blackmoon | 85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7

System Information Discovery

Processes:

壹游1.70月卡合击.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	壹游1.70月卡合击.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe

Executes dropped EXE 4 IoCs

Processes:

壹游1.70月卡合击.exe壹游1.70月卡合.exe壹游1.70月卡合.exeEgFs4bJM.exe

pid process

1176 壹游1.70月卡合击.exe
2744 壹游1.70月卡合.exe
4712 壹游1.70月卡合.exe
972 EgFs4bJM.exe
Loads dropped DLL 1 IoCs

Processes:

EgFs4bJM.exe

pid process

972 EgFs4bJM.exe

pid	process
1176	壹游1.70月卡合击.exe
2744	壹游1.70月卡合.exe
4712	壹游1.70月卡合.exe
972	EgFs4bJM.exe

pid	process
972	EgFs4bJM.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

壹游1.70月卡合击.exe

description	ioc	process
File opened (read-only)	\??\X:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Y:	壹游1.70月卡合击.exe
File opened (read-only)	\??\H:	壹游1.70月卡合击.exe
File opened (read-only)	\??\J:	壹游1.70月卡合击.exe
File opened (read-only)	\??\O:	壹游1.70月卡合击.exe
File opened (read-only)	\??\T:	壹游1.70月卡合击.exe
File opened (read-only)	\??\U:	壹游1.70月卡合击.exe
File opened (read-only)	\??\L:	壹游1.70月卡合击.exe
File opened (read-only)	\??\M:	壹游1.70月卡合击.exe
File opened (read-only)	\??\N:	壹游1.70月卡合击.exe
File opened (read-only)	\??\P:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Q:	壹游1.70月卡合击.exe
File opened (read-only)	\??\E:	壹游1.70月卡合击.exe
File opened (read-only)	\??\W:	壹游1.70月卡合击.exe
File opened (read-only)	\??\Z:	壹游1.70月卡合击.exe
File opened (read-only)	\??\V:	壹游1.70月卡合击.exe
File opened (read-only)	\??\G:	壹游1.70月卡合击.exe
File opened (read-only)	\??\I:	壹游1.70月卡合击.exe
File opened (read-only)	\??\K:	壹游1.70月卡合击.exe
File opened (read-only)	\??\R:	壹游1.70月卡合击.exe
File opened (read-only)	\??\S:	壹游1.70月卡合击.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

壹游1.70月卡合击.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	壹游1.70月卡合击.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

Processes:

壹游1.70月卡合击.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	壹游1.70月卡合击.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	壹游1.70月卡合击.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

EgFs4bJM.exe

pid process

972 EgFs4bJM.exe
972 EgFs4bJM.exe
972 EgFs4bJM.exe
972 EgFs4bJM.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EgFs4bJM.exe

description pid process

Token: SeDebugPrivilege 972 EgFs4bJM.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

壹游1.70月卡合.exe壹游1.70月卡合.exeEgFs4bJM.exe

pid process

2744 壹游1.70月卡合.exe
4712 壹游1.70月卡合.exe
972 EgFs4bJM.exe
972 EgFs4bJM.exe
972 EgFs4bJM.exe
972 EgFs4bJM.exe

pid	process
972	EgFs4bJM.exe
972	EgFs4bJM.exe
972	EgFs4bJM.exe
972	EgFs4bJM.exe

description	pid	process
Token: SeDebugPrivilege	972	EgFs4bJM.exe

pid	process
2744	壹游1.70月卡合.exe
4712	壹游1.70月卡合.exe
972	EgFs4bJM.exe
972	EgFs4bJM.exe
972	EgFs4bJM.exe
972	EgFs4bJM.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe壹游1.70月卡合.exe壹游1.70月卡合.exe

description	pid	process	target process
PID 3936 wrote to memory of 1176	3936	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	壹游1.70月卡合击.exe
PID 3936 wrote to memory of 1176	3936	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	壹游1.70月卡合击.exe
PID 3936 wrote to memory of 1176	3936	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	壹游1.70月卡合击.exe
PID 3936 wrote to memory of 2744	3936	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	壹游1.70月卡合.exe
PID 3936 wrote to memory of 2744	3936	85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe	壹游1.70月卡合.exe
PID 2744 wrote to memory of 4712	2744	壹游1.70月卡合.exe	壹游1.70月卡合.exe
PID 2744 wrote to memory of 4712	2744	壹游1.70月卡合.exe	壹游1.70月卡合.exe
PID 4712 wrote to memory of 972	4712	壹游1.70月卡合.exe	EgFs4bJM.exe
PID 4712 wrote to memory of 972	4712	壹游1.70月卡合.exe	EgFs4bJM.exe
PID 4712 wrote to memory of 972	4712	壹游1.70月卡合.exe	EgFs4bJM.exe

C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe
"C:\Users\Admin\AppData\Local\Temp\85e67caed2a6ce894acdffbae48d92af12cbad9198f72e3e87b477b5cffe55f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3936

C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe
"C:\ProgramData\TTQQinstall\壹游1.70月卡合击.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
PID:1176

C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
"C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe
C:\ProgramData\TTQQinstall\壹游1.70月卡合.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A5E0A5E0A5B0A5B0A630A640A790A7E0A6B0A660A660A560A710A320A3B0A660A7A0A680A7A0A590A390A480A3D0A7B0A5E0A5F0A770A560A4F0A6D0A4C0A790A3E0A680A400A470A-2
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712

C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.exe
"C:\ProgramData\TTQQinstall\{81lpbpS3B7qTU}\EgFs4bJM.exe"
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

6