exelastealer | c52b4812edf1000b01f84e165f171ae91a3b45af59d3ecf10b7df0b1a7949e97

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4324	netsh.exe
2604	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation	Crypt TestBuild.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5100	cmd.exe
1560	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
4004	7B48398G4S.EXE
772	EXELA SLOTTED.EXE
4240	7b48398g4s.exe
1364	icsys.icn.exe
3588	EXELA SLOTTED.EXE
4936	explorer.exe
4556	spoolsv.exe
1692	svchost.exe
972	spoolsv.exe

Loads dropped DLL 32 IoCs

pid	Process
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE
3588	EXELA SLOTTED.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023581-90.dat	upx
behavioral2/memory/3588-97-0x00007FF8BE310000-0x00007FF8BE9D4000-memory.dmp	upx
behavioral2/files/0x0007000000023547-122.dat	upx
behavioral2/files/0x000700000002357b-128.dat	upx
behavioral2/files/0x000700000002354e-147.dat	upx
behavioral2/memory/3588-154-0x00007FF8D1FB0000-0x00007FF8D1FBF000-memory.dmp	upx
behavioral2/files/0x0007000000023583-165.dat	upx
behavioral2/files/0x000700000002354f-164.dat	upx
behavioral2/memory/3588-169-0x00007FF8BDFC0000-0x00007FF8BE13F000-memory.dmp	upx
behavioral2/memory/3588-168-0x00007FF8CDAA0000-0x00007FF8CDAC4000-memory.dmp	upx
behavioral2/memory/3588-167-0x00007FF8CE190000-0x00007FF8CE1BD000-memory.dmp	upx
behavioral2/files/0x000700000002356d-178.dat	upx
behavioral2/memory/3588-166-0x00007FF8D19C0000-0x00007FF8D19DA000-memory.dmp	upx
behavioral2/files/0x000700000002354a-163.dat	upx
behavioral2/files/0x0007000000023545-162.dat	upx
behavioral2/memory/3588-160-0x00007FF8D1FA0000-0x00007FF8D1FAD000-memory.dmp	upx
behavioral2/memory/3588-159-0x00007FF8D1CA0000-0x00007FF8D1CAF000-memory.dmp	upx
behavioral2/memory/3588-158-0x00007FF8D1BD0000-0x00007FF8D1BE9000-memory.dmp	upx
behavioral2/files/0x0007000000023552-157.dat	upx
behavioral2/memory/3588-180-0x00007FF8BE310000-0x00007FF8BE9D4000-memory.dmp	upx
behavioral2/memory/3588-181-0x00007FF8BD660000-0x00007FF8BDE01000-memory.dmp	upx
behavioral2/files/0x0007000000023582-156.dat	upx
behavioral2/memory/3588-153-0x00007FF8D1BF0000-0x00007FF8D1C15000-memory.dmp	upx
behavioral2/files/0x0007000000023550-149.dat	upx
behavioral2/files/0x000700000002354d-146.dat	upx
behavioral2/files/0x000700000002354c-145.dat	upx
behavioral2/files/0x000700000002354b-144.dat	upx
behavioral2/files/0x0007000000023549-142.dat	upx
behavioral2/files/0x0007000000023548-141.dat	upx
behavioral2/files/0x0007000000023546-140.dat	upx
behavioral2/files/0x0007000000023544-138.dat	upx
behavioral2/files/0x0007000000023584-136.dat	upx
behavioral2/files/0x000700000002357f-133.dat	upx
