Analysis
  max time kernel: 149s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20220715-en
  submitted: 25-07-2022 08:25
Behavioral task: behavioral1
  Sample: b7f74c02e8e4dc10eb8f11d0e107310e.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: b7f74c02e8e4dc10eb8f11d0e107310e.exe
  Resource: win10v2004-20220721-en
General
  Target: b7f74c02e8e4dc10eb8f11d0e107310e.exe
  Size: 1.2MB
  MD5: b7f74c02e8e4dc10eb8f11d0e107310e
  SHA1: d7efa03c14830997e55c78365ee15bd8c1c01971
  SHA256: 3ac761271417ecf9e5e8e6152f3c9bbcaf8863286da6933f5fc4c7a2462a31e9
  SHA512: d64d3224075ca55efe055dca5f9fcb658b4541db94db1908a05924827b1d6d290e5f0bab83477a13fc29292793e32e420d6183155076235f8ebc26363b2e5c44
Malware Config
Signatures
- Detect Blackmoon payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1288-64-0x0000000000400000-0x0000000000611000-memory.dmp | family_blackmoon
    behavioral1/memory/1288-68-0x0000000000400000-0x0000000000611000-memory.dmp | family_blackmoon
    \ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp | family_blackmoon
    \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp | family_blackmoon
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp" | b7f74c02e8e4dc10eb8f11d0e107310e.exe
-
  Processes:
    resource | yara_rule
    behavioral1/memory/1204-55-0x0000000000400000-0x00000000005CA000-memory.dmp | upx
    behavioral1/memory/1288-58-0x0000000000400000-0x0000000000611000-memory.dmp | upx
    behavioral1/memory/1204-61-0x0000000000400000-0x00000000005CA000-memory.dmp | upx
    behavioral1/memory/1288-63-0x0000000000400000-0x0000000000611000-memory.dmp | upx
    behavioral1/memory/1288-64-0x0000000000400000-0x0000000000611000-memory.dmp | upx
    behavioral1/memory/1288-68-0x0000000000400000-0x0000000000611000-memory.dmp | upx
    behavioral1/memory/1160-73-0x00000000000E0000-0x00000000000EB000-memory.dmp | upx
    behavioral1/memory/1160-74-0x00000000000E0000-0x00000000000EB000-memory.dmp | upx
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid | process
    1728 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes: svchost.exe
    pid | process
    1160 | svchost.exe
- Drops file in System32 directory (1 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe
    description | ioc | process
    File created | C:\Windows\SysWOW64\Delete00.bat | b7f74c02e8e4dc10eb8f11d0e107310e.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe
    description | pid | process | target process
    PID 1204 set thread context of 1288 | 1204 | b7f74c02e8e4dc10eb8f11d0e107310e.exe | b7f74c02e8e4dc10eb8f11d0e107310e.exe
- Launches sc.exe (1 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe
    pid | process
    832 | sc.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe, svchost.exe
    pid | process
    1288 | b7f74c02e8e4dc10eb8f11d0e107310e.exe
    1160 | svchost.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe, svchost.exe
    description | pid | process
    Token: SeDebugPrivilege | 1288 | b7f74c02e8e4dc10eb8f11d0e107310e.exe
    Token: SeDebugPrivilege | 1160 | svchost.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: b7f74c02e8e4dc10eb8f11d0e107310e.exe, b7f74c02e8e4dc10eb8f11d0e107310e.exe, cmd.exe
    description | pid | process | target process
    PID 1204 wrote to memory of 1288 | 1204 | b7f74c02e8e4dc10eb8f11d0e107310e.exe | b7f74c02e8e4dc10eb8f11d0e107310e.exe (9 entries)
    PID 1288 wrote to memory of 832 | 1288 | b7f74c02e8e4dc10eb8f11d0e107310e.exe | sc.exe (4 entries)
    PID 1288 wrote to memory of 1728 | 1288 | b7f74c02e8e4dc10eb8f11d0e107310e.exe | cmd.exe (4 entries)
    PID 1728 wrote to memory of 1576 | 1728 | cmd.exe | PING.EXE (4 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe"
  PID: 1204
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b7f74c02e8e4dc10eb8f11d0e107310e.exe
    PID: 1288
      - Sets DLL path for service in the registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe
      Command line: sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
      PID: 832
        - Launches sc.exe
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\System32\\Delete00.bat
      PID: 1728
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 1576
          - Runs ping.exe
  C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 1160
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 133B
  MD5: fe72e026fa4c2520aa971558762d04c9
  SHA1: 8efaf78444b8d155d7174a5500f3980b4c53c0ff
  SHA256: e0d8793794aafd2f6619820c93f9f9a8f7c59c0187339d4c4330c9c67a8efbaf
  SHA512: 21384f6f4826b306ec1b760161faec85a643b660418438773bba9deb18a668ee4e6e6edeb75137a290df06e4c3619bc03dfc98fb0099ad00200340a34378c7cd
- Filesize: 936KB
  MD5: 2148ed98f723563683990f569d23bf43
  SHA1: 25cfad1a06933f65f7d110a81d7adbfa83c19005
  SHA256: b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a
  SHA512: 8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa
- Filesize: 936KB
  MD5: 2148ed98f723563683990f569d23bf43
  SHA1: 25cfad1a06933f65f7d110a81d7adbfa83c19005
  SHA256: b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a
  SHA512: 8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa