a5cea3ae4b8f629f968369b171d1af8

SHA256
a75a3cc0efa0b8015ce6ad54c3b55783dcbea82507aafcd0dcb0302c6e66d61e

SHA512
332dff21acd741f7b64f104a4f8d20fb5a52ee3fba6b3b2f1080ab4a97523e264f252c0310ae71600295b3f604379c8887640132c3372f7751a67c8ac9ba6f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVSURZ.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVLZVA.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ep3iewid.3bn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
207KB

MD5
48a26cf1587666ce901401c65575a7bd

SHA1
416738612e20c2b245d6c410def49f8bd2478c86

SHA256
c5aba06a9ed1291191b9888ad75a51048f5eba7e56387182325653e37bea0945

SHA512
f15639ef35b6e95dea6096c8abf81db55528ca7246d168c1694af284090f839fd3431d9b97887e78d754bcb3a81f8fe613a14c8e5b3e95edfd3dc5b5b076a7cb

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
49a90883d13abd3ac862abcc7216fce6

SHA1
ea55265f6e2780d173814b72c95be341dae107e7

SHA256
72fb072e0caa7997d02e59d7bb8000dbc407da883696db9120bdd8e39953622e

SHA512
7c4473265a2ec07c3c5637c172433924a0af079553014943d3746825b224633588117c7b0d23c207126830379a45a1e16dae0f52d142d7f5cbd9c4c36cd0b546

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
a569ef3711e837dbb350b24e5554431d

SHA1
25d3bae3ce8eaf41a66074ac6ab4ae42e309f8c0

SHA256
9a5450b03d8e74bf42d25cd1cf5e5ab7f59bff84f77ac1ab1e8858d75b4393d6

SHA512
283936f604e6c8443aabc6c7eebb88a986db3e7eb0ec15b98c26caf9aa6a580918d856b69719ac3d5778a9ee0426cecebae84710a83c843116dc6d8e86e71262

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
42530bfb67c36622174f51b37f174961

SHA1
580606f89497a5b016a6c3ea1a53271c80aa35b1

SHA256
f926eec1885d8adbd913eb755031b8ed5b0494ad8c6ab7089bac0e6fbbf194f6

SHA512
8346df056786acbd25dabaf05cc20a1c35c056908ebf7c3c50974a8e64c302b8d216eccbfc69d09d6ad013bb255f78c6f18435fdba380cf9f540016eac11e885

Download Submit
\??\c:\users\admin\appdata\local\temp\uvlzva.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
131d19fc01a6e8caeca7f0158c588c2e

SHA1
e5486d0cdd7d894754150aa86a5727c1d97b0f1d

SHA256
920ce78a1011103a1f6c4a1678b966d47f5ec9a8ddff274c9177b0ae29695d8e

SHA512
2437a224098ea155be15c65b3ae7f0e71714d922889082ec3dd9a9f6e7cb64196f3840a78d2be1b236d73e31f490b5a0e0563c0851900fba0d1ef0d2149d30c5

Download Submit
memory/1180-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-113-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/3444-112-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/3444-114-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/3444-99-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3444-89-0x0000000003310000-0x0000000003346000-memory.dmp

Filesize
216KB

Download
memory/3444-92-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/3444-97-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/3444-100-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/3608-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download