Analysis Overview
SHA256
d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f
Threat Level: Known bad
The file d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon, KrBanker
joker
ASPack v2.12-2.42
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2022-11-15 22:12
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-15 22:12
Reported
2022-11-15 22:14
Platform
win7-20221111-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
joker
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374715820" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fb5dd547f9d801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC44FE91-653A-11ED-8B07-42F1C931D1AB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000008d9f54df0f3f411326f8a6d134b152d60eebb4635b61f42bde66c091f3b08416000000000e800000000200002000000026c19f16b3d891a477a77c4038498a32f0f32e27f33cf7ea7629f11bd5a5fa1c200000004d03f1a5f2e7e26e1ad5633bc6587f5ae4ec78f7c747b85cbe0116fe93e74741400000006b96200d7c0560a2d28f97737b6a02e4fde33e1c3ba07d0586e72a78f32d1e2e3434fbea58f4ec0f5aa3850e6ec53ce0fba93e75ba71f49ad849d3f5dc394066 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (data omitted) | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.htuzi.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
Network
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 057ffed45719f1bac328142ba1dd17f3 |
| SHA1 | cc3210366aae2b97007182f63404dd4c3b39e2b8 |
| SHA256 | bd8a18e49f3643190507433b5a6a2813fa0d5d9f9c8f47adfcd725a797e0b695 |
| SHA512 | 99aac20354da966817029e14ab771852adc41c35b7d0353a1362247e9b9b50e2f926e6168f63dfe1c87aa05396302863f3e66eeb4e686fe7410cb0f5d05016dc |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat
| MD5 | 62166b418a0e12321acdeffb5cd8feda |
| SHA1 | f765c50eaa692d18f3be172d4e8c977e80ef2ba6 |
| SHA256 | af61977e29c192c59af24e42d9bfda543e1d6e34b30fc8df0071fc86dcf7b6aa |
| SHA512 | faf44782d3f483c3cfb7fdfaa22cbc424ddf192e7c85e3f84b918e35480647613ca941881093553819e76d6e2bb896b17aaeac4d8cda880033abb49a02a23c88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed1287c73284bc4411f68303f9bdd877 |
| SHA1 | e0c2d4f3ff8950817827631ade9daa9828d362fe |
| SHA256 | 4cda93962ea5ee3566f82b0ac57fefbba2ee1dda49bf4ea064af9f40d9094f99 |
| SHA512 | fffcd536cba1f716b552e1c4541c89dfe41da273e4b9bfea18c618fe35cd3ec53595f3bf9d83b15cbaf34cf3a29f68e23db5edea2c80d26f75fb4b3aa9b2451b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-15 22:12
Reported
2022-11-15 22:14
Platform
win10v2004-20221111-en
Max time kernel
90s
Max time network
143s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
joker
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5036 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | C:\Windows\SysWOW64\fontview.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe
"C:\Users\Admin\AppData\Local\Temp\d6db09cf67696d87898a507d1d2ed27e90778dc9272240932b26cd1b58ef7e1f.exe"
C:\Windows\SysWOW64\fontview.exe
C:\Windows\SysWOW64\fontview.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\5036_update\7z.7z
| MD5 | bbff4f98fe176335df3a0d98e9a1f5f3 |
| SHA1 | 88c0eb3ce20c013d5a22445b3a37d67a74d727cd |
| SHA256 | 87d2d4d94ea048792b0a05e126feacca9bb7902d857ed4dd30d6b5fe05df230b |
| SHA512 | a454e9739ce9949bce41933aced118164820df02d6d28cd6fabc774bbc6e6ce63e8f46a2b2063a1740f2b9b834642261a1764e2afe4265b4eb6d98ed76cb5728 |
C:\Users\Admin\AppData\Local\Temp\5036_update\data.ini
| MD5 | af4d7d9e29e2dbbfbb5251b5e4bf81e6 |
| SHA1 | 21cb7480e8d126c7aec17254c1ed5e81775d5565 |
| SHA256 | 998ab36245f6efbe322ca6269ce446040a88b1e65e3f32217b251702ca9bec1f |
| SHA512 | 8a461991469aa1096572613ea6796127ed23136aaa2eabcef311b0ce5d7b666cd0362bca6f966236dfd151029b62aea9b30e4c95902d18a8f3cf6f17103763dd |
C:\EasySkin.ini
| MD5 | 78d89536fa344a82364f1dda81d78f3a |
| SHA1 | e866b4f7713f3b6718c2b4b836937c8b35ff7c31 |
| SHA256 | 32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5 |
| SHA512 | 2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58 |