Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 00:50
Behavioral task: behavioral1
Sample: a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Resource: win7-20240903-en
General
Target: a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Size: 1.8MB
MD5: 10a99d00159dcd34d509a3f1014d20d0
SHA1: af060b8c9712beb1f9be5d326ea80751a0ff52d7
SHA256: a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934cc
SHA512: 975e4814453c9f616618e41a424c27f378b9ebb94cc34afd2c27655c061eb2d6032f39796777da28655f7fd7fb560cedc862d4065a79488b754c2556c7a483e4
SSDEEP: 12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 7 IoCs
resource | yara_rule
behavioral1/memory/1708-4-0x0000000000400000-0x00000000004E6000-memory.dmp | family_blackmoon
behavioral1/memory/2508-13-0x0000000000400000-0x00000000004E6000-memory.dmp | family_blackmoon
behavioral1/memory/2684-43-0x0000000000400000-0x00000000004E6000-memory.dmp | family_blackmoon
behavioral1/memory/2732-45-0x0000000000400000-0x000000000048C000-memory.dmp | family_blackmoon
behavioral1/memory/2732-67-0x0000000000400000-0x000000000048C000-memory.dmp | family_blackmoon
behavioral1/memory/2732-153-0x0000000000400000-0x000000000048C000-memory.dmp | family_blackmoon
behavioral1/memory/2684-159-0x0000000000400000-0x00000000004E6000-memory.dmp | family_blackmoon
Executes dropped EXE 27 IoCs
pid | Process
2508 | fazsuyr.exe
2684 | fazsuyr.exe
2732 | 8248635648034056.exe
1488 | uin77.exe
2744 | ebe697a1.exe
1656 | uin77.exe
1248 | e591202a.exe
2036 | uin77.exe
2780 | ef5cbaa2.exe
1784 | uin77.exe
1932 | ef92a63a.exe
2192 | uin77.exe
2984 | eed981c1.exe
888 | uin77.exe
1916 | e9931b3a.exe
2932 | uin77.exe
1368 | e8daf6d2.exe
2524 | uin77.exe
2124 | f295804a.exe
1752 | uin77.exe
2412 | fd5f29c3.exe
2072 | uin77.exe
2848 | fc96055b.exe
2688 | uin77.exe
1488 | f6519ec4.exe
2588 | uin77.exe
1508 | f10b284c.exe
Loads dropped DLL 30 IoCs
pid | Process
580 | cmd.exe
580 | cmd.exe
2684 | fazsuyr.exe
2684 | fazsuyr.exe
2732 | 8248635648034056.exe
1488 | uin77.exe
2732 | 8248635648034056.exe
1656 | uin77.exe
2732 | 8248635648034056.exe
2036 | uin77.exe
2732 | 8248635648034056.exe
1784 | uin77.exe
2732 | 8248635648034056.exe
2192 | uin77.exe
2732 | 8248635648034056.exe
888 | uin77.exe
2732 | 8248635648034056.exe
2932 | uin77.exe
2732 | 8248635648034056.exe
2524 | uin77.exe
2732 | 8248635648034056.exe
1752 | uin77.exe
2732 | 8248635648034056.exe
2072 | uin77.exe
2732 | 8248635648034056.exe
2688 | uin77.exe
2732 | 8248635648034056.exe
2588 | uin77.exe
2868 | WerFault.exe
2868 | WerFault.exe
Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clear artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid | Process
1940 | cmd.exe
1692 | cmd.exe
2728 | cmd.exe
2468 | cmd.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | fazsuyr.exe
resource | yara_rule
behavioral1/memory/1708-0-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/1708-4-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/files/0x0008000000016da7-5.dat | upx
behavioral1/memory/2508-10-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/2508-13-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/files/0x0004000000004ed7-14.dat | upx
behavioral1/memory/2732-23-0x0000000000400000-0x000000000048C000-memory.dmp | upx
behavioral1/memory/2684-20-0x0000000000E90000-0x0000000000F1C000-memory.dmp | upx
behavioral1/memory/2684-43-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
behavioral1/memory/2732-45-0x0000000000400000-0x000000000048C000-memory.dmp | upx
behavioral1/memory/2732-67-0x0000000000400000-0x000000000048C000-memory.dmp | upx
behavioral1/memory/2732-153-0x0000000000400000-0x000000000048C000-memory.dmp | upx
behavioral1/memory/2684-159-0x0000000000400000-0x00000000004E6000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
File opened for modification | \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
File created | \??\c:\windows\fonts\lxdfmu\scmxpu.exe | fazsuyr.exe
File created | \??\c:\windows\fonts\bjzsxc\objhsu.exe | fazsuyr.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2868 | 2684 | WerFault.exe | 35
System Location Discovery: System Language Discovery 1 TTPs 41 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fazsuyr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8248635648034056.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uin77.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
580 | cmd.exe
2320 | PING.EXE
Modifies data under HKEY_USERS 24 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | fazsuyr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-4f-33-8d-3d-8c | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-4f-33-8d-3d-8c\WpadDecisionReason = "1" | fazsuyr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-4f-33-8d-3d-8c\WpadDecisionTime = c0e9be559d3fdb01 | fazsuyr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410}\WpadDecision = "0" | fazsuyr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410}\WpadNetworkName = "Network 3" | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410}\da-4f-33-8d-3d-8c | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-4f-33-8d-3d-8c\WpadDecision = "0" | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | fazsuyr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0068000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410} | fazsuyr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | fazsuyr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410}\WpadDecisionReason = "1" | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | fazsuyr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | fazsuyr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | fazsuyr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3258774B-C9CB-4688-BFA2-927802793410}\WpadDecisionTime = c0e9be559d3fdb01 | fazsuyr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | fazsuyr.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2320 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
2508 | fazsuyr.exe
2684 | fazsuyr.exe
1488 | uin77.exe
1488 | uin77.exe
1488 | uin77.exe
1488 | uin77.exe
2744 | ebe697a1.exe
2744 | ebe697a1.exe
2744 | ebe697a1.exe
2744 | ebe697a1.exe
1656 | uin77.exe
1656 | uin77.exe
1656 | uin77.exe
1656 | uin77.exe
1248 | e591202a.exe
1248 | e591202a.exe
1248 | e591202a.exe
1248 | e591202a.exe
2036 | uin77.exe
2036 | uin77.exe
2036 | uin77.exe
2036 | uin77.exe
2780 | ef5cbaa2.exe
2780 | ef5cbaa2.exe
2780 | ef5cbaa2.exe
2780 | ef5cbaa2.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
2732 | 8248635648034056.exe
1784 | uin77.exe
1784 | uin77.exe
1784 | uin77.exe
1784 | uin77.exe
1932 | ef92a63a.exe
1932 | ef92a63a.exe
1932 | ef92a63a.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
Token: SeDebugPrivilege | 2508 | fazsuyr.exe
Token: SeDebugPrivilege | 2684 | fazsuyr.exe
Token: SeAssignPrimaryTokenPrivilege | 2808 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2808 | WMIC.exe
Token: SeSecurityPrivilege | 2808 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2808 | WMIC.exe
Token: SeLoadDriverPrivilege | 2808 | WMIC.exe
Token: SeSystemtimePrivilege | 2808 | WMIC.exe
Token: SeBackupPrivilege | 2808 | WMIC.exe
Token: SeRestorePrivilege | 2808 | WMIC.exe
Token: SeShutdownPrivilege | 2808 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2808 | WMIC.exe
Token: SeUndockPrivilege | 2808 | WMIC.exe
Token: SeManageVolumePrivilege | 2808 | WMIC.exe
Token: SeDebugPrivilege | 1488 | uin77.exe
Token: SeDebugPrivilege | 2744 | ebe697a1.exe
Token: SeAssignPrimaryTokenPrivilege | 2808 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2808 | WMIC.exe
Token: SeSecurityPrivilege | 2808 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2808 | WMIC.exe
Token: SeLoadDriverPrivilege | 2808 | WMIC.exe
Token: SeSystemtimePrivilege | 2808 | WMIC.exe
Token: SeBackupPrivilege | 2808 | WMIC.exe
Token: SeRestorePrivilege | 2808 | WMIC.exe
Token: SeShutdownPrivilege | 2808 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2808 | WMIC.exe
Token: SeUndockPrivilege | 2808 | WMIC.exe
Token: SeManageVolumePrivilege | 2808 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 2564 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2564 | WMIC.exe
Token: SeSecurityPrivilege | 2564 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2564 | WMIC.exe
Token: SeLoadDriverPrivilege | 2564 | WMIC.exe
Token: SeSystemtimePrivilege | 2564 | WMIC.exe
Token: SeBackupPrivilege | 2564 | WMIC.exe
Token: SeRestorePrivilege | 2564 | WMIC.exe
Token: SeShutdownPrivilege | 2564 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2564 | WMIC.exe
Token: SeUndockPrivilege | 2564 | WMIC.exe
Token: SeManageVolumePrivilege | 2564 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 2564 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2564 | WMIC.exe
Token: SeSecurityPrivilege | 2564 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2564 | WMIC.exe
Token: SeLoadDriverPrivilege | 2564 | WMIC.exe
Token: SeSystemtimePrivilege | 2564 | WMIC.exe
Token: SeBackupPrivilege | 2564 | WMIC.exe
Token: SeRestorePrivilege | 2564 | WMIC.exe
Token: SeShutdownPrivilege | 2564 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2564 | WMIC.exe
Token: SeUndockPrivilege | 2564 | WMIC.exe
Token: SeManageVolumePrivilege | 2564 | WMIC.exe
Token: SeAssignPrimaryTokenPrivilege | 2648 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2648 | WMIC.exe
Token: SeSecurityPrivilege | 2648 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2648 | WMIC.exe
Token: SeLoadDriverPrivilege | 2648 | WMIC.exe
Token: SeSystemtimePrivilege | 2648 | WMIC.exe
Token: SeBackupPrivilege | 2648 | WMIC.exe
Token: SeRestorePrivilege | 2648 | WMIC.exe
Token: SeShutdownPrivilege | 2648 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2648 | WMIC.exe
Token: SeUndockPrivilege | 2648 | WMIC.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
2508 | fazsuyr.exe
2684 | fazsuyr.exe
2732 | 8248635648034056.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1708 wrote to memory of 580 | 1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe | 31
PID 1708 wrote to memory of 580 | 1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe | 31
PID 1708 wrote to memory of 580 | 1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe | 31
PID 1708 wrote to memory of 580 | 1708 | a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe | 31
PID 580 wrote to memory of 2320 | 580 | cmd.exe | 33
PID 580 wrote to memory of 2320 | 580 | cmd.exe | 33
PID 580 wrote to memory of 2320 | 580 | cmd.exe | 33
PID 580 wrote to memory of 2320 | 580 | cmd.exe | 33
PID 580 wrote to memory of 2508 | 580 | cmd.exe | 34
PID 580 wrote to memory of 2508 | 580 | cmd.exe | 34
