blackmoon | 58df7b839d34916ebae21d29e997af3a6cd00de0c939402202467a247bfed6fd

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 14:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
Size

375KB
MD5

d6cded3c9fc8ca880b8bfbfbbf78e96e
SHA1

0764cf56ae697694152f6eec6e6b5d7876eeeb87
SHA256

58df7b839d34916ebae21d29e997af3a6cd00de0c939402202467a247bfed6fd
SHA512

217b7d5cf48e0b14f271d774000ca13fd06ce62511a9fc9095e526636f6675669b9345c18a710a61a4e5266cc21ad3e8c1e0ca5a2827c1a041f5676efc7f6a5c
SSDEEP

6144:tczH+8QD8sg+ZvFXaczH+8QD8sg+ZvFX:CaHFZvFbaHFZvF

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

resource	yara_rule
behavioral1/memory/1992-4-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2552-12-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2656-13-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2656-23-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2956-27-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/1672-33-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/1816-34-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/1816-44-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2720-48-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/2340-51-0x0000000000BF0000-0x0000000000C68000-memory.dmp	family_blackmoon
behavioral1/memory/2336-54-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/392-55-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral1/memory/392-65-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon

Executes dropped EXE 8 IoCs

pid	Process
2552	zhfluxb.exe
2656	zhfluxb.exe
2956	pguyon.exe
1672	zhfluxb.exe
1816	zhfluxb.exe
2720	pguyon.exe
2336	zhfluxb.exe
392	zhfluxb.exe

Loads dropped DLL 8 IoCs

pid	Process
844	cmd.exe
844	cmd.exe
1012	WerFault.exe
1012	WerFault.exe
2320	cmd.exe
2536	WerFault.exe
2536	WerFault.exe
2340	cmd.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1992-4-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/files/0x000b00000001558c-6.dat	upx
behavioral1/memory/2552-9-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2656-11-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2552-12-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2656-13-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2656-23-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2956-27-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1816-32-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1672-33-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1816-34-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1816-44-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2720-48-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2336-54-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/392-55-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/392-65-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	zhfluxb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	zhfluxb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	zhfluxb.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\eufcdaz\zhfluxb.exe	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ime\cyzxugq\pguyon.exe	zhfluxb.exe
File opened for modification	\??\c:\windows\fonts\eufcdaz\zhfluxb.exe	pguyon.exe
File created	\??\c:\windows\fonts\eufcdaz\HighPower.pow	zhfluxb.exe
File created	\??\c:\windows\fonts\eufcdaz\BestPower.pow	zhfluxb.exe
File created	\??\c:\windows\fonts\eufcdaz\HighPower.pow	zhfluxb.exe
File opened for modification	\??\c:\windows\fonts\eufcdaz\zhfluxb.exe	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ime\cyzxugq\pguyon.exe	zhfluxb.exe
File opened for modification	\??\c:\windows\fonts\eufcdaz\zhfluxb.exe	pguyon.exe
File opened for modification	\??\c:\windows\ime\cyzxugq\pguyon.exe	zhfluxb.exe
File created	\??\c:\windows\ime\cyzxugq\pguyon.exe	zhfluxb.exe
File created	\??\c:\windows\fonts\eufcdaz\HighPower.pow	zhfluxb.exe
File created	\??\c:\windows\fonts\eufcdaz\BestPower.pow	zhfluxb.exe
File created	\??\c:\windows\fonts\eufcdaz\BestPower.pow	zhfluxb.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1012	2656	WerFault.exe	32
2536	1816	WerFault.exe	72
1808	392	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
876	schtasks.exe
2328	schtasks.exe
1976	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecision = "0"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecision = "0"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecision = "0"	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionTime = 70e7abbc6887da01	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecisionTime = f077dee26887da01	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecisionTime = 90f039056987da01	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionReason = "1"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionReason = "1"	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecisionReason = "1"	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecision = "0"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadNetworkName = "Network 3"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionTime = 70e7abbc6887da01	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDetectedUrl	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionTime = f077dee26887da01	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadNetworkName = "Network 3"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecision = "0"	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionTime = f077dee26887da01	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\WpadDecisionTime = 70e7abbc6887da01	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e3-86-3f-ce-75\WpadDecisionReason = "1"	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	zhfluxb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	zhfluxb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC3A3061-16F2-41E4-918E-DB6F61C68F7A}\d6-e3-86-3f-ce-75	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	zhfluxb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	zhfluxb.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2928	PING.EXE
1920	PING.EXE
2756	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
2552	zhfluxb.exe
2656	zhfluxb.exe
2956	pguyon.exe
2956	pguyon.exe
2956	pguyon.exe
1672	zhfluxb.exe
1816	zhfluxb.exe
2720	pguyon.exe
2720	pguyon.exe
2720	pguyon.exe
2336	zhfluxb.exe
392	zhfluxb.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
Token: SeDebugPrivilege	2552	zhfluxb.exe
Token: SeDebugPrivilege	2656	zhfluxb.exe
Token: SeAssignPrimaryTokenPrivilege	2444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2664	WMIC.exe
Token: SeSecurityPrivilege	2664	WMIC.exe
Token: SeTakeOwnershipPrivilege	2664	WMIC.exe
Token: SeLoadDriverPrivilege	2664	WMIC.exe
Token: SeSystemtimePrivilege	2664	WMIC.exe
Token: SeBackupPrivilege	2664	WMIC.exe
Token: SeRestorePrivilege	2664	WMIC.exe
Token: SeShutdownPrivilege	2664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2664	WMIC.exe
Token: SeUndockPrivilege	2664	WMIC.exe
Token: SeManageVolumePrivilege	2664	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2664	WMIC.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
2552	zhfluxb.exe
2656	zhfluxb.exe
2956	pguyon.exe
1672	zhfluxb.exe
1816	zhfluxb.exe
2720	pguyon.exe
2336	zhfluxb.exe
392	zhfluxb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 844	1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe	28
PID 1992 wrote to memory of 844	1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe	28
PID 1992 wrote to memory of 844	1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe	28
PID 1992 wrote to memory of 844	1992	d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe	28
PID 844 wrote to memory of 2928	844	cmd.exe	30
PID 844 wrote to memory of 2928	844	cmd.exe	30
PID 844 wrote to memory of 2928	844	cmd.exe	30
PID 844 wrote to memory of 2928	844	cmd.exe	30
PID 844 wrote to memory of 2552	844	cmd.exe	31
PID 844 wrote to memory of 2552	844	cmd.exe	31
PID 844 wrote to memory of 2552	844	cmd.exe	31
PID 844 wrote to memory of 2552	844	cmd.exe	31
PID 2656 wrote to memory of 2228	2656	zhfluxb.exe	33
PID 2656 wrote to memory of 2228	2656	zhfluxb.exe	33
PID 2656 wrote to memory of 2228	2656	zhfluxb.exe	33
PID 2656 wrote to memory of 2228	2656	zhfluxb.exe	33
PID 2228 wrote to memory of 2444	2228	cmd.exe	35
PID 2228 wrote to memory of 2444	2228	cmd.exe	35
PID 2228 wrote to memory of 2444	2228	cmd.exe	35
PID 2228 wrote to memory of 2444	2228	cmd.exe	35
PID 2228 wrote to memory of 2860	2228	cmd.exe	36
PID 2228 wrote to memory of 2860	2228	cmd.exe	36
PID 2228 wrote to memory of 2860	2228	cmd.exe	36
PID 2228 wrote to memory of 2860	2228	cmd.exe	36
PID 2228 wrote to memory of 2664	2228	cmd.exe	37
PID 2228 wrote to memory of 2664	2228	cmd.exe	37
PID 2228 wrote to memory of 2664	2228	cmd.exe	37
PID 2228 wrote to memory of 2664	2228	cmd.exe	37
PID 2656 wrote to memory of 1944	2656	zhfluxb.exe	38
PID 2656 wrote to memory of 1944	2656	zhfluxb.exe	38
PID 2656 wrote to memory of 1944	2656	zhfluxb.exe	38
PID 2656 wrote to memory of 1944	2656	zhfluxb.exe	38
PID 2656 wrote to memory of 2356	2656	zhfluxb.exe	39
PID 2656 wrote to memory of 2356	2656	zhfluxb.exe	39
PID 2656 wrote to memory of 2356	2656	zhfluxb.exe	39
PID 2656 wrote to memory of 2356	2656	zhfluxb.exe	39
PID 1944 wrote to memory of 2724	1944	cmd.exe	42
PID 1944 wrote to memory of 2724	1944	cmd.exe	42
PID 1944 wrote to memory of 2724	1944	cmd.exe	42
PID 1944 wrote to memory of 2724	1944	cmd.exe	42
PID 2356 wrote to memory of 2604	2356	cmd.exe	43
PID 2356 wrote to memory of 2604	2356	cmd.exe	43
PID 2356 wrote to memory of 2604	2356	cmd.exe	43
PID 2356 wrote to memory of 2604	2356	cmd.exe	43
PID 1944 wrote to memory of 2200	1944	cmd.exe	44
PID 1944 wrote to memory of 2200	1944	cmd.exe	44
PID 1944 wrote to memory of 2200	1944	cmd.exe	44
PID 1944 wrote to memory of 2200	1944	cmd.exe	44
PID 2656 wrote to memory of 2336	2656	zhfluxb.exe	45
PID 2656 wrote to memory of 2336	2656	zhfluxb.exe	45
PID 2656 wrote to memory of 2336	2656	zhfluxb.exe	45
PID 2656 wrote to memory of 2336	2656	zhfluxb.exe	45
PID 2656 wrote to memory of 2392	2656	zhfluxb.exe	46
PID 2656 wrote to memory of 2392	2656	zhfluxb.exe	46
PID 2656 wrote to memory of 2392	2656	zhfluxb.exe	46
PID 2656 wrote to memory of 2392	2656	zhfluxb.exe	46
PID 2336 wrote to memory of 2196	2336	cmd.exe	48
PID 2336 wrote to memory of 2196	2336	cmd.exe	48
PID 2336 wrote to memory of 2196	2336	cmd.exe	48
PID 2336 wrote to memory of 2196	2336	cmd.exe	48
PID 2336 wrote to memory of 1976	2336	cmd.exe	50
PID 2336 wrote to memory of 1976	2336	cmd.exe	50
PID 2336 wrote to memory of 1976	2336	cmd.exe	50
PID 2336 wrote to memory of 1976	2336	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\eufcdaz\zhfluxb.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2928
- - \??\c:\windows\fonts\eufcdaz\zhfluxb.exe
    c:\windows\fonts\eufcdaz\zhfluxb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2552

\??\c:\windows\fonts\eufcdaz\zhfluxb.exe
c:\windows\fonts\eufcdaz\zhfluxb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN pedxa /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN pedxa /F
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
      4⤵
      PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 5bdc7b6d-e9d3-407a-a095-60aef2e62da1
  2⤵
  PID:808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 5bdc7b6d-e9d3-407a-a095-60aef2e62da1
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 5bdc7b6d-e9d3-407a-a095-60aef2e62da1
      4⤵
      PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:368
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 636
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:320

\??\c:\windows\ime\cyzxugq\pguyon.exe
c:\windows\ime\cyzxugq\pguyon.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\eufcdaz\zhfluxb.exe
  2⤵
  - Loads dropped DLL
  PID:2320
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1920
- - \??\c:\windows\fonts\eufcdaz\zhfluxb.exe
    c:\windows\fonts\eufcdaz\zhfluxb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1672

\??\c:\windows\fonts\eufcdaz\zhfluxb.exe
c:\windows\fonts\eufcdaz\zhfluxb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
  2⤵
  PID:560
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN pedxa /F
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN pedxa /F
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    - Creates scheduled task(s)
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
      4⤵
      PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 05d7cee9-b260-477b-b0e2-f922539a2dd0
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 05d7cee9-b260-477b-b0e2-f922539a2dd0
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 05d7cee9-b260-477b-b0e2-f922539a2dd0
      4⤵
      PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 648
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2536

\??\c:\windows\ime\cyzxugq\pguyon.exe
c:\windows\ime\cyzxugq\pguyon.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\eufcdaz\zhfluxb.exe
  2⤵
  - Loads dropped DLL
  PID:2340
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2756
- - \??\c:\windows\fonts\eufcdaz\zhfluxb.exe
    c:\windows\fonts\eufcdaz\zhfluxb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2336

\??\c:\windows\fonts\eufcdaz\zhfluxb.exe
c:\windows\fonts\eufcdaz\zhfluxb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wdmcha" DELETE
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="lgspv" DELETE
    3⤵
    PID:796
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wdmcha'" DELETE
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="wdmcha", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="lgspv",CommandLineTemplate="c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="wdmcha"", Consumer="CommandLineEventConsumer.Name="lgspv""
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN pedxa /F
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN pedxa /F
    3⤵
    PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "pedxa" /ru system /tr "c:\windows\ime\cyzxugq\pguyon.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\eufcdaz\BestPower.pow
      4⤵
      PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 9d5ab69f-afea-4d08-8ad1-db7f4ab517ab
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 9d5ab69f-afea-4d08-8ad1-db7f4ab517ab
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 9d5ab69f-afea-4d08-8ad1-db7f4ab517ab
      4⤵
      PID:608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 576
  2⤵
  - Program crash
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\fonts\eufcdaz\zhfluxb.exe

Filesize
450KB

MD5
65495f2f4513a8d21197a44f4e43b023

SHA1
aeaea64178e248332ab5e389d9774ede9a6b3eb4

SHA256
3b266636a601b9f5d02b2cca3c15f8368a6626684a0d168379d274bf98a7b98a

SHA512
68ccd2c6e25df5d441e40f3e76cec71426af7cea99188be9907894508e9ab3d2ec0ed621b1fa5db65c1b452cec0cd5fe66bf5be838c69cc7388659e565d34938

Download Submit
memory/392-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/392-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1672-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1816-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1816-34-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1816-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1992-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1992-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2336-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-51-0x0000000000BF0000-0x0000000000C68000-memory.dmp

Filesize
480KB

Download
memory/2552-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2552-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2720-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download