behavioral2/files/0x000700000002357c-132.dat	upx
behavioral2/files/0x000700000002357a-131.dat	upx
behavioral2/memory/3588-184-0x00007FF8CCC70000-0x00007FF8CCCA9000-memory.dmp	upx
behavioral2/memory/3588-188-0x00007FF8BCD30000-0x00007FF8BCDFD000-memory.dmp	upx
behavioral2/memory/3588-189-0x00007FF8BCE00000-0x00007FF8BD329000-memory.dmp	upx
behavioral2/memory/3588-187-0x00007FF8CCC30000-0x00007FF8CCC63000-memory.dmp	upx
behavioral2/memory/3588-191-0x00007FF8CE4D0000-0x00007FF8CE4E6000-memory.dmp	upx
behavioral2/memory/3588-192-0x00007FF8CDA80000-0x00007FF8CDA92000-memory.dmp	upx
behavioral2/memory/3588-195-0x00007FF8CD3F0000-0x00007FF8CD404000-memory.dmp	upx
behavioral2/memory/3588-194-0x00007FF8CD730000-0x00007FF8CD744000-memory.dmp	upx
behavioral2/memory/3588-193-0x00007FF8D1CA0000-0x00007FF8D1CAF000-memory.dmp	upx
behavioral2/memory/3588-199-0x00007FF8BCC10000-0x00007FF8BCD2B000-memory.dmp	upx
behavioral2/memory/3588-198-0x00007FF8BD660000-0x00007FF8BDE01000-memory.dmp	upx
behavioral2/memory/3588-197-0x00007FF8BDFC0000-0x00007FF8BE13F000-memory.dmp	upx
behavioral2/memory/3588-196-0x00007FF8CDAA0000-0x00007FF8CDAC4000-memory.dmp	upx
behavioral2/memory/3588-200-0x00007FF8CB5C0000-0x00007FF8CB5E2000-memory.dmp	upx
behavioral2/memory/3588-201-0x00007FF8CD130000-0x00007FF8CD147000-memory.dmp	upx
behavioral2/memory/3588-204-0x00007FF8C4A50000-0x00007FF8C4A9C000-memory.dmp	upx
behavioral2/memory/3588-203-0x00007FF8CCB50000-0x00007FF8CCB69000-memory.dmp	upx
behavioral2/memory/3588-206-0x00007FF8CB6E0000-0x00007FF8CB6F1000-memory.dmp	upx
behavioral2/memory/3588-205-0x00007FF8BCD30000-0x00007FF8BCDFD000-memory.dmp	upx
behavioral2/memory/3588-202-0x00007FF8CCC30000-0x00007FF8CCC63000-memory.dmp	upx
behavioral2/memory/3588-210-0x00007FF8BF080000-0x00007FF8BF09E000-memory.dmp	upx
behavioral2/memory/3588-209-0x00007FF8BCE00000-0x00007FF8BD329000-memory.dmp	upx
behavioral2/memory/3588-256-0x00007FF8C4310000-0x00007FF8C431D000-memory.dmp	upx
behavioral2/memory/3588-255-0x00007FF8CE4D0000-0x00007FF8CE4E6000-memory.dmp	upx
behavioral2/memory/3588-296-0x00007FF8CE4D0000-0x00007FF8CE4E6000-memory.dmp	upx
behavioral2/memory/3588-307-0x00007FF8C4310000-0x00007FF8C431D000-memory.dmp	upx
behavioral2/memory/3588-304-0x00007FF8C4A50000-0x00007FF8C4A9C000-memory.dmp	upx
behavioral2/memory/3588-303-0x00007FF8CCB50000-0x00007FF8CCB69000-memory.dmp	upx
behavioral2/memory/3588-302-0x00007FF8CD130000-0x00007FF8CD147000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
4724	cmd.exe
4852	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
3528	tasklist.exe
1044	tasklist.exe
3192	tasklist.exe
1004	tasklist.exe
1380	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

