5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

Resubmissions

20-06-2024 20:22

240620-y5qgrazfkk 10

20-06-2024 18:55

240620-xkvejawhkq 10

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.6MB
MD5

d4c24856daa2edf79bd799e83f0a7e68
SHA1

6d75c42674416078e020060ace152eb94b0a47fc
SHA256

5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
SHA512

6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81
SSDEEP

393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

loader.exe Loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 1 IoCs

Processes:

Loader.exe

description ioc process

File created C:\Windows\System32\drivers\winhb.sys Loader.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

description	ioc	process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Executes dropped EXE 7 IoCs

Processes:

loader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeLoader.exe

pid process

2728 loader.exe
2880 icsys.icn.exe
2748 explorer.exe
2660 spoolsv.exe
2868 svchost.exe
2592 spoolsv.exe
1200 Loader.exe
Loads dropped DLL 11 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeloader.exe

pid process

2440 Loader.exe
2440 Loader.exe
2632
2880 icsys.icn.exe
2748 explorer.exe
2660 spoolsv.exe
2868 svchost.exe
1352
2728 loader.exe
1696
1352

pid	process
2728	loader.exe
2880	icsys.icn.exe
2748	explorer.exe
2660	spoolsv.exe
2868	svchost.exe
2592	spoolsv.exe
1200	Loader.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

loader.exe Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 6 IoCs

Processes:

explorer.exesvchost.exeloader.exe Loader.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

loader.exe Loader.exe

pid process

2728 loader.exe
1200 Loader.exe

pid	process
2728	loader.exe
1200	Loader.exe

Drops file in Windows directory 7 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exeloader.exe Loader.exeLoader.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Loader.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1268 sc.exe
1880 sc.exe
2356 sc.exe
1508 sc.exe
876 sc.exe
1044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2820 schtasks.exe
2180 schtasks.exe
2152 schtasks.exe

pid	process
1268	sc.exe
1880	sc.exe
2356	sc.exe
1508	sc.exe
876	sc.exe
1044	sc.exe

pid	process
2820	schtasks.exe
2180	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2440	Loader.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2880	icsys.icn.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2748 explorer.exe
2868 svchost.exe

pid	process
2748	explorer.exe
2868	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

loader.exe Loader.exe

description	pid	process
Token: SeBackupPrivilege	2728	loader.exe
Token: SeSecurityPrivilege	2728	loader.exe
Token: SeBackupPrivilege	2728	loader.exe
Token: SeSecurityPrivilege	2728	loader.exe
Token: SeBackupPrivilege	1200	Loader.exe
Token: SeSecurityPrivilege	1200	Loader.exe
Token: SeBackupPrivilege	1200	Loader.exe
Token: SeSecurityPrivilege	1200	Loader.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2440 Loader.exe
2440 Loader.exe
2880 icsys.icn.exe
2880 icsys.icn.exe
2748 explorer.exe
2748 explorer.exe
2660 spoolsv.exe
2660 spoolsv.exe
2868 svchost.exe
2868 svchost.exe
2592 spoolsv.exe
2592 spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeloader.exe cmd.execmd.exeLoader.exe

description	pid	process	target process
PID 2440 wrote to memory of 2728	2440	Loader.exe	loader.exe
PID 2440 wrote to memory of 2728	2440	Loader.exe	loader.exe
PID 2440 wrote to memory of 2728	2440	Loader.exe	loader.exe
PID 2440 wrote to memory of 2728	2440	Loader.exe	loader.exe
PID 2440 wrote to memory of 2880	2440	Loader.exe	icsys.icn.exe
PID 2440 wrote to memory of 2880	2440	Loader.exe	icsys.icn.exe
PID 2440 wrote to memory of 2880	2440	Loader.exe	icsys.icn.exe
PID 2440 wrote to memory of 2880	2440	Loader.exe	icsys.icn.exe
PID 2880 wrote to memory of 2748	2880	icsys.icn.exe	explorer.exe
PID 2880 wrote to memory of 2748	2880	icsys.icn.exe	explorer.exe
PID 2880 wrote to memory of 2748	2880	icsys.icn.exe	explorer.exe
PID 2880 wrote to memory of 2748	2880	icsys.icn.exe	explorer.exe
PID 2748 wrote to memory of 2660	2748	explorer.exe	spoolsv.exe
PID 2748 wrote to memory of 2660	2748	explorer.exe	spoolsv.exe
PID 2748 wrote to memory of 2660	2748	explorer.exe	spoolsv.exe
PID 2748 wrote to memory of 2660	2748	explorer.exe	spoolsv.exe
PID 2660 wrote to memory of 2868	2660	spoolsv.exe	svchost.exe
PID 2660 wrote to memory of 2868	2660	spoolsv.exe	svchost.exe
PID 2660 wrote to memory of 2868	2660	spoolsv.exe	svchost.exe
PID 2660 wrote to memory of 2868	2660	spoolsv.exe	svchost.exe
PID 2868 wrote to memory of 2592	2868	svchost.exe	spoolsv.exe
PID 2868 wrote to memory of 2592	2868	svchost.exe	spoolsv.exe
PID 2868 wrote to memory of 2592	2868	svchost.exe	spoolsv.exe
PID 2868 wrote to memory of 2592	2868	svchost.exe	spoolsv.exe
PID 2748 wrote to memory of 3020	2748	explorer.exe	Explorer.exe
PID 2748 wrote to memory of 3020	2748	explorer.exe	Explorer.exe
PID 2748 wrote to memory of 3020	2748	explorer.exe	Explorer.exe
PID 2748 wrote to memory of 3020	2748	explorer.exe	Explorer.exe
PID 2728 wrote to memory of 2860	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2860	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2860	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2896	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2896	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2896	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2916	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2916	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 2916	2728	loader.exe	cmd.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	sc.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	sc.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	sc.exe
PID 2860 wrote to memory of 1880	2860	cmd.exe	sc.exe
PID 2860 wrote to memory of 1880	2860	cmd.exe	sc.exe
PID 2860 wrote to memory of 1880	2860	cmd.exe	sc.exe
PID 2868 wrote to memory of 2820	2868	svchost.exe	schtasks.exe
PID 2868 wrote to memory of 2820	2868	svchost.exe	schtasks.exe
PID 2868 wrote to memory of 2820	2868	svchost.exe	schtasks.exe
PID 2868 wrote to memory of 2820	2868	svchost.exe	schtasks.exe
PID 2728 wrote to memory of 1680	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1680	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1680	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1072	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1072	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1072	2728	loader.exe	cmd.exe
PID 2728 wrote to memory of 1200	2728	loader.exe	Loader.exe
PID 2728 wrote to memory of 1200	2728	loader.exe	Loader.exe
PID 2728 wrote to memory of 1200	2728	loader.exe	Loader.exe
PID 1200 wrote to memory of 2004	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 2004	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 2004	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 2488	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 2488	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 2488	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 1588	1200	Loader.exe	cmd.exe
PID 1200 wrote to memory of 1588	1200	Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

\??\c:\users\admin\appdata\local\temp\loader.exe
c:\users\admin\appdata\local\temp\loader.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
3⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\sc.exe
sc stop iqvw64e.sys
4⤵
- Launches sc.exe
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
3⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\sc.exe
sc delete iqvw64e.sys
4⤵
- Launches sc.exe
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
4⤵
PID:2004

C:\Windows\system32\sc.exe
sc stop iqvw64e.sys
5⤵
- Launches sc.exe
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
4⤵
PID:2488

C:\Windows\system32\sc.exe
sc delete iqvw64e.sys
5⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
4⤵
PID:2264

C:\Windows\system32\sc.exe
sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
5⤵
- Launches sc.exe
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc start windowsproc
4⤵
PID:2964

C:\Windows\system32\sc.exe
sc start windowsproc
5⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:320

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:57 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:58 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:59 /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:3020

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
16.4MB

MD5
370fdf7ae4d986cba1368db27f435bb9

SHA1
8deb6ed94bc18c1bfb6f7952251f7868c93d41f0

SHA256
821d6437c628998d00735fb854b2be35172d42a6f708c6c4406f2d11c162f368

SHA512
740bd5386224bba03469b5bcb4131758f4d3977f1ac2eaa306383e4da29d73d5b87b56200274670bd51ca994a22cf89a7dd2369f0b976d64a8a1970a55a61209

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
7484566862f29734c072951acd4e4314

SHA1
a534172f803ead575d1bdf81f60685afdc8e3a74

SHA256
8be5955eec2329a7381bbbbb9112695cac9f3c53745c15f1381ca609c9a130d8

SHA512
c0557e4f1c576b6f2183896e6807de7b448c515e00a47f98f0886d371662cfa47eb4e1fbd73266150fdda04a488662cb161faba1ee01eb1f97e6c4c8d07e32c0

Download Submit
C:\Windows\System32\IME\SHARED\namef.ini
Filesize
16B

MD5
f32dea2b04dc3f7dca1ab634f22e501a

SHA1
069f843cc7f23a2a957af76feb337713893f2e7e

SHA256
b8386a42222a00e4844a222153a0e7ab20229eb7f788916a4e83d5f2997ec855

SHA512
864cc622d8c2433a6961fd9ac7713802034c0b60e4c85db7f2ad6f61aea83a0e8476d332802c5fe483564d7a5e8ebeb08a2ca98a4b2fb136484d6353ba31a4f4

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
bf13942b828afe663fa3f2e81db4fa2d

SHA1
2f2869987f5b697f3d88b08cca0476809321ce9e

SHA256
3dee052d3e89d190baa10a0fa070c5411aa721580af30d2278b567be4b86b12b

SHA512
eb95a7d32898e816f1613c4562e1042c3426c02475efc374979f931257f410fde0194608cf160da4bd59bc3f36fc51d4f9ff547208f1800a9d8f25c963167858

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe
Filesize
16.4MB

MD5
771eb39dd1312a63bb974018cb70d1b4

SHA1
94d751af62d417ff127ec0890179b5412b5e9e41

SHA256
98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb

SHA512
4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
902bc13c7b437a5ea7814a56c7083c7e

SHA1
61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8

SHA256
a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b

SHA512
032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
2345375a5e7e0cd087f4090057734c78

SHA1
2f98f6f1acb274e39be62964fe7919293651085a

SHA256
3b1777b7befb47a1364f7a88a316046cd8dde7977c5e7f92c08d009e33b20436

SHA512
1df5bbae52b5a8e0ebec5436dba7757d26835e894c30a744f3555b350be074f9d675a514af6ff91ae7ca2c3e4939a5c7020161636b634385d9aa87c14683b963

Download Submit
memory/1200-88-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/1200-82-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/1200-83-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/1200-81-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2440-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2440-25-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2440-24-0x0000000002C30000-0x0000000005194000-memory.dmp

Filesize
37.4MB

Download
memory/2592-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-57-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2660-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2728-66-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2728-30-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2728-78-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2728-64-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2728-65-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2748-39-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2868-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-27-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads