Analysis
- max time kernel: 76s
- max time network: 82s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-07-2022 13:33

Behavioral task: behavioral1
- Sample: Black Adam (2022).exe
- Resource: win7-20220414-en
General
- Target: Black Adam (2022).exe
- Size: 37KB
- MD5: 1f60289917bb553067c148fd238b24a5
- SHA1: 9540097003c4586b5e5de3103dd7a473b33398e9
- SHA256: 4c8b3ba90bc41a271d9c24139d39728c469112945f413fdc368338f39b7be356
- SHA512: 9f047b3be3c30924d688ed2160b8ec6c655dd6da579164e69368b754d607aa2ab4b432d3603e70af0dffe1ecf20be876d146b0f124998d88876b15ec54544118
Malware Config
Extracted family: njrat
- Version: im523
- Botnet: Лошок
- C2: 194.71.126.120:17954
- Mutex: 13d65a76848c880b980676c6c1cc6341
- reg_key: 13d65a76848c880b980676c6c1cc6341
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
Processes:
- pid 1764, process Dllhost.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe (process: Dllhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13d65a76848c880b980676c6c1cc6341.exe (process: Dllhost.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .." (process: Dllhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\13d65a76848c880b980676c6c1cc6341 = "\"C:\\Windows\\Dllhost.exe\" .." (process: Dllhost.exe)
Drops file in Windows directory (3 IoCs)
Processes:
- File created: C:\Windows\Dllhost.exe (process: Black Adam (2022).exe)
- File opened for modification: C:\Windows\Dllhost.exe (process: Black Adam (2022).exe)
- File opened for modification: C:\Windows\Dllhost.exe (process: Dllhost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 1764, process Dllhost.exe (62 entries)
- pid 2004, process taskmgr.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1764, process Dllhost.exe
- Token: 33, pid 1764, process Dllhost.exe
- Token: SeIncBasePriorityPrivilege, pid 1764, process Dllhost.exe
- Token: 33, pid 1764, process Dllhost.exe
- Token: SeIncBasePriorityPrivilege, pid 1764, process Dllhost.exe
- Token: SeDebugPrivilege, pid 2004, process taskmgr.exe
- Token: 33, pid 1764, process Dllhost.exe
- Token: SeIncBasePriorityPrivilege, pid 1764, process Dllhost.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes:
- pid 2004, process taskmgr.exe (25 entries)
Suspicious use of SendNotifyMessage (25 IoCs)
Processes:
- pid 2004, process taskmgr.exe (25 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1976 (Black Adam (2022).exe) wrote to memory of PID 1764 (Dllhost.exe): 4 entries
- PID 1764 (Dllhost.exe) wrote to memory of PID 2016 (netsh.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Black Adam (2022).exe (PID 1976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Black Adam (2022).exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\Dllhost.exe (PID 1764)
    Command line: "C:\Windows\Dllhost.exe"
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\netsh.exe (PID 2016)
      Command line: netsh firewall add allowedprogram "C:\Windows\Dllhost.exe" "Dllhost.exe" ENABLE
      Signatures:
      - Modifies Windows Firewall
- C:\Windows\system32\taskmgr.exe (PID 2004)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads
- C:\Windows\Dllhost.exe
  - Filesize: 37KB
  - MD5: 1f60289917bb553067c148fd238b24a5
  - SHA1: 9540097003c4586b5e5de3103dd7a473b33398e9
  - SHA256: 4c8b3ba90bc41a271d9c24139d39728c469112945f413fdc368338f39b7be356
  - SHA512: 9f047b3be3c30924d688ed2160b8ec6c655dd6da579164e69368b754d607aa2ab4b432d3603e70af0dffe1ecf20be876d146b0f124998d88876b15ec54544118