Analysis
-
max time kernel
150s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system -
submitted
10/07/2023, 18:54
Behavioral task
behavioral1
Sample
dec9d8ffb3ab11exeexeexeex.exe
Resource
win7-20230703-en
General
-
Target
dec9d8ffb3ab11exeexeexeex.exe
-
Size
12.9MB
-
MD5
dec9d8ffb3ab11745e09980d8d8f0269
-
SHA1
c555b8437dfbb20736f7bae5e9cbe8aa32a31fbe
-
SHA256
57ac657bda0d36ea22eead50ae1959ff6035139086ee48a56a2921d0e49a53a8
-
SHA512
c24ee29a51307014a2ac1485e426dbf0089a020c292307a5f832ccbe902775bf5c7a64863bffb270dfa1d672a5d848c423ecc6abbb69d0c48b359bd8d242a8f3
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Mimikatz 7 IoCs
mimikatz is an open source tool to dump credentials on Windows.
resource | yara_rule
behavioral1/memory/2868-54-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
behavioral1/files/0x002b000000012306-58.dat | mimikatz
behavioral1/files/0x002b000000012306-60.dat | mimikatz
behavioral1/files/0x002b000000012306-61.dat | mimikatz
behavioral1/files/0x002b000000012306-59.dat | mimikatz
behavioral1/memory/1676-62-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
behavioral1/files/0x002b000000012306-63.dat | mimikatz
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | myzlpbc.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
Executes dropped EXE 4 IoCs
pid | Process
1676 | myzlpbc.exe
3008 | myzlpbc.exe
2972 | wpcap.exe
1284 | vnnkgaqtb.exe
Loads dropped DLL 11 IoCs
pid | Process
2928 | cmd.exe (×2)
2652 | cmd.exe
2972 | wpcap.exe (×5)
1732 | cmd.exe
1284 | vnnkgaqtb.exe (×2)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | myzlpbc.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\vgvisnfab\uatlaqgct\Packet.dll | myzlpbc.exe
File created | C:\Windows\vgvisnfab\uatlaqgct\wpcap.dll | myzlpbc.exe
File created | C:\Windows\vgvisnfab\uatlaqgct\aalnittil.exe | myzlpbc.exe
File created | C:\Windows\beuevlbg\myzlpbc.exe | dec9d8ffb3ab11exeexeexeex.exe
File opened for modification | C:\Windows\beuevlbg\myzlpbc.exe | dec9d8ffb3ab11exeexeexeex.exe
File created | C:\Windows\vgvisnfab\uatlaqgct\wpcap.exe | myzlpbc.exe
File created | C:\Windows\vgvisnfab\uatlaqgct\vnnkgaqtb.exe | myzlpbc.exe
File created | C:\Windows\vgvisnfab\uatlaqgct\Packet.dll | myzlpbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 11 IoCs
resource | yara_rule
behavioral1/files/0x002b000000012306-58.dat | nsis_installer_2
behavioral1/files/0x002b000000012306-60.dat | nsis_installer_2
behavioral1/files/0x002b000000012306-61.dat | nsis_installer_2
behavioral1/files/0x002b000000012306-59.dat | nsis_installer_2
behavioral1/files/0x002b000000012306-63.dat | nsis_installer_2
behavioral1/files/0x000a00000001271b-68.dat | nsis_installer_1
behavioral1/files/0x000a00000001271b-68.dat | nsis_installer_2
behavioral1/files/0x000a00000001271b-69.dat | nsis_installer_1
behavioral1/files/0x000a00000001271b-69.dat | nsis_installer_2
behavioral1/files/0x000a00000001271b-70.dat | nsis_installer_1
behavioral1/files/0x000a00000001271b-70.dat | nsis_installer_2
Modifies data under HKEY_USERS 43 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c6-24-d3-45-e2\WpadDecisionReason = "1" | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | myzlpbc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F}\WpadNetworkName = "Network" | myzlpbc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0032000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | myzlpbc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c6-24-d3-45-e2\WpadDecisionTime = d040610d60b3d901 | myzlpbc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c6-24-d3-45-e2 | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | myzlpbc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | netsh.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F}\WpadDecisionReason = "1" | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | myzlpbc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F}\WpadDecision = "0" | myzlpbc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F}\66-c6-24-d3-45-e2 | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c6-24-d3-45-e2\WpadDecision = "0" | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | myzlpbc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F}\WpadDecisionTime = d040610d60b3d901 | myzlpbc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8E8C05E-F597-428A-87B2-6C842F35AA0F} | myzlpbc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1760 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3008 | myzlpbc.exe (×64)
Suspicious behavior: LoadsDriver 31 IoCs
pid | Process
460 | Process not Found (×31)
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2868 | dec9d8ffb3ab11exeexeexeex.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2868 | dec9d8ffb3ab11exeexeexeex.exe
Token: SeDebugPrivilege | 1676 | myzlpbc.exe
Token: SeDebugPrivilege | 3008 | myzlpbc.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2868 | dec9d8ffb3ab11exeexeexeex.exe (×2)
1676 | myzlpbc.exe (×2)
3008 | myzlpbc.exe (×2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2868 wrote to memory of 2928 | 2868 | dec9d8ffb3ab11exeexeexeex.exe | 29 (×4)
PID 2928 wrote to memory of 1760 | 2928 | cmd.exe | 31 (×4)
PID 2928 wrote to memory of 1676 | 2928 | cmd.exe | 32 (×4)
PID 3008 wrote to memory of 1884 | 3008 | myzlpbc.exe | 34 (×4)
PID 1884 wrote to memory of 2268 | 1884 | cmd.exe | 36 (×4)
PID 1884 wrote to memory of 2960 | 1884 | cmd.exe | 37 (×4)
PID 1884 wrote to memory of 2120 | 1884 | cmd.exe | 38 (×4)
PID 1884 wrote to memory of 1940 | 1884 | cmd.exe | 39 (×4)
PID 1884 wrote to memory of 768 | 1884 | cmd.exe | 40 (×4)
PID 1884 wrote to memory of 2060 | 1884 | cmd.exe | 41 (×4)
PID 3008 wrote to memory of 2064 | 3008 | myzlpbc.exe | 42 (×4)
PID 3008 wrote to memory of 2956 | 3008 | myzlpbc.exe | 44 (×4)
PID 3008 wrote to memory of 2672 | 3008 | myzlpbc.exe | 46 (×4)
PID 3008 wrote to memory of 2652 | 3008 | myzlpbc.exe | 48 (×4)
PID 2652 wrote to memory of 2972 | 2652 | cmd.exe | 50 (×7)
PID 2972 wrote to memory of 2548 | 2972 | wpcap.exe | 51
Processes
* C:\Users\Admin\AppData\Local\Temp\dec9d8ffb3ab11exeexeexeex.exe  [PID 2868]
  command line: "C:\Users\Admin\AppData\Local\Temp\dec9d8ffb3ab11exeexeexeex.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\cmd.exe  [PID 2928]
    command line: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\beuevlbg\myzlpbc.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\PING.EXE  [PID 1760]
      command line: ping 127.0.0.1 -n 5
      - Runs ping.exe
    * C:\Windows\beuevlbg\myzlpbc.exe  [PID 1676]
      command line: C:\Windows\beuevlbg\myzlpbc.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
* C:\Windows\beuevlbg\myzlpbc.exe  [PID 3008]
  command line: C:\Windows\beuevlbg\myzlpbc.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\cmd.exe  [PID 1884]
    command line: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\cmd.exe  [PID 2268]
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    * C:\Windows\SysWOW64\cacls.exe  [PID 2960]
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    * C:\Windows\SysWOW64\cmd.exe  [PID 2120]
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    * C:\Windows\SysWOW64\cacls.exe  [PID 1940]
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    * C:\Windows\SysWOW64\cmd.exe  [PID 768]
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    * C:\Windows\SysWOW64\cacls.exe  [PID 2060]
      command line: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  * C:\Windows\SysWOW64\netsh.exe  [PID 2064]
    command line: netsh ipsec static del all
    - Modifies data under HKEY_USERS
  * C:\Windows\SysWOW64\netsh.exe  [PID 2956]
    command line: netsh ipsec static add policy name=Bastards description=FuckingBastards
    - Modifies data under HKEY_USERS
  * C:\Windows\SysWOW64\netsh.exe  [PID 2672]
    command line: netsh ipsec static add filteraction name=BastardsList action=block
    - Modifies data under HKEY_USERS
  * C:\Windows\SysWOW64\cmd.exe  [PID 2652]
    command line: cmd /c C:\Windows\vgvisnfab\uatlaqgct\wpcap.exe /S
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    * C:\Windows\vgvisnfab\uatlaqgct\wpcap.exe  [PID 2972]
      command line: C:\Windows\vgvisnfab\uatlaqgct\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      * C:\Windows\SysWOW64\net.exe  [PID 2548]
        command line: net stop "Boundary Meter"
        * C:\Windows\SysWOW64\net1.exe  [PID 2452]
          command line: C:\Windows\system32\net1 stop "Boundary Meter"
      * C:\Windows\SysWOW64\net.exe  [PID 2512]
        command line: net stop "TrueSight Meter"
        * C:\Windows\SysWOW64\net1.exe  [PID 2912]
          command line: C:\Windows\system32\net1 stop "TrueSight Meter"
      * C:\Windows\SysWOW64\net.exe  [PID 2240]
        command line: net stop npf
        * C:\Windows\SysWOW64\net1.exe  [PID 2416]
          command line: C:\Windows\system32\net1 stop npf
      * C:\Windows\SysWOW64\net.exe  [PID 1636]
        command line: net start npf
        * C:\Windows\SysWOW64\net1.exe  [PID 2660]
          command line: C:\Windows\system32\net1 start npf
  * C:\Windows\SysWOW64\cmd.exe  [PID 1516]
    command line: cmd /c net start npf
    * C:\Windows\SysWOW64\net.exe  [PID 976]
      command line: net start npf
      * C:\Windows\SysWOW64\net1.exe  [PID 1876]
        command line: C:\Windows\system32\net1 start npf
  * C:\Windows\SysWOW64\cmd.exe  [PID 1536]
    command line: cmd /c net start npf
    * C:\Windows\SysWOW64\net.exe  [PID 1364]
      command line: net start npf
      * C:\Windows\SysWOW64\net1.exe  [PID 1068]
        command line: C:\Windows\system32\net1 start npf
  * C:\Windows\SysWOW64\cmd.exe  [PID 1732]
    command line: cmd /c C:\Windows\vgvisnfab\uatlaqgct\vnnkgaqtb.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vgvisnfab\uatlaqgct\Scant.txt
    - Loads dropped DLL
    * C:\Windows\vgvisnfab\uatlaqgct\vnnkgaqtb.exe  [PID 1284]
      command line: C:\Windows\vgvisnfab\uatlaqgct\vnnkgaqtb.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\vgvisnfab\uatlaqgct\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
12.9MB
MD5 83ffd3757a05989d13c86016a806acdb
SHA1 45fe96625ebcefb3df6d4831774829650f8b534f
SHA256 3611dc16f963edd4184c3d8706b454af0537fc4509fe7f6f8356983775213dd7
SHA512 78b6a4ce956ae3bf0d7e36ec21ff87e1e487b55cb122ca2f7850e7c8edf46acaee0f05789f55ceceaf6e1022ff9cfa8a1f3f0c79c7b32f34208933d4a11b4897
-
Filesize
975B
MD5 b5d815ff5310f62de5020591be598bc0
SHA1 8013562b0cc2516d16d474308c8982a31b7f5dd0
SHA256 a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85
SHA512 4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94
-
Filesize
332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe