File name:	e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e
Full analysis:	https://app.any.run/tasks/72e43b9d-8d25-4386-8101-175e8fed52d2
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 20:30:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion upx blackmoon
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	AE3BE987AB774DD9C5F7F12B954326C3
SHA1:	34718458EC825AF5030CD19C2A56C95E51F40CA7
SHA256:	E123E08EC6B27371204D63A0908F358430DF4B20E60DF704894199639481264E
SSDEEP:	98304:xga2rzHKwg7w7bTbLTmLAjSkSh5lczqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaNYxY:+qU

.exe	\|	Win32 Executable MS Visual C++ (generic) (22.1)
.exe	\|	Win64 Executable (generic) (19.6)
.exe	\|	UPX compressed Win32 Executable (19.2)
.exe	\|	Win32 EXE Yoda's Crypter (18.8)
.scr	\|	Windows screen saver (9.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:11 03:32:14+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	913408
InitializedDataSize:	2027520
UninitializedDataSize:	-
EntryPoint:	0xbcfb1
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	1.0.0.0
FileDescription:	易语言程序
ProductName:	Synaptics
ProductVersion:	1.0.0.0
LegalCopyright:	作者版权所有请尊重并使用正版
Comments:	本程序使用易语言编写(http://www.eyuyan.com)


(PID) Process:	(6248) e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(6248) e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: FC78130000000000

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
720	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6248	e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe	GET	200	42.120.158.5:80	http://www.net.cn/static/customercare/yourip.asp	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6248	e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe	GET	200	8.141.58.141:80	http://www.fm4000888.cn/a/zhinenchanpin/2024/0718/38.html	unknown	—	—	—
720	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	103.235.46.96:443	https://sp0.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=88.240.188.96&resource_id=6006	unknown	binary	397 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5564	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
720	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.176:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6248	e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e.exe	8.141.58.141:80	www.fm4000888.cn	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
720	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146 51.104.136.2	whitelisted
www.bing.com	2.23.209.176 2.23.209.161 2.23.209.140 2.23.209.150 2.23.209.133 2.23.209.177 2.23.209.130 2.23.209.149 2.23.209.158	whitelisted
google.com	172.217.18.110	whitelisted
www.fm4000888.cn	8.141.58.141	unknown
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
www.net.cn	42.120.158.5	unknown
sp0.baidu.com	103.235.47.188 103.235.46.96	whitelisted
self.events.data.microsoft.com	104.208.16.90	whitelisted

General Info

e123e08ec6b27371204d63a0908f358430df4b20e60df704894199639481264e

AE3BE987AB774DD9C5F7F12B954326C3

34718458EC825AF5030CD19C2A56C95E51F40CA7

E123E08EC6B27371204D63A0908F358430DF4B20E60DF704894199639481264E

98304:xga2rzHKwg7w7bTbLTmLAjSkSh5lczqcL9yFTxsUtU3cxxVZ3TbicGd2LsmaNYxY:+qU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BLACKMOON has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Checks for external IP

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

UPX packer has been detected

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings