mimikatz | 57d9d6ecc1341c9284c4b75aa3be362296c43388f34fe7acc8eb0aa673cfe7aa

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
Size

8.5MB
MD5

8642242fc8dbe8de96ca8d1ce42f493a
SHA1

368a412d9724d89c8ad48562a153523a499cb677
SHA256

ac7326fb31a5482160f84ecf4b2c491f4ec7194f859e5f4d520971a16c7eb5c9
SHA512

39cbb680dd30248e9ac1ef3785a96f77de3c0dce1bbd0a99825f9d580182df61832d4d237a5d4607c223bff25627aac3e364ef71c301cdd7768e9f6a0d6c164a
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz discovery persistence privilege_escalation

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/1968-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/1968-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000800000002342b-6.dat	mimikatz
behavioral2/memory/1516-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	upwllyl.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe

Executes dropped EXE 3 IoCs

pid	Process
1516	upwllyl.exe
1036	upwllyl.exe
2904	wpcap.exe

Loads dropped DLL 9 IoCs

pid	Process
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe
2904	wpcap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ebetisly\upwllyl.exe	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\ebetisly\upwllyl.exe	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
File created	C:\Windows\kvbeuieka\ebcevjhrl\wpcap.exe	upwllyl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upwllyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upwllyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2184	cmd.exe
3972	PING.EXE

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x000800000002342b-6.dat	nsis_installer_2
behavioral2/files/0x000700000001da86-28.dat	nsis_installer_1
behavioral2/files/0x000700000001da86-28.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	upwllyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	upwllyl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	upwllyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	upwllyl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	upwllyl.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1516	upwllyl.exe
Token: SeDebugPrivilege	1036	upwllyl.exe
Token: SeDebugPrivilege	2244	taskmgr.exe
Token: SeSystemProfilePrivilege	2244	taskmgr.exe
Token: SeCreateGlobalPrivilege	2244	taskmgr.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
1516	upwllyl.exe
1516	upwllyl.exe
1036	upwllyl.exe
1036	upwllyl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2184	1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe	85
PID 1968 wrote to memory of 2184	1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe	85
PID 1968 wrote to memory of 2184	1968	2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe	85
PID 2184 wrote to memory of 3972	2184	cmd.exe	87
PID 2184 wrote to memory of 3972	2184	cmd.exe	87
PID 2184 wrote to memory of 3972	2184	cmd.exe	87
PID 2184 wrote to memory of 1516	2184	cmd.exe	93
PID 2184 wrote to memory of 1516	2184	cmd.exe	93
PID 2184 wrote to memory of 1516	2184	cmd.exe	93
PID 1036 wrote to memory of 1672	1036	upwllyl.exe	95
PID 1036 wrote to memory of 1672	1036	upwllyl.exe	95
PID 1036 wrote to memory of 1672	1036	upwllyl.exe	95
PID 1672 wrote to memory of 4932	1672	cmd.exe	97
PID 1672 wrote to memory of 4932	1672	cmd.exe	97
PID 1672 wrote to memory of 4932	1672	cmd.exe	97
PID 1672 wrote to memory of 4812	1672	cmd.exe	98
PID 1672 wrote to memory of 4812	1672	cmd.exe	98
PID 1672 wrote to memory of 4812	1672	cmd.exe	98
PID 1672 wrote to memory of 5092	1672	cmd.exe	99
PID 1672 wrote to memory of 5092	1672	cmd.exe	99
PID 1672 wrote to memory of 5092	1672	cmd.exe	99
PID 1672 wrote to memory of 1648	1672	cmd.exe	100
PID 1672 wrote to memory of 1648	1672	cmd.exe	100
PID 1672 wrote to memory of 1648	1672	cmd.exe	100
PID 1672 wrote to memory of 4832	1672	cmd.exe	101
PID 1672 wrote to memory of 4832	1672	cmd.exe	101
PID 1672 wrote to memory of 4832	1672	cmd.exe	101
PID 1672 wrote to memory of 2164	1672	cmd.exe	102
PID 1672 wrote to memory of 2164	1672	cmd.exe	102
PID 1672 wrote to memory of 2164	1672	cmd.exe	102
PID 1036 wrote to memory of 4636	1036	upwllyl.exe	113
PID 1036 wrote to memory of 4636	1036	upwllyl.exe	113
PID 1036 wrote to memory of 4636	1036	upwllyl.exe	113
PID 1036 wrote to memory of 4588	1036	upwllyl.exe	115
PID 1036 wrote to memory of 4588	1036	upwllyl.exe	115
PID 1036 wrote to memory of 4588	1036	upwllyl.exe	115
PID 1036 wrote to memory of 1324	1036	upwllyl.exe	117
PID 1036 wrote to memory of 1324	1036	upwllyl.exe	117
PID 1036 wrote to memory of 1324	1036	upwllyl.exe	117
PID 1036 wrote to memory of 3236	1036	upwllyl.exe	121
PID 1036 wrote to memory of 3236	1036	upwllyl.exe	121
PID 1036 wrote to memory of 3236	1036	upwllyl.exe	121
PID 3236 wrote to memory of 2904	3236	cmd.exe	123
PID 3236 wrote to memory of 2904	3236	cmd.exe	123
PID 3236 wrote to memory of 2904	3236	cmd.exe	123
PID 2904 wrote to memory of 2588	2904	wpcap.exe	124
PID 2904 wrote to memory of 2588	2904	wpcap.exe	124
PID 2904 wrote to memory of 2588	2904	wpcap.exe	124
PID 2588 wrote to memory of 2976	2588	net.exe	126
PID 2588 wrote to memory of 2976	2588	net.exe	126
PID 2588 wrote to memory of 2976	2588	net.exe	126
PID 2904 wrote to memory of 3680	2904	wpcap.exe	127
PID 2904 wrote to memory of 3680	2904	wpcap.exe	127
PID 2904 wrote to memory of 3680	2904	wpcap.exe	127
PID 3680 wrote to memory of 2168	3680	net.exe	129
PID 3680 wrote to memory of 2168	3680	net.exe	129
PID 3680 wrote to memory of 2168	3680	net.exe	129
PID 2904 wrote to memory of 4732	2904	wpcap.exe	130
PID 2904 wrote to memory of 4732	2904	wpcap.exe	130
PID 2904 wrote to memory of 4732	2904	wpcap.exe	130
PID 4732 wrote to memory of 1276	4732	net.exe	132
PID 4732 wrote to memory of 1276	4732	net.exe	132
PID 4732 wrote to memory of 1276	4732	net.exe	132
PID 2904 wrote to memory of 3648	2904	wpcap.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_8642242fc8dbe8de96ca8d1ce42f493a_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ebetisly\upwllyl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3972
- - C:\Windows\ebetisly\upwllyl.exe
    C:\Windows\ebetisly\upwllyl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1516

C:\Windows\ebetisly\upwllyl.exe
C:\Windows\ebetisly\upwllyl.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4636
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4588
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\kvbeuieka\ebcevjhrl\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\kvbeuieka\ebcevjhrl\wpcap.exe
    C:\Windows\kvbeuieka\ebcevjhrl\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\nsb152B.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nsb152B.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\ebetisly\upwllyl.exe

Filesize
8.5MB

MD5
f779205644f6cbd4ed6a23e96057f809

SHA1
026b310155e39dd9ddf5f3fe37fa2746c13a568c

SHA256
655615e56fdc0c140d09979b41706fbc924b2d629b958f00c9b63cd86f0c325f

SHA512
cc8ab60697d7db5e821b685227370e8d836255ff6f2943459004f87c6e44ad121d7c65b3083383aaea19cd6dcb419e5a532dae2f428c4267634fb947d21ef7f3

Download Submit
C:\Windows\kvbeuieka\ebcevjhrl\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/1516-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1968-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/1968-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/2244-21-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-25-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-24-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-23-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-22-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-20-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-19-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-15-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download
memory/2244-13-0x00000236706A0000-0x00000236706A1000-memory.dmp

Filesize
4KB

Download