Analysis
  max time kernel: 94s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-12-2024 03:13
Behavioral task: behavioral1
  Sample: 244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  Resource: win7-20240903-en
General
  Target: 244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  Size: 2.9MB
  MD5: 2daf6d725e3aecf2630c173dce1d6128
  SHA1: 8bd07dfe0e5f15459ac9d9560d274c04d2ea69e3
  SHA256: 244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af
  SHA512: 84335cf40ab3257390b99056a6846acb419692d0cbedc3f862c501348d09367c02896825c45d6a651894e8a27c5bfd83c58c921587ed838b9d56ced86168f52d
  SSDEEP: 12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y4:fNKl6b8JYgyP8WTGIuhZvPqA
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (9 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3100-4-0x0000000000400000-0x00000000004E6000-memory.dmp    family_blackmoon
  behavioral2/memory/5064-11-0x0000000000400000-0x00000000004E6000-memory.dmp   family_blackmoon
  behavioral2/memory/548-29-0x0000000000400000-0x00000000004E6000-memory.dmp    family_blackmoon
  behavioral2/memory/3120-32-0x0000000000400000-0x000000000048C000-memory.dmp   family_blackmoon
  behavioral2/memory/3120-46-0x0000000000400000-0x000000000048C000-memory.dmp   family_blackmoon
  behavioral2/memory/3120-76-0x0000000000400000-0x000000000048C000-memory.dmp   family_blackmoon
  behavioral2/memory/3120-108-0x0000000000400000-0x000000000048C000-memory.dmp  family_blackmoon
  behavioral2/memory/548-109-0x0000000000400000-0x00000000004E6000-memory.dmp   family_blackmoon
  behavioral2/memory/548-112-0x0000000000400000-0x00000000004E6000-memory.dmp   family_blackmoon
Executes dropped EXE (27 IoCs)
  pid   Process
  5064  dazfuw.exe
  548   dazfuw.exe
  3120  8675443750919029.exe
  1380  uin77.exe
  4844  1c38223c.exe
  4972  uin77.exe
  2288  1b7e0ec3.exe
  3712  uin77.exe
  3348  1639984c.exe
  2736  uin77.exe
  5116  157f83d4.exe
  2200  uin77.exe
  4280  15c66f6b.exe
  2808  uin77.exe
  2232  1f71f8e4.exe
  3148  uin77.exe
  1644  1ec7d47b.exe
  2304  uin77.exe
  1380  1e0ecf03.exe
  776   uin77.exe
  528   18c8598c.exe
  4112  uin77.exe
  4812  180f3413.exe
  2356  uin77.exe
  4368  174510aa.exe
  2612  uin77.exe
  2312  1100a923.exe
Indicator Removal: Clear Persistence (1 TTP, 4 IoCs)
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
  pid   Process
  2904  cmd.exe
  1844  cmd.exe
  2740  cmd.exe
  2692  cmd.exe
Drops file in System32 directory (4 IoCs)
  description                   ioc                                                                                                   Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5   dazfuw.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE            dazfuw.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies             dazfuw.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5    dazfuw.exe

UPX packed (yara rule upx, 13 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3100-0-0x0000000000400000-0x00000000004E6000-memory.dmp    upx
  behavioral2/memory/3100-4-0x0000000000400000-0x00000000004E6000-memory.dmp    upx
  behavioral2/files/0x0007000000023ca0-6.dat                                    upx
  behavioral2/files/0x0007000000023ca4-13.dat                                   upx
  behavioral2/memory/3120-15-0x0000000000400000-0x000000000048C000-memory.dmp   upx
  behavioral2/memory/5064-11-0x0000000000400000-0x00000000004E6000-memory.dmp   upx
  behavioral2/memory/548-29-0x0000000000400000-0x00000000004E6000-memory.dmp    upx
  behavioral2/memory/3120-32-0x0000000000400000-0x000000000048C000-memory.dmp   upx
  behavioral2/memory/3120-46-0x0000000000400000-0x000000000048C000-memory.dmp   upx
  behavioral2/memory/3120-76-0x0000000000400000-0x000000000048C000-memory.dmp   upx
  behavioral2/memory/3120-108-0x0000000000400000-0x000000000048C000-memory.dmp  upx
  behavioral2/memory/548-109-0x0000000000400000-0x00000000004E6000-memory.dmp   upx
  behavioral2/memory/548-112-0x0000000000400000-0x00000000004E6000-memory.dmp   upx
Drops file in Windows directory (4 IoCs)
  description                   ioc                                        Process
  File created                  \??\c:\windows\fonts\ijmarbc\dazfuw.exe    244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  File opened for modification  \??\c:\windows\fonts\ijmarbc\dazfuw.exe    244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  File created                  \??\c:\windows\fonts\oydacj\rdeg.exe       dazfuw.exe
  File created                  \??\c:\windows\fonts\djabweu\vgjiun.exe    dazfuw.exe
Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1788  548         WerFault.exe  88
System Location Discovery: System Language Discovery (1 TTP, 42 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4740  cmd.exe
  532   PING.EXE
Modifies data under HKEY_USERS (8 IoCs)
  description      ioc                                                                                                            Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   dazfuw.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  dazfuw.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  dazfuw.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  dazfuw.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  dazfuw.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  dazfuw.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  dazfuw.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  dazfuw.exe
Runs ping.exe (1 TTP, 1 IoCs)
  pid   Process
  532   PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3100  244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  3100  244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  5064  dazfuw.exe
  548   dazfuw.exe
  3120  8675443750919029.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\244bd32ae44d01e1a9b39e0dec49af8837aecaf062eaab8bd34ce37a2c47c7af.exe"
  PID: 3100
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\ijmarbc\dazfuw.exe
    PID: 4740
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 5
      PID: 532
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    Depth 3: \??\c:\windows\fonts\ijmarbc\dazfuw.exe
      Command line: c:\windows\fonts\ijmarbc\dazfuw.exe
      PID: 5064
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Depth 1: \??\c:\windows\fonts\ijmarbc\dazfuw.exe
  Command line: c:\windows\fonts\ijmarbc\dazfuw.exe
  PID: 548
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\TEMP\8675443750919029.exe
    Command line: C:\Windows\TEMP\8675443750919029.exe
    PID: 3120
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c schtasks /DELETE /TN wlvuj /F
      PID: 2904
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /TN wlvuj /F
        PID: 4504
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      PID: 2004
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
        PID: 1644
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
        PID: 3848
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
        PID: 1836
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 1380
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\TEMP\1c38223c.exe
        Command line: "C:\Windows\TEMP\1c38223c.exe"
        PID: 4844
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 4972
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\TEMP\1b7e0ec3.exe
        Command line: "C:\Windows\TEMP\1b7e0ec3.exe"
        PID: 2288
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 3712
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\TEMP\1639984c.exe
        Command line: "C:\Windows\TEMP\1639984c.exe"
        PID: 3348
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c schtasks /DELETE /TN wlvuj /F
      PID: 1844
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /TN wlvuj /F
        PID: 4268
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      PID: 2380
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
        PID: 1692
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
        PID: 4736
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
        PID: 3264
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2736
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\TEMP\157f83d4.exe
        Command line: "C:\Windows\TEMP\157f83d4.exe"
        PID: 5116
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2200
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\15c66f6b.exe
        Command line: "C:\Windows\TEMP\15c66f6b.exe"
        PID: 4280
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2808
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\1f71f8e4.exe
        Command line: "C:\Windows\TEMP\1f71f8e4.exe"
        PID: 2232
        - Executes dropped EXE

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c schtasks /DELETE /TN wlvuj /F
      PID: 2740
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /TN wlvuj /F
        PID: 2728
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
      PID: 4012
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="cpdal" DELETE
        PID: 116
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="ldxfn" DELETE
        PID: 3848
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='cpdal'" DELETE
        PID: 3824
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 3148
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\1ec7d47b.exe
        Command line: "C:\Windows\TEMP\1ec7d47b.exe"
        PID: 1644
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2304
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\1e0ecf03.exe
        Command line: "C:\Windows\TEMP\1e0ecf03.exe"
        PID: 1380
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 776
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\18c8598c.exe
        Command line: "C:\Windows\TEMP\18c8598c.exe"
        PID: 528
        - Executes dropped EXE

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c schtasks /DELETE /TN cure /F
      PID: 2692
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /TN cure /F
        PID: 3480
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pdxhgs" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="qmlid" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pdxhgs'" DELETE
      PID: 2188
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="pdxhgs" DELETE
        PID: 4972
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="qmlid" DELETE
        PID: 4572
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='pdxhgs'" DELETE
        PID: 64
        - System Location Discovery: System Language Discovery

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 4112
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\180f3413.exe
        Command line: "C:\Windows\TEMP\180f3413.exe"
        PID: 4812
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2356
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\174510aa.exe
        Command line: "C:\Windows\TEMP\174510aa.exe"
        PID: 4368
        - Executes dropped EXE

    Depth 3: C:\Windows\TEMP\uin77.exe
      Command line: C:\Windows\TEMP\uin77.exe
      PID: 2612
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\TEMP\1100a923.exe
        Command line: "C:\Windows\TEMP\1100a923.exe"
        PID: 2312
        - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1332
    PID: 1788
    - Program crash

Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 548 -ip 548
  PID: 3644
Network
MITRE ATT&CK Enterprise v15
Downloads