Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 19:30

Behavioral task behavioral1
- Sample: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Resource: win10v2004-20240802-en
General
- Target: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
- Size: 547KB
- MD5: 7c9c30680dd2f61cd7f5a93527cd2200
- SHA1: 2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982
- SHA256: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83
- SHA512: dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e
- SSDEEP: 6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3
Malware Config
Extracted
- Family: vipkeylogger
- Protocol: smtp
- Host: mail.lamela.si
- Port: 587
- Username: [email protected]
- Password: 2014viks5961lamela
- Email To: [email protected]
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
-
Executes dropped EXE 6 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2732 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
3020 | icsys.icn.exe
2592 | explorer.exe
2376 | spoolsv.exe
2016 | svchost.exe
2844 | spoolsv.exe
-
Loads dropped DLL 16 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, WerFault.exe
pid | process | hits
2776 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe | 3
3020 | icsys.icn.exe | 2
2592 | explorer.exe | 2
2376 | spoolsv.exe | 2
2016 | svchost.exe | 2
1844 | WerFault.exe | 5
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
-
Drops file in Windows directory 6 IoCs
Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1844 | 2732 | WerFault.exe | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe, explorer.exe, spoolsv.exe, svchost.exe, at.exe, at.exe, icsys.icn.exe, spoolsv.exe, at.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe, icsys.icn.exe, explorer.exe, svchost.exe
pid | process | hits
2732 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe | 1
3020 | icsys.icn.exe | 1
2592 | explorer.exe | 32
2016 | svchost.exe | 30
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2592 | explorer.exe
2016 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
description | pid | process
Token: SeDebugPrivilege | 2732 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | hits
2776 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe | 2
3020 | icsys.icn.exe | 2
2592 | explorer.exe | 4
2376 | spoolsv.exe | 2
2016 | svchost.exe | 2
2844 | spoolsv.exe | 2
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
description | pid | process | target process | hits
PID 2776 wrote to memory of 2732 | 2776 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe | 4
PID 2776 wrote to memory of 3020 | 2776 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe | icsys.icn.exe | 4
PID 3020 wrote to memory of 2592 | 3020 | icsys.icn.exe | explorer.exe | 4
PID 2592 wrote to memory of 2376 | 2592 | explorer.exe | spoolsv.exe | 4
PID 2376 wrote to memory of 2016 | 2376 | spoolsv.exe | svchost.exe | 4
PID 2016 wrote to memory of 2844 | 2016 | svchost.exe | spoolsv.exe | 4
PID 2016 wrote to memory of 2684 | 2016 | svchost.exe | at.exe | 4
PID 2732 wrote to memory of 1844 | 2732 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe | WerFault.exe | 4
PID 2016 wrote to memory of 1252 | 2016 | svchost.exe | at.exe | 4
PID 2016 wrote to memory of 1976 | 2016 | svchost.exe | at.exe | 4
-
outlook_office_path 1 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
-
outlook_win_path 1 IoCs
Processes: 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2776

  [depth 2] \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
      Command line: c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      PID: 2732

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1684
        - Loads dropped DLL
        - Program crash
        PID: 1844

  [depth 2] C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3020

    [depth 3] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2592

      [depth 4] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2376

        [depth 5] \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2016

          [depth 6] \??\c:\windows\system\spoolsv.exe
              Command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2844

          [depth 6] C:\Windows\SysWOW64\at.exe
              Command line: at 19:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 2684

          [depth 6] C:\Windows\SysWOW64\at.exe
              Command line: at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 1252

          [depth 6] C:\Windows\SysWOW64\at.exe
              Command line: at 19:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 1976
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads