blackmoon | 7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Size

2.9MB
MD5

4833ec8dc2c54e604af9a36f5ca884f0
SHA1

ab322e271682bb7df83717faa84a557c08a89376
SHA256

7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8
SHA512

19392c1a2b9ba6a0ba59fd4566929d299bd86dc021b4666ebcc680a0fdfec57c1781ae92b7c445b737bba139c893f849f763fe4096ae12dcb00459791335fe43
SSDEEP

12288:fqGKl6bcNQSjEgkSiP8Lr2mFE66kjlKuJ9J7tfg+LRZq01Y:fNKl6b8JYgyP8WTGIuhZvPq

Score

10^/10

blackmoon banker defense_evasion discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 8 IoCs

resource	yara_rule
behavioral2/memory/3556-4-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2920-8-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/2920-13-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/1544-30-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon
behavioral2/memory/532-33-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/532-47-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/532-109-0x0000000000400000-0x000000000048C000-memory.dmp	family_blackmoon
behavioral2/memory/1544-112-0x0000000000400000-0x00000000004E6000-memory.dmp	family_blackmoon

Executes dropped EXE 27 IoCs

pid	Process
2920	mfclzys.exe
1544	mfclzys.exe
532	1126690105283402.exe
2476	uin77.exe
2408	b456233f.exe
4632	uin77.exe
228	b3ad0fc6.exe
4968	uin77.exe
4792	be58984f.exe
1436	uin77.exe
4876	bdae74d7.exe
540	uin77.exe
1872	b7590d5f.exe
2160	uin77.exe
448	b7aff9e7.exe
4880	uin77.exe
1632	b6e6d47e.exe
2408	uin77.exe
4000	b1a16ee7.exe
3928	uin77.exe
4512	bb5bf860.exe
3116	uin77.exe
632	ba92d3f7.exe
3488	uin77.exe
3876	bae8cf8f.exe
3320	uin77.exe
5084	b4935808.exe

Indicator Removal: Clear Persistence 1 TTPs 4 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
972	cmd.exe
4712	cmd.exe
1868	cmd.exe
676	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mfclzys.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mfclzys.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mfclzys.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mfclzys.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3556-0-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/3556-4-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/files/0x000b000000023b60-6.dat	upx
behavioral2/memory/2920-8-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/2920-13-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/532-16-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/files/0x000200000001e733-15.dat	upx
behavioral2/memory/1544-30-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/532-33-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/532-47-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/532-109-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/1544-112-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\qocfag\mfclzys.exe	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
File opened for modification	\??\c:\windows\fonts\qocfag\mfclzys.exe	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
File created	\??\c:\windows\fonts\zdoafl\xlnsqau.exe	mfclzys.exe
File created	\??\c:\windows\fonts\jvcu\povurjx.exe	mfclzys.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	1544	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1126690105283402.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfclzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfclzys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uin77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1936	cmd.exe
4784	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mfclzys.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mfclzys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mfclzys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mfclzys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mfclzys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mfclzys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mfclzys.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mfclzys.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
2920	mfclzys.exe
2920	mfclzys.exe
1544	mfclzys.exe
1544	mfclzys.exe
2476	uin77.exe
2476	uin77.exe
2476	uin77.exe
2476	uin77.exe
2408	b456233f.exe
2408	b456233f.exe
2408	b456233f.exe
2408	b456233f.exe
4632	uin77.exe
4632	uin77.exe
4632	uin77.exe
4632	uin77.exe
228	b3ad0fc6.exe
228	b3ad0fc6.exe
228	b3ad0fc6.exe
228	b3ad0fc6.exe
4968	uin77.exe
4968	uin77.exe
4968	uin77.exe
4968	uin77.exe
4792	be58984f.exe
4792	be58984f.exe
4792	be58984f.exe
4792	be58984f.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe
532	1126690105283402.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
Token: SeDebugPrivilege	2920	mfclzys.exe
Token: SeDebugPrivilege	1544	mfclzys.exe
Token: SeDebugPrivilege	2476	uin77.exe
Token: SeAssignPrimaryTokenPrivilege	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	2408	b456233f.exe
Token: SeAssignPrimaryTokenPrivilege	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4000	WMIC.exe
Token: SeSecurityPrivilege	4000	WMIC.exe
Token: SeTakeOwnershipPrivilege	4000	WMIC.exe
Token: SeLoadDriverPrivilege	4000	WMIC.exe
Token: SeSystemtimePrivilege	4000	WMIC.exe
Token: SeBackupPrivilege	4000	WMIC.exe
Token: SeRestorePrivilege	4000	WMIC.exe
Token: SeShutdownPrivilege	4000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4000	WMIC.exe
Token: SeUndockPrivilege	4000	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
2920	mfclzys.exe
1544	mfclzys.exe
532	1126690105283402.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1936	3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe	83
PID 3556 wrote to memory of 1936	3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe	83
PID 3556 wrote to memory of 1936	3556	7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe	83
PID 1936 wrote to memory of 4784	1936	cmd.exe	85
PID 1936 wrote to memory of 4784	1936	cmd.exe	85
PID 1936 wrote to memory of 4784	1936	cmd.exe	85
PID 1936 wrote to memory of 2920	1936	cmd.exe	87
PID 1936 wrote to memory of 2920	1936	cmd.exe	87
PID 1936 wrote to memory of 2920	1936	cmd.exe	87
PID 1544 wrote to memory of 532	1544	mfclzys.exe	89
PID 1544 wrote to memory of 532	1544	mfclzys.exe	89
PID 1544 wrote to memory of 532	1544	mfclzys.exe	89
PID 532 wrote to memory of 972	532	1126690105283402.exe	90
PID 532 wrote to memory of 972	532	1126690105283402.exe	90
PID 532 wrote to memory of 972	532	1126690105283402.exe	90
PID 532 wrote to memory of 5056	532	1126690105283402.exe	91
PID 532 wrote to memory of 5056	532	1126690105283402.exe	91
PID 532 wrote to memory of 5056	532	1126690105283402.exe	91
PID 532 wrote to memory of 2476	532	1126690105283402.exe	94
PID 532 wrote to memory of 2476	532	1126690105283402.exe	94
PID 532 wrote to memory of 2476	532	1126690105283402.exe	94
PID 972 wrote to memory of 3032	972	cmd.exe	95
PID 972 wrote to memory of 3032	972	cmd.exe	95
PID 972 wrote to memory of 3032	972	cmd.exe	95
PID 5056 wrote to memory of 1572	5056	cmd.exe	96
PID 5056 wrote to memory of 1572	5056	cmd.exe	96
PID 5056 wrote to memory of 1572	5056	cmd.exe	96
PID 2476 wrote to memory of 2408	2476	uin77.exe	97
PID 2476 wrote to memory of 2408	2476	uin77.exe	97
PID 5056 wrote to memory of 4588	5056	cmd.exe	98
PID 5056 wrote to memory of 4588	5056	cmd.exe	98
PID 5056 wrote to memory of 4588	5056	cmd.exe	98
PID 5056 wrote to memory of 4000	5056	cmd.exe	99
PID 5056 wrote to memory of 4000	5056	cmd.exe	99
PID 5056 wrote to memory of 4000	5056	cmd.exe	99
PID 532 wrote to memory of 4632	532	1126690105283402.exe	100
PID 532 wrote to memory of 4632	532	1126690105283402.exe	100
PID 532 wrote to memory of 4632	532	1126690105283402.exe	100
PID 4632 wrote to memory of 228	4632	uin77.exe	101
PID 4632 wrote to memory of 228	4632	uin77.exe	101
PID 532 wrote to memory of 4968	532	1126690105283402.exe	108
PID 532 wrote to memory of 4968	532	1126690105283402.exe	108
PID 532 wrote to memory of 4968	532	1126690105283402.exe	108
PID 4968 wrote to memory of 4792	4968	uin77.exe	109
PID 4968 wrote to memory of 4792	4968	uin77.exe	109
PID 532 wrote to memory of 4712	532	1126690105283402.exe	116
PID 532 wrote to memory of 4712	532	1126690105283402.exe	116
PID 532 wrote to memory of 4712	532	1126690105283402.exe	116
PID 532 wrote to memory of 4380	532	1126690105283402.exe	117
PID 532 wrote to memory of 4380	532	1126690105283402.exe	117
PID 532 wrote to memory of 4380	532	1126690105283402.exe	117
PID 4380 wrote to memory of 2944	4380	cmd.exe	120
PID 4380 wrote to memory of 2944	4380	cmd.exe	120
PID 4380 wrote to memory of 2944	4380	cmd.exe	120
PID 4712 wrote to memory of 3636	4712	cmd.exe	121
PID 4712 wrote to memory of 3636	4712	cmd.exe	121
PID 4712 wrote to memory of 3636	4712	cmd.exe	121
PID 532 wrote to memory of 1436	532	1126690105283402.exe	122
PID 532 wrote to memory of 1436	532	1126690105283402.exe	122
PID 532 wrote to memory of 1436	532	1126690105283402.exe	122
PID 1436 wrote to memory of 4876	1436	uin77.exe	123
PID 1436 wrote to memory of 4876	1436	uin77.exe	123
PID 4380 wrote to memory of 760	4380	cmd.exe	124
PID 4380 wrote to memory of 760	4380	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe
"C:\Users\Admin\AppData\Local\Temp\7e1d686f1d6d26ce7b86e3ed9e737612904f37c620dadf340d2481c2a0e3e5a8N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\qocfag\mfclzys.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4784
- - \??\c:\windows\fonts\qocfag\mfclzys.exe
    c:\windows\fonts\qocfag\mfclzys.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2920

