blackmoon | eb752c61cfac892e83a69aad91eef9e9d03a67db225deed68c199fef293700f1

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51a88b3ddca9383fb41774f44e1263f0N.exe
Size

1.1MB
MD5

51a88b3ddca9383fb41774f44e1263f0
SHA1

f364ae968f3559a936126362d867d3615a20d8dd
SHA256

eb752c61cfac892e83a69aad91eef9e9d03a67db225deed68c199fef293700f1
SHA512

4c3140fd3b1046d8ae4d94862515dc978e9fa1e1108f2173927b50fff1a593632efa49afce02001740ee01956f926a0734261544c7dad5f2848b1cff35ff7502
SSDEEP

6144:gL0RQ3YYWEowc1F0G0/VSyfdH75Q+mUTK:gL0RQ3YYWEodmGwH575Z

Score

10^/10

blackmoon banker defense_evasion discovery persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 13 IoCs

resource	yara_rule
behavioral1/memory/2704-0-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/2704-4-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/files/0x000800000001748d-5.dat	family_blackmoon
behavioral1/memory/1732-12-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/2808-13-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/2808-22-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/1272-24-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/1272-27-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/1084-30-0x0000000000190000-0x0000000000215000-memory.dmp	family_blackmoon
behavioral1/memory/788-33-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/892-34-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/892-43-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon
behavioral1/memory/2016-47-0x0000000000400000-0x0000000000485000-memory.dmp	family_blackmoon

Executes dropped EXE 6 IoCs

pid	Process
1732	pdrywai.exe
2808	pdrywai.exe
1272	eozruw.exe
788	pdrywai.exe
892	pdrywai.exe
2016	eozruw.exe

Loads dropped DLL 7 IoCs

pid	Process
2224	cmd.exe
2224	cmd.exe
1092	WerFault.exe
1092	WerFault.exe
1084	cmd.exe
2736	WerFault.exe
2736	WerFault.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-0-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2704-4-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/files/0x000800000001748d-5.dat	upx
behavioral1/memory/1732-12-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2808-13-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2808-22-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1272-24-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/1272-27-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/788-33-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/892-34-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/892-43-0x0000000000400000-0x0000000000485000-memory.dmp	upx
behavioral1/memory/2016-47-0x0000000000400000-0x0000000000485000-memory.dmp	upx

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1712	cmd.exe
2092	cmd.exe

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2944	cmd.exe
2868	cmd.exe
1664	powercfg.exe
2420	cmd.exe
2580	powercfg.exe
2764	cmd.exe
2256	powercfg.exe
2816	cmd.exe
1884	cmd.exe
2972	cmd.exe
2912	cmd.exe
2452	powercfg.exe
2836	cmd.exe
1988	cmd.exe
2648	powercfg.exe
1980	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdrywai.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdrywai.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\rbzfyd\BestPower.pow	pdrywai.exe
File opened for modification	\??\c:\windows\ime\cjnxaoyr\eozruw.exe	pdrywai.exe
File opened for modification	\??\c:\windows\fonts\rbzfyd\pdrywai.exe	eozruw.exe
File created	\??\c:\windows\ime\cjnxaoyr\eozruw.exe	pdrywai.exe
File opened for modification	\??\c:\windows\fonts\rbzfyd\pdrywai.exe	51a88b3ddca9383fb41774f44e1263f0N.exe
File opened for modification	\??\c:\windows\ime\cjnxaoyr\eozruw.exe	pdrywai.exe
File created	\??\c:\windows\fonts\rbzfyd\HighPower.pow	pdrywai.exe
File opened for modification	\??\c:\windows\fonts\rbzfyd\pdrywai.exe	eozruw.exe
File created	\??\c:\windows\fonts\rbzfyd\BestPower.pow	pdrywai.exe
File created	\??\c:\windows\fonts\rbzfyd\HighPower.pow	pdrywai.exe
File created	\??\c:\windows\fonts\rbzfyd\pdrywai.exe	51a88b3ddca9383fb41774f44e1263f0N.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1092	2808	WerFault.exe	34
2736	892	WerFault.exe	73

