blackmoon | 237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
Size

1.9MB
MD5

d4336e63a31a969555e979eeb8fce130
SHA1

31ce041073beb8ac5e904e8d37006b869b8d5938
SHA256

237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92
SHA512

504f0a21d3139cdf41509767bb2607743c29172a3a0bd68d9124bff5504e8b313b8e3571c4d397eb04cd2969249a5a94de68fc5b2472289adb39ef1c5f869cc9
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral2/memory/2840-5-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/3252-10-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4852-29-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/4896-31-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4896-45-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4896-75-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4896-108-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/4852-111-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
3252	mswxiug.exe
4852	mswxiug.exe
4896	8743089324746483.exe
1824	uin77.exe
2956	eaabb389.exe
5000	uin77.exe
1888	e9e19f11.exe
112	uin77.exe
3516	e3ac299a.exe
1432	uin77.exe
2204	e3e20421.exe
4548	uin77.exe
1724	edadaeaa.exe
5048	uin77.exe
1272	ede48931.exe
3732	uin77.exe
3500	ec3a65c9.exe
3544	uin77.exe
3144	e6e5fe32.exe
4960	uin77.exe
1720	e1a088bb.exe
3180	uin77.exe
2392	e572c561.exe
2008	uin77.exe
4156	ef2d5fd9.exe
1688	uin77.exe
5024	eae7e852.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2336	cmd.exe
4776	cmd.exe
4424	cmd.exe
1276	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mswxiug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mswxiug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mswxiug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mswxiug.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2840-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/2840-5-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-7.dat	upx
behavioral2/memory/3252-10-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4896-15-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-14.dat	upx
behavioral2/memory/4852-29-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/4896-31-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4896-45-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4896-75-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4896-108-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4852-111-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\auhim\mswxiug.exe	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
File opened for modification	\??\c:\windows\fonts\auhim\mswxiug.exe	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
File created	\??\c:\windows\fonts\ivnjz\qfnjirg.exe	mswxiug.exe
File created	\??\c:\windows\fonts\gmedsz\wbmafre.exe	mswxiug.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	4852	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8743089324746483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswxiug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mswxiug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3552	cmd.exe
2744	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mswxiug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mswxiug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mswxiug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mswxiug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mswxiug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mswxiug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mswxiug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mswxiug.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
3252	mswxiug.exe
3252	mswxiug.exe
4852	mswxiug.exe
4852	mswxiug.exe
1824	uin77.exe
1824	uin77.exe
1824	uin77.exe
1824	uin77.exe
2956	eaabb389.exe
2956	eaabb389.exe
2956	eaabb389.exe
2956	eaabb389.exe
5000	uin77.exe
5000	uin77.exe
5000	uin77.exe
5000	uin77.exe
1888	e9e19f11.exe
1888	e9e19f11.exe
1888	e9e19f11.exe
1888	e9e19f11.exe
112	uin77.exe
112	uin77.exe
112	uin77.exe
112	uin77.exe
3516	e3ac299a.exe
3516	e3ac299a.exe
3516	e3ac299a.exe
3516	e3ac299a.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe
4896	8743089324746483.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
Token: SeDebugPrivilege	3252	mswxiug.exe
Token: SeDebugPrivilege	4852	mswxiug.exe
Token: SeAssignPrimaryTokenPrivilege	1804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1804	WMIC.exe
Token: SeSecurityPrivilege	1804	WMIC.exe
Token: SeTakeOwnershipPrivilege	1804	WMIC.exe
Token: SeLoadDriverPrivilege	1804	WMIC.exe
Token: SeSystemtimePrivilege	1804	WMIC.exe
Token: SeBackupPrivilege	1804	WMIC.exe
Token: SeRestorePrivilege	1804	WMIC.exe
Token: SeShutdownPrivilege	1804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1804	WMIC.exe
Token: SeUndockPrivilege	1804	WMIC.exe
Token: SeManageVolumePrivilege	1804	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1804	WMIC.exe
Token: SeSecurityPrivilege	1804	WMIC.exe
Token: SeTakeOwnershipPrivilege	1804	WMIC.exe
Token: SeLoadDriverPrivilege	1804	WMIC.exe
Token: SeSystemtimePrivilege	1804	WMIC.exe
Token: SeBackupPrivilege	1804	WMIC.exe
Token: SeRestorePrivilege	1804	WMIC.exe
Token: SeShutdownPrivilege	1804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1804	WMIC.exe
Token: SeUndockPrivilege	1804	WMIC.exe
Token: SeManageVolumePrivilege	1804	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe
Token: SeManageVolumePrivilege	3360	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3360	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
3252	mswxiug.exe
4852	mswxiug.exe
4896	8743089324746483.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3552	2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe	82
PID 2840 wrote to memory of 3552	2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe	82
PID 2840 wrote to memory of 3552	2840	237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe	82
PID 3552 wrote to memory of 2744	3552	cmd.exe	84
PID 3552 wrote to memory of 2744	3552	cmd.exe	84
PID 3552 wrote to memory of 2744	3552	cmd.exe	84
PID 3552 wrote to memory of 3252	3552	cmd.exe	85
PID 3552 wrote to memory of 3252	3552	cmd.exe	85
PID 3552 wrote to memory of 3252	3552	cmd.exe	85
PID 4852 wrote to memory of 4896	4852	mswxiug.exe	87
PID 4852 wrote to memory of 4896	4852	mswxiug.exe	87
PID 4852 wrote to memory of 4896	4852	mswxiug.exe	87
PID 4896 wrote to memory of 2336	4896	8743089324746483.exe	88
PID 4896 wrote to memory of 2336	4896	8743089324746483.exe	88
PID 4896 wrote to memory of 2336	4896	8743089324746483.exe	88
PID 4896 wrote to memory of 4116	4896	8743089324746483.exe	89
PID 4896 wrote to memory of 4116	4896	8743089324746483.exe	89
PID 4896 wrote to memory of 4116	4896	8743089324746483.exe	89
PID 4116 wrote to memory of 1804	4116	cmd.exe	92
PID 4116 wrote to memory of 1804	4116	cmd.exe	92
PID 4116 wrote to memory of 1804	4116	cmd.exe	92
PID 2336 wrote to memory of 1072	2336	cmd.exe	93
PID 2336 wrote to memory of 1072	2336	cmd.exe	93
PID 2336 wrote to memory of 1072	2336	cmd.exe	93
PID 4116 wrote to memory of 1224	4116	cmd.exe	94
PID 4116 wrote to memory of 1224	4116	cmd.exe	94
PID 4116 wrote to memory of 1224	4116	cmd.exe	94
PID 4116 wrote to memory of 3360	4116	cmd.exe	95
PID 4116 wrote to memory of 3360	4116	cmd.exe	95
PID 4116 wrote to memory of 3360	4116	cmd.exe	95
PID 4896 wrote to memory of 1824	4896	8743089324746483.exe	96
PID 4896 wrote to memory of 1824	4896	8743089324746483.exe	96
PID 4896 wrote to memory of 1824	4896	8743089324746483.exe	96
PID 1824 wrote to memory of 2956	1824	uin77.exe	97
PID 1824 wrote to memory of 2956	1824	uin77.exe	97
PID 4896 wrote to memory of 5000	4896	8743089324746483.exe	98
PID 4896 wrote to memory of 5000	4896	8743089324746483.exe	98
PID 4896 wrote to memory of 5000	4896	8743089324746483.exe	98
PID 5000 wrote to memory of 1888	5000	uin77.exe	99
PID 5000 wrote to memory of 1888	5000	uin77.exe	99
PID 4896 wrote to memory of 112	4896	8743089324746483.exe	102
PID 4896 wrote to memory of 112	4896	8743089324746483.exe	102
PID 4896 wrote to memory of 112	4896	8743089324746483.exe	102
PID 112 wrote to memory of 3516	112	uin77.exe	103
PID 112 wrote to memory of 3516	112	uin77.exe	103
PID 4896 wrote to memory of 4776	4896	8743089324746483.exe	107
PID 4896 wrote to memory of 4776	4896	8743089324746483.exe	107
PID 4896 wrote to memory of 4776	4896	8743089324746483.exe	107
PID 4896 wrote to memory of 4676	4896	8743089324746483.exe	108
PID 4896 wrote to memory of 4676	4896	8743089324746483.exe	108
PID 4896 wrote to memory of 4676	4896	8743089324746483.exe	108
PID 4676 wrote to memory of 2636	4676	cmd.exe	111
PID 4676 wrote to memory of 2636	4676	cmd.exe	111
PID 4676 wrote to memory of 2636	4676	cmd.exe	111
PID 4776 wrote to memory of 4416	4776	cmd.exe	112
PID 4776 wrote to memory of 4416	4776	cmd.exe	112
PID 4776 wrote to memory of 4416	4776	cmd.exe	112
PID 4896 wrote to memory of 1432	4896	8743089324746483.exe	113
PID 4896 wrote to memory of 1432	4896	8743089324746483.exe	113
PID 4896 wrote to memory of 1432	4896	8743089324746483.exe	113
PID 1432 wrote to memory of 2204	1432	uin77.exe	114
PID 1432 wrote to memory of 2204	1432	uin77.exe	114
PID 4676 wrote to memory of 3944	4676	cmd.exe	115
PID 4676 wrote to memory of 3944	4676	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe
"C:\Users\Admin\AppData\Local\Temp\237d94d8f772fdbfc1142dc9e97969d3729a8feb4253a9f5038c4482053dfe92N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\auhim\mswxiug.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2744
- - \??\c:\windows\fonts\auhim\mswxiug.exe
    c:\windows\fonts\auhim\mswxiug.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3252

\??\c:\windows\fonts\auhim\mswxiug.exe
c:\windows\fonts\auhim\mswxiug.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\TEMP\8743089324746483.exe
  C:\Windows\TEMP\8743089324746483.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN pdvl /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN pdvl /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1224
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3360
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\TEMP\eaabb389.exe
      "C:\Windows\TEMP\eaabb389.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2956
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\TEMP\e9e19f11.exe
      "C:\Windows\TEMP\e9e19f11.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1888
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\TEMP\e3ac299a.exe
      "C:\Windows\TEMP\e3ac299a.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN pdvl /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN pdvl /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\TEMP\e3e20421.exe
      "C:\Windows\TEMP\e3e20421.exe"
      4⤵
      Executes dropped EXE
      PID:2204
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4548
  - - C:\Windows\TEMP\edadaeaa.exe
      "C:\Windows\TEMP\edadaeaa.exe"
      4⤵
      Executes dropped EXE
      PID:1724
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5048
  - - C:\Windows\TEMP\ede48931.exe
      "C:\Windows\TEMP\ede48931.exe"
      4⤵
      Executes dropped EXE
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN pdvl /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:4424
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN pdvl /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="adjqcz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1340
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="jecsz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4480
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='adjqcz'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4376
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3732
  - - C:\Windows\TEMP\ec3a65c9.exe
      "C:\Windows\TEMP\ec3a65c9.exe"
      4⤵
      Executes dropped EXE
      PID:3500
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3544
  - - C:\Windows\TEMP\e6e5fe32.exe
      "C:\Windows\TEMP\e6e5fe32.exe"
      4⤵
      Executes dropped EXE
      PID:3144
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4960
  - - C:\Windows\TEMP\e1a088bb.exe
      "C:\Windows\TEMP\e1a088bb.exe"
      4⤵
      Executes dropped EXE
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN xqmzc /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1276
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN xqmzc /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yucwf" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="svacx" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yucwf'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="yucwf" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:5016
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="svacx" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3564
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='yucwf'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Windows\TEMP\e572c561.exe
      "C:\Windows\TEMP\e572c561.exe"
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2008
  - - C:\Windows\TEMP\ef2d5fd9.exe
      "C:\Windows\TEMP\ef2d5fd9.exe"
      4⤵
      Executes dropped EXE
      PID:4156
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1688
  - - C:\Windows\TEMP\eae7e852.exe
      "C:\Windows\TEMP\eae7e852.exe"
      4⤵
      Executes dropped EXE
      PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1328
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4852 -ip 4852
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\auhim\mswxiug.exe

