blackmoon | 7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0

General

Target

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Size

29KB
MD5

0816fbe3f9db95d1d5d17c847ad7de7f
SHA1

11860a60879b14b8b08193f52ff9bbe5cd9cbdd2
SHA256

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0
SHA512

9ed81069776a877bd70aedb51deb2c0bf87810105aa63164defb99d69ba8ae52612d83c1f0edeec1bc349f4fda649dd07ddcbddb3cc610d7edb59aeccb8b2976
SSDEEP

768:bncSv1fYN9bjyoPg3lspxTjWtL8LIazF9:ASve9bjm1spJWV6IE9

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1080-138-0x0000000000400000-0x0000000000440000-memory.dmp	family_blackmoon
behavioral2/memory/1080-139-0x0000000000400000-0x0000000000440000-memory.dmp	family_blackmoon

Drops file in Drivers directory 4 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts.ics	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
File created	C:\Windows\System32\drivers\etc\hosts	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.ics	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\koreaautoup = "C:\\Program Files (x86)\\Common Files\\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe"	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	pid	process	target process
PID 3932 set thread context of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Drops file in Program Files directory 2 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
File opened for modification	C:\Program Files (x86)\Common Files\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXE7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "282510130"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375966330"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C38C451-6B1E-11ED-B696-D2371B4A40BE} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "282510130"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998315"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998315"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.naver.com"	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

pid	process
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1436 IEXPLORE.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

pid process

1080 7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

pid	process
1436	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

description	pid	process
Token: SeDebugPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: SeIncBasePriorityPrivilege	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
Token: 33	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1436 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1436 IEXPLORE.EXE
1436 IEXPLORE.EXE
4128 IEXPLORE.EXE
4128 IEXPLORE.EXE
4128 IEXPLORE.EXE
4128 IEXPLORE.EXE

pid	process
1436	IEXPLORE.EXE

pid	process
1436	IEXPLORE.EXE
1436	IEXPLORE.EXE
4128	IEXPLORE.EXE
4128	IEXPLORE.EXE
4128	IEXPLORE.EXE
4128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 3932 wrote to memory of 1080	3932	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
PID 1080 wrote to memory of 4688	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	iexplore.exe
PID 1080 wrote to memory of 4688	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	iexplore.exe
PID 1080 wrote to memory of 4688	1080	7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe	iexplore.exe
PID 4688 wrote to memory of 1436	4688	iexplore.exe	IEXPLORE.EXE
PID 4688 wrote to memory of 1436	4688	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 4128	1436	IEXPLORE.EXE	IEXPLORE.EXE
PID 1436 wrote to memory of 4128	1436	IEXPLORE.EXE	IEXPLORE.EXE
PID 1436 wrote to memory of 4128	1436	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
"C:\Users\Admin\AppData\Local\Temp\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe
"C:\Users\Admin\AppData\Local\Temp\7a8979d7529aff95bc92828b7e005192c451f764c831c2819891d18af966bda0.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-133-0x0000000000000000-mapping.dmp

Download
memory/1080-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-132-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3932-135-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads