blackmoon | 6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357b

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Size

2.1MB
MD5

31dd29ec3ac91d92e2cbe3c1c9f58240
SHA1

afbfa2285bdab52a34226fdf86cde3ad13370303
SHA256

6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357b
SHA512

e908f4c20612b3f29f806c60a7f3a76c8e5b6138a18df30feefcb146e9e76dcea2dc653f0d7bb53c356cb16db1ee9842e6964fa27cbbd122b5bbe9922e0efee4
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral2/memory/2716-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2584-12-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/5080-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/3096-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/3096-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/3096-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/3096-107-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/5080-110-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
2584	dazfuw.exe
5080	dazfuw.exe
3096	2221908858584556.exe
3932	uin77.exe
3076	f1573b97.exe
5048	uin77.exe
1188	f1ae162e.exe
4256	uin77.exe
1792	fb59a0a7.exe
4456	uin77.exe
2340	f02bed5d.exe
224	uin77.exe
3424	fae677c6.exe
4920	uin77.exe
4172	f490004f.exe
4784	uin77.exe
2780	f9733ee5.exe
4724	uin77.exe
5024	f32dd76e.exe
4428	uin77.exe
2668	f374b3f5.exe
1588	uin77.exe
956	f2ba9e8d.exe
3492	uin77.exe
1120	fc652806.exe
4636	uin77.exe
1232	f720b27e.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1512	cmd.exe
4872	cmd.exe
2620	cmd.exe
396	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dazfuw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dazfuw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dazfuw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dazfuw.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/2716-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-6.dat	upx
behavioral2/files/0x000400000001e4e1-13.dat	upx
behavioral2/memory/3096-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/2584-12-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/5080-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/3096-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/3096-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/3096-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/3096-107-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/5080-110-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\fonts\ijmarbc\dazfuw.exe	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
File created	\??\c:\windows\fonts\oydacj\rdeg.exe	dazfuw.exe
File created	\??\c:\windows\fonts\djabweu\vgjiun.exe	dazfuw.exe
File created	\??\c:\windows\fonts\ijmarbc\dazfuw.exe	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5060	5080	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dazfuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2221908858584556.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dazfuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1052	cmd.exe
1056	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dazfuw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dazfuw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dazfuw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dazfuw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dazfuw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dazfuw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dazfuw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dazfuw.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1056	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
2584	dazfuw.exe
2584	dazfuw.exe
5080	dazfuw.exe
5080	dazfuw.exe
3932	uin77.exe
3932	uin77.exe
3932	uin77.exe
3932	uin77.exe
3076	f1573b97.exe
3076	f1573b97.exe
3076	f1573b97.exe
3076	f1573b97.exe
5048	uin77.exe
5048	uin77.exe
5048	uin77.exe
5048	uin77.exe
1188	f1ae162e.exe
1188	f1ae162e.exe
1188	f1ae162e.exe
1188	f1ae162e.exe
4256	uin77.exe
4256	uin77.exe
4256	uin77.exe
4256	uin77.exe
1792	fb59a0a7.exe
1792	fb59a0a7.exe
1792	fb59a0a7.exe
1792	fb59a0a7.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe
3096	2221908858584556.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
Token: SeDebugPrivilege	2584	dazfuw.exe
Token: SeDebugPrivilege	5080	dazfuw.exe
Token: SeAssignPrimaryTokenPrivilege	2396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2396	WMIC.exe
Token: SeSecurityPrivilege	2396	WMIC.exe
Token: SeTakeOwnershipPrivilege	2396	WMIC.exe
Token: SeLoadDriverPrivilege	2396	WMIC.exe
Token: SeSystemtimePrivilege	2396	WMIC.exe
Token: SeBackupPrivilege	2396	WMIC.exe
Token: SeRestorePrivilege	2396	WMIC.exe
Token: SeShutdownPrivilege	2396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2396	WMIC.exe
Token: SeUndockPrivilege	2396	WMIC.exe
Token: SeManageVolumePrivilege	2396	WMIC.exe
Token: SeDebugPrivilege	3932	uin77.exe
Token: SeAssignPrimaryTokenPrivilege	2396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2396	WMIC.exe
Token: SeSecurityPrivilege	2396	WMIC.exe
Token: SeTakeOwnershipPrivilege	2396	WMIC.exe
Token: SeLoadDriverPrivilege	2396	WMIC.exe
Token: SeSystemtimePrivilege	2396	WMIC.exe
Token: SeBackupPrivilege	2396	WMIC.exe
Token: SeRestorePrivilege	2396	WMIC.exe
Token: SeShutdownPrivilege	2396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2396	WMIC.exe
Token: SeUndockPrivilege	2396	WMIC.exe
Token: SeManageVolumePrivilege	2396	WMIC.exe
Token: SeDebugPrivilege	3076	f1573b97.exe
Token: SeAssignPrimaryTokenPrivilege	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
2584	dazfuw.exe
5080	dazfuw.exe
3096	2221908858584556.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1052	2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	85
PID 2716 wrote to memory of 1052	2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	85
PID 2716 wrote to memory of 1052	2716	6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe	85
PID 1052 wrote to memory of 1056	1052	cmd.exe	87
PID 1052 wrote to memory of 1056	1052	cmd.exe	87
PID 1052 wrote to memory of 1056	1052	cmd.exe	87
PID 1052 wrote to memory of 2584	1052	cmd.exe	89
PID 1052 wrote to memory of 2584	1052	cmd.exe	89
PID 1052 wrote to memory of 2584	1052	cmd.exe	89
PID 5080 wrote to memory of 3096	5080	dazfuw.exe	91
PID 5080 wrote to memory of 3096	5080	dazfuw.exe	91
PID 5080 wrote to memory of 3096	5080	dazfuw.exe	91
PID 3096 wrote to memory of 2620	3096	2221908858584556.exe	92
PID 3096 wrote to memory of 2620	3096	2221908858584556.exe	92
PID 3096 wrote to memory of 2620	3096	2221908858584556.exe	92
PID 3096 wrote to memory of 2088	3096	2221908858584556.exe	93
PID 3096 wrote to memory of 2088	3096	2221908858584556.exe	93
PID 3096 wrote to memory of 2088	3096	2221908858584556.exe	93
PID 2620 wrote to memory of 400	2620	cmd.exe	96
PID 2620 wrote to memory of 400	2620	cmd.exe	96
PID 2620 wrote to memory of 400	2620	cmd.exe	96
PID 2088 wrote to memory of 2396	2088	cmd.exe	97
PID 2088 wrote to memory of 2396	2088	cmd.exe	97
PID 2088 wrote to memory of 2396	2088	cmd.exe	97
PID 3096 wrote to memory of 3932	3096	2221908858584556.exe	98
PID 3096 wrote to memory of 3932	3096	2221908858584556.exe	98
PID 3096 wrote to memory of 3932	3096	2221908858584556.exe	98
PID 3932 wrote to memory of 3076	3932	uin77.exe	99
PID 3932 wrote to memory of 3076	3932	uin77.exe	99
PID 2088 wrote to memory of 5004	2088	cmd.exe	100
PID 2088 wrote to memory of 5004	2088	cmd.exe	100
PID 2088 wrote to memory of 5004	2088	cmd.exe	100
PID 2088 wrote to memory of 2360	2088	cmd.exe	101
PID 2088 wrote to memory of 2360	2088	cmd.exe	101
PID 2088 wrote to memory of 2360	2088	cmd.exe	101
PID 3096 wrote to memory of 5048	3096	2221908858584556.exe	108
PID 3096 wrote to memory of 5048	3096	2221908858584556.exe	108
PID 3096 wrote to memory of 5048	3096	2221908858584556.exe	108
PID 5048 wrote to memory of 1188	5048	uin77.exe	109
PID 5048 wrote to memory of 1188	5048	uin77.exe	109
PID 3096 wrote to memory of 4256	3096	2221908858584556.exe	116
PID 3096 wrote to memory of 4256	3096	2221908858584556.exe	116
PID 3096 wrote to memory of 4256	3096	2221908858584556.exe	116
PID 4256 wrote to memory of 1792	4256	uin77.exe	117
PID 4256 wrote to memory of 1792	4256	uin77.exe	117
PID 3096 wrote to memory of 396	3096	2221908858584556.exe	118
PID 3096 wrote to memory of 396	3096	2221908858584556.exe	118
PID 3096 wrote to memory of 396	3096	2221908858584556.exe	118
PID 3096 wrote to memory of 4112	3096	2221908858584556.exe	119
PID 3096 wrote to memory of 4112	3096	2221908858584556.exe	119
PID 3096 wrote to memory of 4112	3096	2221908858584556.exe	119
PID 3096 wrote to memory of 4456	3096	2221908858584556.exe	122
PID 3096 wrote to memory of 4456	3096	2221908858584556.exe	122
PID 3096 wrote to memory of 4456	3096	2221908858584556.exe	122
PID 396 wrote to memory of 2648	396	cmd.exe	123
PID 396 wrote to memory of 2648	396	cmd.exe	123
PID 396 wrote to memory of 2648	396	cmd.exe	123
PID 4112 wrote to memory of 2924	4112	cmd.exe	124
PID 4112 wrote to memory of 2924	4112	cmd.exe	124
PID 4112 wrote to memory of 2924	4112	cmd.exe	124
PID 4456 wrote to memory of 2340	4456	uin77.exe	125
PID 4456 wrote to memory of 2340	4456	uin77.exe	125
PID 4112 wrote to memory of 5076	4112	cmd.exe	126
PID 4112 wrote to memory of 5076	4112	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe
"C:\Users\Admin\AppData\Local\Temp\6c67d619625fd25065006383c51d6692c7ffb8ef10bbf6a5dd87a1846ce1357bN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ijmarbc\dazfuw.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1056
- - \??\c:\windows\fonts\ijmarbc\dazfuw.exe
    c:\windows\fonts\ijmarbc\dazfuw.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2584

\??\c:\windows\fonts\ijmarbc\dazfuw.exe
c:\windows\fonts\ijmarbc\dazfuw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\TEMP\2221908858584556.exe
  C:\Windows\TEMP\2221908858584556.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN wlvuj /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN wlvuj /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\TEMP\f1573b97.exe
      "C:\Windows\TEMP\f1573b97.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3076
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\TEMP\f1ae162e.exe
      "C:\Windows\TEMP\f1ae162e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1188
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\TEMP\fb59a0a7.exe
      "C:\Windows\TEMP\fb59a0a7.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN wlvuj /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN wlvuj /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:60
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\TEMP\f02bed5d.exe
      "C:\Windows\TEMP\f02bed5d.exe"
      4⤵
      Executes dropped EXE
      PID:2340
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:224
  - - C:\Windows\TEMP\fae677c6.exe
      "C:\Windows\TEMP\fae677c6.exe"
      4⤵
      Executes dropped EXE
      PID:3424
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4920
  - - C:\Windows\TEMP\f490004f.exe
      "C:\Windows\TEMP\f490004f.exe"
      4⤵
      Executes dropped EXE
      PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN wlvuj /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN wlvuj /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3688
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4784
  - - C:\Windows\TEMP\f9733ee5.exe
      "C:\Windows\TEMP\f9733ee5.exe"
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4724
  - - C:\Windows\TEMP\f32dd76e.exe
      "C:\Windows\TEMP\f32dd76e.exe"
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4428
  - - C:\Windows\TEMP\f374b3f5.exe
      "C:\Windows\TEMP\f374b3f5.exe"
      4⤵
      Executes dropped EXE
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN cure /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:4872
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN cure /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pdxhgs" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="qmlid" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pdxhgs'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pdxhgs" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:632
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="qmlid" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3364
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pdxhgs'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1588
  - - C:\Windows\TEMP\f2ba9e8d.exe
      "C:\Windows\TEMP\f2ba9e8d.exe"
      4⤵
      Executes dropped EXE
      PID:956
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3492
  - - C:\Windows\TEMP\fc652806.exe
      "C:\Windows\TEMP\fc652806.exe"
      4⤵
      Executes dropped EXE
      PID:1120
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4636
  - - C:\Windows\TEMP\f720b27e.exe
      "C:\Windows\TEMP\f720b27e.exe"
      4⤵
      Executes dropped EXE
      PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1324
  2⤵
  - Program crash
  PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5080 -ip 5080
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\ijmarbc\dazfuw.exe