Filesize
2.0MB

MD5
b0de02df0d46a55e5b4ea5adb63b644a

SHA1
1017fb360b2f9d28e7417bf307baf45f5fc3111f

SHA256
b05e32032abda02bdbfa5b12523b9edd16857a2d1b798a7f2164f5927b4265ae

SHA512
094ac98dc9505a78b2ecebb5912bf48ddf18567f154160b703c9725912fdfaadfa3b686883b4b0ef8abe2919c298b70ab5f6da74f96a1a56cd1fb827a2d272d7

Download Submit
C:\Windows\TEMP\8743089324746483.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\Temp\eaabb389.exe

Filesize
95KB

MD5
487d6b2a47cd413d339994910c7543d7

SHA1
0ce067c54a365dc5763caa90946e0ea740877caf

SHA256
4b3d53303bf7eda3e8566a208b4f123cd8ce3c42dc32b2d6c58788c58296a6b5

SHA512
30be857204d8f5b6059d1f989d4f37e7c880c28da2e7e7396fa08d053711e978b8cd0f2fef2d93d3cd3d30e9b1734a8dd0269be92d65825a1a5f66392a3a87a9

Download Submit
C:\Windows\Temp\ec3a65c9.exe

Filesize
95KB

MD5
975b2d427e4cb66f7ea6d98a998b9942

SHA1
aadd3353c2bec1737ae4550e1cac7b30bed522a9

SHA256
1303923e973faf958386565794abb796c6be23b01c39da0d8fb188f38a5d5784

SHA512
28cb4f10ea98247e9727c189d7c196a5c84c12b40297cdc05853e5daf1e2ef011c67ba152e9bd9aa7e2a8224a08cc32804cad6e2efb6a85ea263af7733a1201d

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
50e6afc261cd07595b382984e922525e

SHA1
21b9b6803c667117dea500406733e8b3e34f5fc3

SHA256
a245085ef19480ce8257d348d95e724a17e3b48026378a4fabab693e7089313c

SHA512
485345b65630a9dabe82e92d2ca0d5c1702341cbe1d9b6b799f4ffec0f6a65b5dfb5b334d0937708c969727eb0dcdf83d538dcbcd4804899e371ec1c484c7fbb

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
17bff961e76f3f6952699c695ca71b63

SHA1
7977e84185a2471bb78eb05a66a2df89137b83e1

SHA256
07e171b5511926f3eda2012c5b3f9bef543aa4a4009908ccaab7d398895cbfe2

SHA512
32787db567991a8699bcc8ddc4041ac505555ec943f3759a2c27c03229d62ca56e7195eebf5148620f601ae093885db6204577c23e6b31011589e9ce4b48f248

Download Submit
memory/2840-5-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2840-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3252-10-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4852-29-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4852-111-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4896-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4896-31-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4896-15-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4896-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4896-108-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download