blackmoon | b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Size

2.8MB
MD5

872174dfea3ac9ff2a3c96ac1602d7ae
SHA1

61477e372556c428bb7c8ff544092b5a9a0b54fc
SHA256

b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba
SHA512

2c665ff14870f2453c54a7a531dca88a83038380a6e7b1494b95c7a9b31424b3d87526a8fa688fa422c20c1a166f8adbd5d730a493235e5274f9ecf3745f67c3
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Yo:fNKl6b8JYgyP8WTGIuhZvPqA

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral2/memory/4536-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2952-11-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/1088-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/1480-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/1480-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/1480-107-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/1088-110-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
2952	aiyerc.exe
1088	aiyerc.exe
1480	3817271794814901.exe
4808	uin77.exe
2408	83684c80.exe
876	uin77.exe
4228	8e23d6f9.exe
680	uin77.exe
4828	88ee6f72.exe
4752	uin77.exe
5116	8db0ad28.exe
3836	uin77.exe
1836	876b3691.exe
4864	uin77.exe
2908	8126c01a.exe
4964	uin77.exe
2600	86f8fdb0.exe
1716	uin77.exe
2584	80b39738.exe
2436	uin77.exe
4468	8a6d21b1.exe
1660	uin77.exe
4976	8aa40c49.exe
4376	uin77.exe
1976	89fae8d0.exe
3304	uin77.exe
3164	84a57149.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3180	cmd.exe
3704	cmd.exe
900	cmd.exe
3304	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	aiyerc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	aiyerc.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4536-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4536-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-6.dat	upx
behavioral2/memory/2952-11-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000300000001e754-13.dat	upx
behavioral2/memory/1480-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/1088-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/1480-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/1480-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/1480-107-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/1088-110-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\zbgcual\aiyerc.exe	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
File opened for modification	\??\c:\windows\fonts\zbgcual\aiyerc.exe	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
File created	\??\c:\windows\fonts\emhiuc\masp.exe	aiyerc.exe
File created	\??\c:\windows\fonts\cxusbz\zscpvf.exe	aiyerc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3288	1088	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aiyerc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3817271794814901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aiyerc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
508	PING.EXE
5024	cmd.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	aiyerc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	aiyerc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	aiyerc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	aiyerc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
508	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
2952	aiyerc.exe
2952	aiyerc.exe
1088	aiyerc.exe
1088	aiyerc.exe
4808	uin77.exe
4808	uin77.exe
4808	uin77.exe
4808	uin77.exe
2408	83684c80.exe
2408	83684c80.exe
2408	83684c80.exe
2408	83684c80.exe
876	uin77.exe
876	uin77.exe
876	uin77.exe
876	uin77.exe
4228	8e23d6f9.exe
4228	8e23d6f9.exe
4228	8e23d6f9.exe
4228	8e23d6f9.exe
680	uin77.exe
680	uin77.exe
680	uin77.exe
680	uin77.exe
4828	88ee6f72.exe
4828	88ee6f72.exe
4828	88ee6f72.exe
4828	88ee6f72.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe
1480	3817271794814901.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
Token: SeDebugPrivilege	2952	aiyerc.exe
Token: SeDebugPrivilege	1088	aiyerc.exe
Token: SeDebugPrivilege	4808	uin77.exe
Token: SeDebugPrivilege	2408	83684c80.exe
Token: SeAssignPrimaryTokenPrivilege	1184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeBackupPrivilege	1184	WMIC.exe
Token: SeRestorePrivilege	1184	WMIC.exe
Token: SeShutdownPrivilege	1184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1184	WMIC.exe
Token: SeUndockPrivilege	1184	WMIC.exe
Token: SeManageVolumePrivilege	1184	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeBackupPrivilege	1184	WMIC.exe
Token: SeRestorePrivilege	1184	WMIC.exe
Token: SeShutdownPrivilege	1184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1184	WMIC.exe
Token: SeUndockPrivilege	1184	WMIC.exe
