Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2024 01:03

Behavioral task: behavioral1
Sample: 38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
Resource: win7-20240903-en
General
Target: 38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
Size: 2.8MB
MD5: eca60170fa4fb7c4ceba3cd1889dc770
SHA1: 5e01caec92849f371aba5752b98855186b684fbc
SHA256: 38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918
SHA512: 1f51fadffdf2b46f845e5439be26811ca878c43d90a8789b02b3b7b81d85148032d7c513c4ea2ee8d317123c5b6b289635b5ac4187e838d6375eb7a0aa69b0bc
SSDEEP: 12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 9 IoCs
resource  yara_rule
behavioral2/memory/2992-4-0x0000000000400000-0x00000000004E6000-memory.dmp  family_blackmoon
behavioral2/memory/3432-9-0x0000000000400000-0x00000000004E6000-memory.dmp  family_blackmoon
behavioral2/memory/4944-13-0x0000000000400000-0x00000000004E6000-memory.dmp  family_blackmoon
behavioral2/memory/3432-30-0x0000000000400000-0x00000000004E6000-memory.dmp  family_blackmoon
behavioral2/memory/3012-33-0x0000000000400000-0x000000000048C000-memory.dmp  family_blackmoon
behavioral2/memory/3012-47-0x0000000000400000-0x000000000048C000-memory.dmp  family_blackmoon
behavioral2/memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp  family_blackmoon
behavioral2/memory/3012-109-0x0000000000400000-0x000000000048C000-memory.dmp  family_blackmoon
behavioral2/memory/3432-112-0x0000000000400000-0x00000000004E6000-memory.dmp  family_blackmoon

Executes dropped EXE 27 IoCs
pid  Process
4944  oapu.exe
3432  oapu.exe
3012  9173944077969848.exe
2996  uin77.exe
2376  52f275a6.exe
4608  uin77.exe
1632  5139513e.exe
5056  uin77.exe
4268  5bf3eaa7.exe
4956  uin77.exe
4512  5b3ad64e.exe
3136  uin77.exe
212  5a80b1d6.exe
4984  uin77.exe
2204  553b4b4e.exe
2696  uin77.exe
2636  590d78f4.exe
2352  uin77.exe
4124  54c8027d.exe
2412  uin77.exe
5052  5e83abe6.exe
4284  uin77.exe
3312  5255d99c.exe
220  uin77.exe
3708  5d006205.exe
636  uin77.exe
528  57cbfc8e.exe
Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid  Process
4652  cmd.exe
3788  cmd.exe
2564  cmd.exe
976  cmd.exe
Each of these cmd.exe instances wraps a `schtasks /DELETE /TN <name> /F`, and in the process tree each is paired with a `wmic /NAMESPACE:"\\root\subscription" ... DELETE` chain that removes a WMI __EventFilter, a CommandLineEventConsumer and the __FilterToConsumerBinding joining them. Taken together they name the malware's own persistence artifacts (scheduled tasks yqulb and wmelx; WMI event filters fixrb and lojud with consumers enrhv and dnia), which are worth hunting for on other hosts even though in this run they are only ever deleted.
Drops file in System32 directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  oapu.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  oapu.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  oapu.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  oapu.exe
These are the WinINet cache, cookie and history directories of the LocalSystem profile (config\systemprofile under SysWOW64 is the 32-bit view of the SYSTEM account's profile), which is consistent with the oapu.exe instance that writes them (PID 3432, a root of the process tree with no captured parent) running in the SYSTEM context and using WinINet-style HTTP APIs.

yara rule upx (UPX-packed code) 13 IoCs
resource  yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
behavioral2/memory/2992-4-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
behavioral2/files/0x0008000000023c08-5.dat  upx
behavioral2/memory/3432-9-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
behavioral2/memory/4944-13-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
behavioral2/files/0x0008000000023c21-14.dat  upx
behavioral2/memory/3012-15-0x0000000000400000-0x000000000048C000-memory.dmp  upx
behavioral2/memory/3432-30-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
behavioral2/memory/3012-33-0x0000000000400000-0x000000000048C000-memory.dmp  upx
behavioral2/memory/3012-47-0x0000000000400000-0x000000000048C000-memory.dmp  upx
behavioral2/memory/3012-77-0x0000000000400000-0x000000000048C000-memory.dmp  upx
behavioral2/memory/3012-109-0x0000000000400000-0x000000000048C000-memory.dmp  upx
behavioral2/memory/3432-112-0x0000000000400000-0x00000000004E6000-memory.dmp  upx
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  \??\c:\windows\fonts\dfbln\oapu.exe  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
File opened for modification  \??\c:\windows\fonts\dfbln\oapu.exe  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
File created  \??\c:\windows\fonts\moucjea\zoxsdf.exe  oapu.exe
File created  \??\c:\windows\fonts\pxbdmoq\qzxnlfu.exe  oapu.exe

Program crash 1 IoCs
pid 1484  pid_target 3432  Process WerFault.exe  procid_target 88
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by, with counts over the 42 entries:
  uin77.exe (12), WMIC.exe (12), cmd.exe (9), schtasks.exe (4), oapu.exe (2), 38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe (1), 9173944077969848.exe (1), PING.EXE (1)
Note that this key is read by ordinary system binaries (cmd.exe, PING.EXE, WMIC.exe, schtasks.exe) as part of normal locale handling, so on its own it is a weak indicator; the entries for the dropped binaries are the ones of interest.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
3620  PING.EXE
1304  cmd.exe
Here the target is 127.0.0.1 with -n 5 (see the cmd.exe command line in the process tree), which is the usual cmd.exe sleep idiom before launching the dropped oapu.exe rather than a real connectivity check.
Modifies data under HKEY_USERS 8 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  oapu.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  oapu.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  oapu.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  oapu.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  oapu.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  oapu.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  oapu.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  oapu.exe

Runs ping.exe 1 TTPs 1 IoCs
pid 3620  Process PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (number of entries)
2992  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe  (2)
4944  oapu.exe  (2)
3432  oapu.exe  (2)
2996  uin77.exe  (4)
2376  52f275a6.exe  (4)
4608  uin77.exe  (4)
1632  5139513e.exe  (4)
5056  uin77.exe  (4)
4268  5bf3eaa7.exe  (4)
3012  9173944077969848.exe  (34)

Suspicious behavior: RenamesItself 1 IoCs
pid 2992  Process 38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  2992  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
Token: SeDebugPrivilege  4944  oapu.exe
Token: SeDebugPrivilege  3432  oapu.exe
Token: SeDebugPrivilege  2996  uin77.exe
Token: SeDebugPrivilege  2376  52f275a6.exe
Token (WMIC.exe, PID 384, each listed twice): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Token (WMIC.exe, PID 3372, each listed twice): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Token (WMIC.exe, PID 364): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege
The WMIC.exe privilege set is the standard set wmic.exe enables on start-up; the SeDebugPrivilege requests by the dropped binaries are the notable entries.
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
2992  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe
4944  oapu.exe
3432  oapu.exe
3012  9173944077969848.exe

Suspicious use of WriteProcessMemory 64 IoCs
pid  Process  wrote to memory of  (procid_target)  [entries]
2992  38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe  1304  (83)  [3]
1304  cmd.exe  3620  (85)  [3]
1304  cmd.exe  4944  (87)  [3]
3432  oapu.exe  3012  (89)  [3]
3012  9173944077969848.exe  4652  (90)  [3]
3012  9173944077969848.exe  2020  (91)  [3]
3012  9173944077969848.exe  2996  (94)  [3]
4652  cmd.exe  1592  (95)  [3]
2020  cmd.exe  384  (96)  [3]
2996  uin77.exe  2376  (97)  [2]
2020  cmd.exe  3372  (98)  [3]
2020  cmd.exe  364  (99)  [3]
3012  9173944077969848.exe  4608  (100)  [3]
4608  uin77.exe  1632  (101)  [2]
3012  9173944077969848.exe  5056  (108)  [3]
5056  uin77.exe  4268  (109)  [2]
3012  9173944077969848.exe  3788  (116)  [3]
3012  9173944077969848.exe  3452  (117)  [3]
3788  cmd.exe  3544  (120)  [3]
3452  cmd.exe  4216  (121)  [3]
3012  9173944077969848.exe  4956  (122)  [3]
4956  uin77.exe  4512  (123)  [2]
3452  cmd.exe  1848  (124)  [2]
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe  PID 2992
  cmdline: "C:\Users\Admin\AppData\Local\Temp\38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe  PID 1304
    cmdline: cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\dfbln\oapu.exe
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\PING.EXE  PID 3620
      cmdline: ping 127.0.0.1 -n 5
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    [depth 3] \??\c:\windows\fonts\dfbln\oapu.exe  PID 4944
      cmdline: c:\windows\fonts\dfbln\oapu.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

[depth 1] \??\c:\windows\fonts\dfbln\oapu.exe  PID 3432
  cmdline: c:\windows\fonts\dfbln\oapu.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\TEMP\9173944077969848.exe  PID 3012
    cmdline: C:\Windows\TEMP\9173944077969848.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 4652
      cmdline: cmd /c schtasks /DELETE /TN yqulb /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\schtasks.exe  PID 1592
        cmdline: schtasks /DELETE /TN yqulb /F
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 2020
      cmdline: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 384
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 3372
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 364
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 2996
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\TEMP\52f275a6.exe  PID 2376
        cmdline: "C:\Windows\TEMP\52f275a6.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 4608
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\TEMP\5139513e.exe  PID 1632
        cmdline: "C:\Windows\TEMP\5139513e.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 5056
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\TEMP\5bf3eaa7.exe  PID 4268
        cmdline: "C:\Windows\TEMP\5bf3eaa7.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 3788
      cmdline: cmd /c schtasks /DELETE /TN yqulb /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\schtasks.exe  PID 3544
        cmdline: schtasks /DELETE /TN yqulb /F
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 3452
      cmdline: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 4216
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 1848
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 2992
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 4956
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\TEMP\5b3ad64e.exe  PID 4512
        cmdline: "C:\Windows\TEMP\5b3ad64e.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 3136
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\5a80b1d6.exe  PID 212
        cmdline: "C:\Windows\TEMP\5a80b1d6.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 4984
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\553b4b4e.exe  PID 2204
        cmdline: "C:\Windows\TEMP\553b4b4e.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 2564
      cmdline: cmd /c schtasks /DELETE /TN yqulb /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\schtasks.exe  PID 992
        cmdline: schtasks /DELETE /TN yqulb /F
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 3584
      cmdline: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 3328
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 760
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 3692
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 2696
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\590d78f4.exe  PID 2636
        cmdline: "C:\Windows\TEMP\590d78f4.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 2352
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\54c8027d.exe  PID 4124
        cmdline: "C:\Windows\TEMP\54c8027d.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 2412
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\5e83abe6.exe  PID 5052
        cmdline: "C:\Windows\TEMP\5e83abe6.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 976
      cmdline: cmd /c schtasks /DELETE /TN wmelx /F
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\schtasks.exe  PID 2644
        cmdline: schtasks /DELETE /TN wmelx /F
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\SysWOW64\cmd.exe  PID 3444
      cmdline: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="lojud" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="dnia" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='lojud'" DELETE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 4308
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="lojud" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 432
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="dnia" DELETE
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\SysWOW64\Wbem\WMIC.exe  PID 1608
        cmdline: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='lojud'" DELETE
        - System Location Discovery: System Language Discovery

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 4284
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\5255d99c.exe  PID 3312
        cmdline: "C:\Windows\TEMP\5255d99c.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 220
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\5d006205.exe  PID 3708
        cmdline: "C:\Windows\TEMP\5d006205.exe"
        - Executes dropped EXE

    [depth 3] C:\Windows\TEMP\uin77.exe  PID 636
      cmdline: C:\Windows\TEMP\uin77.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\TEMP\57cbfc8e.exe  PID 528
        cmdline: "C:\Windows\TEMP\57cbfc8e.exe"
        - Executes dropped EXE

  [depth 2] C:\Windows\SysWOW64\WerFault.exe  PID 1484
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1324
    - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe  PID 1368
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3432 -ip 3432
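The following is an added example and not part of this sandbox report or of any vendor's code: process-creation detection logic for the behaviour recorded in the process tree above and in the "Indicator Removal: Clear Persistence" signature (cmd-driven persistence cleanup through `schtasks /DELETE` and `wmic ... DELETE` in the `root\subscription` namespace, the `ping 127.0.0.1 -n 5 & Start ...` sleep before launching the dropped oapu.exe, and executables staged under C:\Windows\Fonts and C:\Windows\TEMP). The (parent image, image, command line) triples, the rule names, the staging-directory list and the benign control record are assumptions of this example; the command lines themselves are copied from this page.

```python
import re

# Constructed sample input (parent image, image, command line), copied from the
# process tree in this report. The three-field layout is an assumed EDR feed.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\38c4ab9087b1108d582789d22bb030c4832d5a08a0513381222eaf4270cf9918N.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\dfbln\oapu.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"\??\c:\windows\fonts\dfbln\oapu.exe",
     r"c:\windows\fonts\dfbln\oapu.exe"),
    (r"C:\Windows\TEMP\9173944077969848.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c schtasks /DELETE /TN yqulb /F"),
    (r"C:\Windows\TEMP\9173944077969848.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"""cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fixrb" DELETE & """
     r"""wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="enrhv" DELETE & """
     r"""wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fixrb'" DELETE"""),
    (r"C:\Windows\TEMP\9173944077969848.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c schtasks /DELETE /TN wmelx /F"),
    (r"C:\Windows\TEMP\9173944077969848.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"""cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="lojud" DELETE & """
     r"""wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="dnia" DELETE & """
     r"""wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='lojud'" DELETE"""),
    # Benign control (constructed): an admin removing a task from an interactive shell.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c schtasks /DELETE /TN MyBackup /F"),
]

# One wmic invocation: wmic /NAMESPACE:"..." PATH <class> WHERE <cond> <verb>
WMIC_RE = re.compile(
    r'wmic\s+/NAMESPACE:"(?P<ns>[^"]+)"\s+PATH\s+(?P<cls>\w+)\s+WHERE\s+'
    r'(?P<where>.+?)\s+(?P<verb>DELETE|CREATE|SET|CALL)\b', re.IGNORECASE)
# Pulls the value out of Name="x" or Filter="__EventFilter.Name='x'"
NAME_RE = re.compile(r"""Name=['"]([^'"]+)['"]""")
SCHTASKS_DELETE_RE = re.compile(r'schtasks(?:\.exe)?\s+/DELETE\s+/TN\s+"?([^"\s]+)"?', re.IGNORECASE)
# "ping 127.0.0.1 -n N & start ..." is the cmd.exe sleep idiom, not a connectivity check
PING_SLEEP_RE = re.compile(r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+.*?&+\s*start\b", re.IGNORECASE)
STAGING_DIRS = ("\\windows\\fonts\\", "\\windows\\temp\\")  # assumed list for this example


def parse_wmic_subscription(cmdline):
    """Split a cmd /c chain on & or && and return one dict per wmic call in it."""
    hits = []
    for segment in re.split(r"\s*&&?\s*", cmdline):
        m = WMIC_RE.search(segment)
        if not m:
            continue
        name = NAME_RE.search(m["where"])
        hits.append({"namespace": m["ns"].lower(), "class": m["cls"],
                     "name": name.group(1) if name else None,
                     "verb": m["verb"].upper()})
    return hits


def analyse(events):
    """Return (findings, artifacts): rule hits plus the persistence names worth hunting for."""
    findings = []
    artifacts = {"scheduled_task": set(), "wmi_filter": set(), "wmi_consumer": set()}
    for parent, image, cmd in events:
        image_l, parent_l = image.lower(), parent.lower()
        parent_staged = any(d in parent_l for d in STAGING_DIRS)
        if image_l.endswith(".exe") and any(d in image_l for d in STAGING_DIRS):
            findings.append(("exe_in_staging_dir", image))
        if PING_SLEEP_RE.search(cmd):
            findings.append(("ping_sleep_then_start", cmd))
        for h in parse_wmic_subscription(cmd):
            if not h["namespace"].endswith("root\\subscription"):
                continue  # other namespaces are routine admin use of wmic
            findings.append(("wmi_subscription_" + h["verb"].lower(), f'{h["class"]} {h["name"]}'))
            if h["class"] == "__EventFilter":
                artifacts["wmi_filter"].add(h["name"])
            elif h["class"].endswith("EventConsumer"):
                artifacts["wmi_consumer"].add(h["name"])
        m = SCHTASKS_DELETE_RE.search(cmd)
        if m and parent_staged:  # a dropped binary pruning its own task is the signal here
            findings.append(("schtasks_delete_from_staged_parent", m.group(1)))
            artifacts["scheduled_task"].add(m.group(1))
    return findings, artifacts


def hunt_commands(artifacts):
    """Host-side checks for the recovered names, using the standard schtasks and Get-WmiObject tools."""
    cmds = [f"schtasks /Query /TN {t}" for t in sorted(artifacts["scheduled_task"])]
    cmds += [f"Get-WmiObject -Namespace root\\subscription -Class __EventFilter -Filter \"Name='{n}'\""
             for n in sorted(artifacts["wmi_filter"])]
    cmds += [f"Get-WmiObject -Namespace root\\subscription -Class CommandLineEventConsumer -Filter \"Name='{n}'\""
             for n in sorted(artifacts["wmi_consumer"])]
    return cmds


if __name__ == "__main__":
    found, arts = analyse(EVENTS)
    for rule, detail in found:
        print(f"{rule:40} {detail}")
    print("\n".join(hunt_commands(arts)))
```

Run over the constructed feed it yields ten findings (six `wmi_subscription_delete`, two `schtasks_delete_from_staged_parent`, one `exe_in_staging_dir`, one `ping_sleep_then_start`) and recovers the task names yqulb and wmelx, filters fixrb and lojud and consumers enrhv and dnia, while the interactive `schtasks /DELETE` from explorer.exe produces nothing. The `schtasks` rule is gated on the parent being a staged binary on purpose: `schtasks /DELETE` from an interactive shell is common, whereas anything touching `root\subscription` is rare enough to alert on unconditionally. Since wmic.exe is deprecated on current Windows builds, the same cleanup can equally arrive as PowerShell `Remove-WmiObject`/CIM calls, so a production rule should cover those command lines too.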
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.9MB
MD5: ddf1a8d5ad6f369acc25a91846c3254a
SHA1: 650743f41337534f0c089a8bac470cd2a04aca65
SHA256: 48e4af5f1bd47b46ee9782dd7368ef74785845733cf4fb7b295f57887cf46cb8
SHA512: 741318b93a57fd3a52c55f9845bcc3963304ecd0cd8e9f4433cc9fe5ff63c668a57ad19af64d866981531a7c0a0b2d4a748bc12f344f0c24699e8a5eb0b4aa56

Filesize: 95KB
MD5: c92d736ce1a72ad6d4bb5b6e542a2a87
SHA1: a53bece2458892d9c301ca76cfded99d48ec10a9
SHA256: 4171fd76196400f48fe259a4974744547c4e69021463152115c048a1484757af
SHA512: 91bff24706f88b72ec550da4a09971555a785283b44c5ee1db4d61e8a1a4bda56b1fc50e09589974839d653c311781b64ac0010300109306adc6edff94bf5cd5

Filesize: 95KB
MD5: 22a93a07a6b4c4a54aa443fd825cb9ab
SHA1: c952dced642e71f0524628a9109d3afc41583ef6
SHA256: af027f4eeef26a6075c6324843cd370bcf0be4ed9b6b0a18e8501a023ec90ad9
SHA512: 1a767491febcaee619078fc27be44154cd762d5e5204b3efafe8fe6c2404d2d40fa548ddf28438ed6cd17e628e89589a694786d280d8149e6068a7886689bcbe

Filesize: 244KB
MD5: de3b294b4edf797dfa8f45b33a0317b4
SHA1: d46f49e223655eca9a21249a60de3719fe3795e0
SHA256: d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9
SHA512: 1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Filesize: 173KB
MD5: cb322583a02dd3e80881de4b07c04b57
SHA1: 5a169558bca2d7d97b9317a2d31aeeb2c5280274
SHA256: 4257c82c06504e9c8f5604450dc87c95f2eb31f9c5def94bfe8ecf63566baea2
SHA512: 8dfa0082163cf57393a197df5544937977631641393bfb248e5bc84386739dfe9f7855e82a00096120eeb81c91ecd6dfaafc4b11bc0de821cfa83c4e3275eb96

Filesize: 173KB
MD5: 2f5b8491dc5be59160f5c31b36e15052
SHA1: 06f258db62158e132b5601abcb8d623490d42bcd
SHA256: e9005926511f9f1ff9532950af06d6986968b50fd56d3c481d09505b8780dfc3
SHA512: d8ee911e9f574e9727ac1bf8a5ad7fbc6b2efc20d618c8d3d8d0d988fd50e07515c06dddac6856018fdb7a0f67b2a2e1211a6539c7963f7d64f5115e98244fd7