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eozruw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51a88b3ddca9383fb41774f44e1263f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdrywai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdrywai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eozruw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2224	cmd.exe
2556	PING.EXE
1084	cmd.exe
1832	PING.EXE
2608	cmd.exe
2112	PING.EXE

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecision = "0"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecisionTime = 80704adb46f3da01	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadNetworkName = "Network 3"	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecisionTime = c01beeb546f3da01	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecisionReason = "1"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\62-d4-29-2e-8c-f7	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecision = "0"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecision = "0"	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecision = "0"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\62-d4-29-2e-8c-f7	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecisionReason = "1"	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecisionTime = c01beeb546f3da01	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecisionReason = "1"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecisionReason = "1"	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDecisionTime = c01beeb546f3da01	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadNetworkName = "Network 3"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}	pdrywai.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{185BB66B-4D8B-478D-8995-0C16D9B16498}\WpadDecisionTime = 80704adb46f3da01	pdrywai.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pdrywai.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	pdrywai.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-d4-29-2e-8c-f7\WpadDetectedUrl	pdrywai.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2556	PING.EXE
1832	PING.EXE
2112	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2704	51a88b3ddca9383fb41774f44e1263f0N.exe
2704	51a88b3ddca9383fb41774f44e1263f0N.exe
1732	pdrywai.exe
1732	pdrywai.exe
2808	pdrywai.exe
2808	pdrywai.exe
1272	eozruw.exe
1272	eozruw.exe
1272	eozruw.exe
1272	eozruw.exe
788	pdrywai.exe
788	pdrywai.exe
892	pdrywai.exe
892	pdrywai.exe
2016	eozruw.exe
2016	eozruw.exe
2016	eozruw.exe
2016	eozruw.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2704	51a88b3ddca9383fb41774f44e1263f0N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	51a88b3ddca9383fb41774f44e1263f0N.exe
Token: SeDebugPrivilege	1732	pdrywai.exe
Token: SeDebugPrivilege	2808	pdrywai.exe
Token: SeAssignPrimaryTokenPrivilege	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2652	WMIC.exe
Token: SeUndockPrivilege	2652	WMIC.exe
Token: SeManageVolumePrivilege	2652	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2652	WMIC.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2704	51a88b3ddca9383fb41774f44e1263f0N.exe
1732	pdrywai.exe
2808	pdrywai.exe
1272	eozruw.exe
788	pdrywai.exe
892	pdrywai.exe
2016	eozruw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2224	2704	51a88b3ddca9383fb41774f44e1263f0N.exe	30
PID 2704 wrote to memory of 2224	2704	51a88b3ddca9383fb41774f44e1263f0N.exe	30
PID 2704 wrote to memory of 2224	2704	51a88b3ddca9383fb41774f44e1263f0N.exe	30
PID 2704 wrote to memory of 2224	2704	51a88b3ddca9383fb41774f44e1263f0N.exe	30
PID 2224 wrote to memory of 2556	2224	cmd.exe	32
PID 2224 wrote to memory of 2556	2224	cmd.exe	32
PID 2224 wrote to memory of 2556	2224	cmd.exe	32
PID 2224 wrote to memory of 2556	2224	cmd.exe	32
PID 2224 wrote to memory of 1732	2224	cmd.exe	33
PID 2224 wrote to memory of 1732	2224	cmd.exe	33
PID 2224 wrote to memory of 1732	2224	cmd.exe	33
PID 2224 wrote to memory of 1732	2224	cmd.exe	33
PID 2808 wrote to memory of 2644	2808	pdrywai.exe	36
PID 2808 wrote to memory of 2644	2808	pdrywai.exe	36
PID 2808 wrote to memory of 2644	2808	pdrywai.exe	36
PID 2808 wrote to memory of 2644	2808	pdrywai.exe	36
PID 2644 wrote to memory of 2788	2644	cmd.exe	38
PID 2644 wrote to memory of 2788	2644	cmd.exe	38
PID 2644 wrote to memory of 2788	2644	cmd.exe	38
PID 2644 wrote to memory of 2788	2644	cmd.exe	38
PID 2644 wrote to memory of 2620	2644	cmd.exe	39
PID 2644 wrote to memory of 2620	2644	cmd.exe	39
PID 2644 wrote to memory of 2620	2644	cmd.exe	39
PID 2644 wrote to memory of 2620	2644	cmd.exe	39
PID 2644 wrote to memory of 2652	2644	cmd.exe	40
PID 2644 wrote to memory of 2652	2644	cmd.exe	40
PID 2644 wrote to memory of 2652	2644	cmd.exe	40
PID 2644 wrote to memory of 2652	2644	cmd.exe	40
PID 2808 wrote to memory of 2204	2808	pdrywai.exe	41
PID 2808 wrote to memory of 2204	2808	pdrywai.exe	41
PID 2808 wrote to memory of 2204	2808	pdrywai.exe	41
PID 2808 wrote to memory of 2204	2808	pdrywai.exe	41
PID 2808 wrote to memory of 2092	2808	pdrywai.exe	42
PID 2808 wrote to memory of 2092	2808	pdrywai.exe	42
PID 2808 wrote to memory of 2092	2808	pdrywai.exe	42
PID 2808 wrote to memory of 2092	2808	pdrywai.exe	42
PID 2204 wrote to memory of 2040	2204	cmd.exe	46
PID 2204 wrote to memory of 2040	2204	cmd.exe	46
PID 2204 wrote to memory of 2040	2204	cmd.exe	46
PID 2204 wrote to memory of 2040	2204	cmd.exe	46
PID 2092 wrote to memory of 668	2092	cmd.exe	45
PID 2092 wrote to memory of 668	2092	cmd.exe	45
PID 2092 wrote to memory of 668	2092	cmd.exe	45
PID 2092 wrote to memory of 668	2092	cmd.exe	45
PID 2204 wrote to memory of 2692	2204	cmd.exe	47
PID 2204 wrote to memory of 2692	2204	cmd.exe	47
PID 2204 wrote to memory of 2692	2204	cmd.exe	47
PID 2204 wrote to memory of 2692	2204	cmd.exe	47
PID 2808 wrote to memory of 2884	2808	pdrywai.exe	48
PID 2808 wrote to memory of 2884	2808	pdrywai.exe	48
PID 2808 wrote to memory of 2884	2808	pdrywai.exe	48
PID 2808 wrote to memory of 2884	2808	pdrywai.exe	48
PID 2808 wrote to memory of 1884	2808	pdrywai.exe	49
PID 2808 wrote to memory of 1884	2808	pdrywai.exe	49
PID 2808 wrote to memory of 1884	2808	pdrywai.exe	49
PID 2808 wrote to memory of 1884	2808	pdrywai.exe	49
PID 2884 wrote to memory of 2844	2884	cmd.exe	52
PID 2884 wrote to memory of 2844	2884	cmd.exe	52
PID 2884 wrote to memory of 2844	2884	cmd.exe	52
PID 2884 wrote to memory of 2844	2884	cmd.exe	52
PID 2884 wrote to memory of 2860	2884	cmd.exe	53
PID 2884 wrote to memory of 2860	2884	cmd.exe	53
PID 2884 wrote to memory of 2860	2884	cmd.exe	53
PID 2884 wrote to memory of 2860	2884	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\51a88b3ddca9383fb41774f44e1263f0N.exe
"C:\Users\Admin\AppData\Local\Temp\51a88b3ddca9383fb41774f44e1263f0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\rbzfyd\pdrywai.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2556
- - \??\c:\windows\fonts\rbzfyd\pdrywai.exe
    c:\windows\fonts\rbzfyd\pdrywai.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1732

\??\c:\windows\fonts\rbzfyd\pdrywai.exe
c:\windows\fonts\rbzfyd\pdrywai.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yhfapd" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="azclo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yhfapd'" DELETE
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yhfapd" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="azclo" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yhfapd'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="yhfapd", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="azclo",CommandLineTemplate="c:\windows\ime\cjnxaoyr\eozruw.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="yhfapd"", Consumer="CommandLineEventConsumer.Name="azclo""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="yhfapd", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="azclo",CommandLineTemplate="c:\windows\ime\cjnxaoyr\eozruw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="yhfapd"", Consumer="CommandLineEventConsumer.Name="azclo""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN aexog /F
  2⤵
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN aexog /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "aexog" /ru system /tr "c:\windows\ime\cjnxaoyr\eozruw.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "aexog" /ru system /tr "c:\windows\ime\cjnxaoyr\eozruw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2868
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive e9157d81-1426-430e-9153-892fb912c3da
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive e9157d81-1426-430e-9153-892fb912c3da
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive e9157d81-1426-430e-9153-892fb912c3da
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:2972
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 640
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2140

\??\c:\windows\ime\cjnxaoyr\eozruw.exe
c:\windows\ime\cjnxaoyr\eozruw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\rbzfyd\pdrywai.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1084
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1832
- - \??\c:\windows\fonts\rbzfyd\pdrywai.exe
    c:\windows\fonts\rbzfyd\pdrywai.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:788

\??\c:\windows\fonts\rbzfyd\pdrywai.exe
c:\windows\fonts\rbzfyd\pdrywai.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yhfapd" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="azclo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yhfapd'" DELETE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yhfapd" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="azclo" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yhfapd'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="yhfapd", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="azclo",CommandLineTemplate="c:\windows\ime\cjnxaoyr\eozruw.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="yhfapd"", Consumer="CommandLineEventConsumer.Name="azclo""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="yhfapd", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="azclo",CommandLineTemplate="c:\windows\ime\cjnxaoyr\eozruw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="yhfapd"", Consumer="CommandLineEventConsumer.Name="azclo""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Schtasks /DELETE /TN aexog /F
  2⤵
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  PID:1712
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks /DELETE /TN aexog /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "aexog" /ru system /tr "c:\windows\ime\cjnxaoyr\eozruw.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn "aexog" /ru system /tr "c:\windows\ime\cjnxaoyr\eozruw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -import c:\windows\fonts\rbzfyd\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cmd /c powercfg -setactive 4ce73429-ed00-4a88-a1b5-382f01473031
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -setactive 4ce73429-ed00-4a88-a1b5-382f01473031
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2944
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -setactive 4ce73429-ed00-4a88-a1b5-382f01473031
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powercfg -h off
  2⤵
  - Power Settings
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 608
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2736

\??\c:\windows\ime\cjnxaoyr\eozruw.exe
c:\windows\ime\cjnxaoyr\eozruw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\rbzfyd\pdrywai.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2608
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Fonts\rbzfyd\pdrywai.exe

Filesize
1.1MB

MD5
b32dbae57d17b6552f4d8243fc715e38

SHA1
59aa9c92241f0dc5510ae4c52ff9d98749fb18c8

SHA256
26e560573b9334f7fb7d1a604377cc709f0657b0e160049ac250058ab4d6609e

SHA512
4716782b68bb36654a733463ad4f2c6a8c8fb28bc43bdfb7e97fce2f2f9df9dd0b3d998a79fc96e3b2d61376f856f784b30a9719bd9fab999a24a97b218df6e0

Download Submit
memory/788-33-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/892-43-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/892-34-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1084-30-0x0000000000190000-0x0000000000215000-memory.dmp

Filesize
532KB

Download
memory/1272-27-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1272-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1732-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2016-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2224-9-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/2224-7-0x0000000000120000-0x00000000001A5000-memory.dmp

Filesize
532KB

Download
memory/2704-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2704-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2808-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2808-13-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download