Overview

overview

10

Static

static

3

4e15413ea3...22.exe

windows7-x64

10

4e15413ea3...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe

  • Size

    8.9MB

  • MD5

    44159a48df832e9a12636f37044b29ea

  • SHA1

    a5c43861ad91a35e71cb0ab748384b092fe4f841

  • SHA256

    4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22

  • SHA512

    4896d86350f36863967277530a837956482b046a2fd7b5ec456a0886424e2268f0414f20e9d7ecd285f4f6ec3d04c39aaffc10a4e722a31100aad1aff1beee56

  • SSDEEP

    196608:8HygLd6jkPHSwzSnuUxxpiS0My1WeeNSvJgePF4yM/CdVcVhF5:NWUerWZt0Myph20+

Score
10/10
blackmoonaspackv2bankerbootkitdiscoverypersistencetrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 3 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks BIOS information in registry 2 TTPs 40 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 40 IoCs
  • Loads dropped DLL 20 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 20 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 40 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 63 IoCs
  • Suspicious use of SetWindowsHookEx 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
    "C:\Users\Admin\AppData\Local\Temp\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4640
    • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
      "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4888
      • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
        "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:228
      • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
        "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4056
        • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
          "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
          4⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4408
        • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
          "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3912
          • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
            "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
            5⤵
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:2444
          • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
            "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2652
            • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
              "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
              6⤵
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Enumerates system info in registry
              PID:4308
            • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
              "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
              6⤵
              • Executes dropped EXE
              • Enumerates connected drives
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3328
              • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                7⤵
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Enumerates system info in registry
                PID:4160
              • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                7⤵
                • Executes dropped EXE
                • Enumerates connected drives
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3608
                • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                  "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                  8⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  PID:4024
                • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                  "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                  8⤵
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4980
                  • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                    "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                    9⤵
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Enumerates system info in registry
                    PID:2688
                  • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                    "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                    9⤵
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:3352
                    • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                      "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                      10⤵
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      PID:4308
                    • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                      "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                      10⤵
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Writes to the Master Boot Record (MBR)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:2940
                      • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                        "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                        11⤵
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:788
                      • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                        "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                        11⤵
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • Writes to the Master Boot Record (MBR)
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:3088
                        • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                          "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                          12⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          PID:1244
                        • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                          "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                          12⤵
                          • Executes dropped EXE
                          • Enumerates connected drives
                          • Writes to the Master Boot Record (MBR)
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:4636
                          • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                            "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                            13⤵
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            PID:392
                          • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                            "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                            13⤵
                            • Executes dropped EXE
                            • Enumerates connected drives
                            • Writes to the Master Boot Record (MBR)
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of SetWindowsHookEx
                            PID:1144
                            • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                              "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                              14⤵
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              • Enumerates system info in registry
                              PID:2392
                            • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                              "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                              14⤵
                              • Executes dropped EXE
                              • Enumerates connected drives
                              • Writes to the Master Boot Record (MBR)
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of SetWindowsHookEx
                              PID:2624
                              • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                15⤵
                                • Checks BIOS information in registry
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Enumerates connected drives
                                • System Location Discovery: System Language Discovery
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                PID:2684
                              • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                15⤵
                                • Executes dropped EXE
                                • Enumerates connected drives
                                • Writes to the Master Boot Record (MBR)
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of SetWindowsHookEx
                                PID:5072
                                • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                  "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                  16⤵
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Checks processor information in registry
                                  • Enumerates system info in registry
                                  PID:4356
                                • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                  "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Enumerates connected drives
                                  • Writes to the Master Boot Record (MBR)
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4228
                                  • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                    "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                    17⤵
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Checks processor information in registry
                                    • Enumerates system info in registry
                                    PID:1696
                                  • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                    "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Enumerates connected drives
                                    • Writes to the Master Boot Record (MBR)
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of SetWindowsHookEx
                                    PID:5056
                                    • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                      "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                      18⤵
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Checks processor information in registry
                                      • Enumerates system info in registry
                                      PID:1396
                                    • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                      "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • Writes to the Master Boot Record (MBR)
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SendNotifyMessage
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1960
                                      • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                        "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                        19⤵
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        PID:4120
                                      • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                        "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Enumerates connected drives
                                        • Writes to the Master Boot Record (MBR)
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SendNotifyMessage
                                        • Suspicious use of SetWindowsHookEx
                                        PID:392
                                        • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                          "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                          20⤵
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          • Checks processor information in registry
                                          • Enumerates system info in registry
                                          PID:4432
                                        • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                          "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Enumerates connected drives
                                          • Writes to the Master Boot Record (MBR)
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SendNotifyMessage
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1284
                                          • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                            "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                            21⤵
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • System Location Discovery: System Language Discovery
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            PID:2288
                                          • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
                                            "F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Writes to the Master Boot Record (MBR)
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SendNotifyMessage
                                            • Suspicious use of SetWindowsHookEx
                                            PID:3312
                                            • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
                                              "F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe"
                                              22⤵
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              • Checks processor information in registry
                                              • Enumerates system info in registry
                                              PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\Áè·çºÏ»÷(΢¶Ë)\4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22.exe
    Filesize

    8.9MB

    MD5

    44159a48df832e9a12636f37044b29ea

    SHA1

    a5c43861ad91a35e71cb0ab748384b092fe4f841

    SHA256

    4e15413ea3ec6fda20d2b6f37a28401ea16929772ad59310ddaa4ea5cb220b22

    SHA512

    4896d86350f36863967277530a837956482b046a2fd7b5ec456a0886424e2268f0414f20e9d7ecd285f4f6ec3d04c39aaffc10a4e722a31100aad1aff1beee56

    Download Submit

  • F:\Áè·çºÏ»÷(΢¶Ë)\Hero.ini
    Filesize

    17B

    MD5

    a5a6f4a892f56c69fa47a593d716c07c

    SHA1

    1e0f1227cd2f6d4e1892b8b0a1923a791a07df66

    SHA256

    5f3e24e0c45c1e17ee349002c79fb1c0ec3aea2477a1f57dadeae3a1c4749bb2

    SHA512

    05262b7cb2612b0fbc0cc2eeca9729842aeb1e9d3dd86c067d0cc37cb93a96009526eb9ce16f9205fb4d58f97b3d2f09743808e896c008cb09186b499bff3de2

    Download Submit

  • F:\Áè·çºÏ»÷(΢¶Ë)\WuShuang.ini
    Filesize

    53B

    MD5

    33a93ca066f956f022b751d236b38e97

    SHA1

    373bd813621d8a60038278635141577dd80bf568

    SHA256

    15632ffd950219a9ab782df6b5702ba38ae0ffc3757f57d796a849671d10f033

    SHA512

    50322393d60c12bdb54c4136d7949a4c35ffdef14c65c324178b4d48042681890e9cd05e6ab2c575aaba042b2fa028f38fe886f440171499dc05aaf7acc1f448

    Download Submit

  • F:\Áè·çºÏ»÷(΢¶Ë)\bluehd.dat
    Filesize

    20KB

    MD5

    7c162d50228922f46defb0211985516e

    SHA1

    661a486eb3895bed6f87e8bb315f045961f2cc41

    SHA256

    5360f12275b203fe5340a3bfa4684de7b48d61ee1dc36954ca7ae764e0a6d216

    SHA512

    7be26eec6968322702d27abf92556dd210d43f2c65ded0631ea2f4a8b8cdf2eac6c545541c4dde07212c6e0c59a0f7be5425b711797d2c20f1d748475dac5370

    Download Submit

  • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.exe
    Filesize

    6.2MB

    MD5

    5b6ab4e89a68d01d8e8c9f615f6c8916

    SHA1

    86caa6a20650f8c5e0a9a3625f50deda83796c78

    SHA256

    d2c6aac54c67926c5c83f45ebed6a718acab91e40b19914968aeb80afcc5a15e

    SHA512

    7c6f16a62f0b59477366cd7e05e2599617edeb81ea5b04e3531ff7dd09854037f29205f4854ddbd9d190be941af2db97f8177d5c02e4114bd09d212aced2a504

    Download Submit

  • F:\Áè·çºÏ»÷(΢¶Ë)\Áè·çºÏ»÷.ico
    Filesize

    766B

    MD5

    3d27f2460e50f2411b7d353a7950cc06

    SHA1

    76296a833032dd98af6d3b8224f80cf70f1a1a41

    SHA256

    0f9d7ac5210ae21af9f413fdc6f17edd67abcdf83490ffa9f66f665379031dfe

    SHA512

    7a482dd79e5439e8193995c3d8f5e69d3cd97bf12e53661465b4a72fe3ea24801c476bccc28e5941d78b50f30c21036233e475a683c496c232cd70e03d6ac31c

    Download Submit

  • memory/228-80-0x0000000000400000-0x00000000010F7000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/228-77-0x0000000000400000-0x00000000010F7000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/228-73-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/228-75-0x0000000000400000-0x00000000010F7000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/228-76-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4056-227-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4408-178-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4408-177-0x0000000000400000-0x00000000010F7000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/4408-183-0x0000000000400000-0x00000000010F7000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/4640-8-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-2-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-1-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-3-0x00000000011C2000-0x00000000011C4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4640-6-0x0000000003B00000-0x0000000003B08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4640-5-0x0000000002250000-0x000000000225B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4640-4-0x0000000002230000-0x000000000223B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4640-7-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-17-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-11-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4640-0-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4888-123-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4888-18-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4888-59-0x00000000037C0000-0x00000000037C7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4888-22-0x00000000037B0000-0x00000000037B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4888-21-0x0000000001F70000-0x0000000001F7B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4888-19-0x0000000000400000-0x0000000001B46000-memory.dmp

    Filesize

    23.3MB

    Download

  • memory/4888-20-0x0000000001F60000-0x0000000001F6B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4888-23-0x00000000037B0000-0x00000000037B8000-memory.dmp

    Filesize

    32KB

    Download