blackmoon | aafa55831b65c06f4c8e1f3037364862b05c8518ebb7506b826b3e5f71a79b84

General

Target

sysbin.exe
Size

243KB
MD5

efa25924138ef8e4ad1d6438fe9dcd59
SHA1

629dfd73a63e9959ac4818042aec940b2ba3818a
SHA256

d0977ae7f56174dba4e334241d1c91a11d5f5977e3f602947515c0eb98da8555
SHA512

6ad59f237ec2b1764d0f166656fc3840439d9ce2cb809384fea9e65e51dead6ddd7e26e5d340f0b8a84fcde24c12af15994f9cb3eb14658b659b5d3bb61c7c7b
SSDEEP

6144:T7kvUwPwxmnriXB3ggz43Nb8y0olOjIcQwGte:T7mP5riXB3K3hlZwGte

Score

10^/10

blackmoon banker execution persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\qjm07.exe	family_blackmoon
behavioral8/memory/4688-50-0x0000000000400000-0x0000000000421000-memory.dmp	family_blackmoon
behavioral8/memory/3704-91-0x0000000000400000-0x0000000000421000-memory.dmp	family_blackmoon
behavioral8/memory/392-137-0x0000000000400000-0x0000000000421000-memory.dmp	family_blackmoon

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sysbin.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	sysbin.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qjm07.exerlhjghsf.execcnhdpdh.exesflpltre.exesysbin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	qjm07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	rlhjghsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	ccnhdpdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sflpltre.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sysbin.exe

Executes dropped EXE 5 IoCs

Processes:

qjm07.exezhiqiang.exerlhjghsf.execcnhdpdh.exesflpltre.exe

pid process

4688 qjm07.exe
3452 zhiqiang.exe
3704 rlhjghsf.exe
392 ccnhdpdh.exe
3920 sflpltre.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\zhiqiang.exe	upx
behavioral8/memory/3452-18-0x0000000000400000-0x000000000054F000-memory.dmp	upx
behavioral8/memory/3452-47-0x0000000000400000-0x000000000054F000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

Processes:

sysbin.exeqjm07.exe

description	ioc	process
File created	C:\Windows\SysWOW64\qjm07.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\qjm07.exe	sysbin.exe
File created	C:\Windows\SysWOW64\zhiqiang.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\zhiqiang.exe	sysbin.exe
File opened for modification	C:\Windows\SysWOW64\qjm07.exe	qjm07.exe

Drops file in Program Files directory 17 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\IE.HKLMZoneInfo\IE.HKLMZoneInfo.DAT	regsvr32.exe

Drops file in Windows directory 4 IoCs

Processes:

