blackmoon | f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
Size

2.9MB
MD5

bac00647c096be9861a89a110118b5d0
SHA1

52b5f446af1978f331c69e39375900baf749a4ca
SHA256

f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0
SHA512

a0193ab45d535e58905a7b4d82cd7d304175a1a6812d075c9aac260380bbf6854a4b5cc075a643dcba0cbcf8dd81cafee21df2cac7254602639e87a5d54e433b
SSDEEP

49152:jUjWQ1EPNu5Nx3s/togaiK+QPzatFULvYqDPK7LEEut0Lq0i:oKQ1EPNubxOogaiK+IdDPZi

Score

10^/10

blackmoon aspackv2 banker discovery trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/4196-12-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackmoon
behavioral2/memory/4196-21-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackmoon
behavioral2/memory/4196-13-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackmoon
behavioral2/memory/4196-80-0x0000000000400000-0x000000000044F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023591-25.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2564	hdzs.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2540	takeown.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-54-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2564-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cfhuodongzhushou_config.ini	hdzs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 set thread context of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\config.ini	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
File created	C:\Windows\hdzs.exe	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3632	ipconfig.exe
2168	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
4364	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe
2564	hdzs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4196	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	99
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 4364	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	100
PID 5036 wrote to memory of 2564	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	101
PID 5036 wrote to memory of 2564	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	101
PID 5036 wrote to memory of 2564	5036	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	101
PID 4196 wrote to memory of 3220	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	102
PID 4196 wrote to memory of 3220	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	102
PID 4196 wrote to memory of 3220	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	102
PID 3220 wrote to memory of 2540	3220	cmd.exe	104
PID 3220 wrote to memory of 2540	3220	cmd.exe	104
PID 3220 wrote to memory of 2540	3220	cmd.exe	104
PID 4196 wrote to memory of 3116	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	105
PID 4196 wrote to memory of 3116	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	105
PID 4196 wrote to memory of 3116	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	105
PID 3116 wrote to memory of 2324	3116	cmd.exe	107
PID 3116 wrote to memory of 2324	3116	cmd.exe	107
PID 3116 wrote to memory of 2324	3116	cmd.exe	107
PID 4196 wrote to memory of 4956	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	108
PID 4196 wrote to memory of 4956	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	108
PID 4196 wrote to memory of 4956	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	108
PID 4956 wrote to memory of 2284	4956	cmd.exe	110
PID 4956 wrote to memory of 2284	4956	cmd.exe	110
PID 4956 wrote to memory of 2284	4956	cmd.exe	110
PID 4196 wrote to memory of 3092	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	111
PID 4196 wrote to memory of 3092	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	111
PID 4196 wrote to memory of 3092	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	111
PID 3092 wrote to memory of 4824	3092	cmd.exe	113
PID 3092 wrote to memory of 4824	3092	cmd.exe	113
PID 3092 wrote to memory of 4824	3092	cmd.exe	113
PID 4196 wrote to memory of 3500	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	114
PID 4196 wrote to memory of 3500	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	114
PID 4196 wrote to memory of 3500	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	114
PID 3500 wrote to memory of 4816	3500	cmd.exe	116
PID 3500 wrote to memory of 4816	3500	cmd.exe	116
PID 3500 wrote to memory of 4816	3500	cmd.exe	116
PID 4196 wrote to memory of 2916	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	117
PID 4196 wrote to memory of 2916	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	117
PID 4196 wrote to memory of 2916	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	117
PID 4196 wrote to memory of 3340	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	119
PID 4196 wrote to memory of 3340	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	119
PID 4196 wrote to memory of 3340	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	119
PID 3340 wrote to memory of 3632	3340	cmd.exe	121
PID 3340 wrote to memory of 3632	3340	cmd.exe	121
PID 3340 wrote to memory of 3632	3340	cmd.exe	121
PID 4196 wrote to memory of 4580	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	122
PID 4196 wrote to memory of 4580	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	122
PID 4196 wrote to memory of 4580	4196	f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe	122
PID 4580 wrote to memory of 2168	4580	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
"C:\Users\Admin\AppData\Local\Temp\f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
  f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\Windows\System32\drivers\etc\hosts
      4⤵
      Modifies file permissions
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Admin:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\SysWOW64\cacls.exe
      cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Admin:F
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Administrator:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\cacls.exe
      cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Administrator:F
      4⤵
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Administrators:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\cacls.exe
      cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g Administrators:F
      4⤵
      PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g User:F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\SysWOW64\cacls.exe
      cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /g User:F
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del /f /s /q /a:h-s C:\Windows\System32\drivers\etc\hosts
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/flushdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrator:N
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrator:N
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrator:N
        5⤵
        
        PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrators:N
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrators:N
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\Windows\System32\drivers\etc\hosts /e /t /p Administrators:N
        5⤵
        
        PID:3904
- C:\Users\Admin\AppData\Local\Temp\f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
  f95317f8758f28ffc1f7706b6bd8a68f094091ee06e001c9bfe87e792aa1dfc0.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4364
- C:\Windows\hdzs.exe
  C:\Windows\hdzs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\hdzs.exe

Filesize
1.1MB

MD5
03beafc5637a9b575e877ae7dc95dbe6

SHA1
066ddde89cac33880b8450af7e48fe6657139a96

SHA256
7048f4fa95d09a183a18e4bc9f97fc75f11872a68bb65e1ec0cdeaf684d1c96f

SHA512
7b575a5d70ee250ed56b0ea2d3f99f3594e5f8093d294adf32599d8bd7ca6afbb48de10ba37f308a48949166092a2ffcb5fc289d4c85d9e61b8ffb7c0f970565

Download Submit
memory/2564-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-73-0x000000000053E000-0x000000000053F000-memory.dmp

Filesize
4KB

Download
memory/2564-74-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-75-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-54-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-82-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-28-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2564-29-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-27-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2564-26-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4196-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4196-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4196-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4196-79-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/4196-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4196-21-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4196-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4364-22-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-18-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-15-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-16-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-81-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-17-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4364-83-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download