PID 580 wrote to memory of 2508 | 580 | cmd.exe | 34
PID 580 wrote to memory of 2508 | 580 | cmd.exe | 34
PID 2684 wrote to memory of 2732 | 2684 | fazsuyr.exe | 36
PID 2684 wrote to memory of 2732 | 2684 | fazsuyr.exe | 36
PID 2684 wrote to memory of 2732 | 2684 | fazsuyr.exe | 36
PID 2684 wrote to memory of 2732 | 2684 | fazsuyr.exe | 36
PID 2732 wrote to memory of 2728 | 2732 | 8248635648034056.exe | 37
PID 2732 wrote to memory of 2728 | 2732 | 8248635648034056.exe | 37
PID 2732 wrote to memory of 2728 | 2732 | 8248635648034056.exe | 37
PID 2732 wrote to memory of 2728 | 2732 | 8248635648034056.exe | 37
PID 2732 wrote to memory of 2700 | 2732 | 8248635648034056.exe | 38
PID 2732 wrote to memory of 2700 | 2732 | 8248635648034056.exe | 38
PID 2732 wrote to memory of 2700 | 2732 | 8248635648034056.exe | 38
PID 2732 wrote to memory of 2700 | 2732 | 8248635648034056.exe | 38
PID 2728 wrote to memory of 2280 | 2728 | cmd.exe | 41
PID 2728 wrote to memory of 2280 | 2728 | cmd.exe | 41
PID 2728 wrote to memory of 2280 | 2728 | cmd.exe | 41
PID 2728 wrote to memory of 2280 | 2728 | cmd.exe | 41
PID 2700 wrote to memory of 2808 | 2700 | cmd.exe | 42
PID 2700 wrote to memory of 2808 | 2700 | cmd.exe | 42
PID 2700 wrote to memory of 2808 | 2700 | cmd.exe | 42
PID 2700 wrote to memory of 2808 | 2700 | cmd.exe | 42
PID 2732 wrote to memory of 1488 | 2732 | 8248635648034056.exe | 43
PID 2732 wrote to memory of 1488 | 2732 | 8248635648034056.exe | 43
PID 2732 wrote to memory of 1488 | 2732 | 8248635648034056.exe | 43
PID 2732 wrote to memory of 1488 | 2732 | 8248635648034056.exe | 43
PID 1488 wrote to memory of 2744 | 1488 | uin77.exe | 44
PID 1488 wrote to memory of 2744 | 1488 | uin77.exe | 44
PID 1488 wrote to memory of 2744 | 1488 | uin77.exe | 44
PID 1488 wrote to memory of 2744 | 1488 | uin77.exe | 44
PID 2700 wrote to memory of 2564 | 2700 | cmd.exe | 45
PID 2700 wrote to memory of 2564 | 2700 | cmd.exe | 45
PID 2700 wrote to memory of 2564 | 2700 | cmd.exe | 45
PID 2700 wrote to memory of 2564 | 2700 | cmd.exe | 45
PID 2700 wrote to memory of 2648 | 2700 | cmd.exe | 46
PID 2700 wrote to memory of 2648 | 2700 | cmd.exe | 46
PID 2700 wrote to memory of 2648 | 2700 | cmd.exe | 46
PID 2700 wrote to memory of 2648 | 2700 | cmd.exe | 46
PID 2732 wrote to memory of 1656 | 2732 | 8248635648034056.exe | 47
PID 2732 wrote to memory of 1656 | 2732 | 8248635648034056.exe | 47
PID 2732 wrote to memory of 1656 | 2732 | 8248635648034056.exe | 47
PID 2732 wrote to memory of 1656 | 2732 | 8248635648034056.exe | 47
PID 1656 wrote to memory of 1248 | 1656 | uin77.exe | 48
PID 1656 wrote to memory of 1248 | 1656 | uin77.exe | 48
PID 1656 wrote to memory of 1248 | 1656 | uin77.exe | 48
PID 1656 wrote to memory of 1248 | 1656 | uin77.exe | 48
PID 2732 wrote to memory of 2036 | 2732 | 8248635648034056.exe | 49
PID 2732 wrote to memory of 2036 | 2732 | 8248635648034056.exe | 49
PID 2732 wrote to memory of 2036 | 2732 | 8248635648034056.exe | 49
PID 2732 wrote to memory of 2036 | 2732 | 8248635648034056.exe | 49
PID 2036 wrote to memory of 2780 | 2036 | uin77.exe | 50
PID 2036 wrote to memory of 2780 | 2036 | uin77.exe | 50
PID 2036 wrote to memory of 2780 | 2036 | uin77.exe | 50
PID 2036 wrote to memory of 2780 | 2036 | uin77.exe | 50
Processes
(Each entry gives the image path, the command line as recorded, the signatures matched for that process, and its PID; the bracketed number is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a03d0f95fc769d2d3e3e657fdfb69b9b02413e6459ffb676fe86dc0678e934ccN.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1708