qjm07.exerlhjghsf.execcnhdpdh.exesflpltre.exe

description	ioc	process
File created	C:\Windows\winsock.bat	qjm07.exe
File opened for modification	C:\Windows\winsock.bat	rlhjghsf.exe
File opened for modification	C:\Windows\winsock.bat	ccnhdpdh.exe
File opened for modification	C:\Windows\winsock.bat	sflpltre.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31574D6-B682-4CDC-BD56-1827860ABEC6}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7402242-8AF9-4EBB-B4C7-53BD52937868}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020411-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B63CB15A-D1AA-4A39-BC06-78E9843BF5C4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28C-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E511E73C-CAD4-40AA-BF1A-B9938AC75FF0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A6F7288-85EF-512E-80CE-EAF2906AFB81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE08CF60-0965-4901-AD25-CC79B1297FCA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED89406C-763F-4C6F-AE59-BF69C7A44687}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33614250-DFEA-46CC-8347-9A655BCF1A08}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8F91EEF-EA1B-5AEE-AD42-66842218D157}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FC0F146-1B06-44CA-A568-283ACD690E00}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E93D4057-B9A2-42A5-8AF8-E5BBF177D365}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9e2-baf9-11ce-8c82-00aa004ba90b}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05EDDA5C-98A3-4717-8ADB-C5E7DA991EB1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A4FDBA-A48A-4A86-A329-1B69B9B19E89}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F2755FB-6C33-543C-9AB4-DE486BC7BFE2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C91FA253-E03A-45C3-8123-15E348A62F8D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BF80981-BF32-101A-8BBB-00AA00300CAB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7C40885-2506-4EB9-B4AB-0E1E3D3FD5F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BF80980-BF32-101A-8BBB-00AA00300CAB}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DB2128C-BFF9-4F32-872D-D0ECE6E1D3AA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B288-BAB4-101A-B69C-00AA00341D07}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED646D0B-332F-4B9B-8B0E-AEF71D46F5C7}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE159E2C-309D-5485-A126-4C30ABCB4571}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7BF3D4E-07B2-44A9-A422-5AAAB468891E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AF24290-0C96-11CE-A0CF-00AA00600AB8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{020D3024-7451-51DB-B864-BCEABDA468CC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5925316D-20B6-4FF9-A980-96482AA885DE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\CLSID = "{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A52F5B9B-EE55-4ADD-B559-55F1C012E15F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FECE3DD3-B657-4FC1-B2DF-532A1BDF43AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{504B27AA-001F-4179-9AD0-663A37C317A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{47EB80E1-78CD-4325-8D67-85BFFA376707}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE08CF60-0965-4901-AD25-CC79B1297FCA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B284-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6D737FF-9E13-4A65-BE89-A1E013CC6B76}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F2755FB-6C33-543C-9AB4-DE486BC7BFE2}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128BADF9-175B-44F1-86EC-7DD47C93DAC4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7577229-A6A7-4BB6-908E-DB18AC89BA60}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFF3F516-BCC9-5E61-B92E-D129CCF9942A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9e5-baf9-11ce-8c82-00aa004ba90b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66A9CB08-4802-11D2-A561-00A0C92DBFE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{02305531-F76F-4A4D-A760-B1192E72C6D5}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88EB9442-913B-4AB4-A741-DD99DCB7558B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49484DFC-13CA-4D28-AA1B-981C61ED37C9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F504B94-6E42-42E6-99E0-E20FAFE52AB4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84524597-B734-4D3F-8B25-F753513D08CF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30DAD006-CF4A-45E0-AEC1-2195D76FD9C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DF60D92-6818-46D6-B358-D66170DDE466}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE05D854-A9D8-481B-9807-4E67534B33CD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF8C9B9C-C90F-4F30-B5B2-77C3D56BD125}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E6C3C52-5A5E-4B4B-A0F8-7FE12621A93E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB842FFC-F59B-468C-B882-8EE028B6419B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31EBDE3F-6EC3-4CBD-B9FB-0EF6D09B41F4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{922EADA0-3424-11CF-B670-00AA004CD6D8}\ProxyStubClsid32\ = "{B196B286-BAB4-101A-B69C-00AA00341D07}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D294970D-48F2-48E7-9487-AB7A05A0BCFE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4E26C7B-0D88-4F41-87E2-B01BD0AA96D6}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A5E657D-223A-4875-838B-C311ED73523B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BE10E28-6AE3-42E5-B142-8F6802E85C3F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B35F5D8-852C-4509-9A85-08FB9DB1C643}\NumMethods	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

qjm07.exerlhjghsf.execcnhdpdh.exesflpltre.exe

pid	process
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
4688	qjm07.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
3704	rlhjghsf.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
392	ccnhdpdh.exe
3920	sflpltre.exe
3920	sflpltre.exe
3920	sflpltre.exe
3920	sflpltre.exe
3920	sflpltre.exe
3920	sflpltre.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

qjm07.exerlhjghsf.execcnhdpdh.exesflpltre.exe

description	pid	process
Token: SeDebugPrivilege	4688	qjm07.exe
Token: SeDebugPrivilege	3704	rlhjghsf.exe
Token: SeDebugPrivilege	392	ccnhdpdh.exe
Token: SeDebugPrivilege	3920	sflpltre.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