\??\c:\windows\fonts\qocfag\mfclzys.exe
c:\windows\fonts\qocfag\mfclzys.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\TEMP\1126690105283402.exe
  C:\Windows\TEMP\1126690105283402.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN napiy /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN napiy /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4000
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\TEMP\b456233f.exe
      "C:\Windows\TEMP\b456233f.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\TEMP\b3ad0fc6.exe
      "C:\Windows\TEMP\b3ad0fc6.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:228
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\TEMP\be58984f.exe
      "C:\Windows\TEMP\be58984f.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN napiy /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN napiy /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:760
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\TEMP\bdae74d7.exe
      "C:\Windows\TEMP\bdae74d7.exe"
      4⤵
      Executes dropped EXE
      PID:4876
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:540
  - - C:\Windows\TEMP\b7590d5f.exe
      "C:\Windows\TEMP\b7590d5f.exe"
      4⤵
      Executes dropped EXE
      PID:1872
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\Windows\TEMP\b7aff9e7.exe
      "C:\Windows\TEMP\b7aff9e7.exe"
      4⤵
      Executes dropped EXE
      PID:448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN napiy /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN napiy /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fsirl" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="pagfz" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fsirl'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4880
  - - C:\Windows\TEMP\b6e6d47e.exe
      "C:\Windows\TEMP\b6e6d47e.exe"
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2408
  - - C:\Windows\TEMP\b1a16ee7.exe
      "C:\Windows\TEMP\b1a16ee7.exe"
      4⤵
      Executes dropped EXE
      PID:4000
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3928
  - - C:\Windows\TEMP\bb5bf860.exe
      "C:\Windows\TEMP\bb5bf860.exe"
      4⤵
      Executes dropped EXE
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN hfms /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:676
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN hfms /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="urviec" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uvi" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='urviec'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3164
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="urviec" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="uvi" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4580
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='urviec'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3116
  - - C:\Windows\TEMP\ba92d3f7.exe
      "C:\Windows\TEMP\ba92d3f7.exe"
      4⤵
      Executes dropped EXE
      PID:632
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3488
  - - C:\Windows\TEMP\bae8cf8f.exe
      "C:\Windows\TEMP\bae8cf8f.exe"
      4⤵
      Executes dropped EXE
      PID:3876
- - C:\Windows\TEMP\uin77.exe
    C:\Windows\TEMP\uin77.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3320
  - - C:\Windows\TEMP\b4935808.exe
      "C:\Windows\TEMP\b4935808.exe"
      4⤵
      Executes dropped EXE
      PID:5084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1324
  2⤵
  - Program crash
  PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\qocfag\mfclzys.exe