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\eaiwmfd\fazsuyr.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 580

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 5
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2320

        [3] \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe
            Command line: c:\windows\fonts\eaiwmfd\fazsuyr.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 2508

[1] \??\c:\windows\fonts\eaiwmfd\fazsuyr.exe
    Command line: c:\windows\fonts\eaiwmfd\fazsuyr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2684

    [2] C:\Windows\TEMP\8248635648034056.exe
        Command line: C:\Windows\TEMP\8248635648034056.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2732

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c schtasks /DELETE /TN jlfyc /F
            - Indicator Removal: Clear Persistence
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2728

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /TN jlfyc /F
                - System Location Discovery: System Language Discovery
                PID: 2280

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2700

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                PID: 2808

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                PID: 2564

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                PID: 2648

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1488

            [4] C:\Windows\TEMP\ebe697a1.exe
                Command line: "C:\Windows\TEMP\ebe697a1.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 2744

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 1656

            [4] C:\Windows\TEMP\e591202a.exe
                Command line: "C:\Windows\TEMP\e591202a.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                PID: 1248

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 2036

            [4] C:\Windows\TEMP\ef5cbaa2.exe
                Command line: "C:\Windows\TEMP\ef5cbaa2.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                PID: 2780

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c schtasks /DELETE /TN jlfyc /F
            - Indicator Removal: Clear Persistence
            - System Location Discovery: System Language Discovery
            PID: 2468

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /TN jlfyc /F
                - System Location Discovery: System Language Discovery
                PID: 2460

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
            - System Location Discovery: System Language Discovery
            PID: 1956

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
                - System Location Discovery: System Language Discovery
                PID: 1160

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
                - System Location Discovery: System Language Discovery
                PID: 2668

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
                - System Location Discovery: System Language Discovery
                PID: 1788

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 1784

            [4] C:\Windows\TEMP\ef92a63a.exe
                Command line: "C:\Windows\TEMP\ef92a63a.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                PID: 1932

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2192

            [4] C:\Windows\TEMP\eed981c1.exe
                Command line: "C:\Windows\TEMP\eed981c1.exe"
                - Executes dropped EXE
                PID: 2984

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 888

            [4] C:\Windows\TEMP\e9931b3a.exe
                Command line: "C:\Windows\TEMP\e9931b3a.exe"
                - Executes dropped EXE
                PID: 1916

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c schtasks /DELETE /TN jlfyc /F
            - Indicator Removal: Clear Persistence
            - System Location Discovery: System Language Discovery
            PID: 1940

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /TN jlfyc /F
                - System Location Discovery: System Language Discovery
                PID: 748

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
            - System Location Discovery: System Language Discovery
            PID: 1388

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="sduyz" DELETE
                - System Location Discovery: System Language Discovery
                PID: 1688

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coua" DELETE
                - System Location Discovery: System Language Discovery
                PID: 1584

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='sduyz'" DELETE
                - System Location Discovery: System Language Discovery
                PID: 1356

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2932

            [4] C:\Windows\TEMP\e8daf6d2.exe
                Command line: "C:\Windows\TEMP\e8daf6d2.exe"
                - Executes dropped EXE
                PID: 1368

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2524

            [4] C:\Windows\TEMP\f295804a.exe
                Command line: "C:\Windows\TEMP\f295804a.exe"
                - Executes dropped EXE
                PID: 2124

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 1752

            [4] C:\Windows\TEMP\fd5f29c3.exe
                Command line: "C:\Windows\TEMP\fd5f29c3.exe"
                - Executes dropped EXE
                PID: 2412

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c schtasks /DELETE /TN ugbeq /F
            - Indicator Removal: Clear Persistence
            - System Location Discovery: System Language Discovery
            PID: 1692

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /DELETE /TN ugbeq /F
                - System Location Discovery: System Language Discovery
                PID: 2040

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ifeqhu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ypdc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ifeqhu'" DELETE
            - System Location Discovery: System Language Discovery
            PID: 1596

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ifeqhu" DELETE
                - System Location Discovery: System Language Discovery
                PID: 2208

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ypdc" DELETE
                - System Location Discovery: System Language Discovery
                PID: 2664

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ifeqhu'" DELETE
                - System Location Discovery: System Language Discovery
                PID: 2812

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2072

            [4] C:\Windows\TEMP\fc96055b.exe
                Command line: "C:\Windows\TEMP\fc96055b.exe"
                - Executes dropped EXE
                PID: 2848

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2688

            [4] C:\Windows\TEMP\f6519ec4.exe
                Command line: "C:\Windows\TEMP\f6519ec4.exe"
                - Executes dropped EXE
                PID: 1488

        [3] C:\Windows\TEMP\uin77.exe
            Command line: C:\Windows\TEMP\uin77.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 2588

            [4] C:\Windows\TEMP\f10b284c.exe
                Command line: "C:\Windows\TEMP\f10b284c.exe"
                - Executes dropped EXE
                PID: 1508

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 820
        - Loads dropped DLL
        - Program crash
        PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 173KB
MD5: 4be968d673f8ceabd4258456c9e23bc7
SHA1: 71c02fa92ec3dc94b9ef3889b677449570c56673
SHA256: 3b2dd6fdf9107a6b022f29424fcbe814deab9c5b745e9f4a619557e00a5caa9c
SHA512: b8ebecb5a1f76d82352f0836a71c351ae489b474dd4aee8e0132ef3787d0dc1914e36a5639cd6c8f7b4382ada6a9c2d4b46591322043069f1a504e4d7110c334

Filesize: 1.9MB
MD5: 76a0ecb70b7ca335fc5c906cac34ccc3
SHA1: dcec0d5b6989eaa6e943d05e3dd7a30dd3f71d75
SHA256: 81285b8aecfbd931e794342d80efc5f2792ce953eff2d00318736e7a077ae1a6
SHA512: 56df42ec2d354bb027f23c846c4651d7403745353558074b4e7feb6b421a666beeb8d9e7c7e2abf478aebd966008c0aa7ec764b6d2fc4ceb8ceba506f1ed650c

Filesize: 244KB
MD5: de3b294b4edf797dfa8f45b33a0317b4
SHA1: d46f49e223655eca9a21249a60de3719fe3795e0
SHA256: d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9
SHA512: 1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Filesize: 95KB
MD5: 35cd4c255b0e277c6b2e8db84b387a82
SHA1: d200ae287bfca34dc19294b5c64885f25743feed
SHA256: 147826b10636a9dc6a576618e95483848e930e000a47cb5aae91c379efd7e4de
SHA512: 0c2ef38f0cb9a57a825d87931285ccd24622747ee1c77146d694d4fc11b5c50c92d2c4f3c1f29e86350f037b9416e3fbdcb205b9a5bf2c2172f115e92f740d5f

Filesize: 95KB
MD5: e39ab07c259dbad8f2af02d2c17176d8
SHA1: d99ad6cecaa43ed0b4c74922cfb58da104995ddc
SHA256: c50faa0b8521fe4d0c32a0fc48bd9e90104cdfe10bf33a7fad3ec04602cf6564
SHA512: 2267bab51bc6bdced5717f3377c16af5cdc02d3c9ed841d335820d1788bbd45237980fcc3d51f63982853edabc75f22a0e14a0ada7a10b7063da9e1b529bffcc

Filesize: 173KB
MD5: 629217733c9035c8c845924626125b85
SHA1: 711f63124dca4001c01741847f0d8f7f19c22b46
SHA256: bc2c72241289bb1cfa8b36adce7696e9e79554a7d532d8c3c0a2a37fee269d83
SHA512: 22e0567e1c4e39c17306e8e509e0bf898970178247fc5b66f24cd59f895b151169019ed837cd05c6fee8178190966b1a0cb528ea64d248c427c6e470060ab6dc