Token: SeManageVolumePrivilege	1184	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1076	WMIC.exe
Token: SeSecurityPrivilege	1076	WMIC.exe
Token: SeTakeOwnershipPrivilege	1076	WMIC.exe
Token: SeLoadDriverPrivilege	1076	WMIC.exe
Token: SeSystemtimePrivilege	1076	WMIC.exe
Token: SeBackupPrivilege	1076	WMIC.exe
Token: SeRestorePrivilege	1076	WMIC.exe
Token: SeShutdownPrivilege	1076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1076	WMIC.exe
Token: SeUndockPrivilege	1076	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
2952	aiyerc.exe
1088	aiyerc.exe
1480	3817271794814901.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 5024	4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	82
PID 4536 wrote to memory of 5024	4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	82
PID 4536 wrote to memory of 5024	4536	b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe	82
PID 5024 wrote to memory of 508	5024	cmd.exe	84
PID 5024 wrote to memory of 508	5024	cmd.exe	84
PID 5024 wrote to memory of 508	5024	cmd.exe	84
PID 5024 wrote to memory of 2952	5024	cmd.exe	85
PID 5024 wrote to memory of 2952	5024	cmd.exe	85
PID 5024 wrote to memory of 2952	5024	cmd.exe	85
PID 1088 wrote to memory of 1480	1088	aiyerc.exe	87
PID 1088 wrote to memory of 1480	1088	aiyerc.exe	87
PID 1088 wrote to memory of 1480	1088	aiyerc.exe	87
PID 1480 wrote to memory of 900	1480	3817271794814901.exe	88
PID 1480 wrote to memory of 900	1480	3817271794814901.exe	88
PID 1480 wrote to memory of 900	1480	3817271794814901.exe	88
PID 1480 wrote to memory of 1932	1480	3817271794814901.exe	89
PID 1480 wrote to memory of 1932	1480	3817271794814901.exe	89
PID 1480 wrote to memory of 1932	1480	3817271794814901.exe	89
PID 1480 wrote to memory of 4808	1480	3817271794814901.exe	92
PID 1480 wrote to memory of 4808	1480	3817271794814901.exe	92
PID 1480 wrote to memory of 4808	1480	3817271794814901.exe	92
PID 900 wrote to memory of 3028	900	cmd.exe	93
PID 900 wrote to memory of 3028	900	cmd.exe	93
PID 900 wrote to memory of 3028	900	cmd.exe	93
PID 1932 wrote to memory of 1184	1932	cmd.exe	94
PID 1932 wrote to memory of 1184	1932	cmd.exe	94
PID 1932 wrote to memory of 1184	1932	cmd.exe	94
PID 4808 wrote to memory of 2408	4808	uin77.exe	95
PID 4808 wrote to memory of 2408	4808	uin77.exe	95
PID 1932 wrote to memory of 3844	1932	cmd.exe	96
PID 1932 wrote to memory of 3844	1932	cmd.exe	96
PID 1932 wrote to memory of 3844	1932	cmd.exe	96
PID 1932 wrote to memory of 1076	1932	cmd.exe	97
PID 1932 wrote to memory of 1076	1932	cmd.exe	97
PID 1932 wrote to memory of 1076	1932	cmd.exe	97
PID 1480 wrote to memory of 876	1480	3817271794814901.exe	98
PID 1480 wrote to memory of 876	1480	3817271794814901.exe	98
PID 1480 wrote to memory of 876	1480	3817271794814901.exe	98
PID 876 wrote to memory of 4228	876	uin77.exe	99
PID 876 wrote to memory of 4228	876	uin77.exe	99
PID 1480 wrote to memory of 680	1480	3817271794814901.exe	102
PID 1480 wrote to memory of 680	1480	3817271794814901.exe	102
PID 1480 wrote to memory of 680	1480	3817271794814901.exe	102
PID 680 wrote to memory of 4828	680	uin77.exe	103
PID 680 wrote to memory of 4828	680	uin77.exe	103
PID 1480 wrote to memory of 3304	1480	3817271794814901.exe	107
PID 1480 wrote to memory of 3304	1480	3817271794814901.exe	107
PID 1480 wrote to memory of 3304	1480	3817271794814901.exe	107
PID 1480 wrote to memory of 4504	1480	3817271794814901.exe	108
PID 1480 wrote to memory of 4504	1480	3817271794814901.exe	108
PID 1480 wrote to memory of 4504	1480	3817271794814901.exe	108
PID 1480 wrote to memory of 4752	1480	3817271794814901.exe	112
PID 1480 wrote to memory of 4752	1480	3817271794814901.exe	112
PID 1480 wrote to memory of 4752	1480	3817271794814901.exe	112
PID 4504 wrote to memory of 2148	4504	cmd.exe	113
PID 4504 wrote to memory of 2148	4504	cmd.exe	113
PID 4504 wrote to memory of 2148	4504	cmd.exe	113
PID 3304 wrote to memory of 4108	3304	cmd.exe	114
PID 3304 wrote to memory of 4108	3304	cmd.exe	114
PID 3304 wrote to memory of 4108	3304	cmd.exe	114
PID 4752 wrote to memory of 5116	4752	uin77.exe	115
PID 4752 wrote to memory of 5116	4752	uin77.exe	115
PID 4504 wrote to memory of 524	4504	cmd.exe	117
PID 4504 wrote to memory of 524	4504	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe
"C:\Users\Admin\AppData\Local\Temp\b77c47033b141e00d799971337da996e22c03dab34e39292837f10cf5611adba.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\zbgcual\aiyerc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:508
- - \??\c:\windows\fonts\zbgcual\aiyerc.exe
    c:\windows\fonts\zbgcual\aiyerc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2952

\??\c:\windows\fonts\zbgcual\aiyerc.exe
c:\windows\fonts\zbgcual\aiyerc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\TEMP\3817271794814901.exe
  C:\Windows\TEMP\3817271794814901.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1076
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\TEMP\83684c80.exe
      "C:\Windows\TEMP\83684c80.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\TEMP\8e23d6f9.exe
      "C:\Windows\TEMP\8e23d6f9.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4228
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\TEMP\88ee6f72.exe
      "C:\Windows\TEMP\88ee6f72.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:524
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2576
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\TEMP\8db0ad28.exe
      "C:\Windows\TEMP\8db0ad28.exe"
      4⤵
      Executes dropped EXE
      PID:5116
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3836
  - - C:\Windows\TEMP\876b3691.exe
      "C:\Windows\TEMP\876b3691.exe"
      4⤵
      Executes dropped EXE
      PID:1836
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864
  - - C:\Windows\TEMP\8126c01a.exe
      "C:\Windows\TEMP\8126c01a.exe"
      4⤵
      Executes dropped EXE
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN uxiwd /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN uxiwd /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="wfuad" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uxbfo" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='wfuad'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3520
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4964
  - - C:\Windows\TEMP\86f8fdb0.exe
      "C:\Windows\TEMP\86f8fdb0.exe"
      4⤵
      Executes dropped EXE
      PID:2600
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\TEMP\80b39738.exe
      "C:\Windows\TEMP\80b39738.exe"
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
  - - C:\Windows\TEMP\8a6d21b1.exe
      "C:\Windows\TEMP\8a6d21b1.exe"
      4⤵
      Executes dropped EXE
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN mcfga /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3704
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN mcfga /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuh" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="gifxc" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuh'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuh" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="gifxc" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuh'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3200
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1660
  - - C:\Windows\TEMP\8aa40c49.exe
      "C:\Windows\TEMP\8aa40c49.exe"
      4⤵
      Executes dropped EXE
      PID:4976
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4376
  - - C:\Windows\TEMP\89fae8d0.exe
      "C:\Windows\TEMP\89fae8d0.exe"
      4⤵
      Executes dropped EXE
      PID:1976
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3304
  - - C:\Windows\TEMP\84a57149.exe
      "C:\Windows\TEMP\84a57149.exe"
      4⤵
      Executes dropped EXE
      PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1332
  2⤵
  - Program crash
  PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1088 -ip 1088
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\zbgcual\aiyerc.exe

Filesize
2.9MB

MD5
36a9fb702225f391847b119a0b626213

SHA1
2d7dfa0e31f19546d813716a27cdddd9bd543482

SHA256
d32c46c0dd32690d89b7835bc624dd6505921ef860f979c159b8167d171cf668

SHA512
00549673d083e799d9658ce5c75baef197adbc7d55051450f668a0d777a6b48d6829e91b565c6606e89f0cbe7866cffcc5d09c0748e9f9ef7403540e4239aa13

Download Submit
C:\Windows\TEMP\83684c80.exe

Filesize
95KB

MD5
3252c16698f0c40568b763883db23340

SHA1
9fcf4caa07eaacbad82cb1ab568edccb67e22a64

SHA256
9bbe7be11559f22d2b40de1852cc01099fb8f92c16250603fa9c91131fe7ed43

SHA512
f16daaabbde38ce9404450ab7583e04182ab66073f61c5a119b3727359600e316c809f12d6c699caca694de226a9f40e215b9a9b51b9a68d19e0b623085df433

Download Submit
C:\Windows\Temp\3817271794814901.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\Temp\86f8fdb0.exe

Filesize
95KB

MD5
ad408ec223eeba676b45db36d9f32f24

SHA1
5b0e4960ce304f2b76449935f3902938c8ceabaf

SHA256
c2553337ef365b6c0dd8b28912fd7d8f47171638e9b53006e7e333d40c867176

SHA512
f49edfc0549b4cbfda5bff6e80bbfa0af008aafe806e6d9b75ea25a425d8c4acb9d8a7fe81ba027d041f3410fc1dbaed8a1a05d9d4a7235050187a266fb0e338

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
55c07884fbcb97ef0be93aff9dc21a62

SHA1
0d32041d6f7f37e1e3934831b0de4297a3932132

SHA256
13bcabbc8ea661deb9fa5b7289ece6b9e59eb267abae2f68aa597c7489e3abae

SHA512
ae2400b0829dda3a08fe8a9d224921fc32b1caf9f6197d40a72b061940dda4c249c29f85e772adee4c00b290c93cb9598853b019af41007e524aa5b05d36cee4

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
42eb1bd3fe1c9944241edd49652a6345

SHA1
4907f7a130dc79f774ee4a3f9c42b99cf9479359

SHA256
6befde74b572da96ab1eeba04e4ce0d30789218e80c3c290478cb35b9d173e5f

SHA512
5d01da5738301c99a29ac25e46c472c3d5c25da68c54961aeec3f592c1f2f677a4764e832827ca1f3240ba99d500c2bde8206ecc77e0ddc7d0cca20cd254efb1

Download Submit
memory/1088-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1088-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1480-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2952-11-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4536-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4536-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download