Filesize
2.9MB

MD5
03307a638d93a26f52f1b0f5638c770f

SHA1
6fe78df4d083724bf1a53bc565bcec1376d98705

SHA256
2d5ae7644bf47624e5a645259b3d6cf2263180bed1b288885dbc4d3fea282407

SHA512
e0db776d334d5d8a7053ddf11132d31a11e802c0a682f713f910742c21b8f095c283216705add2072c2f82989f77e8804aef3ac2fabafb20f3aabf2b45fc8ae8

Download Submit
C:\Windows\TEMP\1126690105283402.exe

Filesize
244KB

MD5
de3b294b4edf797dfa8f45b33a0317b4

SHA1
d46f49e223655eca9a21249a60de3719fe3795e0

SHA256
d6d9b5fbf32d64da140ebf83495f8c3b4f28e5a336c4b7306c84e12abf7860e9

SHA512
1ce19d0a57a621225702b8a7b30bbd8ca482ab305d3881f5af63cd1ac712577b633955b8b95c11ed73585dbca6377859ed27a1859e369064841639a2b4035c97

Download Submit
C:\Windows\TEMP\b456233f.exe

Filesize
95KB

MD5
e5f9f508c84392b9586a69e9f3b6b570

SHA1
2b3e5af9382cbec0aacc57c8b03f4c5914f83987

SHA256
f97a09cbbc04e402e564f921d9cbcea1f7e7b505a1f18fa19293e28ffbe8f640

SHA512
4085e9fd61189a16a376795ea4bfc9a33d33a589aef76aa1d1486f52f9c7d04ed7c89c1287921e2c771003e3fad7b9c3d918847f8689be6f3b5713dca4e82e28

Download Submit
C:\Windows\TEMP\uin77.exe

Filesize
173KB

MD5
d5d1ee1bcd03383e6f14e0390ea86cfa

SHA1
c6a69aa0f8d33f549fd722431c1c314b0668ad43

SHA256
3249f722cdc8166e1418cd1f5d83ae6aaa527803c1613bbd4436102d4824c285

SHA512
43edd163afe009699a6b2970c551e4f87dca93dbd550489ec39ab9056ec4221c581e599035d8ebfc1957836e6714ec6d56888f409378035f9948bf72e15087de

Download Submit
C:\Windows\Temp\b6e6d47e.exe

Filesize
95KB

MD5
22ebcafa9cb106f66b25cd4891013c3c

SHA1
2fb91e7bda6bfd5cad919351ab29f6a25c3557b7

SHA256
620f9d7beef9eaddbb9f3aa3f64462590dae8107f6f8ab898dd1ab700445ea07

SHA512
b716f10498d25a56801f6d9e68133725a681a8ab746f27765c0dcf3fe9b0256df6f89cc76f4139366e90a498e10d566e73b67065a7f102c44262292370ed17c9

Download Submit
C:\Windows\Temp\uin77.exe

Filesize
173KB

MD5
6aebe24bebefb90e749285acd626e8b3

SHA1
56e28cd3e70032004aa4001ba582b19024ee7b97

SHA256
277942c33f2a4c33c3986894df7aad6d0c8eed93eee02af9de65b8d5b93dd0a6

SHA512
b845e01718d5efea56ac819fc2d66abfa36a842ac60e2a985d2be9974d4014cd44a440ac30d6fc3ffcd365ccbe0e91ab0a30a879119f630049bd200c0181e7ad

Download Submit
memory/532-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/532-33-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/532-47-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/532-109-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1544-30-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1544-112-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2920-13-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2920-8-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3556-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3556-4-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download