Analysis
-
max time kernel
132s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
submitted
22-07-2022 12:14
Static task
static1
Behavioral task
behavioral1
Sample
tfccltd.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
tfccltd.exe
Resource
win10v2004-20220721-en
General
-
Target
tfccltd.exe
-
Size
292KB
-
MD5
a1bfff3769a3962c5075e041c1c937b3
-
SHA1
2936ad4944f553277842155b0de2aa5f43d741fb
-
SHA256
ae8369a28b53ba7e283436a65c211ef032af555515fb961e6cb0c56c635d1834
-
SHA512
31eb0d602e1621b40cbc27acc85ac96eae2ab5d11d074fd13df2e08501c55bce328e75acb53ac666d4135246e018e85ac90e2a8b3099deb0d148c9e88186b7c5
Malware Config
Signatures
-
Detect Blackmoon payload 11 IoCs
resource yara_rule behavioral2/files/0x0008000000022e2a-135.dat family_blackmoon behavioral2/files/0x0008000000022e2a-139.dat family_blackmoon behavioral2/files/0x0008000000022e2a-140.dat family_blackmoon behavioral2/files/0x0008000000022e2a-138.dat family_blackmoon behavioral2/files/0x0008000000022e2a-137.dat family_blackmoon behavioral2/files/0x0008000000022e2a-136.dat family_blackmoon behavioral2/files/0x0008000000022e2a-145.dat family_blackmoon behavioral2/files/0x0008000000022e2a-148.dat family_blackmoon behavioral2/files/0x0008000000022e2a-150.dat family_blackmoon behavioral2/files/0x0008000000022e2a-147.dat family_blackmoon behavioral2/files/0x0008000000022e2a-146.dat family_blackmoon -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 10 IoCs
pid Process 3464 test.exe 4912 test.exe 3912 test.exe 3852 test.exe 4092 test.exe 4972 test.exe 3860 test.exe 448 test.exe 3044 test.exe 4076 test.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\CurrentVersion\Run tfccltd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bootcontfccltd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tfccltd.exe" tfccltd.exe -
Kills process with taskkill 1 IoCs
pid Process 44452 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 44452 taskkill.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2708 wrote to memory of 3464 2708 tfccltd.exe 80 PID 2708 wrote to memory of 4912 2708 tfccltd.exe 79 PID 2708 wrote to memory of 3464 2708 tfccltd.exe 80 PID 2708 wrote to memory of 4912 2708 tfccltd.exe 79 PID 2708 wrote to memory of 3464 2708 tfccltd.exe 80 PID 2708 wrote to memory of 4912 2708 tfccltd.exe 79 PID 2708 wrote to memory of 3852 2708 tfccltd.exe 77 PID 2708 wrote to memory of 3852 2708 tfccltd.exe 77 PID 2708 wrote to memory of 3852 2708 tfccltd.exe 77 PID 2708 wrote to memory of 3912 2708 tfccltd.exe 78 PID 2708 wrote to memory of 3912 2708 tfccltd.exe 78 PID 2708 wrote to memory of 3912 2708 tfccltd.exe 78 PID 2708 wrote to memory of 4092 2708 tfccltd.exe 76 PID 2708 wrote to memory of 4092 2708 tfccltd.exe 76 PID 2708 wrote to memory of 4092 2708 tfccltd.exe 76 PID 4092 wrote to memory of 3860 4092 test.exe 82 PID 4092 wrote to memory of 3860 4092 test.exe 82 PID 4092 wrote to memory of 3860 4092 test.exe 82 PID 3912 wrote to memory of 4972 3912 test.exe 81 PID 3912 wrote to memory of 4972 3912 test.exe 81 PID 3912 wrote to memory of 4972 3912 test.exe 81 PID 4912 wrote to memory of 448 4912 test.exe 85 PID 4912 wrote to memory of 448 4912 test.exe 85 PID 4912 wrote to memory of 448 4912 test.exe 85 PID 3464 wrote to memory of 3044 3464 test.exe 84 PID 3464 wrote to memory of 3044 3464 test.exe 84 PID 3464 wrote to memory of 3044 3464 test.exe 84 PID 3852 wrote to memory of 4076 3852 test.exe 83 PID 3852 wrote to memory of 4076 3852 test.exe 83 PID 3852 wrote to memory of 4076 3852 test.exe 83 PID 2708 wrote to memory of 44452 2708 tfccltd.exe 86 PID 2708 wrote to memory of 44452 2708 tfccltd.exe 86 PID 2708 wrote to memory of 44452 2708 tfccltd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\tfccltd.exe"C:\Users\Admin\AppData\Local\Temp\tfccltd.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"3⤵
- Executes dropped EXE
PID:3860
-
-
-
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"3⤵
- Executes dropped EXE
PID:4076
-
-
-
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"3⤵
- Executes dropped EXE
PID:4972
-
-
-
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"3⤵
- Executes dropped EXE
PID:448
-
-
-
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp/test.exe 2048&&106.126.11.167:80&&Mozilla/5.0¿Õ¸ñ(compatible;¿Õ¸ñBaiduspider-render/2.0;¿Õ¸ñ+http://www.baidu.com/search/spider.html)&&9999999&&¼Ù&&¼Ù&&¿Õ&&¿Õ2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\test.exeC:\Users\Admin\AppData\Local\Temp\test.exe "1024&&106.126.11.167:80&&Mozilla/5.0????(compatible;????Baiduspider-render/2.0;????+http://www.baidu.com/search/spider.html)&&9999999&&?¨´&&?¨´&&??&&??"3⤵
- Executes dropped EXE
PID:3044
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im test.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:44452
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973
-
Filesize
102KB
MD56dffe4f58e220cd779b530478e9a40a0
SHA16def979cb57b7a4fa97b87f3c0e0b02a37c17c85
SHA256d952722ac595dc3f86d0307092ed7adca701edf8d568984dc479fbf10d4a6348
SHA512c5a18b0cbffe08b45c9534515be3f232f0d0861954d79ee80a14f382f748852f124aaa78927988e06347f531c87ce71ddbd793b8ddd422bff8756096041d4973