blackmoon | dd847b7624e96514b2ee1c6b942867b69e1281d76802244917cda997776d8a2e

Analysis

max time kernel
51s
max time network
53s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
21/03/2025, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YH.msi
Size

13.4MB
MD5

e41527007d14c7f084a0b702b283e1e5
SHA1

e51d10f9918816e9f7abbf289ff4f9a271d4f1af
SHA256

dd847b7624e96514b2ee1c6b942867b69e1281d76802244917cda997776d8a2e
SHA512

1aaafc3992bc6a0e57c6316288cf6fbc0ecdb11f78c8eb38cf99a77fd33f834a79727d1cad1eb48be938b0a1733c1b5251430b564968022eac15d9d5979ce999
SSDEEP

196608:pBfMDJ9/wXYZUpMqJsfvgfKJ10PlJc3DN2ZlcLB0kS731:pBfMDJ9+pMq4vcKPElJmZ2/c9A

Score

10^/10

blackmoon fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/2976-117-0x0000000000400000-0x0000000000B99000-memory.dmp	family_blackmoon

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
stealer trojan fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/4608-131-0x0000000010000000-0x000000001002D000-memory.dmp	fatalrat
behavioral1/memory/2384-140-0x0000000010000000-0x000000001002D000-memory.dmp	fatalrat

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b00000002816c-66.dat	vmprotect
behavioral1/memory/5556-68-0x00007FF78E1C0000-0x00007FF78E76C000-memory.dmp	vmprotect
behavioral1/files/0x0009000000028176-110.dat	vmprotect
behavioral1/memory/4296-113-0x00007FF78E1C0000-0x00007FF78E76C000-memory.dmp	vmprotect
behavioral1/memory/2976-117-0x0000000000400000-0x0000000000B99000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TjNkNpAilaYvt.exe.log	TjNkNpAilaYvt.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI87ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57877f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8917.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A81.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DBB56E52-B2C8-4BD0-96DC-EE1D75DE3BAC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BCC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57877f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
3716	aa.exe
5556	scrok.exe
5624	TjNkNpAilaYvt.exe
4596	TjNkNpAilaYvt.exe
2956	TjNkNpAilaYvt.exe
5464	TjNkNpAilaYvt.exe
4296	scrok.exe
2976	setup.exe
4608	svchost.exe
2384	svchost.exe
4708	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
3136	MsiExec.exe
3136	MsiExec.exe
3136	MsiExec.exe
3136	MsiExec.exe
3136	MsiExec.exe
3136	MsiExec.exe
3136	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5880	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7cf3f444b48aaeb0000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff000000002701010000883801b7cf3f440000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e84101b7cf3f44000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea71b7cf3f4400000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7cf3f4400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5576	timeout.exe
1516	timeout.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Group = "Fatal"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\InstallTime = "2025-03-21 00:50"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5836	msiexec.exe
5836	msiexec.exe
5556	scrok.exe
5556	scrok.exe
5556	scrok.exe
5556	scrok.exe
5464	TjNkNpAilaYvt.exe
4296	scrok.exe
4296	scrok.exe
4296	scrok.exe
4296	scrok.exe
2976	setup.exe
2976	setup.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe
4608	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5880	msiexec.exe
Token: SeSecurityPrivilege	5836	msiexec.exe
Token: SeCreateTokenPrivilege	5880	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5880	msiexec.exe
Token: SeLockMemoryPrivilege	5880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5880	msiexec.exe
Token: SeMachineAccountPrivilege	5880	msiexec.exe
Token: SeTcbPrivilege	5880	msiexec.exe
Token: SeSecurityPrivilege	5880	msiexec.exe
Token: SeTakeOwnershipPrivilege	5880	msiexec.exe
Token: SeLoadDriverPrivilege	5880	msiexec.exe
Token: SeSystemProfilePrivilege	5880	msiexec.exe
Token: SeSystemtimePrivilege	5880	msiexec.exe
Token: SeProfSingleProcessPrivilege	5880	msiexec.exe
Token: SeIncBasePriorityPrivilege	5880	msiexec.exe
Token: SeCreatePagefilePrivilege	5880	msiexec.exe
Token: SeCreatePermanentPrivilege	5880	msiexec.exe
Token: SeBackupPrivilege	5880	msiexec.exe
Token: SeRestorePrivilege	5880	msiexec.exe
Token: SeShutdownPrivilege	5880	msiexec.exe
Token: SeDebugPrivilege	5880	msiexec.exe
Token: SeAuditPrivilege	5880	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5880	msiexec.exe
Token: SeChangeNotifyPrivilege	5880	msiexec.exe
Token: SeRemoteShutdownPrivilege	5880	msiexec.exe
Token: SeUndockPrivilege	5880	msiexec.exe
Token: SeSyncAgentPrivilege	5880	msiexec.exe
Token: SeEnableDelegationPrivilege	5880	msiexec.exe
Token: SeManageVolumePrivilege	5880	msiexec.exe
Token: SeImpersonatePrivilege	5880	msiexec.exe
Token: SeCreateGlobalPrivilege	5880	msiexec.exe
Token: SeBackupPrivilege	1276	vssvc.exe
Token: SeRestorePrivilege	1276	vssvc.exe
Token: SeAuditPrivilege	1276	vssvc.exe
Token: SeBackupPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeRestorePrivilege	5836	msiexec.exe
Token: SeTakeOwnershipPrivilege	5836	msiexec.exe
Token: SeDebugPrivilege	5556	scrok.exe
Token: SeDebugPrivilege	5624	TjNkNpAilaYvt.exe
Token: SeDebugPrivilege	4596	TjNkNpAilaYvt.exe
Token: SeBackupPrivilege	1524	srtasks.exe
Token: SeRestorePrivilege	1524	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5880	msiexec.exe
5880	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	setup.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5836 wrote to memory of 1524	5836	msiexec.exe	85
PID 5836 wrote to memory of 1524	5836	msiexec.exe	85
PID 5836 wrote to memory of 3136	5836	msiexec.exe	87
PID 5836 wrote to memory of 3136	5836	msiexec.exe	87
PID 5836 wrote to memory of 3136	5836	msiexec.exe	87
PID 3136 wrote to memory of 3852	3136	MsiExec.exe	88
PID 3136 wrote to memory of 3852	3136	MsiExec.exe	88
PID 3136 wrote to memory of 3852	3136	MsiExec.exe	88
PID 3852 wrote to memory of 5576	3852	cmd.exe	90
PID 3852 wrote to memory of 5576	3852	cmd.exe	90
PID 3852 wrote to memory of 5576	3852	cmd.exe	90
PID 3852 wrote to memory of 3716	3852	cmd.exe	91
PID 3852 wrote to memory of 3716	3852	cmd.exe	91
PID 3852 wrote to memory of 3716	3852	cmd.exe	91
PID 3852 wrote to memory of 5556	3852	cmd.exe	92
PID 3852 wrote to memory of 5556	3852	cmd.exe	92
PID 5556 wrote to memory of 808	5556	scrok.exe	10
PID 5556 wrote to memory of 808	5556	scrok.exe	10
PID 5556 wrote to memory of 808	5556	scrok.exe	10
PID 3852 wrote to memory of 5624	3852	cmd.exe	93
PID 3852 wrote to memory of 5624	3852	cmd.exe	93
PID 3852 wrote to memory of 4596	3852	cmd.exe	94
PID 3852 wrote to memory of 4596	3852	cmd.exe	94
PID 3852 wrote to memory of 1516	3852	cmd.exe	95
PID 3852 wrote to memory of 1516	3852	cmd.exe	95
PID 3852 wrote to memory of 1516	3852	cmd.exe	95
PID 3852 wrote to memory of 2956	3852	cmd.exe	96
PID 3852 wrote to memory of 2956	3852	cmd.exe	96
PID 3852 wrote to memory of 4296	3852	cmd.exe	98
PID 3852 wrote to memory of 4296	3852	cmd.exe	98
PID 5464 wrote to memory of 2976	5464	TjNkNpAilaYvt.exe	99
PID 5464 wrote to memory of 2976	5464	TjNkNpAilaYvt.exe	99
PID 5464 wrote to memory of 2976	5464	TjNkNpAilaYvt.exe	99
PID 4296 wrote to memory of 808	4296	scrok.exe	10
PID 4296 wrote to memory of 808	4296	scrok.exe	10
PID 4296 wrote to memory of 808	4296	scrok.exe	10
PID 2976 wrote to memory of 2384	2976	setup.exe	100
PID 2976 wrote to memory of 2384	2976	setup.exe	100
PID 2976 wrote to memory of 2384	2976	setup.exe	100
PID 2976 wrote to memory of 4708	2976	setup.exe	101
PID 2976 wrote to memory of 4708	2976	setup.exe	101
PID 2976 wrote to memory of 4708	2976	setup.exe	101
PID 2976 wrote to memory of 4608	2976	setup.exe	102
PID 2976 wrote to memory of 4608	2976	setup.exe	102
PID 2976 wrote to memory of 4608	2976	setup.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YH.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5836
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94083EC285AA846E7CC9F8E46084C146
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c timeout /nobreak /t 7 & C:\ProgramData\setup\aa.exe x C:\ProgramData\setup\ddd. -key 000000 -f -to C:\ProgramData & C:\ProgramData\Packas\scrok.exe & C:\ProgramData\Smart\TjNkNpAilaYvt.exe install & C:\ProgramData\Smart\TjNkNpAilaYvt.exe install & timeout /nobreak /t 2 & C:\ProgramData\Smart\TjNkNpAilaYvt.exe start & C:\ProgramData\Packas\scrok.exe & del C:\ProgramData\Packas\scrok.exe & C:\ProgramData\setup\setup.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 7
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5576
  - - C:\ProgramData\setup\aa.exe
      C:\ProgramData\setup\aa.exe x C:\ProgramData\setup\ddd. -key 000000 -f -to C:\ProgramData
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3716
  - - C:\ProgramData\Packas\scrok.exe
      C:\ProgramData\Packas\scrok.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5556
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe install
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5624
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe install
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1516
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe start
      4⤵
      Executes dropped EXE
      PID:2956
  - - C:\ProgramData\Packas\scrok.exe
      C:\ProgramData\Packas\scrok.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\ProgramData\Smart\TjNkNpAilaYvt.exe
"C:\ProgramData\Smart\TjNkNpAilaYvt.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5464
- C:\ProgramData\Smart\setup.exe
  "C:\ProgramData\Smart\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578782.rbs

Filesize
1KB

MD5
4c19aae3cf31f6b07898ce1f982316a8

SHA1
377a5c6dda2183e11a4fc469f74ba62ef8af5e69

SHA256
930dea1248f64679e51466557c5064d628e1ec0f73e017a4667b62474929d7bb

SHA512
b1b26d25313381e02ed76ce2bb19d23f221440edb5de6bc0c1d32c342fb38dfec0e885095bf98274c93e642f1f5285546022f56547f7b8a313b64ec64e1ea414

Download Submit
C:\ProgramData\NVIDIARV\svchost.exe

Filesize
3.4MB

MD5
e67516972f762b64b2dc4b03ba8296b3

SHA1
15a764f0dd0f0e98b1dbc2e54858ea4228123853

SHA256
f23fc1c9fc311388f659a3c3c839c8c2be94b74837b5af19afcfc0df9e8b25e1

SHA512
e1e29ae8854932944377039ec681a443b7528366568991f89845c62d6d65503355a5e76a22c2495209cacd1f64e8346c41671d3af1e691a7b64183c5734f40da

Download Submit
C:\ProgramData\Packas\scrok.exe

Filesize
2.7MB

MD5
ac30909929056007eaf0fbcf53c3a21f

SHA1
7046d48c84748b246ebaa1c0153e8f81d3b0acc1

SHA256
f11baf3657a9bbfeb5d140a37d456573f589212447446a1519033ad010b9f58f

SHA512
71a40652f3cdfbd33cfc539855d6cbb1fba601e83bbd4b3e4f5e397144b3abfed5d148b486aec4eec17136e063609f93beae72a5e78d12d876dd79ccd3c9c849

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
935B

MD5
0c8250bbfea64b164538b1008bbdd268

SHA1
1e4fd96cf24192eb3e996cd7fe8a2bd67a3d92ea

SHA256
9efbc202209a0c0e0e74af22a423a991e82ac0b1df2aa93b95b3870526082e2c

SHA512
da755d07904b0bcb5398cf40329075b6b987c6a15d74b41670a02f26eb4e8ce2e5307ecc097cec732855f3a1457c7f82112895c164d2dee87d6013e2738a38db

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
1009B

MD5
21228e67d080e4b4d39f5f43633db89a

SHA1
7c6377b4421f4cb160644d57604e5a9bd8b5d3f0

SHA256
c96c84d7864d8c936e2007a8ea044bdba093aaef798acd2308ef41866dc57fec

SHA512
ef173a08ceb4ea812889e03dfcdacde6891027634e437749e89b2960812288cf2ef6ea2d33fd86c4f4c06a17049a38321edd5ae2817837a82ba0e2b32d094352

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
266B

MD5
0d570001880691fe1166b31fd17dae7c

SHA1
022f180cae60b6dcd6410c9abcb52d699ea5e515

SHA256
39b619b226cb27f36bc9a1ec153e9153ad93ea22154731fd7caa9ff25e80a81c

SHA512
3e0f639f31863af40caab7a7bfd106dc8655e24e944634f013d8993b9a951ccda83a1c3c62ad661e77acce899567ba8e029426bd1129e39736685caa693e28ca

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
613B

MD5
b9f21658f3986bbcfa7551a44324cf84

SHA1
06c97bfe73730706b996d43164e3814ccd2ec103

SHA256
7c79fcaf2c8af012731d2909eeb0465f9d84b993dcc351a7cbdd3595390312c6

SHA512
3dae829d279a10f7f18593e19d9dd690c9bf36d633ab7d288469caa7300833e78509398c43ca315c35688338849b57c1a4594110b142de37a4fb1220040fccc7

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
769B

MD5
37987c2cbfcb0df3c991aaf4b6d47d1f

SHA1
584f31278f70bb16a1ceabcff8d44ce4f81a28d7

SHA256
1bfb8a990aaef23a835ef26690bec190355c224a66f82ca88f5e7dafa423f052

SHA512
0e9c888dcb9abeb175f72834b9268db13af54e54e95129fca5653c33982091a580fc4b758b796d4ff0cb5ba18a91c6930f2936f9d4981ca2404acc19f6ab65b6

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.xml

Filesize
298B

MD5
2c706293a3cfff8cc184a8e9a3b3da08

SHA1
873d7c9f51aa6cebd4ad3ae5930d1de84bb4437d

SHA256
ed28baf8be3a588d50ed246c2cd741bbd498aee74ea0675d57e0b33236e22067

SHA512
4aba3e25507ba5c29219ff51553f3616d07aeeb30f7465f9e921eea94cdcb411d1f48d1eefed647c22405df275e7f9d7506aac52202aae137391c6831463b043

Download Submit
C:\ProgramData\Smart\setup.exe

Filesize
4.7MB

MD5
113f2ba0cb86477d66f1d8c85a1babfc

SHA1
b5501c19f3fe899565df3bead0580fa3fee54856

SHA256
6cc5816529c56e5b0c871accbbb3de9abf83ac541645f587da4607d60d3b0e11

SHA512
50617759533ca626d79bb19764da0a44774ced9d59a4a6386eda46ad6c21dc54189605b7555fee870059e447c5d4dde28c7c68dc185ab5cd53002f68f4c27d40

Download Submit
C:\ProgramData\setup\aa.exe

Filesize
1.0MB

MD5
09c448be7e7d84e6e544cc03afbb05d8

SHA1
ddc13e71a72bc49c60f89b98cbb79c2449cfa07e

SHA256
a0f127a70943b0262060498c1723c795a8e2980f1acf0c42ee8c1dae72ae54b5

SHA512
e5f7a988a999e7e34d0aa2d2a5b2fbb22689588d3def4bed4518ceed38710e3714c5614bab192b0ce6bcac5172a87ebf3b3b923e495eb7344c70bd11f4bf1c12

Download Submit
C:\ProgramData\setup\ddd

Filesize
10.7MB

MD5
719e58569397eae6dcd46b0fbddfcb32

SHA1
a383266b8014c52d92e87a510c9ab5f6f4b7c0bc

SHA256
0c8e0665a47d1d912fff8db473ee93e33631b68af70fa7fb03bcebc2d887226f

SHA512
e349321ca84a08f99e6d85a7a39090990a25f5dd012d87b31a354975c0cacdf9452147fede97fa48eca761214de0e4c839898e0e1b36f1175e6114508c134b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TjNkNpAilaYvt.exe.log

Filesize
1KB

MD5
065ba7ab4a148dd96ec21e112d3f71db

SHA1
18e9ca2d097e6f1e3b0b944e8d32b321bcde667d

SHA256
6a36e0ff68fc9afc92361191bedcde371ed1a05a9e8e19290583a890493f7b62

SHA512
049d43d80cb6806aef2f3828c6505660d53d05e5fb338f00f830a231da836b3ea493994b78d4ed4d7b7939cf4cc27ca927c765c2372e9b385caf64f4a906c720

Download Submit
C:\Windows\Installer\MSI87ED.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSI8A81.tmp

Filesize
1.1MB

MD5
ae463676775a1dd0b7a28ddb265b4065

SHA1
dff64c17885c7628b22631a2cdc9da83e417d348

SHA256
83fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22

SHA512
e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.0MB

MD5
aa98a771d8eb9d2e5def0604ee51bb2a

SHA1
bca968d8f0cb5ae3195dc75a7bd0f0ff788ffd46

SHA256
1b656e757922c01181d8a03e07ac8f61180d48140c50c76f1bad23b58bd70c5c

SHA512
ca6a527ba221db5564880f8e57d6c9ebe77eb5338d945c26ce4a452d3aa142b232047ab7614c652f9806a854d99d4d3463987f4b740e047bdba7afb7c1fd41c1

Download Submit
\??\Volume{443fcfb7-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{8961242b-ac2a-4780-ad9b-0057a86bad02}_OnDiskSnapshotProp

Filesize
6KB

MD5
88d699729943a1d67949fc360eb9abc7

SHA1
b44de19a586d4f6679a8aedabd8b4f4f170c44cd

SHA256
6ccad2c30ab3d47457f28b381874d200c880ddd41322f3f3e28f1970f38c81a1

SHA512
bf41ff78d9c2f4f775beaa9ca373e0790593d90234401a5b8a815ac23b18329c53aa5ee383a798a720d8931737cf434a0d4dad1a183818fcd0f63ab1b95e1e2e

Download Submit
memory/2384-140-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/2384-136-0x0000000000400000-0x0000000000911000-memory.dmp

Filesize
5.1MB

Download
memory/2976-117-0x0000000000400000-0x0000000000B99000-memory.dmp

Filesize
7.6MB

Download
memory/2976-116-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3716-63-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4296-113-0x00007FF78E1C0000-0x00007FF78E76C000-memory.dmp

Filesize
5.7MB

Download
memory/4608-129-0x0000000000400000-0x0000000000911000-memory.dmp

Filesize
5.1MB

Download
memory/4608-131-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/5556-68-0x00007FF78E1C0000-0x00007FF78E76C000-memory.dmp

Filesize
5.7MB

Download
memory/5556-67-0x00007FFDC0A30000-0x00007FFDC0A32000-memory.dmp

Filesize
8KB

Download
memory/5624-74-0x00000000006C0000-0x0000000000796000-memory.dmp

Filesize
856KB

Download