persistence privilege_escalation

pid	Process
2804	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	7B48398G4S.EXE
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1172	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023540-17.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypt TestBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7B48398G4S.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
1084	cmd.exe
2528	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

System Network Connections Discovery

T1049

pid	Process
5072	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1756	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2668	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
3716	ipconfig.exe
5072	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
4396	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe
1364	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4936	explorer.exe
1692	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe
Token: 36	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemProfilePrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeProfSingleProcessPrivilege	2680	WMIC.exe
Token: SeIncBasePriorityPrivilege	2680	WMIC.exe
Token: SeCreatePagefilePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeDebugPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeRemoteShutdownPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: 33	2680	WMIC.exe
Token: 34	2680	WMIC.exe
Token: 35	2680	WMIC.exe
Token: 36	2680	WMIC.exe
Token: SeDebugPrivilege	3528	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeSecurityPrivilege	2668	WMIC.exe
Token: SeTakeOwnershipPrivilege	2668	WMIC.exe
Token: SeLoadDriverPrivilege	2668	WMIC.exe
Token: SeSystemProfilePrivilege	2668	WMIC.exe
Token: SeSystemtimePrivilege	2668	WMIC.exe
Token: SeProfSingleProcessPrivilege	2668	WMIC.exe
Token: SeIncBasePriorityPrivilege	2668	WMIC.exe
Token: SeCreatePagefilePrivilege	2668	WMIC.exe
Token: SeBackupPrivilege	2668	WMIC.exe
Token: SeRestorePrivilege	2668	WMIC.exe
Token: SeShutdownPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2668	WMIC.exe
Token: SeRemoteShutdownPrivilege	2668	WMIC.exe
Token: SeUndockPrivilege	2668	WMIC.exe
Token: SeManageVolumePrivilege	2668	WMIC.exe
Token: 33	2668	WMIC.exe
Token: 34	2668	WMIC.exe
Token: 35	2668	WMIC.exe
Token: 36	2668	WMIC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4004	7B48398G4S.EXE
4004	7B48398G4S.EXE
1364	icsys.icn.exe
1364	icsys.icn.exe
4936	explorer.exe
4936	explorer.exe
4556	spoolsv.exe
4556	spoolsv.exe
1692	svchost.exe
1692	svchost.exe
972	spoolsv.exe
972	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4004	4944	Crypt TestBuild.exe	88
PID 4944 wrote to memory of 4004	4944	Crypt TestBuild.exe	88
PID 4944 wrote to memory of 4004	4944	Crypt TestBuild.exe	88
PID 4944 wrote to memory of 772	4944	Crypt TestBuild.exe	89
PID 4944 wrote to memory of 772	4944	Crypt TestBuild.exe	89
PID 4004 wrote to memory of 4240	4004	7B48398G4S.EXE	90
PID 4004 wrote to memory of 4240	4004	7B48398G4S.EXE	90
PID 4004 wrote to memory of 1364	4004	7B48398G4S.EXE	92
PID 4004 wrote to memory of 1364	4004	7B48398G4S.EXE	92
PID 4004 wrote to memory of 1364	4004	7B48398G4S.EXE	92
PID 772 wrote to memory of 3588	772	EXELA SLOTTED.EXE	93
PID 772 wrote to memory of 3588	772	EXELA SLOTTED.EXE	93
PID 1364 wrote to memory of 4936	1364	icsys.icn.exe	94
PID 1364 wrote to memory of 4936	1364	icsys.icn.exe	94
PID 1364 wrote to memory of 4936	1364	icsys.icn.exe	94
PID 4936 wrote to memory of 4556	4936	explorer.exe	95
PID 4936 wrote to memory of 4556	4936	explorer.exe	95
PID 4936 wrote to memory of 4556	4936	explorer.exe	95
PID 4556 wrote to memory of 1692	4556	spoolsv.exe	96
PID 4556 wrote to memory of 1692	4556	spoolsv.exe	96
PID 4556 wrote to memory of 1692	4556	spoolsv.exe	96
PID 1692 wrote to memory of 972	1692	svchost.exe	97
PID 1692 wrote to memory of 972	1692	svchost.exe	97
PID 1692 wrote to memory of 972	1692	svchost.exe	97
PID 3588 wrote to memory of 4388	3588	EXELA SLOTTED.EXE	99
PID 3588 wrote to memory of 4388	3588	EXELA SLOTTED.EXE	99
PID 3588 wrote to memory of 4380	3588	EXELA SLOTTED.EXE	100
PID 3588 wrote to memory of 4380	3588	EXELA SLOTTED.EXE	100
PID 3588 wrote to memory of 2856	3588	EXELA SLOTTED.EXE	101
PID 3588 wrote to memory of 2856	3588	EXELA SLOTTED.EXE	101
PID 3588 wrote to memory of 3572	3588	EXELA SLOTTED.EXE	103
PID 3588 wrote to memory of 3572	3588	EXELA SLOTTED.EXE	103
PID 4380 wrote to memory of 2680	4380	cmd.exe	107
PID 4380 wrote to memory of 2680	4380	cmd.exe	107
PID 4388 wrote to memory of 2668	4388	cmd.exe	108
PID 4388 wrote to memory of 2668	4388	cmd.exe	108
PID 3572 wrote to memory of 3528	3572	cmd.exe	109
PID 3572 wrote to memory of 3528	3572	cmd.exe	109
PID 3588 wrote to memory of 2724	3588	EXELA SLOTTED.EXE	110
PID 3588 wrote to memory of 2724	3588	EXELA SLOTTED.EXE	110
PID 2724 wrote to memory of 3008	2724	cmd.exe	112
PID 2724 wrote to memory of 3008	2724	cmd.exe	112
PID 3588 wrote to memory of 4424	3588	EXELA SLOTTED.EXE	113
PID 3588 wrote to memory of 4424	3588	EXELA SLOTTED.EXE	113
PID 3588 wrote to memory of 4140	3588	EXELA SLOTTED.EXE	114
PID 3588 wrote to memory of 4140	3588	EXELA SLOTTED.EXE	114
PID 4140 wrote to memory of 1044	4140	cmd.exe	117
PID 4140 wrote to memory of 1044	4140	cmd.exe	117
PID 4424 wrote to memory of 4304	4424	cmd.exe	118
PID 4424 wrote to memory of 4304	4424	cmd.exe	118
PID 3588 wrote to memory of 2804	3588	EXELA SLOTTED.EXE	119
PID 3588 wrote to memory of 2804	3588	EXELA SLOTTED.EXE	119
PID 2804 wrote to memory of 2400	2804	cmd.exe	121
PID 2804 wrote to memory of 2400	2804	cmd.exe	121
PID 3588 wrote to memory of 4688	3588	EXELA SLOTTED.EXE	122
PID 3588 wrote to memory of 4688	3588	EXELA SLOTTED.EXE	122
PID 3588 wrote to memory of 4884	3588	EXELA SLOTTED.EXE	123
PID 3588 wrote to memory of 4884	3588	EXELA SLOTTED.EXE	123
PID 4688 wrote to memory of 4600	4688	cmd.exe	126
PID 4688 wrote to memory of 4600	4688	cmd.exe	126
PID 4884 wrote to memory of 3192	4884	cmd.exe	127
PID 4884 wrote to memory of 3192	4884	cmd.exe	127
PID 3588 wrote to memory of 2280	3588	EXELA SLOTTED.EXE	128
PID 3588 wrote to memory of 2280	3588	EXELA SLOTTED.EXE	128

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

pid	Process
2400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Crypt TestBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Crypt TestBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\7B48398G4S.EXE
  "C:\Users\Admin\AppData\Local\Temp\7B48398G4S.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4004
- - \??\c:\users\admin\appdata\local\temp\7b48398g4s.exe
    c:\users\admin\appdata\local\temp\7b48398g4s.exe
    3⤵
    - Executes dropped EXE
    PID:4240
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4936
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:972
- C:\Users\Admin\AppData\Local\Temp\EXELA SLOTTED.EXE
  "C:\Users\Admin\AppData\Local\Temp\EXELA SLOTTED.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\EXELA SLOTTED.EXE
    "C:\Users\Admin\AppData\Local\Temp\EXELA SLOTTED.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:3008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:2280
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4964
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1440
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4888
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4784
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:1560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:4724
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4396
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:5116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:1756
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2676
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4344
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:2608
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:396
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:4976
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:768
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3272
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:1288
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:404
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:400
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:4760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:2284
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:5060
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:1380
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3716
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1556
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4852
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5072
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:1172
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4324
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1084
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4376
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery