Malware Analysis Report

2024-11-16 15:04

Sample ID 240606-zh94bach42
Target 2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75
SHA256 2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75
Tags
upx blackmoon banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75

Threat Level: Known bad

The file 2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75 was found to be: Known bad.

Malicious Activity Summary

upx blackmoon banker trojan

Blackmoon family

UPX dump on OEP (original entry point)

Blackmoon, KrBanker

Detect Blackmoon payload

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 20:44

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload


UPX dump on OEP (original entry point)


UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 20:44

Reported

2024-06-06 20:46

Platform

win7-20240419-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload


UPX dump on OEP (original entry point)


UPX packed file

upx

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
PID 2284 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe
PID 2396 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

Processes

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

"C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe"

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 8.1 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%32%65%35%35%61%37%30%62%36%64%36%66%30%33%34%64%38%39%36%66%64%66%37%39%65%61%39%30%64%63%34%35%63%31%31%36%31%61%35%39%62%34%30%62%32%35%65%62%38%64%36%34%65%37%35%30%61%30%35%63%33%65%37%35%2E%65%78%65 假 http://bubusoft.dbankcloud.com/QQ%E5%8A%A8%E6%80%81%E6%89%B9%E9%87%8F%E8%B5%9E/%E7%A7%92%E8%AF%84%E7%A7%92%E8%B5%9E.txt

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe 命令启动

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll %42%75%67%72%65%70%6F%72%74 %E7%A7%92%E8%AF%84%E7%A7%92%20

Network

Country Destination Domain Proto
US 8.8.8.8:53 bubusoft.dbankcloud.com udp
US 8.8.8.8:53 www.gutou.cc udp
CN 120.24.75.226:80 www.gutou.cc tcp
US 8.8.8.8:53 vip.gutou.cc udp
CN 203.195.236.181:80 vip.gutou.cc tcp

Files

\Users\Admin\AppData\Local\Temp\data\UpDate.exe

MD5 86ccb6cd12445f9e9741d51d483a80a5
SHA1 bcfe9946c3fd96b1d167ace0e885593db242ef6c
SHA256 fc5837a429e357cc966c9516c285dbdc8a4012cde52c28d964714738e0426071
SHA512 7d3bbf70d70540490fb0af022bcf7b9bf589f4cef215d8799dc3881e9bed687e52b8fbf91f02e138cf6da299951553762ddf8cf0de759532b279b339d01c17e1

\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

MD5 c5f3c4f0cdcc5b7702433ee9166b6596
SHA1 e0c644a43c65c58fe3edb9570b589cbcfa1ecebc
SHA256 922e64425aeefe8c4dfdc831ef7f7e7c02064ba92bc40e4073c0068a8f5c25f8
SHA512 909a07e0f5687e636b9b4befb2dc76bd69087d875fcff00b89e09280b752c502ac875bac74a506aad6839e9821d4b6cb86a8563bd3df06601fbff47d2a61be62

\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

MD5 14b52ec6cd16f1b730cb513d10c3da0c
SHA1 7546c64c479f24bc7af13a9f1916a2da30d19ecb
SHA256 8f46a3762f0fcbb677c8648fd4e161308ad3f63782f9d709ecd8456bae214860
SHA512 77fb3925e94c83ce3f17d91604c4091622c7e088348c55dee015e46c4dc8b64e1ddb93b05d0d715a8b66518fbf57b592692301312ca3b9b80f83187f1586860d

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

MD5 fc76a9a7d881844c575660bb7f8275eb
SHA1 5dd87916163e409fea6bd89d1ce3c61f20faaee0
SHA256 cfcaabd85f70ba4bd5618d350aa6a4bb160c269108afb78be8c8148a4d9c0f52
SHA512 3f2ea0aef0e99e89239effc47693189a826a36698b16e1381f33877ef34fa95a3495b1366cf566ca97239df0d4857e892eff27d4624244447844ec230a1ba34f

C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

MD5 f85843b50593a59baf3332f78b8939ec
SHA1 5e1a5222e5608d792ee4a086fc3227ab9a9453ca
SHA256 191330183a08f145422cbe70dc664ac84ee99bfda2986ad5a0ed61bd02b978c8
SHA512 29cc29b146f00e6a22a580368fa144955a3bc232c5dfccabf301d4474695633cfeef942540d953d65b94ef027a982055fed0c526c37bd761f2e695cd5d6c1e0a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 20:44

Reported

2024-06-06 20:46

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload


UPX dump on OEP (original entry point)


UPX packed file

upx

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
PID 1140 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe
PID 1964 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

Processes

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

"C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe"

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 8.1 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%32%65%35%35%61%37%30%62%36%64%36%66%30%33%34%64%38%39%36%66%64%66%37%39%65%61%39%30%64%63%34%35%63%31%31%36%31%61%35%39%62%34%30%62%32%35%65%62%38%64%36%34%65%37%35%30%61%30%35%63%33%65%37%35%2E%65%78%65 假 http://bubusoft.dbankcloud.com/QQ%E5%8A%A8%E6%80%81%E6%89%B9%E9%87%8F%E8%B5%9E/%E7%A7%92%E8%AF%84%E7%A7%92%E8%B5%9E.txt

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe 命令启动

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll %42%75%67%72%65%70%6F%72%74 %E7%A7%92%E8%AF%84%E7%A7%92%20

Network

Country Destination Domain Proto
US 8.8.8.8:53 bubusoft.dbankcloud.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.gutou.cc udp
CN 120.24.75.226:80 www.gutou.cc tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 vip.gutou.cc udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CN 203.195.236.181:80 vip.gutou.cc tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 203.195.236.181:80 vip.gutou.cc tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

MD5 86ccb6cd12445f9e9741d51d483a80a5
SHA1 bcfe9946c3fd96b1d167ace0e885593db242ef6c
SHA256 fc5837a429e357cc966c9516c285dbdc8a4012cde52c28d964714738e0426071
SHA512 7d3bbf70d70540490fb0af022bcf7b9bf589f4cef215d8799dc3881e9bed687e52b8fbf91f02e138cf6da299951553762ddf8cf0de759532b279b339d01c17e1

C:\Users\Admin\AppData\Local\Temp\2e55a70b6d6f034d896fdf79ea90dc45c1161a59b40b25eb8d64e750a05c3e75.exe

MD5 7ca3cf847ba91069f5f9101a6665568a
SHA1 87a2d87e6510527f87e0417bd1aa31877c0c5e3e
SHA256 6b37dbbaa445387c08e4348adb04e2d94635e621fd5c5cc1bbe561d89688dbb1
SHA512 8b9f62c1882eb32b6d5a729055000e9377bafa179b7e587d9e849440651033c14cc301a4487b06ff90ff9d4a0238165b366713e009963a03729d12928a95b8e5

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll

MD5 14b52ec6cd16f1b730cb513d10c3da0c
SHA1 7546c64c479f24bc7af13a9f1916a2da30d19ecb
SHA256 8f46a3762f0fcbb677c8648fd4e161308ad3f63782f9d709ecd8456bae214860
SHA512 77fb3925e94c83ce3f17d91604c4091622c7e088348c55dee015e46c4dc8b64e1ddb93b05d0d715a8b66518fbf57b592692301312ca3b9b80f83187f1586860d

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

MD5 7242801a5cb840575ee2a7d9a3ae4002
SHA1 cdaee3d5d4561daa1b1c792a686984cbd4c7da86
SHA256 28e32e9fa3389401b9fb95a8be8baac14ea770e85d51417db2fa9452a9644257
SHA512 688d03f8d2486d26d45063354c75b63fe26df81a904b361754564a1056e31aabac817840742f43b19e847f95f3aaecac765d6406103a875f535e540974e57157

C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

MD5 925c99d298c5b87a71f3afcd1dbfc8b2
SHA1 f71fbc0724b1a17f8b4762cfc3f3f8b5f1df7f93
SHA256 73b417e1d22dd25d3381ce6f44d547e62a448f33aca9e0f7b2501699af9ce2e6
SHA512 a3e38d916fb39db9fb1a9fb850c49820d638790d22764634ea44c25e56d3c02e540d873b43aac42223830bfd0de8f48eaecd0d6e89ad74dd886cd95a9339b70c
