blackmoon | 2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
Size

1.9MB
MD5

ec875cd387239311582c3e0ddcdedddc
SHA1

ab905bdb6ba1543860e5bdad4359f44b469d3c6d
SHA256

2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c
SHA512

ebfcdff666c891fe6ae8b82b00ac58c3809643cde057896536c9c62b97e42a2833220e6c9dbf60e54aba11f37b4c374b2f2264b8dbd550983b4f12503411c4b2
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y4:fNKl6b8JYgyP8WTGIuhZvPqw

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 9 IoCs

resource	yara_rule
behavioral2/memory/4560-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4476-11-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/3008-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/5064-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/5064-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/5064-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/5064-84-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/5064-107-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/3008-110-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
4476	smfylpa.exe
3008	smfylpa.exe
5064	9963622799115769.exe
1872	uin77.exe
2604	de03c111.exe
4356	uin77.exe
576	d9ce5a9a.exe
4116	uin77.exe
1676	d389f413.exe
2692	uin77.exe
4052	d85b21b9.exe
1292	uin77.exe
1372	d206bb32.exe
3960	uin77.exe
5096	dcc045bb.exe
4520	uin77.exe
964	d1937251.exe
3776	uin77.exe
3388	db5d1cda.exe
1932	uin77.exe
5044	d508a543.exe
3644	uin77.exe
2616	d55f81da.exe
4944	uin77.exe
2468	d4956c71.exe
4548	uin77.exe
768	de40f6ea.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
4824	cmd.exe
4000	cmd.exe
1616	cmd.exe
1784	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	smfylpa.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	smfylpa.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	smfylpa.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	smfylpa.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4560-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000b000000023b8a-6.dat	upx
behavioral2/memory/4476-11-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000200000001e72a-15.dat	upx
behavioral2/memory/5064-14-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/3008-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/5064-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/5064-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/5064-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/5064-84-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/5064-107-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/3008-110-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\fonts\mwdarnie\smfylpa.exe	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
File created	\??\c:\windows\fonts\cipfaug\wdcyg.exe	smfylpa.exe
File created	\??\c:\windows\fonts\xqrsdby\fcqags.exe	smfylpa.exe
File created	\??\c:\windows\fonts\mwdarnie\smfylpa.exe	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	3008	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smfylpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9963622799115769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smfylpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3388	cmd.exe
3776	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	smfylpa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	smfylpa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	smfylpa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	smfylpa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	smfylpa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	smfylpa.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	smfylpa.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	smfylpa.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
4476	smfylpa.exe
4476	smfylpa.exe
3008	smfylpa.exe
3008	smfylpa.exe
1872	uin77.exe
1872	uin77.exe
1872	uin77.exe
1872	uin77.exe
2604	de03c111.exe
2604	de03c111.exe
2604	de03c111.exe
2604	de03c111.exe
4356	uin77.exe
4356	uin77.exe
4356	uin77.exe
4356	uin77.exe
576	d9ce5a9a.exe
576	d9ce5a9a.exe
576	d9ce5a9a.exe
576	d9ce5a9a.exe
4116	uin77.exe
4116	uin77.exe
4116	uin77.exe
4116	uin77.exe
1676	d389f413.exe
1676	d389f413.exe
1676	d389f413.exe
1676	d389f413.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe
5064	9963622799115769.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
Token: SeDebugPrivilege	4476	smfylpa.exe
Token: SeDebugPrivilege	3008	smfylpa.exe
Token: SeDebugPrivilege	1872	uin77.exe
Token: SeAssignPrimaryTokenPrivilege	1432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	2604	de03c111.exe
