Analysis
Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 26-12-2024 16:00
Behavioral task: behavioral1
Sample: 7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Resource: win7-20240903-en
General
Target: 7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Size: 2.9MB
MD5: 4833ec8dc2c54e604af9a36f5ca884f0
SHA1: ab322e271682bb7df83717faa84a557c08a89376
SHA256: 7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8
SHA512: 19392c1a2b9ba6a0ba59fd4566929d299bd86dc021b4666ebcc680a0fdfec57c1781ae92b7c445b737bba139c893f849f763fe4096ae12dcb00459791335fe43
SSDEEP: 12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 9 IoCs
Executes dropped EXE 27 IoCs
pid   Process
1924  aeuoswp.exe
2596  aeuoswp.exe
2068  5624490732756533.exe
3064  uin77.exe
776   b9e2755d.exe
648   uin77.exe
1780  b3ad0fc6.exe
284   uin77.exe
1732  be58984f.exe
2044  uin77.exe
1032  bdae74d7.exe
2356  uin77.exe
1488  b7590d5f.exe
1368  uin77.exe
2960  b21497c8.exe
792   uin77.exe
1988  b6e6d47e.exe
3012  uin77.exe
2020  b1a16ee7.exe
344   uin77.exe
1308  bb5bf860.exe
2716  uin77.exe
2748  ba92d3f7.exe
2592  uin77.exe
1484  b55d7d70.exe
1720  uin77.exe
2012  bf1706e9.exe
Loads dropped DLL 30 IoCs
pid   Process
2712  cmd.exe
2712  cmd.exe
2596  aeuoswp.exe
2596  aeuoswp.exe
2068  5624490732756533.exe
3064  uin77.exe
2068  5624490732756533.exe
648   uin77.exe
2068  5624490732756533.exe
284   uin77.exe
2068  5624490732756533.exe
2044  uin77.exe
2068  5624490732756533.exe
2356  uin77.exe
2068  5624490732756533.exe
1368  uin77.exe
2068  5624490732756533.exe
792   uin77.exe
2068  5624490732756533.exe
3012  uin77.exe
2068  5624490732756533.exe
344   uin77.exe
2068  5624490732756533.exe
2716  uin77.exe
2068  5624490732756533.exe
2592  uin77.exe
2068  5624490732756533.exe
1720  uin77.exe
2244  WerFault.exe
2244  WerFault.exe
Indicator Removal: Clear Persistence 1 TTPs 4 IoCs
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid   Process
1256  cmd.exe
2016  cmd.exe
1836  cmd.exe
1544  cmd.exe
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                        Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  aeuoswp.exe
Drops file in Windows directory 4 IoCs
description                   ioc                                        Process
File created                  \??\c:\windows\fonts\qrzeuav\lqryz.exe     aeuoswp.exe
File created                  \??\c:\windows\fonts\riagyfv\aeuoswp.exe   7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
File opened for modification  \??\c:\windows\fonts\riagyfv\aeuoswp.exe   7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
File created                  \??\c:\windows\fonts\xlndb\hmucy.exe       aeuoswp.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2244  2596        WerFault.exe  34
System Location Discovery: System Language Discovery 1 TTPs 41 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2776  PING.EXE
2712  cmd.exe
Modifies data under HKEY_USERS 24 IoCs
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
2776  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
pid   Process
2652  7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
2652  7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
1924  aeuoswp.exe
2596  aeuoswp.exe
2068  5624490732756533.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (indented by nesting depth; each child is listed under its parent)

C:\Users\Admin\AppData\Local\Temp\7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2652

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\riagyfv\aeuoswp.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2712

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 5
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2776

        \??\c:\windows\fonts\riagyfv\aeuoswp.exe
          Command line: c:\windows\fonts\riagyfv\aeuoswp.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 1924

\??\c:\windows\fonts\riagyfv\aeuoswp.exe
  Command line: c:\windows\fonts\riagyfv\aeuoswp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2596

    C:\Windows\TEMP\5624490732756533.exe
      Command line: C:\Windows\TEMP\5624490732756533.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2068

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c schtasks /DELETE /TN nwlve /F
          - Indicator Removal: Clear Persistence
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 1256

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /DELETE /TN nwlve /F
              - System Location Discovery: System Language Discovery
              PID: 3060

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2564

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 796

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1632

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1972

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3064

            C:\Windows\TEMP\b9e2755d.exe
              Command line: "C:\Windows\TEMP\b9e2755d.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 776

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 648

            C:\Windows\TEMP\b3ad0fc6.exe
              Command line: "C:\Windows\TEMP\b3ad0fc6.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 1780

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 284

            C:\Windows\TEMP\be58984f.exe
              Command line: "C:\Windows\TEMP\be58984f.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 1732

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c schtasks /DELETE /TN nwlve /F
          - Indicator Removal: Clear Persistence
          - System Location Discovery: System Language Discovery
          PID: 2016

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /DELETE /TN nwlve /F
              - System Location Discovery: System Language Discovery
              PID: 1040

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
          - System Location Discovery: System Language Discovery
          PID: 2120

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE
              - System Location Discovery: System Language Discovery
              PID: 1500

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE
              - System Location Discovery: System Language Discovery
              PID: 1964

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
              - System Location Discovery: System Language Discovery
              PID: 2368

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 2044

            C:\Windows\TEMP\bdae74d7.exe
              Command line: "C:\Windows\TEMP\bdae74d7.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 1032

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 2356

            C:\Windows\TEMP\b7590d5f.exe
              Command line: "C:\Windows\TEMP\b7590d5f.exe"
              - Executes dropped EXE
              PID: 1488

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 1368

            C:\Windows\TEMP\b21497c8.exe
              Command line: "C:\Windows\TEMP\b21497c8.exe"
              - Executes dropped EXE
              PID: 2960

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c schtasks /DELETE /TN nwlve /F
          - Indicator Removal: Clear Persistence
          - System Location Discovery: System Language Discovery
          PID: 1836

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /DELETE /TN nwlve /F
              - System Location Discovery: System Language Discovery
              PID: 2548

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
          - System Location Discovery: System Language Discovery
          PID: 1696

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="aymfue" DELETE
              - System Location Discovery: System Language Discovery
              PID: 1520

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="blivq" DELETE
              - System Location Discovery: System Language Discovery
              PID: 464

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='aymfue'" DELETE
              - System Location Discovery: System Language Discovery
              PID: 2460

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 792

            C:\Windows\TEMP\b6e6d47e.exe
              Command line: "C:\Windows\TEMP\b6e6d47e.exe"
              - Executes dropped EXE
              PID: 1988

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 3012

            C:\Windows\TEMP\b1a16ee7.exe
              Command line: "C:\Windows\TEMP\b1a16ee7.exe"
              - Executes dropped EXE
              PID: 2020

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 344

            C:\Windows\TEMP\bb5bf860.exe
              Command line: "C:\Windows\TEMP\bb5bf860.exe"
              - Executes dropped EXE
              PID: 1308

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c schtasks /DELETE /TN inao /F
          - Indicator Removal: Clear Persistence
          - System Location Discovery: System Language Discovery
          PID: 1544

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /DELETE /TN inao /F
              - System Location Discovery: System Language Discovery
              PID: 2156

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="iyhfbo" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="aqnme" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='iyhfbo'" DELETE
          - System Location Discovery: System Language Discovery
          PID: 2288

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="iyhfbo" DELETE
              - System Location Discovery: System Language Discovery
              PID: 2720

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="aqnme" DELETE
              - System Location Discovery: System Language Discovery
              PID: 2728

            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='iyhfbo'" DELETE
              - System Location Discovery: System Language Discovery
              PID: 2676

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 2716

            C:\Windows\TEMP\ba92d3f7.exe
              Command line: "C:\Windows\TEMP\ba92d3f7.exe"
              - Executes dropped EXE
              PID: 2748

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 2592

            C:\Windows\TEMP\b55d7d70.exe
              Command line: "C:\Windows\TEMP\b55d7d70.exe"
              - Executes dropped EXE
              PID: 1484

        C:\Windows\TEMP\uin77.exe
          Command line: C:\Windows\TEMP\uin77.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 1720

            C:\Windows\TEMP\bf1706e9.exe
              Command line: "C:\Windows\TEMP\bf1706e9.exe"
              - Executes dropped EXE
              PID: 2012

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 784
      - Loads dropped DLL
      - Program crash
      PID: 2244
Downloads