Filesize
2.1MB

MD5
d5dceeb769511d06e04d742a8c02cf54

SHA1
0f94511a1cd1ab481abff8afa849132748af375b

SHA256
d7401d39a6af5134ac7ca3333ec4ae8710e6efa4f4088c660b4880202f74d9f6

SHA512
1c126692fd300a16805bc623ddf9748faacf210108e3fdbff0bfbcf318075575bd42d95cb3199adcc7ff2687c5f5e71ca48fb8db4b2f8458171ed95d0a3adf77

Download Submit
C:\Windows\Temp\2221908858584556.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\Temp\f1573b97.exe

Filesize
95KB

MD5
692f63018525d7bc6eebf733568dbdcb

SHA1
28cd1b0606b5d66f0d43ade75c0bb4ca168c6cf6

SHA256
22e7ee4e58de27a3d303c76cf3f94cdefcdfdfbca7509617c8fc16f8c04ada6c

SHA512
84384be7725519d2c7ba9e7aff643aedc89d3c754d0b9ffc1f0e1c2216205ff010ff961ac4a044871a9372f6340c1a515213bd88601610d3aa5d22f618a9ed1e

Download Submit
C:\Windows\Temp\f9733ee5.exe

Filesize
95KB

MD5
1c6f0257b0dd2992ae828a849c7861d0

SHA1
3abfa2bb4aa5c07ebd51c7762c8898967e9af3f2

SHA256
8fbf3bf6b90664ac5199fdd059e1ba3fa8feab2b0d7094c25ba7ca23ce283242

SHA512
f02e626015d7ffd44553ba8af6f1b5be4208b21fb67703eff93a3dbcf2e08638db865f1427a0d2f1dbe8a0f91ff26a477852d0c92b69815618183312d5bcd06e

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
bc5769af922f9c090288ce3a91324639

SHA1
694fddf04fc22f2bdc4bd0b2c5512253c8ec5e0d

SHA256
6d846e70f69c4a13621ea290464991c8d634f176ecd8cd111a2d7d4897432964

SHA512
4d3f225b4ec8a3fc44bfc6ff1d5e710d3d675aeb63eeff322fd240cf9a5dc5240acb60b0fa0b4ea9d47d2f7ae4dec9a294116ec4cbc5ac0d9f65c3fe6f06ecb8

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
c17fadedd6f88f9a41fb45796506360b

SHA1
4b9813bb75f5305c386bc9e81ed40db89e3ed2ce

SHA256
43ba8e0a74e3af033345f66e4b19ece3e895b4f40fe704a98548d152932e7906

SHA512
a98292f0dc4692348fc76de73ee21691d5004b590d9578d98c7c47bf7486376f69ad2548e1a65d4f521c3b42f13fd61ab426f01c4bc958fbac422c794e310bfa

Download Submit
memory/2584-12-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2716-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2716-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3096-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3096-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3096-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3096-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3096-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5080-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5080-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download