Token: SeAssignPrimaryTokenPrivilege	1432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2616	WMIC.exe
Token: SeSecurityPrivilege	2616	WMIC.exe
Token: SeTakeOwnershipPrivilege	2616	WMIC.exe
Token: SeLoadDriverPrivilege	2616	WMIC.exe
Token: SeSystemtimePrivilege	2616	WMIC.exe
Token: SeBackupPrivilege	2616	WMIC.exe
Token: SeRestorePrivilege	2616	WMIC.exe
Token: SeShutdownPrivilege	2616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2616	WMIC.exe
Token: SeUndockPrivilege	2616	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
4476	smfylpa.exe
3008	smfylpa.exe
5064	9963622799115769.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3388	4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe	82
PID 4560 wrote to memory of 3388	4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe	82
PID 4560 wrote to memory of 3388	4560	2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe	82
PID 3388 wrote to memory of 3776	3388	cmd.exe	84
PID 3388 wrote to memory of 3776	3388	cmd.exe	84
PID 3388 wrote to memory of 3776	3388	cmd.exe	84
PID 3388 wrote to memory of 4476	3388	cmd.exe	85
PID 3388 wrote to memory of 4476	3388	cmd.exe	85
PID 3388 wrote to memory of 4476	3388	cmd.exe	85
PID 3008 wrote to memory of 5064	3008	smfylpa.exe	87
PID 3008 wrote to memory of 5064	3008	smfylpa.exe	87
PID 3008 wrote to memory of 5064	3008	smfylpa.exe	87
PID 5064 wrote to memory of 4824	5064	9963622799115769.exe	88
PID 5064 wrote to memory of 4824	5064	9963622799115769.exe	88
PID 5064 wrote to memory of 4824	5064	9963622799115769.exe	88
PID 5064 wrote to memory of 1772	5064	9963622799115769.exe	89
PID 5064 wrote to memory of 1772	5064	9963622799115769.exe	89
PID 5064 wrote to memory of 1772	5064	9963622799115769.exe	89
PID 4824 wrote to memory of 1412	4824	cmd.exe	92
PID 4824 wrote to memory of 1412	4824	cmd.exe	92
PID 4824 wrote to memory of 1412	4824	cmd.exe	92
PID 5064 wrote to memory of 1872	5064	9963622799115769.exe	93
PID 5064 wrote to memory of 1872	5064	9963622799115769.exe	93
PID 5064 wrote to memory of 1872	5064	9963622799115769.exe	93
PID 1772 wrote to memory of 1432	1772	cmd.exe	94
PID 1772 wrote to memory of 1432	1772	cmd.exe	94
PID 1772 wrote to memory of 1432	1772	cmd.exe	94
PID 1872 wrote to memory of 2604	1872	uin77.exe	95
PID 1872 wrote to memory of 2604	1872	uin77.exe	95
PID 1772 wrote to memory of 1776	1772	cmd.exe	96
PID 1772 wrote to memory of 1776	1772	cmd.exe	96
PID 1772 wrote to memory of 1776	1772	cmd.exe	96
PID 1772 wrote to memory of 2616	1772	cmd.exe	97
PID 1772 wrote to memory of 2616	1772	cmd.exe	97
PID 1772 wrote to memory of 2616	1772	cmd.exe	97
PID 5064 wrote to memory of 4356	5064	9963622799115769.exe	103
PID 5064 wrote to memory of 4356	5064	9963622799115769.exe	103
PID 5064 wrote to memory of 4356	5064	9963622799115769.exe	103
PID 4356 wrote to memory of 576	4356	uin77.exe	104
PID 4356 wrote to memory of 576	4356	uin77.exe	104
PID 5064 wrote to memory of 4116	5064	9963622799115769.exe	107
PID 5064 wrote to memory of 4116	5064	9963622799115769.exe	107
PID 5064 wrote to memory of 4116	5064	9963622799115769.exe	107
PID 4116 wrote to memory of 1676	4116	uin77.exe	108
PID 4116 wrote to memory of 1676	4116	uin77.exe	108
PID 5064 wrote to memory of 4000	5064	9963622799115769.exe	109
PID 5064 wrote to memory of 4000	5064	9963622799115769.exe	109
PID 5064 wrote to memory of 4000	5064	9963622799115769.exe	109
PID 5064 wrote to memory of 4752	5064	9963622799115769.exe	110
PID 5064 wrote to memory of 4752	5064	9963622799115769.exe	110
PID 5064 wrote to memory of 4752	5064	9963622799115769.exe	110
PID 4000 wrote to memory of 1712	4000	cmd.exe	113
PID 4000 wrote to memory of 1712	4000	cmd.exe	113
PID 4000 wrote to memory of 1712	4000	cmd.exe	113
PID 5064 wrote to memory of 2692	5064	9963622799115769.exe	114
PID 5064 wrote to memory of 2692	5064	9963622799115769.exe	114
PID 5064 wrote to memory of 2692	5064	9963622799115769.exe	114
PID 4752 wrote to memory of 2432	4752	cmd.exe	115
PID 4752 wrote to memory of 2432	4752	cmd.exe	115
PID 4752 wrote to memory of 2432	4752	cmd.exe	115
PID 2692 wrote to memory of 4052	2692	uin77.exe	116
PID 2692 wrote to memory of 4052	2692	uin77.exe	116
PID 4752 wrote to memory of 4156	4752	cmd.exe	117
PID 4752 wrote to memory of 4156	4752	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe
"C:\Users\Admin\AppData\Local\Temp\2a86de51dd8ada59e1bdf188fea1d1ba828d595ee5d7fff173cf34f5515e048c.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\mwdarnie\smfylpa.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3776
- - \??\c:\windows\fonts\mwdarnie\smfylpa.exe
    c:\windows\fonts\mwdarnie\smfylpa.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4476

\??\c:\windows\fonts\mwdarnie\smfylpa.exe
c:\windows\fonts\mwdarnie\smfylpa.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\TEMP\9963622799115769.exe
  C:\Windows\TEMP\9963622799115769.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dnypr /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dnypr /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1432
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2616
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\TEMP\de03c111.exe
      "C:\Windows\TEMP\de03c111.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\TEMP\d9ce5a9a.exe
      "C:\Windows\TEMP\d9ce5a9a.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:576
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\TEMP\d389f413.exe
      "C:\Windows\TEMP\d389f413.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dnypr /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dnypr /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2432
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4128
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\TEMP\d85b21b9.exe
      "C:\Windows\TEMP\d85b21b9.exe"
      4⤵
      Executes dropped EXE
      PID:4052
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1292
  - - C:\Windows\TEMP\d206bb32.exe
      "C:\Windows\TEMP\d206bb32.exe"
      4⤵
      Executes dropped EXE
      PID:1372
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3960
  - - C:\Windows\TEMP\dcc045bb.exe
      "C:\Windows\TEMP\dcc045bb.exe"
      4⤵
      Executes dropped EXE
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN dnypr /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN dnypr /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="gaz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="cfwhb" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='gaz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:744
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4520
  - - C:\Windows\TEMP\d1937251.exe
      "C:\Windows\TEMP\d1937251.exe"
      4⤵
      Executes dropped EXE
      PID:964
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3776
  - - C:\Windows\TEMP\db5d1cda.exe
      "C:\Windows\TEMP\db5d1cda.exe"
      4⤵
      Executes dropped EXE
      PID:3388
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\TEMP\d508a543.exe
      "C:\Windows\TEMP\d508a543.exe"
      4⤵
      Executes dropped EXE
      PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN cqjxr /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN cqjxr /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="orasl" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="queio" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='orasl'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="orasl" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="queio" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='orasl'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3644
  - - C:\Windows\TEMP\d55f81da.exe
      "C:\Windows\TEMP\d55f81da.exe"
      4⤵
      Executes dropped EXE
      PID:2616
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4944
  - - C:\Windows\TEMP\d4956c71.exe
      "C:\Windows\TEMP\d4956c71.exe"
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4548
  - - C:\Windows\TEMP\de40f6ea.exe
      "C:\Windows\TEMP\de40f6ea.exe"
      4⤵
      Executes dropped EXE
      PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1328
  2⤵
  - Program crash
  PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\mwdarnie\smfylpa.exe

Filesize
2.0MB

MD5
e082553b8724a96ad489683c1be26a41

SHA1
9915693901dde89afe1b52225f300cc5907e020d

SHA256
a133b874596058fd0581ab6a29276d36bc819a94dbb6b515d719f2382e01c06d

SHA512
4dadc682209287a21f70443e43c2cde13a542215b109faa9180ba9c94f445f674874319669eb853914fbf9649d473c7874d60c38138367cdc135f09125b36e70

Download Submit
C:\Windows\TEMP\9963622799115769.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\TEMP\d1937251.exe

Filesize
95KB

MD5
85888e731242c7eabf8d0832d6e293a4

SHA1
5f1d84e46a437d1bef1ed5f38799bf3a205b7160

SHA256
09d7effe489baf58b68690deeebd48f62464e6b1368c049d7f10946030873a27

SHA512
3051168ce183314896950fac2bcbe66286800abfdee0ce0a5ecd933ec0572e017eeb7f6e056266a8346b3c0a30bd5f38cf48cef1d448c16a241e679149b4718e

Download Submit
C:\Windows\Temp\de03c111.exe

Filesize
95KB

MD5
43764ee8490518c5c14472e6ddd368a5

SHA1
883360a38bb54cf09b77f00d9b2d85b04be9dd52

SHA256
b031dea33955cc393484e544a22d886c28f2a13ce2e75f2e5bc02323868ec1cc

SHA512
b6d1c1b5fbe74ab6e61ae2adbc8aceb70ff84dfb9d4769803f00cb24925cd84451ff8f8011d19d4fcb530d636b824b7608971b13a56109e9c257af91992f793e

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
3f12654eb3d9c3f9b7c29b4d9765f88e

SHA1
ad22200fe51a18c0a1310baf3faa5873c326828b

SHA256
846bb05819e5596538fede0e4008a49226b3b5a286d5e66e0f2ce0561c91169f

SHA512
8e87503ace64091683a18509112978fc27012119b31eecea86ca94371f89cd14b20f2fdde3cbbcbddbf759daaacb53eaf3b351f5ab5756931fdcdcb38719db8d

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
a55f37e7158d243cf1c9d35caf58e91b

SHA1
614d941fe3e35ebd7d9b20e6ef70d181ecf11747

SHA256
9482a9123621bc2a6c8f6e122ff5b742d31fd49406662d63d5a151313f5b6961

SHA512
0e073347dfec9fa9159bfd429fa9cc67450fa122dfa3a35ffc7234362e1f7b4ba51ab4b7dc091602a64af122be0f598358fbc584d063a60bc081e02491d53b7a

Download Submit
memory/3008-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3008-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4476-11-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4560-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4560-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5064-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5064-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5064-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5064-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5064-84-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5064-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download