blackmoon | 3a7c5d96b8bc4cc967455d0285f85dcca94c3a29d5c94589471dc75bfec120c9

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2023 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

12.2MB
MD5

1f175ba162cc415dc0bef233b5b41ff4
SHA1

a2f55c5b155fe067e74fbbc4ae8c5f869d455df2
SHA256

3a7c5d96b8bc4cc967455d0285f85dcca94c3a29d5c94589471dc75bfec120c9
SHA512

ebcf6864b92a02bc6c7c039ee32673f7da16d262aadd14b158bffc661c09a45ca4ec4a93a18e1f6e27718fdeae3c7a24906db40bbf2e282d2ea51489c9901375
SSDEEP

196608:G9tjMI+N7N+84ja44HKDQBKkXy+XWt815j5tDobSUFQjYYG17qQMXLLsnw:ej8obja4aK0BK+Hvj5t0ZFQLQMcw

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 30 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1904-146-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1904-151-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1904-153-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1904-155-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1904-160-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-175-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1904-178-0x00000000035C0000-0x00000000039FD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-182-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-183-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-188-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-189-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-190-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-191-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-193-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-194-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-200-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-202-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-203-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-209-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-210-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-216-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-222-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-234-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-240-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-242-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-243-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-244-0x0000000003A90000-0x0000000003ECD000-memory.dmp	family_blackmoon
behavioral2/memory/1136-245-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-247-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon
behavioral2/memory/1136-598-0x0000000007040000-0x00000000071F9000-memory.dmp	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

ÔÊ¼ºÏ»÷v2.0.exe

pid process

2140 ÔÊ¼ºÏ»÷v2.0.exe

pid	process
2140	ÔÊ¼ºÏ»÷v2.0.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1904-133-0x0000000000400000-0x000000000133B000-memory.dmp	upx
behavioral2/memory/1904-150-0x00000000031E0000-0x00000000031EB000-memory.dmp	upx
behavioral2/memory/1904-154-0x00000000031E0000-0x00000000031EB000-memory.dmp	upx
behavioral2/memory/1136-162-0x0000000000400000-0x000000000133B000-memory.dmp	upx
behavioral2/memory/1904-177-0x0000000000400000-0x000000000133B000-memory.dmp	upx
behavioral2/memory/1136-181-0x0000000001880000-0x000000000188B000-memory.dmp	upx
behavioral2/memory/1136-185-0x0000000001880000-0x000000000188B000-memory.dmp	upx
behavioral2/memory/1136-195-0x0000000000400000-0x000000000133B000-memory.dmp	upx
behavioral2/memory/1136-233-0x0000000006760000-0x000000000676B000-memory.dmp	upx
behavioral2/memory/1136-237-0x0000000006760000-0x000000000676B000-memory.dmp	upx
behavioral2/memory/2140-596-0x00000000029F0000-0x00000000029F3000-memory.dmp	upx

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ÔÊ¼ºÏ»÷v2.0.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exe

description	ioc	process
File opened (read-only)	\??\B:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\G:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\M:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\N:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\Q:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\R:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\U:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\W:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\X:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\Z:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\H:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\L:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\T:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\Y:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\E:	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
File opened (read-only)	\??\A:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\E:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\J:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\V:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\F:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\I:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\K:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\O:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\P:	ÔÊ¼ºÏ»÷v2.0.exe
File opened (read-only)	\??\S:	ÔÊ¼ºÏ»÷v2.0.exe

Drops file in Windows directory 26 IoCs

Processes:

svchost.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exe

description	ioc	process
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	svchost.exe
File opened for modification	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf	svchost.exe
File created	C:\Windows\Prefetch\TMP.EXE-877456AB.pf	svchost.exe
File created	C:\Windows\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pf	svchost.exe
File opened for modification	C:\Windows\DunLogs\2023-04-26_ÔÊ¼ºÏ»÷v2.0[¶Ü].exe.log	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	svchost.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf	svchost.exe
File created	C:\Windows\Prefetch\ÔÊ¼ºÏ»÷V2.0.EXE-A8B56179.pf	svchost.exe
File created	C:\Windows\Prefetch\SIHCLIENT.EXE-A872A8BF.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\PfPre_81ba54c4.mkd	svchost.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	svchost.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	svchost.exe
File created	C:\Windows\Prefetch\SC.EXE-945D79AE.pf	svchost.exe
File created	C:\Windows\Prefetch\ZMSTAGE.EXE-A0DC408E.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	svchost.exe
File created	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch	svchost.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-72C0C855.pf	svchost.exe
File created	C:\Windows\Prefetch\SVCHOST.EXE-1698ACFD.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\AgGlUAD_S-1-5-21-1675742406-747946869-1029867430-1000.db	svchost.exe
File created	C:\Windows\Prefetch\ÔÊ¼ºÏ»÷V2.0[¶Ü].EXE-CC3A8F28.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	svchost.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	svchost.exe
File created	C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ÔÊ¼ºÏ»÷v2.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ÔÊ¼ºÏ»÷v2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ÔÊ¼ºÏ»÷v2.0.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ÔÊ¼ºÏ»÷v2.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ÔÊ¼ºÏ»÷v2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ÔÊ¼ºÏ»÷v2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	ÔÊ¼ºÏ»÷v2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ÔÊ¼ºÏ»÷v2.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exe

pid	process
1904	tmp.exe
1904	tmp.exe
1904	tmp.exe
1904	tmp.exe
1904	tmp.exe
1904	tmp.exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ÔÊ¼ºÏ»÷v2.0[¶Ü].exe

pid process

1136 ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

tmp.exe

pid process

1904 tmp.exe

pid	process
1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tmp.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1904	tmp.exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 1	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeCreateTokenPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeAssignPrimaryTokenPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeLockMemoryPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeIncreaseQuotaPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeMachineAccountPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeTcbPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeSecurityPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeTakeOwnershipPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeLoadDriverPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeSystemProfilePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeSystemtimePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeProfSingleProcessPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeIncBasePriorityPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeCreatePagefilePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeCreatePermanentPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeBackupPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeRestorePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeShutdownPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeDebugPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeAuditPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeSystemEnvironmentPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeChangeNotifyPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeRemoteShutdownPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeUndockPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeSyncAgentPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeEnableDelegationPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeManageVolumePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeImpersonatePrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeCreateGlobalPrivilege	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 31	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 32	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 33	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 34	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 35	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 36	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 37	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 38	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 39	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 40	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 41	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 42	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 43	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 44	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 45	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 46	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 47	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: 48	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
Token: SeProfSingleProcessPrivilege	5476	svchost.exe
Token: SeTakeOwnershipPrivilege	5476	svchost.exe
Token: SeIncBasePriorityPrivilege	5476	svchost.exe
Token: SeTcbPrivilege	5476	svchost.exe
Token: SeDebugPrivilege	5476	svchost.exe
Token: SeProfSingleProcessPrivilege	5476	svchost.exe
Token: SeTakeOwnershipPrivilege	5476	svchost.exe
Token: SeIncBasePriorityPrivilege	5476	svchost.exe
Token: SeProfSingleProcessPrivilege	5476	svchost.exe
Token: SeTakeOwnershipPrivilege	5476	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exe

pid process

1904 tmp.exe
1136 ÔÊ¼ºÏ»÷v2.0[¶Ü].exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

tmp.exeÔÊ¼ºÏ»÷v2.0[¶Ü].exe

description	pid	process	target process
PID 1904 wrote to memory of 1136	1904	tmp.exe	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
PID 1904 wrote to memory of 1136	1904	tmp.exe	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
PID 1904 wrote to memory of 1136	1904	tmp.exe	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
PID 1136 wrote to memory of 2140	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe	ÔÊ¼ºÏ»÷v2.0.exe
PID 1136 wrote to memory of 2140	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe	ÔÊ¼ºÏ»÷v2.0.exe
PID 1136 wrote to memory of 2140	1136	ÔÊ¼ºÏ»÷v2.0[¶Ü].exe	ÔÊ¼ºÏ»÷v2.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\ÔÊ¼ºÏ»÷v2.0[¶Ü].exe
"C:\Users\Admin\AppData\Local\Temp\ÔÊ¼ºÏ»÷v2.0[¶Ü].exe"
2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Tmp\a1ac0b7c5a7d20090cc4bdd9e62f24d1\ÔÊ¼ºÏ»÷v2.0.exe
"C:\Tmp\a1ac0b7c5a7d20090cc4bdd9e62f24d1\ÔÊ¼ºÏ»÷v2.0.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Tmp\a1ac0b7c5a7d20090cc4bdd9e62f24d1\ÔÊ¼ºÏ»÷v2.0.exe

Filesize
6.2MB

MD5
a1ac0b7c5a7d20090cc4bdd9e62f24d1

SHA1
bdd8e697d4f3b2bba3bbafef4745451775e92f49

SHA256
54fbff41225c2cb4725b8cb68eb550a2340c54bb77e572988ffd3c2ab49b937e

SHA512
a5aa50a732454be8fcfc758ae8d039759e2ea09096dc14b856857afdf376ef5ac705b68f768d319c3f9e967f98520b75687eca05377a774ea1595656fd964b67

Download Submit
C:\Tmp\a1ac0b7c5a7d20090cc4bdd9e62f24d1\ÔÊ¼ºÏ»÷v2.0.exe

Filesize
6.2MB

MD5
a1ac0b7c5a7d20090cc4bdd9e62f24d1

SHA1
bdd8e697d4f3b2bba3bbafef4745451775e92f49

SHA256
54fbff41225c2cb4725b8cb68eb550a2340c54bb77e572988ffd3c2ab49b937e

SHA512
a5aa50a732454be8fcfc758ae8d039759e2ea09096dc14b856857afdf376ef5ac705b68f768d319c3f9e967f98520b75687eca05377a774ea1595656fd964b67

Download Submit
C:\Tmp\a1ac0b7c5a7d20090cc4bdd9e62f24d1\ÔÊ¼ºÏ»÷v2.0.exe

Filesize
6.2MB

MD5
a1ac0b7c5a7d20090cc4bdd9e62f24d1

SHA1
bdd8e697d4f3b2bba3bbafef4745451775e92f49

SHA256
54fbff41225c2cb4725b8cb68eb550a2340c54bb77e572988ffd3c2ab49b937e

SHA512
a5aa50a732454be8fcfc758ae8d039759e2ea09096dc14b856857afdf376ef5ac705b68f768d319c3f9e967f98520b75687eca05377a774ea1595656fd964b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1478537756

Filesize
1.6MB

MD5
36e632ab7ef7d87cf60d7461dab1181f

SHA1
820ef123db5a7cf3023c38e99eb267e0bcecdd53

SHA256
31c716bb6b8cecffcbda9e56fd595339512465ac02d52989ba01590b0528a8a0

SHA512
f70ee62945d9200e63e54771457debdfede7dc39b3d71df12d13a260322e670e753240ddc414915cb66e3def57f6d30cb82ce442df278ef760e33e52fb99f644

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA7C.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA9C.tmp

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAAD.tmp

Filesize
137KB

MD5
f6b847a54cfb804a25b8842b45fd1d50

SHA1
bb22fef07ce1577c8a7fa057d8cf05502c013bfc

SHA256
5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583

SHA512
dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

Download Submit
C:\Users\Admin\Desktop\ÔÊ¼ºÏ»÷v2.0[¶Ü].lnk

Filesize
986B

MD5
92b627d7156fb99821079b0cf2982f45

SHA1
bb36523ddd3ad0c915687b38c49a1098678da3f6

SHA256
d6223567e4a0262b18038037b9ebcbeb3afb800a50b18b111029b2ff00a278f5

SHA512
4e23af68e0759e69f789fc8b9829af0bc14b9144796adb90f5ba3237ba3f3b2d0c9e92307560306e2842eb7573e58cc1dc112001a514f337e413456e573305c3

Download Submit
memory/1136-190-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-191-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-162-0x0000000000400000-0x000000000133B000-memory.dmp

Filesize
15.2MB

Download
memory/1136-163-0x00000000014D0000-0x00000000014E8000-memory.dmp

Filesize
96KB

Download
memory/1136-175-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-176-0x00000000014D0000-0x00000000014E8000-memory.dmp

Filesize
96KB

Download
memory/1136-598-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-559-0x000000000AB70000-0x000000000AB71000-memory.dmp

Filesize
4KB

Download
memory/1136-181-0x0000000001880000-0x000000000188B000-memory.dmp

Filesize
44KB

Download
memory/1136-182-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-183-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-185-0x0000000001880000-0x000000000188B000-memory.dmp

Filesize
44KB

Download
memory/1136-188-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-189-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-558-0x000000000AA20000-0x000000000AA21000-memory.dmp

Filesize
4KB

Download
memory/1136-240-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-193-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-194-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-195-0x0000000000400000-0x000000000133B000-memory.dmp

Filesize
15.2MB

Download
memory/1136-200-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-557-0x000000000A8D0000-0x000000000A8D1000-memory.dmp

Filesize
4KB

Download
memory/1136-202-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-203-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-555-0x000000000A630000-0x000000000A631000-memory.dmp

Filesize
4KB

Download
memory/1136-209-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-210-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-556-0x000000000A780000-0x000000000A781000-memory.dmp

Filesize
4KB

Download
memory/1136-553-0x000000000A390000-0x000000000A391000-memory.dmp

Filesize
4KB

Download
memory/1136-554-0x000000000A4E0000-0x000000000A4E1000-memory.dmp

Filesize
4KB

Download
memory/1136-216-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-552-0x000000000A100000-0x000000000A101000-memory.dmp

Filesize
4KB

Download
memory/1136-222-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-237-0x0000000006760000-0x000000000676B000-memory.dmp

Filesize
44KB

Download
memory/1136-551-0x0000000009FB0000-0x0000000009FB1000-memory.dmp

Filesize
4KB

Download
memory/1136-267-0x0000000009E60000-0x0000000009E61000-memory.dmp

Filesize
4KB

Download
memory/1136-266-0x0000000009D10000-0x0000000009D11000-memory.dmp

Filesize
4KB

Download
memory/1136-265-0x0000000009BC0000-0x0000000009BC1000-memory.dmp

Filesize
4KB

Download
memory/1136-264-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/1136-263-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/1136-234-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-233-0x0000000006760000-0x000000000676B000-memory.dmp

Filesize
44KB

Download
memory/1136-262-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/1136-261-0x0000000009680000-0x0000000009681000-memory.dmp

Filesize
4KB

Download
memory/1136-242-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-243-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-244-0x0000000003A90000-0x0000000003ECD000-memory.dmp

Filesize
4.2MB

Download
memory/1136-246-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/1136-245-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-248-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1136-249-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/1136-250-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/1136-247-0x0000000007040000-0x00000000071F9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-251-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/1136-254-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/1136-255-0x0000000008D60000-0x0000000008D61000-memory.dmp

Filesize
4KB

Download
memory/1136-256-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/1136-257-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/1136-258-0x0000000009290000-0x0000000009291000-memory.dmp

Filesize
4KB

Download
memory/1136-259-0x00000000093E0000-0x00000000093E1000-memory.dmp

Filesize
4KB

Download
memory/1136-260-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/1904-178-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/1904-134-0x00000000014D0000-0x00000000014E8000-memory.dmp

Filesize
96KB

Download
memory/1904-177-0x0000000000400000-0x000000000133B000-memory.dmp

Filesize
15.2MB

Download
memory/1904-154-0x00000000031E0000-0x00000000031EB000-memory.dmp

Filesize
44KB

Download
memory/1904-151-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/1904-147-0x00000000014D0000-0x00000000014E8000-memory.dmp

Filesize
96KB

Download
memory/1904-150-0x00000000031E0000-0x00000000031EB000-memory.dmp

Filesize
44KB

Download
memory/1904-153-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/1904-160-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/1904-133-0x0000000000400000-0x000000000133B000-memory.dmp

Filesize
15.2MB

Download
memory/1904-155-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/1904-146-0x00000000035C0000-0x00000000039FD000-memory.dmp

Filesize
4.2MB

Download
memory/2140-226-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2140-236-0x0000000003190000-0x0000000003247000-memory.dmp

Filesize
732KB

Download
memory/2140-685-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/2140-220-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/2140-219-0x00000000029F0000-0x00000000029F3000-memory.dmp

Filesize
12KB

Download
memory/2140-596-0x00000000029F0000-0x00000000029F3000-memory.dmp

Filesize
12KB

Download
memory/2140-221-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/2140-599-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2140-215-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download