blackmoon | f66f84e01103098629035a6b24349e3e5d9bf52e72260ba08dae8e3ddb02406e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
Size

3.8MB
MD5

e7d973f98d21bc66c9ed8b3ca8225c37
SHA1

021f6caece59ed9a2109f2b10384de9ccbfe6770
SHA256

f66f84e01103098629035a6b24349e3e5d9bf52e72260ba08dae8e3ddb02406e
SHA512

2904a1c12926eed286f4a4dae2d1a3af3fb77acffeaf0b8f0fa5104893ab3d5ebc4644128f2f85f90e868983523ca114bcc9b96c1f19fb3cc41afb9bac84aa05
SSDEEP

49152:CELbELbELbELbELbELbELbELbELbELbELbELbELbELbELbEL:

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 14 IoCs

resource	yara_rule
behavioral2/memory/2464-4-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/4556-9-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/3944-10-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/3944-18-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/4964-22-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/2136-26-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/3776-27-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/2136-28-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/2136-37-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/3836-42-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/2592-47-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/1796-48-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/1796-49-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon
behavioral2/memory/1796-57-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackmoon

Executes dropped EXE 8 IoCs

pid	Process
4556	ubzfr.exe
3944	ubzfr.exe
4964	myxejoh.exe
3776	ubzfr.exe
2136	ubzfr.exe
3836	myxejoh.exe
2592	ubzfr.exe
1796	ubzfr.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2464-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2464-4-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/files/0x000a0000000231aa-5.dat	upx
behavioral2/memory/4556-9-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3944-10-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3944-18-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/4964-22-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2136-26-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3776-27-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2136-28-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2136-37-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3836-39-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3836-42-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1796-46-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2592-47-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1796-48-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1796-49-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1796-57-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ubzfr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ubzfr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ubzfr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ubzfr.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ime\uwpczyl\myxejoh.exe	ubzfr.exe
File created	\??\c:\windows\fonts\ailbuspe\HighPower.pow	ubzfr.exe
File created	\??\c:\windows\fonts\ailbuspe\ubzfr.exe	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
File created	\??\c:\windows\fonts\ailbuspe\BestPower.pow	ubzfr.exe
File created	\??\c:\windows\fonts\ailbuspe\HighPower.pow	ubzfr.exe
File opened for modification	\??\c:\windows\fonts\ailbuspe\ubzfr.exe	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
File created	\??\c:\windows\ime\uwpczyl\myxejoh.exe	ubzfr.exe
File opened for modification	\??\c:\windows\ime\uwpczyl\myxejoh.exe	ubzfr.exe
File opened for modification	\??\c:\windows\fonts\ailbuspe\ubzfr.exe	myxejoh.exe
File opened for modification	\??\c:\windows\ime\uwpczyl\myxejoh.exe	ubzfr.exe
File created	\??\c:\windows\fonts\ailbuspe\BestPower.pow	ubzfr.exe
File created	\??\c:\windows\fonts\ailbuspe\HighPower.pow	ubzfr.exe
File opened for modification	\??\c:\windows\fonts\ailbuspe\ubzfr.exe	myxejoh.exe
File created	\??\c:\windows\fonts\ailbuspe\BestPower.pow	ubzfr.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4728	3944	WerFault.exe	97
1424	2136	WerFault.exe	141
2356	1796	WerFault.exe	177

