blackmoon | 16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
Size

4.5MB
MD5

08f5f72abb2dd3862ca4186f7007c665
SHA1

91c3ee72b1a10613a320e3f308bd9a43da06bb0a
SHA256

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214
SHA512

6e88e02248aa81e77fafaa9e1f55582bb863ca9f6880ac961d5b1cae53cf02679b82bcd4873d448911c886a636b9fa3731dd53aba21c911c23f9c2b6b4299d5f
SSDEEP

49152:xNIl4FEedDqnroHO8wOZHOlvbuambSIN+6a9AknH:xNIKcnsHtvZHUbmb/+TK

Score

10^/10

blackmoon banker discovery spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 29 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-0-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-2-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-1-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-10-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-12-0x00000000003E0000-0x00000000003EF000-memory.dmp	family_blackmoon
behavioral1/memory/1976-23-0x0000000000990000-0x00000000009A1000-memory.dmp	family_blackmoon
behavioral1/memory/1976-29-0x0000000000990000-0x00000000009A1000-memory.dmp	family_blackmoon
behavioral1/memory/1976-24-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-33-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-11-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-21-0x0000000000990000-0x00000000009A1000-memory.dmp	family_blackmoon
behavioral1/memory/1976-34-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral1/memory/1976-36-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-39-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-48-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-50-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral1/memory/944-75-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-86-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-74-0x00000000003D0000-0x00000000003E1000-memory.dmp	family_blackmoon
behavioral1/memory/944-71-0x00000000003D0000-0x00000000003E1000-memory.dmp	family_blackmoon
behavioral1/memory/944-70-0x00000000003D0000-0x00000000003E1000-memory.dmp	family_blackmoon
behavioral1/memory/944-63-0x00000000002F0000-0x00000000002FF000-memory.dmp	family_blackmoon
behavioral1/memory/944-62-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/1976-53-0x00000000021E0000-0x000000000240F000-memory.dmp	family_blackmoon
behavioral1/memory/944-52-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-92-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-93-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-103-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon
behavioral1/memory/944-110-0x0000000002330000-0x000000000255F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 2 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\msvcp30.dll	acprotect

Loads dropped DLL 2 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

pid	process
1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1976-17-0x0000000000990000-0x00000000009A1000-memory.dmp	upx
behavioral1/memory/1976-23-0x0000000000990000-0x00000000009A1000-memory.dmp	upx
behavioral1/memory/1976-30-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx
behavioral1/memory/1976-29-0x0000000000990000-0x00000000009A1000-memory.dmp	upx
\Windows\SysWOW64\msvcp30.dll	upx
behavioral1/memory/1976-21-0x0000000000990000-0x00000000009A1000-memory.dmp	upx
behavioral1/memory/1976-35-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx
behavioral1/memory/944-87-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx
behavioral1/memory/944-74-0x00000000003D0000-0x00000000003E1000-memory.dmp	upx
behavioral1/memory/944-71-0x00000000003D0000-0x00000000003E1000-memory.dmp	upx
behavioral1/memory/944-70-0x00000000003D0000-0x00000000003E1000-memory.dmp	upx
behavioral1/memory/944-67-0x00000000003D0000-0x00000000003E1000-memory.dmp	upx
behavioral1/memory/1976-58-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx
behavioral1/memory/944-89-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx
behavioral1/memory/944-111-0x00000000749F0000-0x0000000074A2C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

description	ioc	process
File opened (read-only)	\??\P:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\Q:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\R:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\S:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\A:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\E:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\N:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\O:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\T:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\W:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\X:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\Y:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\B:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\G:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\I:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\L:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\H:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\K:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\Z:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\J:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\M:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\U:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened (read-only)	\??\V:	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

Drops file in System32 directory 4 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File created	C:\Windows\SysWOW64\msvcp30.dll	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File created	C:\Windows\SysWOW64\msvcp30.dll	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

Drops file in Windows directory 6 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

description	ioc	process
File created	C:\Windows\msvcp30.ico	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\Windows\msvcp30.ini	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File created	C:\Windows\msvcp30.dll	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\Windows\msvcp30.ico	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\Windows\msvcp30.ini	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
File opened for modification	C:\Windows\msvcp30.dll	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C3B39B1-195D-11EF-BDEB-D6E40795ECBF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

480
480

pid	process
480
480

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

description	pid	process
Token: SeDebugPrivilege	1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
Token: SeDebugPrivilege	944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1508 iexplore.exe

pid	process
1508	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exeiexplore.exeIEXPLORE.EXE

pid	process
1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
1508	iexplore.exe
1508	iexplore.exe
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 944	1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
PID 1976 wrote to memory of 944	1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
PID 1976 wrote to memory of 944	1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
PID 1976 wrote to memory of 944	1976	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
PID 944 wrote to memory of 1508	944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	iexplore.exe
PID 944 wrote to memory of 1508	944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	iexplore.exe
PID 944 wrote to memory of 1508	944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	iexplore.exe
PID 944 wrote to memory of 1508	944	16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe	iexplore.exe
PID 1508 wrote to memory of 1192	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1192	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1192	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1192	1508	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
"C:\Users\Admin\AppData\Local\Temp\16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe
"C:\Users\Admin\AppData\Local\Temp\16b37481476e949e1715a69f44b64be602bec1220e987027641b4f42985fa214.exe" Master
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.30my.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
ec3339caae37b1f70b611c5804feb855

