blackmoon | 6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c2e949a2f92c4f458ea1e18ef0829b.exe
Size

2.0MB
MD5

64c2e949a2f92c4f458ea1e18ef0829b
SHA1

5274af76387950b897e4cd1fd9f8cf69755dd05e
SHA256

6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f
SHA512

6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29
SSDEEP

24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl

Score

10^/10

blackmoon banker bootkit persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000146c8-5.dat	family_blackmoon
behavioral1/files/0x0007000000016d2e-26.dat	family_blackmoon
behavioral1/files/0x0007000000016d2e-39.dat	family_blackmoon
behavioral1/files/0x000c0000000146c8-44.dat	family_blackmoon
behavioral1/files/0x0007000000016d2e-58.dat	family_blackmoon
behavioral1/files/0x0007000000016d2e-97.dat	family_blackmoon
behavioral1/files/0x0006000000018f81-112.dat	family_blackmoon
behavioral1/files/0x000c0000000146c8-102.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk	ippatch.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk	ippatch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk	ipsee.exe

Executes dropped EXE 24 IoCs

pid	Process
1512	ippatch.exe
2164	ipsee.exe
1104	ippatch.exe
2004	ipsee.exe
2348	ipsee.exe
612	ipsee.exe
1076	ipsee.exe
776	ipsee.exe
1196	ipsee.exe
240	ipsee.exe
2760	ipsee.exe
3060	ipsee.exe
2192	ipsee.exe
1008	ipsee.exe
1936	ipsee.exe
1616	ipsee.exe
2928	ipsee.exe
576	ipsee.exe
2480	ipsee.exe
1944	ipsee.exe
884	ipsee.exe
2436	ipsee.exe
2448	ipsee.exe
1148	ipsee.exe

Loads dropped DLL 64 IoCs

pid	Process
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2164	ipsee.exe
2164	ipsee.exe
2164	ipsee.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
2004	ipsee.exe
2004	ipsee.exe
2004	ipsee.exe
1104	ippatch.exe
1104	ippatch.exe
1104	ippatch.exe
2004	ipsee.exe
1104	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2348	ipsee.exe
2348	ipsee.exe
2348	ipsee.exe
2348	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
612	ipsee.exe
612	ipsee.exe
612	ipsee.exe
612	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
1076	ipsee.exe
1076	ipsee.exe
1076	ipsee.exe
1076	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
776	ipsee.exe
776	ipsee.exe
776	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
1196	ipsee.exe
1196	ipsee.exe
1196	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
240	ipsee.exe
240	ipsee.exe
240	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
2760	ipsee.exe
2760	ipsee.exe
2760	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
3060	ipsee.exe
3060	ipsee.exe
3060	ipsee.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ippatch.exe
File opened for modification	\??\PhysicalDrive0	64c2e949a2f92c4f458ea1e18ef0829b.exe
File opened for modification	\??\PhysicalDrive0	ippatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 34 IoCs

evasion

pid	Process
2916	taskkill.exe
3020	taskkill.exe
2888	taskkill.exe
2716	taskkill.exe
1628	taskkill.exe
1328	taskkill.exe
660	taskkill.exe
2292	taskkill.exe
2688	taskkill.exe
1756	taskkill.exe
1728	taskkill.exe
1152	taskkill.exe
2768	taskkill.exe
292	taskkill.exe
760	taskkill.exe
2040	taskkill.exe
1232	taskkill.exe
1496	taskkill.exe
2628	taskkill.exe
1928	taskkill.exe
1980	taskkill.exe
1700	taskkill.exe
2496	taskkill.exe
2188	taskkill.exe
2372	taskkill.exe
2336	taskkill.exe
1940	taskkill.exe
1384	taskkill.exe
760	taskkill.exe
1208	taskkill.exe
1980	taskkill.exe
1672	taskkill.exe
2292	taskkill.exe
2676	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2004	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2004	ipsee.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2348	ipsee.exe
2348	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
612	ipsee.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1512	ippatch.exe
1076	ipsee.exe
1512	ippatch.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	DllHost.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
2556	64c2e949a2f92c4f458ea1e18ef0829b.exe
1512	ippatch.exe
1512	ippatch.exe
2164	ipsee.exe
2164	ipsee.exe
2004	ipsee.exe
2004	ipsee.exe
1104	ippatch.exe
1104	ippatch.exe
2348	ipsee.exe
2348	ipsee.exe
612	ipsee.exe
612	ipsee.exe
1076	ipsee.exe
1076	ipsee.exe
776	ipsee.exe
776	ipsee.exe
1196	ipsee.exe
1196	ipsee.exe
240	ipsee.exe
240	ipsee.exe
2760	ipsee.exe
2760	ipsee.exe
3060	ipsee.exe
3060	ipsee.exe
2192	ipsee.exe
2192	ipsee.exe
1008	ipsee.exe
1008	ipsee.exe
1936	ipsee.exe
1936	ipsee.exe
1616	ipsee.exe
1616	ipsee.exe
2928	ipsee.exe
2928	ipsee.exe
1944	ipsee.exe
1944	ipsee.exe
884	ipsee.exe
884	ipsee.exe
2436	ipsee.exe
2436	ipsee.exe
2448	ipsee.exe
2448	ipsee.exe
1148	ipsee.exe
1148	ipsee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2688	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	29
PID 2556 wrote to memory of 2688	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	29
PID 2556 wrote to memory of 2688	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	29
PID 2556 wrote to memory of 2688	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	29
PID 2556 wrote to memory of 2916	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	30
PID 2556 wrote to memory of 2916	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	30
PID 2556 wrote to memory of 2916	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	30
PID 2556 wrote to memory of 2916	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	30
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 2556 wrote to memory of 1512	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	34
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 3020	1512	ippatch.exe	35
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 2164	1512	ippatch.exe	37
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 1208	1512	ippatch.exe	38
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 1512 wrote to memory of 2004	1512	ippatch.exe	40
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 1104	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	39
PID 2556 wrote to memory of 2040	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	42
PID 2556 wrote to memory of 2040	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	42
PID 2556 wrote to memory of 2040	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	42
PID 2556 wrote to memory of 2040	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	42
PID 2556 wrote to memory of 2496	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	43
PID 2556 wrote to memory of 2496	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	43
PID 2556 wrote to memory of 2496	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	43
PID 2556 wrote to memory of 2496	2556	64c2e949a2f92c4f458ea1e18ef0829b.exe	43
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82
PID 1512 wrote to memory of 1980	1512	ippatch.exe	82

C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe
"C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ippatch.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ipsee.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Users\Admin\AppData\Roaming\ippatch.exe
  "C:\Users\Admin\AppData\Roaming\ippatch.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2004
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:612
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    PID:760
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:240
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1936
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    PID:2292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1148
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    PID:2480
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Users\Admin\AppData\Roaming\ipsee.exe
    "C:\Users\Admin\AppData\Roaming\ipsee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ipsee.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Users\Admin\AppData\Roaming\ippatch.exe
  "C:\Users\Admin\AppData\Roaming\ippatch.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:2496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:1328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""64c2e949a2f92c4f458ea1e18ef0829b.exe_And DeleteMe.bat""
  2⤵
  - Deletes itself
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ .EXE /f
  2⤵
  - Kills process with taskkill
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im QQ.EXE /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCX69B1.tmp

Filesize
868KB

MD5
e6cdfee330f68490a9c8d012f628fc67

SHA1
f050fb03898e48d43015c58c51641835a07b3da8

SHA256
fb316744be1148351e52391901223ea9a3da70509f1c93a4315b0b4b9f79ac68

SHA512
646bdbcd70de70febfb8548c4cdc829f57bf7ab491d7423ac17e76c6d8cb242808497cca65bb2cc147b6df53e9561514639818f0dcc76e0c90c48a2d1232dc41

Download Submit
C:\RCX6EE5.tmp

Filesize
868KB

MD5
672fbc1f5211b406913be23e15c9752b

SHA1
4dd3f13f154659d78ddbc86269951503d9c51e49

SHA256
796195e50c745704a10501e964deb836c5118a88761cdf9b2d38ea03f5ff8d88

SHA512
42c229fbb93e091ae9c8a8f48e8f067c35411f101d2fb6acc8dd4f148a6cd88047b1592166b718c5424e6f00cc8de1ed023517707ce78aac73a3abc10e1be5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe_And DeleteMe.bat

Filesize
182B

MD5
5456a0b28263c7a628170db49628fffa

SHA1
30055dfb031a66acc06ee164299d52b569af0d7f

SHA256
c1c90f3befec0d1483908adb9a23336b566cae149935ceef22f87430b51eeb5b

SHA512
afac429831ba1d83f7c03642b70f4852700811416b3a6cd1f812ad97bb053a1ab5cb323451c754d2c55327b372e3cd454c512af799d5f5747c3daf8a4a78199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar.exe

Filesize
260KB

MD5
818270317d9e33b1d498c7e93df51cc3

SHA1
3c553cd21234f09416ce6968f7347dc948d075aa

SHA256
97924da59c4619ba66cf78259f1565a12de4a322386db9c2d3eee9cc71fee013

SHA512
09ecb9886ac82119dfe430dd21a5d4db4ebda7385e9741c0858a3b85507f005ae4602e5828f1b85b6a7055ab7ba6d5be685f879ed135d4ef9b989689b0934481

Download Submit
C:\Users\Admin\AppData\Roaming\1.jpg

Filesize
53KB

MD5
3e6a6eef02a43bab4e580c30fa8ddf05

SHA1
6893ca9f204ccac1b625229e2f270856077ae755

SHA256
33264a92e66ea4bc57ddcf38bf8807f4e98656091d47f2cafafc67459411babb

SHA512
5033b65b07d91669d7f7cbeb17f1659ba9947d16b73468ea83c7e091875c42f898f7e24ed1a3732857adb9a372452b709c4021e224d6f56a4b1aa7125dc0c5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk

Filesize
692B

MD5
76f7ec6a02b525339042126020a57300

SHA1
9a93712fc517d2974879be0bc51ca64e3f483feb

SHA256
019273d981056f07e6053316506d442896b2f79a8c62f0e60c098cadaff9ef90

SHA512
139c9f8f03742d0df12273dc98a40183c8d80a5bf5e99f4f418ab5c5d921dffc291440b65aea394bae3eda97daeb24af8f35072ecf5b59e9bdd202dea4422ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk

Filesize
680B

MD5
af33958f3d3b6b94e95192eae7ae7661

SHA1
bc12aa923730b05941459a3a4f5e45a49ad6e79f

SHA256
89099c7263e5623c83c5473cd6157afca4a8432ee169b47cb0a6733320f17425

SHA512
3f6f967bb97380bc7a67ed383cf6ab3976022bbcc751b71382a775849d0f972e67ffa0f3d05ea9705323709ad99b9ffa744a8ddb969bb6d35166868223bfa784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk

Filesize
680B

MD5
565220821e07e142fc360da1f3d952c9

SHA1
1667a206d5009bbe92ccdb6f9cfc09f50e94d483

SHA256
18725f6802917c469613c2bb371ee3a3c1c6c3e8931d35f2881cb00c3a0f84bc

SHA512
79619c6a3b1d0195fceb958d1d5d394b3057c913f1e6de3c472c55d3c3e3c082972f5d7d928951102bfc14f8f5af26df281e4acc930b70fe05b2215952fe0043

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll

Filesize
154B

MD5
40b80bda339faae4739d77caa3ebd0eb

SHA1
54e11813769d714dbf3153ec6f2620b919a00fca

SHA256
c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3

SHA512
ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

Download Submit
C:\Users\Admin\AppData\Roaming\RCX5E57.tmp

Filesize
256KB

MD5
8eb37cb8139006950876850958db625d

SHA1
c0aebe0e8ef59993163c719154a1cd0e8179da3a

SHA256
1f5412e5eed20ba076ca88f18e7a5f0f22ff233fce654395e504cfe45d823190

SHA512
b11fb79875f516e26f33a85f639c67ec3e6dcc88a237f642f97d478562055f84c397008f741cdee678bb68eaa46c1247703fb4ed836dc847ea32bb2a87924935

Download Submit
C:\Users\Admin\AppData\Roaming\ippatch.edd

Filesize
1000KB

MD5
5519e314038e41030aafac988229c64e

SHA1
f64e7ca1d2733b8a5cfc57a75879eee0234d124f

SHA256
72ceb91950e369788b8f17b03fcdef702946114fd76e1d36ded9cc4ab7e2c219

SHA512
29022b12839188248b64d99a1ab331107962f9bb82efd5d9f84dc7fcba2b17116419a7b4c8fd1bcb27eb0ddecfb891dfa438f1183feeb04865f39049a0c12c4f

Download Submit
C:\Users\Admin\AppData\Roaming\ippatch.exe

Filesize
2.0MB

MD5
2498c979b39944e98f967098b6df8e6f

SHA1
62e3a5de097051d8b657af9f326403d006bd73d2

SHA256
6b42cbcc8b7cab2fe7cb0f8ca0fd34965d03f1cbfa5b1a26f97eda15f1be2e83

SHA512
d2396e9b0267dc2a53a4a5c994f8fd664863c14081c89d9527efa5f423aa64675f69e387286d2efe215473030be6b5ee43cf518f826f7958ebf1481ea8806fef

Download Submit
C:\Users\Admin\AppData\Roaming\ipsee.exe

Filesize
868KB

MD5
89f15854b5ad4374876e1bbef83e3bf8

SHA1
0f84e9ab958dc06e2b24182bbb6a6edcdcba25ce

SHA256
b1553b1a86e04d61c3d9fb1410daed548c3774645ebefa7d8353d9a12843f4f1

SHA512
7e7d37533248498320542ca2aeae11009be665ae6ff9def7c448aa24f765c9ec4ef97a9cf6368b9fac55d0e09ba5edaba08b41cef0e66f7aa232f7b3fb8ab931

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
19bbf2af9cb6c7666f49bf0b4da77900

SHA1
07bc498d6c64a5c739f40dadae57d5053d2d2dd4

SHA256
aeb6ec9c823ef6f981670fb272771b69d8559dc4e2b28d7ae4bb33afc81291dc

SHA512
d0d8259739d73d13dc7affde8e8a4563b49be74df38578920858b7a2f4abf0d2569314325ae01c40078741bb6ecdc4cf9ff3a38754c0d4f59ba01da2093ef250

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
6ff4c5bef44266ad33c91e6c9ee3aa2e

SHA1
3e6b03a80a3c409dd027b8c136a76f0d803e726b

SHA256
525a755b5acda82246a0c2a7b8414aff9f7b6281134c97ae2d7e75070ac0221d

SHA512
607ca49be5e37bac6bb93552f9030b63a3b74b31ddd37e64a5dda292953cb3dc368ab3d8339c4e083bd95c7d25b15f39ff8a42b4578afc148489fe6aeb6bcf22

Download Submit
C:\Users\Admin\AppData\Roaming\mydll.dll

Filesize
256KB

MD5
7f139c026d25038f6bbd941e44b45e22

SHA1
347d697d86f865b13e0f4f281de7a8a7d1c0b38b

SHA256
c27173606c6925766d9f739bdc5d874d1b0a41afe930a2b1af4c550a2a9b8804

SHA512
079bb4c5e56ca6585ffc80f659764990e410cc79ba8c240f692bb2d595ec37acefddecc1097990222c0be8c67cea046b803a291254fc31bbd2ed2c21b383d79b

Download Submit
\Users\Admin\AppData\Roaming\ippatch.exe

Filesize
2.0MB

MD5
ebc7ebc57a45ada5e666df89c4d20cb0

SHA1
05594838728c2e424197f4b772de111149f5a46c

SHA256
bf72b0899a27515c516de790db7775c7819b3af0f283ea8f1967f8612dac9fa7

SHA512
66648cccb6b2f5d7727d89bd571014d7ece0803fc7650363f6f47d4f67b62a41ddfb884b53d9128394346c8a1e2b53e3e111f61fdbd62e04807ca3321fa5bd67

Download Submit
\Users\Admin\AppData\Roaming\ippatch.exe

Filesize
1.9MB

MD5
9c2308a6425e29e60d367af5b14d0b17

SHA1
d12045af3eb68f8b1d83835ec4c57ab6603c821b

SHA256
be5d9dd19b317f9de24a8a75ccbb684ce931c1c985166d2c86f75200186e5c3c

SHA512
f0a534d0af191cb8655dcbb7d11251ed4f9722c170d6ae9048b3cca5185e6fc64ecba478af7ae590650d81a67fd6e0e0e40231e3712677d3b94e56730e7d2ba6

Download Submit
\Users\Admin\AppData\Roaming\ippatch.exe

Filesize
1.4MB

MD5
cc295659f14ba0d602171c330df5d03b

SHA1
61a16bf2eaf20c8edfc34fd711d533f205cdd166

SHA256
4b243b4f8eedc3f12fdb9a0a6b3688c67e9f8e7e8ced3d895dff877fa0246a81

SHA512
27c6b98f7619ba8f724a9b7399ae1351d844ff762013c8c0aa1c787ad66dcdc6e252cfa591e339ca9c0a05d36bdb003897486f2613bdadf4c897dd463e587d3d

Download Submit
memory/2556-15-0x0000000002000000-0x0000000002002000-memory.dmp

Filesize
8KB

Download
memory/2724-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2724-16-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2724-566-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download