zhiqiang.exe

pid process

3452 zhiqiang.exe
3452 zhiqiang.exe

pid	process
3452	zhiqiang.exe
3452	zhiqiang.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sysbin.exeqjm07.execmd.exerlhjghsf.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 4688	2888	sysbin.exe	qjm07.exe
PID 2888 wrote to memory of 4688	2888	sysbin.exe	qjm07.exe
PID 2888 wrote to memory of 4688	2888	sysbin.exe	qjm07.exe
PID 2888 wrote to memory of 3452	2888	sysbin.exe	zhiqiang.exe
PID 2888 wrote to memory of 3452	2888	sysbin.exe	zhiqiang.exe
PID 2888 wrote to memory of 3452	2888	sysbin.exe	zhiqiang.exe
PID 4688 wrote to memory of 2412	4688	qjm07.exe	cmd.exe
PID 4688 wrote to memory of 2412	4688	qjm07.exe	cmd.exe
PID 4688 wrote to memory of 2412	4688	qjm07.exe	cmd.exe
PID 2412 wrote to memory of 4592	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4592	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4592	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 5096	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 5096	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 5096	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3860	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3860	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3860	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1108	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1108	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1108	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 2208	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 2208	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 2208	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1428	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1428	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1428	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1132	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1132	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 1132	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4052	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4052	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4052	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4828	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4828	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4828	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3792	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3792	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3792	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4796	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4796	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4796	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3180	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3180	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3180	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3048	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3048	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3048	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3308	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3308	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 3308	2412	cmd.exe	regsvr32.exe
PID 2412 wrote to memory of 4596	2412	cmd.exe	netsh.exe
PID 2412 wrote to memory of 4596	2412	cmd.exe	netsh.exe
PID 2412 wrote to memory of 4596	2412	cmd.exe	netsh.exe
PID 4688 wrote to memory of 3704	4688	qjm07.exe	rlhjghsf.exe
PID 4688 wrote to memory of 3704	4688	qjm07.exe	rlhjghsf.exe
PID 4688 wrote to memory of 3704	4688	qjm07.exe	rlhjghsf.exe
PID 3704 wrote to memory of 400	3704	rlhjghsf.exe	cmd.exe
PID 3704 wrote to memory of 400	3704	rlhjghsf.exe	cmd.exe
PID 3704 wrote to memory of 400	3704	rlhjghsf.exe	cmd.exe
PID 400 wrote to memory of 3488	400	cmd.exe	regsvr32.exe
PID 400 wrote to memory of 3488	400	cmd.exe	regsvr32.exe
PID 400 wrote to memory of 3488	400	cmd.exe	regsvr32.exe
PID 400 wrote to memory of 2068	400	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\sysbin.exe
"C:\Users\Admin\AppData\Local\Temp\sysbin.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\qjm07.exe
"C:\Windows\system32\qjm07.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\winsock.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Shdocvw.dll /s
4⤵
PID:4592

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Oleaut32.dll /s
4⤵
- Modifies registry class
PID:5096

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Actxprxy.dll /s
4⤵
- Modifies registry class
PID:3860

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Mshtml.dll /s
4⤵
PID:1108

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Urlmon.dll /s
4⤵
- Modifies registry class
PID:2208

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 browseui.dll /s
4⤵
PID:1428

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Actxprxy.dll
4⤵
- Modifies registry class
PID:1132

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Browseui.dll
4⤵
PID:4052

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Jscript.dll
4⤵
PID:4828

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Shdocvw.dll
4⤵
PID:3792

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Oleaut32.dll
4⤵
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Mshtml.dll
4⤵
PID:3180

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Urlmon.dll
4⤵
- Drops file in Program Files directory
PID:3048

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Vbscript.dll
4⤵
PID:3308

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
4⤵
PID:4596

C:\WINDOWS\temp\rlhjghsf.exe
"C:\WINDOWS\temp\rlhjghsf.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\winsock.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Shdocvw.dll /s
5⤵
PID:3488

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Oleaut32.dll /s
5⤵
- Modifies registry class
PID:2068

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Actxprxy.dll /s
5⤵
- Modifies registry class
PID:3760

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Mshtml.dll /s
5⤵
PID:3756

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Urlmon.dll /s
5⤵
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 browseui.dll /s
5⤵
PID:4980

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Actxprxy.dll
5⤵
- Modifies registry class
PID:5092

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Browseui.dll
5⤵
PID:4060

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Jscript.dll
5⤵
- Modifies registry class
PID:804

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Shdocvw.dll
5⤵
PID:4692

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Oleaut32.dll
5⤵
PID:2980

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Mshtml.dll
5⤵
PID:4684

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Urlmon.dll
5⤵
- Drops file in Program Files directory
PID:1252

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Vbscript.dll
5⤵
PID:968

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
5⤵
PID:3564

C:\WINDOWS\temp\ccnhdpdh.exe
"C:\WINDOWS\temp\ccnhdpdh.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\winsock.bat" "
5⤵
PID:4356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Shdocvw.dll /s
6⤵
PID:3788

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Oleaut32.dll /s
6⤵
PID:1348

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Actxprxy.dll /s
6⤵
- Modifies registry class
PID:4872

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Mshtml.dll /s
6⤵
PID:1228

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Urlmon.dll /s
6⤵
PID:4288

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 browseui.dll /s
6⤵
PID:4760

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Actxprxy.dll
6⤵
- Modifies registry class
PID:2316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Browseui.dll
6⤵
PID:2016

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Jscript.dll
6⤵
PID:4020

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Shdocvw.dll
6⤵
PID:1444

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Oleaut32.dll
6⤵
- Modifies registry class
PID:1152

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Mshtml.dll
6⤵
PID:368

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Urlmon.dll
6⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4528

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Vbscript.dll
6⤵
PID:2104

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
6⤵
PID:2208

C:\WINDOWS\temp\sflpltre.exe
"C:\WINDOWS\temp\sflpltre.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\winsock.bat" "
6⤵
PID:4760

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Shdocvw.dll /s
7⤵
PID:4020

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Oleaut32.dll /s
7⤵
- Modifies registry class
PID:2888

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Actxprxy.dll /s
7⤵
- Modifies registry class
PID:964

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Mshtml.dll /s
7⤵
PID:3884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 Urlmon.dll /s
7⤵
PID:3040

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 browseui.dll /s
7⤵
PID:2756

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Actxprxy.dll
7⤵
- Modifies registry class
PID:4428

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Browseui.dll
7⤵
PID:4040

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Jscript.dll
7⤵
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Shdocvw.dll
7⤵
PID:948

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Oleaut32.dll
7⤵
PID:2104

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Mshtml.dll
7⤵
PID:4564

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Urlmon.dll
7⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4068

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /i /s Vbscript.dll
7⤵
PID:660

C:\Windows\SysWOW64\netsh.exe
netsh winsock reset
7⤵
PID:2300

C:\Windows\SysWOW64\zhiqiang.exe
"C:\Windows\system32\zhiqiang.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RGI4B22.tmp

Filesize
24KB

MD5
cd869882781c4e12e060e4f37acebf5a

SHA1
309699a62d057c8bb204972315ca4055136d7754

SHA256
b3cbc765b736cfd5f3ab80797afaa5dc908620301c370ea8e446fe6165d0ea5f

SHA512
29d15b82922f401c9549e29a13c7a8dd69ce302bc4822d12e56e86150fb4d7f2cc636018d863458a512735d1fc30e80d35f1e36be66d4ecc78b3b29352f3d830

Download Submit
C:\WINDOWS\temp\qjmlol.mod

Filesize
138B

MD5
337b617543bb3988de686777deea254e

SHA1
6d6c1e731493b8f74ebed008b6f4476dbe3e4b98

SHA256
280bbf0bc6b426b0871bd915ba7c30f5176e972298e239269f3a5317418cc9f1

SHA512
52120f8dabdc82fd2d6fe22e81df45e6d6d5ade1c3f75560de53c8f065d990d9392e7babc21f8cf9a56f9ef10289fee73b0b9cd811d7fb201d586084771831d9

Download Submit
C:\Windows\SysWOW64\qjm07.exe

Filesize
48KB

MD5
3dff4966b98db76c29332f5af212f953

SHA1
a18e26538ad1e859d48fccc7a8eb34565d31905c

SHA256
4decebff176d2bd0cf735540515be354a9af5cfae6fdd04dc4be3f52724e667c

SHA512
26b22c937136d51e140f300e79700992ef319e72478953d0ceb5b6738610058016ff965363c190987c8910b46eeaf5f1bec71bda988e739bdeb31d7a23018cf9

Download Submit
C:\Windows\SysWOW64\zhiqiang.exe

Filesize
102KB

MD5
082adffc8560da3d7481210fb4eb420c

SHA1
5ce1464ad8473227682f3efc577a10e203bd0f32

SHA256
cdea3fb91fcdbfabe7beaa18147cea09785dfc0b54ac0840d5de1054e8db66be

SHA512
72ab3d8cc846d2607baa9125554fbb4602247bbe027fb22a3c3bcfed57cbf8860f134f1d36676bc654eb28a7f537c2bfe3c8a45eeae533549502d522159ed8fe

Download Submit
C:\Windows\winsock.bat

Filesize
396B

MD5
262648df5864c7e8f3fa4db879f54e77

SHA1
2383c834093a2ffe7895d12b1a3a83e84028249b

SHA256
8fac7b1e6cffea6c2f2b2865edce80888998f4c9b02fc0447be684e354a96a06

SHA512
7b6b931d656aece66b231c50163172768353f016dd5e8f371470a25561dc29c0773ad4d928b12ad43d8681441a3c0e30d72b347939d6314e4b6532a06f230e70

Download Submit
memory/392-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2888-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2888-17-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3452-18-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3452-47-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3704-91-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4688-50-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads