blackmoon | f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b

Analysis

max time kernel
114s
max time network
68s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
Size

5.1MB
MD5

ce69253483584dce46c4bda872bb579d
SHA1

bfe495ed5df21a726810fddb84a731db8a7b0312
SHA256

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b
SHA512

6e4a0c64409894bd730cd594764e6d45b543d64f8fbc34aa6bcb0c5fd6b0a939bdbd5815d498538e203f9a3ce06498a8878a918589cc61841742304f09a5fccd
SSDEEP

98304:mfgwpJXZdLmpdT2pVWLncQC0ofccWg1uMb3XmcTYmRKlUfgwpJXZdLmpdT2pVWLh:6HpzdwIWLYc41uaTZ5HpzdwIWLYc41uB

Score

10^/10

blackmoon xmrig banker defense_evasion discovery execution miner persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2296-5-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon
behavioral1/memory/1200-15-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon
behavioral1/memory/2184-248-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon
behavioral1/memory/2704-1023-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon
behavioral1/memory/2348-1058-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon
behavioral1/memory/2348-1060-0x0000000000400000-0x0000000000695000-memory.dmp	family_blackmoon

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	Process	procid_target
PID 2752 created 432	2752	powershell.EXE	5
PID 2756 created 432	2756	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2232-955-0x000000013FEE0000-0x00000001404FF000-memory.dmp	xmrig

Drops file in Drivers directory 1 IoCs

Processes:

cpfawbj.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cpfawbj.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

cpfawbj.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	cpfawbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "svchost.exe"	cpfawbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	cpfawbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "svchost.exe"	cpfawbj.exe

Executes dropped EXE 5 IoCs

Processes:

cpfawbj.execpfawbj.exefdwsej.exevuxuaz.exejcunw.exe

pid	Process
1200	cpfawbj.exe
2184	cpfawbj.exe
2592	fdwsej.exe
2232	vuxuaz.exe
2704	jcunw.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

cmd.execpfawbj.exe

pid	Process
2504	cmd.exe
2504	cmd.exe
2184	cpfawbj.exe
2184	cpfawbj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.EXEpowershell.EXE

pid	Process
2756	powershell.EXE
2752	powershell.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

Processes:

cmd.exe

pid	Process
2172	cmd.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

cmd.exepowercfg.execmd.execmd.exepowercfg.execmd.exepowercfg.execmd.exe

pid	Process
1480	cmd.exe
2496	powercfg.exe
1840	cmd.exe
2884	cmd.exe
1304	powercfg.exe
2188	cmd.exe
1268	powercfg.exe
2464	cmd.exe

Drops file in System32 directory 18 IoCs

Processes:

WMIADAP.EXEpowershell.EXEpowershell.EXEcpfawbj.exe

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cpfawbj.exe
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	Process	procid_target
PID 2752 set thread context of 2548	2752	powershell.EXE	42
PID 2756 set thread context of 1592	2756	powershell.EXE	43

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2296-0-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2296-5-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/files/0x0008000000015d6d-6.dat	upx
behavioral1/memory/1200-11-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2504-9-0x00000000023A0000-0x0000000002635000-memory.dmp	upx
behavioral1/memory/2184-13-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/1200-15-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2184-248-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/files/0x00080000000160ae-679.dat	upx
behavioral1/memory/2232-692-0x000000013FEE0000-0x00000001404FF000-memory.dmp	upx
behavioral1/memory/2232-955-0x000000013FEE0000-0x00000001404FF000-memory.dmp	upx
behavioral1/memory/2704-1021-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2704-1023-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2348-1058-0x0000000000400000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/2348-1060-0x0000000000400000-0x0000000000695000-memory.dmp	upx

Drops file in Windows directory 22 IoCs

Processes:

WMIADAP.EXEcpfawbj.exefdwsej.exesvchost.exevuxuaz.exef37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe

description	ioc	Process
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	\??\c:\windows\ime\xfguocq\jcunw.exe	cpfawbj.exe
File created	\??\c:\windows\fonts\lrbiqc\BestPower.pow	cpfawbj.exe
File created	\??\c:\windows\fonts\cuaqzscw\rhjubre.exe	cpfawbj.exe
File created	C:\Windows\Tasks\$dzlosxhybrmqiaue.job	fdwsej.exe
File opened for modification	C:\Windows\Tasks\$dzlosxhybrmqiaue.job	fdwsej.exe
File opened for modification	C:\Windows\Tasks\$dzlosxhyczrhdlpa.job	fdwsej.exe
File opened for modification	C:\Windows\Tasks\$dzlosxhyczrhdlpa.job	svchost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	\??\c:\windows\fonts\ngunerqm\config.json	vuxuaz.exe
File created	\??\c:\windows\fonts\lrbiqc\cpfawbj.exe	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
File opened for modification	\??\c:\windows\fonts\lrbiqc\cpfawbj.exe	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
File created	C:\Windows\Tasks\$dzlosxhyczrhdlpa.job	fdwsej.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	\??\c:\windows\ime\xfguocq\jcunw.exe	cpfawbj.exe
File created	\??\c:\windows\fonts\ngunerqm\config.json	cpfawbj.exe
File created	\??\c:\windows\fonts\ngunerqm\vuxuaz.exe	cpfawbj.exe
File created	\??\c:\windows\fonts\ngunerqm\WinRing0x64.sys	cpfawbj.exe
File created	\??\c:\windows\fonts\lrbiqc\HighPower.pow	cpfawbj.exe
File opened for modification	\??\c:\windows\fonts\ngunerqm\vuxuaz.exe	cpfawbj.exe
File opened for modification	C:\Windows\Tasks\$dzlosxhybrmqiaue.job	svchost.exe
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.exepowershell.EXEdllhost.execmd.execmd.exepowercfg.execmd.exeWMIC.exeschtasks.execmd.execmd.exeWMIC.execmd.exepowercfg.exef37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exePING.EXEcpfawbj.exefdwsej.execmd.exeWMIC.exeWMIC.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpfawbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdwsej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
2504	cmd.exe
2512	PING.EXE

Modifies data under HKEY_USERS 26 IoCs

Processes:

cpfawbj.exepowershell.EXE

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40	cpfawbj.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecisionTime = 80ce64a3343ddb01	cpfawbj.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0602aa4343ddb01	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cpfawbj.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cpfawbj.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecisionReason = "1"	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecision = "0"	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\be-ec-74-ad-84-40	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecisionReason = "1"	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadDecisionTime = 80ce64a3343ddb01	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-ec-74-ad-84-40\WpadDecision = "0"	cpfawbj.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}	cpfawbj.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B98AC70-5774-4D33-A5DA-7946EDDBE69B}\WpadNetworkName = "Network 3"	cpfawbj.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cpfawbj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cpfawbj.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cpfawbj.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cpfawbj.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2512	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.execpfawbj.execpfawbj.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	Process
2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
1200	cpfawbj.exe
2184	cpfawbj.exe
2184	cpfawbj.exe
2752	powershell.EXE
2756	powershell.EXE
2752	powershell.EXE
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
2756	powershell.EXE
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe
1592	dllhost.exe
1592	dllhost.exe
2548	dllhost.exe
2548	dllhost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe

pid	Process
2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.execpfawbj.execpfawbj.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exeWMIC.exeWMIC.exepowercfg.exesvchost.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
Token: SeDebugPrivilege	1200	cpfawbj.exe
Token: SeDebugPrivilege	2184	cpfawbj.exe
Token: SeDebugPrivilege	2184	cpfawbj.exe
Token: SeDebugPrivilege	2752	powershell.EXE
Token: SeDebugPrivilege	2756	powershell.EXE
Token: SeDebugPrivilege	2752	powershell.EXE
Token: SeDebugPrivilege	2548	dllhost.exe
Token: SeDebugPrivilege	2756	powershell.EXE
Token: SeDebugPrivilege	1592	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2496	powercfg.exe
Token: SeRestorePrivilege	600	svchost.exe
Token: SeBackupPrivilege	600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vuxuaz.exe

pid	Process
2232	vuxuaz.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.execpfawbj.execpfawbj.execonhost.exejcunw.exe

pid	Process
2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
1200	cpfawbj.exe
2184	cpfawbj.exe
1388	conhost.exe
2704	jcunw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.execmd.execpfawbj.exetaskeng.exepowershell.EXEdllhost.exepowershell.EXE

description	pid	Process	procid_target
PID 2296 wrote to memory of 2504	2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	30
PID 2296 wrote to memory of 2504	2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	30
PID 2296 wrote to memory of 2504	2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	30
PID 2296 wrote to memory of 2504	2296	f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe	30
PID 2504 wrote to memory of 2512	2504	cmd.exe	32
PID 2504 wrote to memory of 2512	2504	cmd.exe	32
PID 2504 wrote to memory of 2512	2504	cmd.exe	32
PID 2504 wrote to memory of 2512	2504	cmd.exe	32
PID 2504 wrote to memory of 1200	2504	cmd.exe	33
PID 2504 wrote to memory of 1200	2504	cmd.exe	33
PID 2504 wrote to memory of 1200	2504	cmd.exe	33
PID 2504 wrote to memory of 1200	2504	cmd.exe	33
PID 2184 wrote to memory of 2592	2184	cpfawbj.exe	36
PID 2184 wrote to memory of 2592	2184	cpfawbj.exe	36
PID 2184 wrote to memory of 2592	2184	cpfawbj.exe	36
PID 2184 wrote to memory of 2592	2184	cpfawbj.exe	36
PID 2872 wrote to memory of 2752	2872	taskeng.exe	38
PID 2872 wrote to memory of 2752	2872	taskeng.exe	38
PID 2872 wrote to memory of 2752	2872	taskeng.exe	38
PID 2872 wrote to memory of 2756	2872	taskeng.exe	39
PID 2872 wrote to memory of 2756	2872	taskeng.exe	39
PID 2872 wrote to memory of 2756	2872	taskeng.exe	39
PID 2872 wrote to memory of 2756	2872	taskeng.exe	39
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2752 wrote to memory of 2548	2752	powershell.EXE	42
PID 2548 wrote to memory of 432	2548	dllhost.exe	5
PID 2548 wrote to memory of 476	2548	dllhost.exe	6
PID 2548 wrote to memory of 492	2548	dllhost.exe	7
PID 2548 wrote to memory of 500	2548	dllhost.exe	8
PID 2548 wrote to memory of 600	2548	dllhost.exe	9
PID 2548 wrote to memory of 668	2548	dllhost.exe	10
PID 2548 wrote to memory of 736	2548	dllhost.exe	11
PID 2548 wrote to memory of 824	2548	dllhost.exe	12
PID 2548 wrote to memory of 848	2548	dllhost.exe	13
PID 2548 wrote to memory of 968	2548	dllhost.exe	15
PID 2548 wrote to memory of 112	2548	dllhost.exe	16
PID 2548 wrote to memory of 1016	2548	dllhost.exe	17
PID 2548 wrote to memory of 1060	2548	dllhost.exe	18
PID 2548 wrote to memory of 1104	2548	dllhost.exe	19
PID 2548 wrote to memory of 1152	2548	dllhost.exe	20
PID 2548 wrote to memory of 1216	2548	dllhost.exe	21
PID 2548 wrote to memory of 1744	2548	dllhost.exe	23
PID 2548 wrote to memory of 1040	2548	dllhost.exe	24
PID 2548 wrote to memory of 1600	2548	dllhost.exe	25
PID 2548 wrote to memory of 2224	2548	dllhost.exe	26
PID 2548 wrote to memory of 1664	2548	dllhost.exe	27
PID 2548 wrote to memory of 2696	2548	dllhost.exe	35
PID 2548 wrote to memory of 2872	2548	dllhost.exe	37
PID 2548 wrote to memory of 2560	2548	dllhost.exe	41
PID 2756 wrote to memory of 1592	2756	powershell.EXE	43
PID 2756 wrote to memory of 1592	2756	powershell.EXE	43
PID 2756 wrote to memory of 1592	2756	powershell.EXE	43
PID 2756 wrote to memory of 1592	2756	powershell.EXE	43
PID 2756 wrote to memory of 1592	2756	powershell.EXE	43

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f0b1948d-d574-49ed-8bb7-71c8b190e098}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{5ae6b80b-e2a0-4f10-9c71-9fd2a1fae7ab}
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1040
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1040 -s 1332
      4⤵
      PID:1608
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1600
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2524
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2588
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2852
  - - \??\c:\windows\ime\xfguocq\jcunw.exe
      c:\windows\ime\xfguocq\jcunw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2704
  - - \??\c:\windows\ime\xfguocq\jcunw.exe
      c:\windows\ime\xfguocq\jcunw.exe
      4⤵
      PID:2348
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Indicator Removal: Clear Windows Event Logs
  PID:736
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1152
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2696
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {A956FE8B-DD0D-46A6-B5B5-EFF22A895F9A} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$dzlosxhystager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$dzlosxhystager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1016
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1104
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2224
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1664
- \??\c:\windows\fonts\lrbiqc\cpfawbj.exe
  c:\windows\fonts\lrbiqc\cpfawbj.exe
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\TEMP\brfoqnpl\fdwsej.exe
    C:\Windows\TEMP\brfoqnpl\fdwsej.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="nzssjeji" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="xnmsooua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='nzssjeji'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="nzssjeji" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="xnmsooua" DELETE
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='nzssjeji'" DELETE
      4⤵
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nzssjeji", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="xnmsooua",CommandLineTemplate="c:\windows\ime\xfguocq\jcunw.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nzssjeji"", Consumer="CommandLineEventConsumer.Name="xnmsooua""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nzssjeji", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="xnmsooua",CommandLineTemplate="c:\windows\ime\xfguocq\jcunw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nzssjeji"", Consumer="CommandLineEventConsumer.Name="xnmsooua""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN wsdonayo /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN wsdonayo /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "wsdonayo" /ru system /tr "c:\windows\ime\xfguocq\jcunw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn "wsdonayo" /ru system /tr "c:\windows\ime\xfguocq\jcunw.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c powercfg -import c:\windows\fonts\lrbiqc\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powercfg -import c:\windows\fonts\lrbiqc\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:1480
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg -import c:\windows\fonts\lrbiqc\BestPower.pow
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c powercfg -setactive 7ce8785d-2df7-4b3f-989d-c920d9b4f4b2
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powercfg -setactive 7ce8785d-2df7-4b3f-989d-c920d9b4f4b2
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2884
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg -setactive 7ce8785d-2df7-4b3f-989d-c920d9b4f4b2
        5⤵
        Power Settings
        
        PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -h off
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:2188
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -h off
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:1268
- - \??\c:\windows\fonts\ngunerqm\vuxuaz.exe
    c:\windows\fonts\ngunerqm\vuxuaz.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    PID:2232
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  2⤵
  PID:2648
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  2⤵
  PID:2912

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe
  "C:\Users\Admin\AppData\Local\Temp\f37d9f34f4247d7d47dcc690ab2da3983be5c7e7814aa9d98fda637f7984586b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\lrbiqc\cpfawbj.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2512
  - - \??\c:\windows\fonts\lrbiqc\cpfawbj.exe
      c:\windows\fonts\lrbiqc\cpfawbj.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16290384541305411099-104685877639306025173369470-411318635746283012-1946181433"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6301089491132776785-9882133371437849377-1110556658-64697276010727940861256240412"
1⤵
PID:896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1511162007166174570-718895780-1546558274-6865603531114357421-266922993-140110214"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5380086731230213612-32921283-913160462766444826537160102935830165-969343731"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-490097383-227513618-13120283671274053859-2867182262112285220511199421616822434"
1⤵
PID:752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19139471496642871248954232991316017913-6388003015874480771209539940-252150724"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "186016181-1865112767853522366-167687761233254140118542431311288562523358676855"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8567358091093483405-1903109796-143638102118186932041358081906-9318394761240574225"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2092703991-471183961162320768229132266092323912-9272709772101253089301700790"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
540138285295c68de32a419b7d9de687

SHA1
1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

SHA256
33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

SHA512
7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
831dbe568992299e589143ee8898e131

SHA1
737726173aab8b76fe1f98104d72bb91abd273bf

SHA256
4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405

SHA512
39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
cf82e7354e591c1408eb2cc0e29dd274

SHA1
7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9

SHA256
59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d

SHA512
98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
1c678ee06bd02b5d9e4d51c3a4ec2d2b

SHA1
90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

SHA256
2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

SHA512
ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
3251572461218e279aa1ffd235c6b74d

SHA1
bd6db180b78c22fab20f55dbf0f84a39a0fc19a2

SHA256
baeac7bef7ece88ea3cb784effd1a34232c13d998ce272ac8bc7395e6b5ec60e

SHA512
700b36964455f960511f5bbeea804febaf0ebea17a6f092cd875f7f6593ffbe79f763bd2e0bee89bb8538e67ee34c49270626d3f78db71cb39c8022d0d4baa8c

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
24da30cbb5f0fe4939862880e72cc32c

SHA1
9132497736f52dae62b79be1677c05e32a7ba2ab

SHA256
a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f

SHA512
332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
C:\Windows\Tasks\$dzlosxhybrmqiaue.job

Filesize
572B

MD5
5e94eb536c63868f17b76d7e1711a290

SHA1
746306b5347e7a9604dcbab1018d949b092de2d2

SHA256
22f4ff7ded85921a988f29283e020066a58cc786ae94ec27bf29f5e534c3183f

SHA512
a0b246bd7f5b4d1c84d9b104d8e247e19c343f0c6e9338d851f24daa6f03c4e01873753de405ed845fd57be940f7887ab364dfe7fe16d6fcc796527416556c54

Download Submit
C:\Windows\Tasks\$dzlosxhyczrhdlpa.job

Filesize
486B

MD5
6ea8f01615cad38a1368af8b5e2412b5

SHA1
15adf19baca70d9f56a5a003c8c161d0f7f5bf0c

SHA256
065c1661e1e0d7a6688c8c3f8687bc7ca21d9f2812e1fc1b3838c7da51f92ea6

SHA512
c441a915958b0e5a6ac143a5b37e56d5c6315cb91f99d4c5b7f598289fcb76f26dba6c7f89c97ea1cd535279aebe01263090bf5875a98b2e71cd8cc4b00fb3da

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
118KB

MD5
b6a40d83e0fd90f0c9ba062102a8eb99

SHA1
d5b564584ea2b5eab4ddda1a225594d790cc585b

SHA256
0efde37b0dfcd63a634f9448fdfdfb9c689e7f28accaa063e7abfe5747c7a054

SHA512
7b4d6e842ce0433e965eb923f3359634494a735368a04832d85e5778c3a9590144e1c7cc0f336ac9a1208215838433dfb6ff5837c8494231989e3164c10d3f2c

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
646KB

MD5
aecab86cc5c705d7a036cba758c1d7b0

SHA1
e88cf81fd282d91c7fc0efae13c13c55f4857b5e

SHA256
9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

SHA512
e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

Download Submit
\??\c:\windows\fonts\lrbiqc\BestPower.pow

Filesize
8KB

MD5
183887e994658a630e7810755723ec20

SHA1
a094da22e2363dbbb5880666b44c077aae0ef62e

SHA256
5920e1aa24762daa5e49a924e90f42a4b1ae4588ab38514cc74d4499396ded44

SHA512
72b3ee12b2cb14aaf1d7453226c6e8bdda69915fb1c65f9bc22aa5960dad2f3a7c355a0512f806d75801196e23897a0f2bebcb038e6fcab917f0fa4a3f170953

Download Submit
\??\c:\windows\fonts\ngunerqm\config.json

Filesize
355B

MD5
34edaaa8430ae81f6f5ad438c4022148

SHA1
f3188a1e9784bb033220ca052fa925db8de52ae1

SHA256
3a57224d9dd364d682123cb5bd5b0f68135b519ec988a37204643478be89a324

SHA512
f8d2c9794622759cd314ed299d84b5f74541ad8b0802faf5bcb0ec331e8930eff0bc774d93a804de6f0ff50d581ac33d2ef0b38f0f4c1e45324c98cf4f103159

Download Submit
\Windows\Fonts\lrbiqc\cpfawbj.exe

Filesize
5.1MB

MD5
8e6cd16e4170df994f358d76d4d447ad

SHA1
734a35cadc29158226ce127cc1d1bb619a6e61d7

SHA256
e267fda3eb397d96398affb97f2d0c82c0ba7ffdd3d8db4f2d6c65ceca7ab3e3

SHA512
65aef9ef526bec5e6dadf9845e18dba513c52ce76a400cc504183c7bd3acb0ed3c46231538302ed22dcc0cc463b1e9a9564ef06b2d57a42b3db14f1bff649c10

Download Submit
\Windows\Fonts\ngunerqm\vuxuaz.exe

Filesize
1.4MB

MD5
8a4790999eca395444ee53c69dd9416d

SHA1
638c53b18834d275831f4d2268bca60a32e1072f

SHA256
021a949d825b66a84b9527fef6ab1b920da65b74a3740b56350640118342b0e2

SHA512
8b8925cf1aeb2f93d0d1019854ee2df25f422be8066a8597759239cefa79e269ec7a880f1c9a9eae250001da956350c85b9d384ded53808001853e5d7e624c59

Download Submit
\Windows\Temp\brfoqnpl\fdwsej.exe

Filesize
539KB

MD5
c84b650daf63d81b1e0a0738306929ca

SHA1
87288aeaebc2cfc586127c209accc0611ded08b2

SHA256
35ebd6cfdf77c0c742fa62b4cba647709976df449a047199afd0b46b568f6dfc

SHA512
6f1a8b68031f2d1dceefa2f0fb9f29b615af2fb38c41d233230236a1f0b79e61881328bd55ef9c1198b2e044a0ad4c1b5bf5191a35902d030f16454e2bb92c55

Download Submit
memory/432-65-0x00000000375C0000-0x00000000375D0000-memory.dmp

Filesize
64KB

Download
memory/432-64-0x000007FEBF200000-0x000007FEBF210000-memory.dmp

Filesize
64KB

Download
memory/432-63-0x0000000000BB0000-0x0000000000BDC000-memory.dmp

Filesize
176KB

Download
memory/432-50-0x0000000000B80000-0x0000000000BA4000-memory.dmp

Filesize
144KB

Download
memory/432-48-0x0000000000B80000-0x0000000000BA4000-memory.dmp

Filesize
144KB

Download
memory/476-98-0x000007FEBF200000-0x000007FEBF210000-memory.dmp

Filesize
64KB

Download
memory/476-99-0x00000000375C0000-0x00000000375D0000-memory.dmp

Filesize
64KB

Download
memory/476-97-0x0000000000D50000-0x0000000000D7C000-memory.dmp

Filesize
176KB

Download
memory/492-70-0x00000000009B0000-0x00000000009DC000-memory.dmp

Filesize
176KB

Download
memory/492-72-0x000007FEBF200000-0x000007FEBF210000-memory.dmp

Filesize
64KB

Download
memory/492-73-0x00000000375C0000-0x00000000375D0000-memory.dmp

Filesize
64KB

Download
memory/1200-11-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/1200-15-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2184-699-0x0000000002170000-0x000000000278F000-memory.dmp

Filesize
6.1MB

Download
memory/2184-691-0x0000000002170000-0x000000000278F000-memory.dmp

Filesize
6.1MB

Download
memory/2184-248-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2184-13-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2232-692-0x000000013FEE0000-0x00000001404FF000-memory.dmp

Filesize
6.1MB

Download
memory/2232-955-0x000000013FEE0000-0x00000001404FF000-memory.dmp

Filesize
6.1MB

Download
memory/2296-5-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2296-0-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2348-1060-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2348-1058-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2504-9-0x00000000023A0000-0x0000000002635000-memory.dmp

Filesize
2.6MB

Download
memory/2548-44-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/2548-46-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2548-43-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2548-45-0x0000000077360000-0x000000007747F000-memory.dmp

Filesize
1.1MB

Download
memory/2548-42-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/2704-1023-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2704-1021-0x0000000000400000-0x0000000000695000-memory.dmp

Filesize
2.6MB

Download
memory/2752-38-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2752-41-0x0000000077360000-0x000000007747F000-memory.dmp

Filesize
1.1MB

Download
memory/2752-40-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/2752-37-0x000000001A0B0000-0x000000001A392000-memory.dmp

Filesize
2.9MB

Download
memory/2752-39-0x0000000001300000-0x0000000001378000-memory.dmp

Filesize
480KB

Download