Analysis

Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 25-12-2024 18:20

Behavioral task: behavioral1
Sample: 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
Resource: win7-20240708-en
General

Target: 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
Size: 1.9MB
MD5: d4336e63a31a969555e979eeb8fce130
SHA1: 31ce041073beb8ac5e904e8d37006b869b8d5938
SHA256: 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92
SHA512: 504f0a21d3139cdf41509767bb2607743c29172a3a0bd68d9124bff5504e8b313b8e3571c4d397eb04cd2969249a5a94de68fc5b2472289adb39ef1c5f869cc9
SSDEEP: 12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq
Malware Config
Signatures

- Blackmoon family
- Detect Blackmoon payload (9 IoCs)
- Executes dropped EXE (27 IoCs)
- Loads dropped DLL (30 IoCs)
- Indicator Removal: Clear Persistence (1 TTP, 4 IoCs)
  Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
  cmd.exe PIDs: 1552, 2160, 2608, 2420
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (faduco.exe)
- Drops file in Windows directory (4 IoCs)
  File created: \??\c:\windows\fonts\usgcpao\faduco.exe (237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe)
  File opened for modification: \??\c:\windows\fonts\usgcpao\faduco.exe (237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe)
  File created: \??\c:\windows\fonts\uxgdvi\dgejoa.exe (faduco.exe)
  File created: \??\c:\windows\fonts\cafesd\ayucez.exe (faduco.exe)
- Program crash (1 IoC)
  WerFault.exe (PID 1932) handled the crash of target PID 2988 (procid_target 34)
- System Location Discovery: System Language Discovery (1 TTP, 41 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PIDs: 2764 PING.EXE, 2128 cmd.exe
- Modifies data under HKEY_USERS (24 IoCs, all by faduco.exe, under \REGISTRY\USER\.DEFAULT\...\Internet Settings)
- Runs ping.exe (1 TTP, 1 IoC)
  PID: 2764 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: RenamesItself (1 IoC)
  PID: 2364 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PIDs: 2364 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe, 2864 faduco.exe, 2988 faduco.exe, 2920 1757194207921478.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (indentation shows parent/child depth; behaviors listed under each process)

C:\Users\Admin\AppData\Local\Temp\237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe (PID 2364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2128)
    Command line: cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\usgcpao\faduco.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 2764)
      Command line: ping 127.0.0.1 -n 5
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    \??\c:\windows\fonts\usgcpao\faduco.exe (PID 2864)
      Command line: c:\windows\fonts\usgcpao\faduco.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

\??\c:\windows\fonts\usgcpao\faduco.exe (PID 2988)
  Command line: c:\windows\fonts\usgcpao\faduco.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\TEMP\1757194207921478.exe (PID 2920)
    Command line: C:\Windows\TEMP\1757194207921478.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2608)
      Command line: cmd /c schtasks /DELETE /TN uijdc /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 2572)
        Command line: schtasks /DELETE /TN uijdc /F
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2776)
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1336)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2892)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1252)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\TEMP\uin77.exe (PID 2076)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\TEMP\eaabb389.exe (PID 2968)
        Command line: "C:\Windows\TEMP\eaabb389.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\TEMP\uin77.exe (PID 3008)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\TEMP\e4654d02.exe (PID 1088)
        Command line: "C:\Windows\TEMP\e4654d02.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\TEMP\uin77.exe (PID 900)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\TEMP\ee10d77b.exe (PID 2640)
        Command line: "C:\Windows\TEMP\ee10d77b.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe (PID 2420)
      Command line: cmd /c schtasks /DELETE /TN uijdc /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\schtasks.exe (PID 2264)
        Command line: schtasks /DELETE /TN uijdc /F
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2472)
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1688)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1152)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1880)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        - System Location Discovery: System Language Discovery

    C:\Windows\TEMP\uin77.exe (PID 2824)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\TEMP\ee67b213.exe (PID 532)
        Command line: "C:\Windows\TEMP\ee67b213.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\TEMP\uin77.exe (PID 2132)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\e8115c8b.exe (PID 2440)
        Command line: "C:\Windows\TEMP\e8115c8b.exe"
        - Executes dropped EXE

    C:\Windows\TEMP\uin77.exe (PID 1660)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\e2dce504.exe (PID 1648)
        Command line: "C:\Windows\TEMP\e2dce504.exe"
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 1552)
      Command line: cmd /c schtasks /DELETE /TN uijdc /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\schtasks.exe (PID 2000)
        Command line: schtasks /DELETE /TN uijdc /F
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1364)
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2104)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="bfmxco" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2256)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="segn" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1676)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='bfmxco'" DELETE
        - System Location Discovery: System Language Discovery

    C:\Windows\TEMP\uin77.exe (PID 1564)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\e7ae13aa.exe (PID 1224)
        Command line: "C:\Windows\TEMP\e7ae13aa.exe"
        - Executes dropped EXE

    C:\Windows\TEMP\uin77.exe (PID 2204)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\e159ac23.exe (PID 1936)
        Command line: "C:\Windows\TEMP\e159ac23.exe"
        - Executes dropped EXE

    C:\Windows\TEMP\uin77.exe (PID 1000)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\eb1436ac.exe (PID 1516)
        Command line: "C:\Windows\TEMP\eb1436ac.exe"
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe (PID 2160)
      Command line: cmd /c schtasks /DELETE /TN hswcb /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\schtasks.exe (PID 1616)
        Command line: schtasks /DELETE /TN hswcb /F
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2364)
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="jlghwq" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="nwxqy" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='jlghwq'" DELETE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2680)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="jlghwq" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2224)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="nwxqy" DELETE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2560)
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='jlghwq'" DELETE
        - System Location Discovery: System Language Discovery

    C:\Windows\TEMP\uin77.exe (PID 2844)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\eb5a2133.exe (PID 2392)
        Command line: "C:\Windows\TEMP\eb5a2133.exe"
        - Executes dropped EXE

    C:\Windows\TEMP\uin77.exe (PID 1964)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\e515bbac.exe (PID 2968)
        Command line: "C:\Windows\TEMP\e515bbac.exe"
        - Executes dropped EXE

    C:\Windows\TEMP\uin77.exe (PID 2964)
      Command line: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      C:\Windows\TEMP\efd04525.exe (PID 2648)
        Command line: "C:\Windows\TEMP\efd04525.exe"
        - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe (PID 1932)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 788
    - Loads dropped DLL
    - Program crash
MITRE ATT&CK Enterprise v15
Downloads