SHA1
842aa9219a4b340468fa8eb7b195ff8ab5df4da8

SHA256
d9d86003d24753a145e36f28eb4a10af060e17c8cde2d8f48dcffcddb72b5dc0

SHA512
fe7721307ce58074fe8de4a49eaf50f059abb791ca188fed0eb60a7174936d8f9dddcc591899ca2b25680b97e1217e22bf383ca94390a33643252f3aa5f2e8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6e2a57a1ae95a4c18d7a1900f8da5111

SHA1
6019a22da5a49db5c6b0676f3d979d5fcbc4b13a

SHA256
12145c6fd92175fe547e3d62181ef9f94f374e54592cd8305bae9afc6c451ac8

SHA512
8458481d2ff1e3b20a73f90062064c3d1449f96f586a17802c552f4c53d74370ee803c3e37dbb3560924e4dc560d7efc3bd13d2943428d28524d7e67fab1e8a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4da99e70587fec2a93d0b8f81bdad445

SHA1
1ed64b5106a2541deca2f10f2123af8c0e1017d6

SHA256
ebb0a95fbdc3b7c5cb582974551b800b08743d2dcde940c8d43f6e149d1e57a5

SHA512
b9a86628c575c8d2d3da921b412ec0e802cfd1f6232e63563b70a356688ac41aac8292057dce4ad72ca8bfce1322a8beb559438454999153b59f1367675324b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d1c95df8894c50615022dd256d03a348

SHA1
9e574380816c70b7c6ed9a1d16b8a19896b8047a

SHA256
bb6e3fa7794f8105c439db4dcc0d74a18f9bfd0fe478ed9e72893b4d4d6abef2

SHA512
1e70f356a75b6b2261a4c4c5cf76103ebef6406bfe401866cf9e15e7e8bf398be20e833de7649334cbe16d6dd64bd1c5787d050bd16925433eeacf5e40f5189a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de2e8616d62619f9d7558288ae42c5c0

SHA1
2845f9f9c5e1e6ff01ec07d13ad6fb20ea651291

SHA256
84b7ae69808914b4f3997284d41c230db041e67ccb12146ef1d6d509eca80531

SHA512
09458984c6d31753dcb6aea6984123fdf9c9b0a9c1bb04d8534d0d17e43e8dc5a8e2797b5769054f28002d97ec8c4201f4688f3fb37b784439e2967bda58e10b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f20398788005891cf17006b9ca1579d

SHA1
0b267818a53ad97fd65f51c2dea838f737c96640

SHA256
1c4c102d33d0e911b8467295038f936e265d15bede585384e9c043639d5d2022

SHA512
bda44eb8433fd90c8d8cd4374ba608032ae50c371779595b7b7d6a565c1385da3fa4a661db2146349821cdd72023f3013320e4289a33e6c30cd6978a36c52865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4aaab6fd054faede79cedafb476367c6

SHA1
fcaa04e0b7f3087663540d0265c6c2096170df17

SHA256
b1129db0863490b6579fefd8fbd636ad59efba65d15075f03a0e073012e926b4

SHA512
55d9281b5c2b0d098345fb3fcc0d113fce93c5bc6e32dd4400b20c61fb2f5cb2d2456707a7530e0084f4aa42a7c60b9e7ede8b56ea1b330c6a0a9a33c77dca79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41769ae7ecc05e1599c765dc5885f086

SHA1
951da74d754f143e05764a9cd674e22792e7cb0d

SHA256
36ddc3d7d38aa1ae2c44123207a5c119824d45567bfc179532c48594b6f97b69

SHA512
1dc3e5c38b2f6f34b68700155318fe35bba2d19d859a10c2f9ee914f0b9e86aa4d39c297f4190d0f0535339ddad3b6036936c85fe3afcca2638367956ecca6ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
78ac2917aef1151e83ab7bf095d506a6

SHA1
9812acac97167ca1569a45eca55b3797049e6ca7

SHA256
bd0c66c9346af36087e57cc01c69f6be7b5d3d75a2fd4284f12ba9d8da211fe7

SHA512
859c2d992492f8ba2ca09e5bff79d5e20c5ade195e597fef2e3c1079a621fb297f9c026903a6f32f4c6781f09c177c07043e87391c4bdc687ee6f0c5c1cb6d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4552d8793031f4eeeb3ff1bbf51427a2

SHA1
39855ab6fa1bc9fef95e7fdecb140dc18ac6806c

SHA256
3bc6b4cfd7910275778854ec2fed6cfe30d6ca1bcb08945f292905b1f559129a

SHA512
cf207b433396204dae987029e128cf77b8a49b0457bb58b4d19ffc2ee365286354bb131153b1a8aa38ced64d4b21405a16d6785c19776ef7017b22fd4ab901a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f8f16d9a0850674531426894982b6b0f

SHA1
b32765a1116c591bfe6949231480631f2f4aa11a

SHA256
19b54398962e30409224d65d2a5b6b2c92f7a6c7f6bfeec6a7e672d756f5d528

SHA512
75b13c92d81f4141c02c3a9b78e56adc9cc621e66685f101aca1af8dbc02b86345e09dd54b91dafa5f34e983a563b37676e5fd1aaebcbe4b2b9c13aae940a88d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6430b4cb22720a7be3ddf85ddfef2ef0

SHA1
a2d1504cc7cce849f89ea4cf07cce1cd2b8756be

SHA256
b03d435b2e3734fd0ea751a324df34cd4b6e75af6b173269a7be21f3b404df48

SHA512
3f4867975e963178d4bc3805c9414bec11489b0ad0ec01c763b83786049aec8a591b429dc5519b9f8e60f4e944a8d4a7fa81ab0dec9851322a00927d7b27bd0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46bde4062490960f7b77d9b32c4cbbd1

SHA1
0cac93dc476521b941b4c41265969ceb4af39257

SHA256
e1c088b31aada2fc297bc831a5a9985a1be650259e9e4ffbb55bc00a16c84974

SHA512
922794f209b9f968e541d0dbd24c9c0da25af9923a239525f8cd0c67d3ed4ced7d71e8a5cffc722790c2a25b7add356c7ebb5849be366688f30448cdc7ec2340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
69f5958b498d2be4a4973165a9798d77

SHA1
f519854b970271d8e49179bd00ffa7b6c207e360

SHA256
f56ce0232781849b08d1bf75c3b5fb3768fbcb9d89a4ed2878fadb952a57f781

SHA512
f1051df28dfe51c63cdcb87d383ed6fcdd4aecc4f8cfc32e90b06d0e9a80aa17080112c78fef9c8cd08c314f1455115cee003e4e1dd681b8f6a955a7e6b6a682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25FD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Desktop\Ä§Óò·¢²¼Íø.url
Filesize
120B

MD5
5c8c7c3ce78aa0a9d56f96ab77676682

SHA1
1a591e2d34152149274f46d754174aa7a7bb2694

SHA256
40a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806

SHA512
8ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77

Download Submit
C:\Windows\SysWOW64\msvcp30.ini
Filesize
18B

MD5
2cd7883782c594d2e2654f8fe988fcbe

SHA1
042bcb87c29e901d70c0ad0f8fa53e0338c569fc

SHA256
aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037

SHA512
88413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360

Download Submit
C:\Windows\msvcp30.ico
Filesize
264KB

MD5
bdccf3c42497089ae7001328305906ed

SHA1
cf6f28e09d98ebe516b408e6b15f03f5891fdc79

SHA256
5f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2

SHA512
d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d

Download Submit
\Windows\SysWOW64\msvcp30.dll
Filesize
93KB

MD5
a6c4f055c797a43def0a92e5a85923a7

SHA1
efaa9c3a065aff6a64066f76e7c77ffcaaf779b2

SHA256
73bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9

SHA512
d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957

Download Submit
memory/944-63-0x00000000002F0000-0x00000000002FF000-memory.dmp

Filesize
60KB

Download
memory/944-102-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/944-86-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-74-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/944-73-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/944-71-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/944-70-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/944-67-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/944-111-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/944-62-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-75-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-87-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/944-110-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-103-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-52-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-89-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/944-92-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/944-93-0x0000000002330000-0x000000000255F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-50-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1976-11-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-58-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/1976-0-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-49-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1976-48-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-39-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-36-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-34-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1976-35-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/1976-21-0x0000000000990000-0x00000000009A1000-memory.dmp

Filesize
68KB

Download
memory/1976-53-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-33-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-24-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-29-0x0000000000990000-0x00000000009A1000-memory.dmp

Filesize
68KB

Download
memory/1976-30-0x00000000749F0000-0x0000000074A2C000-memory.dmp

Filesize
240KB

Download
memory/1976-23-0x0000000000990000-0x00000000009A1000-memory.dmp

Filesize
68KB

Download
memory/1976-12-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/1976-17-0x0000000000990000-0x00000000009A1000-memory.dmp

Filesize
68KB

Download
memory/1976-6-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1976-10-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-1-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download
memory/1976-2-0x00000000021E0000-0x000000000240F000-memory.dmp

Filesize
2.2MB

Download