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2028	schtasks.exe
1612	schtasks.exe
3964	schtasks.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ubzfr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ubzfr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ubzfr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ubzfr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ubzfr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ubzfr.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3160	PING.EXE
3176	PING.EXE
1008	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
4556	ubzfr.exe
4556	ubzfr.exe
3944	ubzfr.exe
3944	ubzfr.exe
4964	myxejoh.exe
4964	myxejoh.exe
4964	myxejoh.exe
4964	myxejoh.exe
4964	myxejoh.exe
4964	myxejoh.exe
3776	ubzfr.exe
3776	ubzfr.exe
2136	ubzfr.exe
2136	ubzfr.exe
3836	myxejoh.exe
3836	myxejoh.exe
3836	myxejoh.exe
3836	myxejoh.exe
3836	myxejoh.exe
3836	myxejoh.exe
2592	ubzfr.exe
2592	ubzfr.exe
1796	ubzfr.exe
1796	ubzfr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
Token: SeDebugPrivilege	4556	ubzfr.exe
Token: SeDebugPrivilege	3944	ubzfr.exe
Token: SeAssignPrimaryTokenPrivilege	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4388	WMIC.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
4556	ubzfr.exe
3944	ubzfr.exe
4964	myxejoh.exe
3776	ubzfr.exe
2136	ubzfr.exe
3836	myxejoh.exe
2592	ubzfr.exe
1796	ubzfr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 860	2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe	86
PID 2464 wrote to memory of 860	2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe	86
PID 2464 wrote to memory of 860	2464	e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe	86
PID 860 wrote to memory of 3176	860	cmd.exe	88
PID 860 wrote to memory of 3176	860	cmd.exe	88
PID 860 wrote to memory of 3176	860	cmd.exe	88
PID 860 wrote to memory of 4556	860	cmd.exe	96
PID 860 wrote to memory of 4556	860	cmd.exe	96
PID 860 wrote to memory of 4556	860	cmd.exe	96
PID 3944 wrote to memory of 4980	3944	ubzfr.exe	101
PID 3944 wrote to memory of 4980	3944	ubzfr.exe	101
PID 3944 wrote to memory of 4980	3944	ubzfr.exe	101
PID 4980 wrote to memory of 2044	4980	cmd.exe	103
PID 4980 wrote to memory of 2044	4980	cmd.exe	103
PID 4980 wrote to memory of 2044	4980	cmd.exe	103
PID 4980 wrote to memory of 2580	4980	cmd.exe	104
PID 4980 wrote to memory of 2580	4980	cmd.exe	104
PID 4980 wrote to memory of 2580	4980	cmd.exe	104
PID 4980 wrote to memory of 4388	4980	cmd.exe	105
PID 4980 wrote to memory of 4388	4980	cmd.exe	105
PID 4980 wrote to memory of 4388	4980	cmd.exe	105
PID 3944 wrote to memory of 3068	3944	ubzfr.exe	106
PID 3944 wrote to memory of 3068	3944	ubzfr.exe	106
PID 3944 wrote to memory of 3068	3944	ubzfr.exe	106
PID 3944 wrote to memory of 3788	3944	ubzfr.exe	107
PID 3944 wrote to memory of 3788	3944	ubzfr.exe	107
PID 3944 wrote to memory of 3788	3944	ubzfr.exe	107
PID 3068 wrote to memory of 5048	3068	cmd.exe	110
PID 3068 wrote to memory of 5048	3068	cmd.exe	110
PID 3068 wrote to memory of 5048	3068	cmd.exe	110
PID 3788 wrote to memory of 2636	3788	cmd.exe	111
PID 3788 wrote to memory of 2636	3788	cmd.exe	111
PID 3788 wrote to memory of 2636	3788	cmd.exe	111
PID 3944 wrote to memory of 3000	3944	ubzfr.exe	112
PID 3944 wrote to memory of 3000	3944	ubzfr.exe	112
PID 3944 wrote to memory of 3000	3944	ubzfr.exe	112
PID 3944 wrote to memory of 3008	3944	ubzfr.exe	113
PID 3944 wrote to memory of 3008	3944	ubzfr.exe	113
PID 3944 wrote to memory of 3008	3944	ubzfr.exe	113
PID 3068 wrote to memory of 4852	3068	cmd.exe	116
PID 3068 wrote to memory of 4852	3068	cmd.exe	116
PID 3068 wrote to memory of 4852	3068	cmd.exe	116
PID 3008 wrote to memory of 1828	3008	cmd.exe	117
PID 3008 wrote to memory of 1828	3008	cmd.exe	117
PID 3008 wrote to memory of 1828	3008	cmd.exe	117
PID 1828 wrote to memory of 4656	1828	cmd.exe	118
PID 1828 wrote to memory of 4656	1828	cmd.exe	118
PID 1828 wrote to memory of 4656	1828	cmd.exe	118
PID 3000 wrote to memory of 4140	3000	cmd.exe	119
PID 3000 wrote to memory of 4140	3000	cmd.exe	119
PID 3000 wrote to memory of 4140	3000	cmd.exe	119
PID 3000 wrote to memory of 3964	3000	cmd.exe	120
PID 3000 wrote to memory of 3964	3000	cmd.exe	120
PID 3000 wrote to memory of 3964	3000	cmd.exe	120
PID 3068 wrote to memory of 4088	3068	cmd.exe	121
PID 3068 wrote to memory of 4088	3068	cmd.exe	121
PID 3068 wrote to memory of 4088	3068	cmd.exe	121
PID 3944 wrote to memory of 1084	3944	ubzfr.exe	122
PID 3944 wrote to memory of 1084	3944	ubzfr.exe	122
PID 3944 wrote to memory of 1084	3944	ubzfr.exe	122
PID 2724 wrote to memory of 3420	2724	cmd.exe	125
PID 2724 wrote to memory of 3420	2724	cmd.exe	125
PID 2724 wrote to memory of 3420	2724	cmd.exe	125
PID 3944 wrote to memory of 3448	3944	ubzfr.exe	126

C:\Users\Admin\AppData\Local\Temp\e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7d973f98d21bc66c9ed8b3ca8225c37_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ailbuspe\ubzfr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:3176
- - \??\c:\windows\fonts\ailbuspe\ubzfr.exe
    c:\windows\fonts\ailbuspe\ubzfr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4556

\??\c:\windows\fonts\ailbuspe\ubzfr.exe
c:\windows\fonts\ailbuspe\ubzfr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN unea /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN unea /F
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
      4⤵
      PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive e9262d26-25b6-46aa-b7c5-b483423807cd
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive e9262d26-25b6-46aa-b7c5-b483423807cd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive e9262d26-25b6-46aa-b7c5-b483423807cd
      4⤵
      PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1368
  2⤵
  - Program crash
  PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3944 -ip 3944
1⤵
PID:4628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3740

\??\c:\windows\ime\uwpczyl\myxejoh.exe
c:\windows\ime\uwpczyl\myxejoh.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ailbuspe\ubzfr.exe
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:1008
- - \??\c:\windows\fonts\ailbuspe\ubzfr.exe
    c:\windows\fonts\ailbuspe\ubzfr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3776

\??\c:\windows\fonts\ailbuspe\ubzfr.exe
c:\windows\fonts\ailbuspe\ubzfr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
    3⤵
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN unea /F
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN unea /F
    3⤵
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
      4⤵
      PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 80e9b2d5-61af-495b-8f38-1e2b94faab03
  2⤵
  PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 80e9b2d5-61af-495b-8f38-1e2b94faab03
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 80e9b2d5-61af-495b-8f38-1e2b94faab03
      4⤵
      PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:2800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1396
  2⤵
  - Program crash
  PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2136 -ip 2136
1⤵
PID:860

\??\c:\windows\ime\uwpczyl\myxejoh.exe
c:\windows\ime\uwpczyl\myxejoh.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ailbuspe\ubzfr.exe
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:3160
- - \??\c:\windows\fonts\ailbuspe\ubzfr.exe
    c:\windows\fonts\ailbuspe\ubzfr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592

\??\c:\windows\fonts\ailbuspe\ubzfr.exe
c:\windows\fonts\ailbuspe\ubzfr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ebvufw" DELETE
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fipsc" DELETE
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ebvufw'" DELETE
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ebvufw", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fipsc",CommandLineTemplate="c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ebvufw"", Consumer="CommandLineEventConsumer.Name="fipsc""
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN unea /F
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN unea /F
    3⤵
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
  2⤵
  PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "unea" /ru system /tr "c:\windows\ime\uwpczyl\myxejoh.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
    3⤵
    PID:4848
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\ailbuspe\BestPower.pow
      4⤵
      PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive de426638-35a6-4ddc-a133-22e5dad1f892
  2⤵
  PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive de426638-35a6-4ddc-a133-22e5dad1f892
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive de426638-35a6-4ddc-a133-22e5dad1f892
      4⤵
      PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1372
  2⤵
  - Program crash
  PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1796 -ip 1796
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\ailbuspe\ubzfr.exe

Filesize
3.9MB

MD5
e28fe51b0aac615777db22a11f8edbe4

SHA1
525693dac72b4ee223a8f71b31edc72787a21ed6

SHA256
0391834905a270595aac4744c873046089ef608820a11e6d5232cedf32606cad

SHA512
0d49f51ff9ed96febafa9e28c1302a1c851505c22468fcfe3c819cf74b96d5a3c06e9b410b7acd7815df4c79dbe8550ca0b5cc3cda6da9cf990c38cd73637ad2

Download Submit
memory/1796-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1796-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2136-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2136-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2136-37-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2464-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2592-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3776-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3836-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3836-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3944-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3944-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4556-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4964-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download