blackmoon | 2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6

Analysis

max time kernel
152s
max time network
171s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Size

565KB
MD5

b42674ba4f39012a0ee3c88002ebc92c
SHA1

1c06d50188a03ac488db25774b7d51a73ba77ca3
SHA256

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6
SHA512

a53f74d65a62bfc6d71ca4059c6674f2f2ec33c99bd6b8b60408a388387cafdf373397dfd95a7cf382651cabd2cc4ea8d1aa1f507b2884a5fa964c8499d094d4
SSDEEP

12288:XaKoq63D9WtxtIdn5OezP2OwmTjFF1n19vX:X563JUinf23gjnNPP

Score

10^/10

blackmoon banker phishing trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/872-55-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon
behavioral1/memory/872-100-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
behavioral1/memory/872-103-0x00000000042B0000-0x0000000004317000-memory.dmp	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
\Users\Admin\AppData\Local\Temp\data\UpDate.exe	family_blackmoon
behavioral1/memory/568-111-0x0000000000400000-0x0000000000467000-memory.dmp	family_blackmoon
behavioral1/memory/872-114-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon
behavioral1/memory/1496-124-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon
behavioral1/memory/1496-127-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon
behavioral1/memory/568-132-0x0000000000400000-0x0000000000467000-memory.dmp	family_blackmoon
behavioral1/memory/1496-174-0x0000000000400000-0x0000000000668000-memory.dmp	family_blackmoon

Detected phishing page
phishing
Executes dropped EXE 2 IoCs

Processes:

UpDate.exe2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

pid process

568 UpDate.exe
1496 2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

pid	process
568	UpDate.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/872-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/872-101-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/568-112-0x00000000008D0000-0x0000000000937000-memory.dmp	upx
behavioral1/memory/1496-128-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-130-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1496-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exeUpDate.exe2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

pid	process
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
568	UpDate.exe
568	UpDate.exe
568	UpDate.exe
568	UpDate.exe
568	UpDate.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376511105"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BCDA49D1-7012-11ED-B390-DA7E66F9F45D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5ab102c5d02e340a9b3948937073000000000000200000000001066000000010000200000008812d25597011b374ecdc5140dfcd07f5959c87a8007c706a2f8c8e5f45de0e4000000000e8000000002000020000000ddfdf8dd8d9bb2732ee5c44dfdec9116f5c8e666a27d9e192913bb6d58332cb3200000006fb5c5db2f298ebd07c9ee3fb97610bd5a683b4686a6c543c8e72212d2145aa8400000002fd0d7c16feff4fc49a2a0a08700412b74111be3d579ab812348e437be7d64493c65c9775b9df5e5d5a644e6321acbbf8229fbdf0a8c35880e06e1bf87d908b2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d8a7961f04d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e5ab102c5d02e340a9b394893707300000000000020000000000106600000001000020000000905168f86f74b9d09aa4b9660c2c4ec5db2fa60d5a5d90da430361cbfe8aa62c000000000e8000000002000020000000bac03a3173d26ca3bde6c1edc873b69e0ab8377892ff98018b18559f0438286a90000000bcea020388eb8f57005df04555183ff75b282d9443dd3b028fe7f6b6fbf32407da233a365b894ad55b783297d909c865c9ff6a9646cd2688d4c72dd0acc0dff9dc514f86bbbc0ac5f50d7931525c6526c271fa46210597d6f204074658a28f3ffe1210e05ee0a4caa12d838d0915c5109bb9bc2ab9072a4e14203ae25fbf7679b4e1e82e3fce3c79006b40965aaed75340000000695115242ca6f6b05820f7d64b84d6bba8422eed1192d7165fbe16835a307c7871f26d554d2c2123cb75e04a6307d73bc72d74b0c6f042cc376349ab080cb967	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1968 iexplore.exe

pid	process
1968	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exeiexplore.exeIEXPLORE.EXE

pid	process
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
1968	iexplore.exe
1968	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exeUpDate.exe2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exeiexplore.exe

description	pid	process	target process
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 872 wrote to memory of 568	872	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	UpDate.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 568 wrote to memory of 1496	568	UpDate.exe	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
PID 1496 wrote to memory of 1968	1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	iexplore.exe
PID 1496 wrote to memory of 1968	1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	iexplore.exe
PID 1496 wrote to memory of 1968	1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	iexplore.exe
PID 1496 wrote to memory of 1968	1496	2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe	iexplore.exe
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1976	1968	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
"C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 3.0 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%32%61%65%63%36%32%36%34%65%31%64%66%38%64%33%63%66%32%31%61%65%65%64%62%61%38%38%64%36%62%65%34%64%64%38%66%63%32%37%38%61%63%64%31%61%63%34%62%63%38%37%61%32%66%31%35%63%35%33%31%37%65%66%36%2E%65%78%65 ¼Ù http://www.gutou.cc/up/shiyimiaozan.txt
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe ÃüÁîÆô¶¯
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://gutou.cc/ad/shiyi/dingyue.htm
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
982990518a437b0540d6108115e34479

SHA1
8028345ec1d2a6981b372eca2e5a9c1f3d82a358

SHA256
7565caaaa39a3988c6153bb82bfe4bc5327a4788492a2d5b6c56917ff1d669cd

SHA512
13dd83296d592f9145b3235b41705ca11205a35a771915fcee773198467cbae29df666e8c6c362dbcaef348a257060a57966f6bf0746a90a5f4bb9074d680b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
8KB

MD5
7c8b2e066ce2a4f21b720268714a4278

SHA1
382fc6fcb9d9d86da07687b8ff547132ea039736

SHA256
f6c3913a0d7e9f6551bd519b2d641286adebed6b44ab5818a47cf306bf074c98

SHA512
004d120d15e2ca9fc56bbe2de8a82662e08865f0e718981db37c56f0768227120e2a232f54ef6c27a6dae4808874d8653a087391f8d42a7686dbe39f0340debc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
12KB

MD5
96c5c50b58cc1b7266286af18de1f994

SHA1
c258b72fa666b507c55f8a9651f44e7a6be8c51a

SHA256
f90d477e84a38900f43b2b57fe1ff6fa0d4336ee41662bb5589e96a4b0239d2e

SHA512
5c7498d3958758007b40c233a80b67ff3e06917e029dcf42468ce297a1342c2af5a7bc7781f51060f52d8d89d58f65f167cbe374b25c208007bcf227f8c1692c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TS3V5SPV.txt
Filesize
608B

MD5
055399f8f5d12c5daa4baa7868ea1f8b

SHA1
c467b569f64b4dab38eadcb2f836c42f0d7263c0

SHA256
57c1a30ad8e4799773545bea9b52774b6328dbd9f42fc347bda1c43db6984ea4

SHA512
7e8a6a9ad2885d618a0af50fb2bc2bc9c481335ffccf981dccfab8f7f5ce0fbc87061e962902ece6b9d2a3cc997a0f0201e09476c3f7ffa2ecd718aaeb3a03af

Download Submit
\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
\Users\Admin\AppData\Local\Temp\2aec6264e1df8d3cf21aeedba88d6be4dd8fc278acd1ac4bc87a2f15c5317ef6.exe
Filesize
565KB

MD5
19b8f9f0a535cde42111758d34205269

SHA1
0cf5c595d7f6191883cb4c126f2f963833bcd372

SHA256
9ce5eb658c2a00e34ea754d42da55f35a08456279d4235448ea4c6dfa9ad8dd2

SHA512
05089cb525a1d53aeb59680b3f7db404d3764ce47c9c417e3976ef03b8aa2f98a24a84a7a0b2d4ed2b53fdfbf8530b2a32d34823cf83309e876ea3cb320e1c13

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
\Users\Admin\AppData\Local\Temp\data\UpDate.exe
Filesize
352KB

MD5
055068cf99073f7fe89a235fa7baa30e

SHA1
cf50106dc2c32080e4136822bc5c625f8bb0ef8f

SHA256
fd92a629cf49ec0477898a3ded5c6b16107275b8e115921a4f7f4e5dcc0aa62d

SHA512
88748fec907dfeb7c5771ef01dd988cfbcfab85af7fa6367b375727e73f569d50cdd7e36af82b5d69f3aeae0a25e58b086b3b181c04eb378a2cb62386e55c9fa

Download Submit
memory/568-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/568-112-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/568-111-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/568-113-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/568-104-0x0000000000000000-mapping.dmp

Download
memory/568-126-0x0000000003880000-0x0000000003AE8000-memory.dmp

Filesize
2.4MB

Download
memory/872-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-100-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/872-101-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-103-0x00000000042B0000-0x0000000004317000-memory.dmp

Filesize
412KB

Download
memory/872-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/872-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-114-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/872-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-55-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/872-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/872-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-130-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-129-0x0000000000D20000-0x0000000000F88000-memory.dmp

Filesize
2.4MB

Download
memory/1496-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-174-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1496-175-0x0000000000D20000-0x0000000000F88000-memory.dmp

Filesize
2.4MB

Download
memory/1496-127-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1496-128-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1496-124-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1496-117-0x0000000000000000-mapping.dmp

Download