Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 19:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
- Resource: win7-20221111-en
General
- Target: c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
- Size: 260KB
- MD5: fc2e73824f78609c27efab5fa7c73493
- SHA1: 78d62dec4ba87bd8ed0ee9751b63fc5d0668dc3a
- SHA256: c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12
- SHA512: abbae4bf59f442b01a0186a0e0c63a5b41c67c43ace11b8e1c2ad1a094c4b1b9fb60f074800bf05034e9e5bf7fe01ae2323e0a2fcacda353267514b8fc8e0f6e
- SSDEEP: 6144:LhR5nr+Pzr1Gq/Jf+2upbKOCeY9nP878g9M:9r+PfP/J2baecrg9M
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  resource: behavioral2/memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: family_blackmoon
- Executes dropped EXE (2 IoCs)
  pid   process
  4844  doudou.exe
  4768  Á¬·¢³ÌÐò.exe (a GBK-encoded filename, 连发程序.exe, rendered by the sandbox as Latin-1)
- Files and memory regions matching yara_rule upx (7 IoCs)
  resource                                                                    yara_rule
  C:\doudou.exe                                                               upx
  C:\doudou.exe                                                               upx
  C:\Á¬·¢³ÌÐò.exe                                                             upx
  C:\Á¬·¢³ÌÐò.exe                                                             upx
  behavioral2/memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral2/memory/4768-139-0x0000000000400000-0x0000000000484000-memory.dmp   upx
  behavioral2/memory/4768-140-0x0000000000400000-0x0000000000484000-memory.dmp   upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  process: c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 4844, process doudou.exe (10 events)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 4768, process Á¬·¢³ÌÐò.exe (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 4768, process Á¬·¢³ÌÐò.exe (3 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4768, process Á¬·¢³ÌÐò.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4904 (c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe) wrote to memory of 4844 (doudou.exe), 3 events
  PID 4904 (c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe) wrote to memory of 4768 (Á¬·¢³ÌÐò.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c61ecaeab40591b89f8138333499b40a0060e02ce11403499e829b7f588e7a12.exe"
  PID: 4904
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\doudou.exe (child)
    command line: "C:\doudou.exe"
    PID: 4844
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Á¬·¢³ÌÐò.exe (child)
    command line: "C:\Á¬·¢³ÌÐò.exe"
    PID: 4768
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\doudou.exe
  Filesize: 14KB
  MD5: 9dc6adde90f23e1778612867bc47a7db
  SHA1: f6b140d44944c1197f886ac2c3ad9a4c4824ee45
  SHA256: 79268839f46c8ca4d010415b07e7b02957e728c652988bcd276ae50717b41386
  SHA512: 87e61373abbb7ab18d647ff5fe4a60f5c1e08c8170f30127cbd5b4dd0402031a2e8f95662811cbf4ba35d9b7f834a4711e2515dad30efc90d3171bf13c8b786d
- C:\Á¬·¢³ÌÐò.exe
  Filesize: 235KB
  MD5: 59f233558cfdb557e835b3538317a67a
  SHA1: 003f9992b69d494c1c65b6631691819d1d1302a0
  SHA256: 319ac331bd2e87fd3477884f359104c54a1ac24b0781d0354eb248f5e6d84bf9
  SHA512: ae738799048192c4a226d61db3cecabfce57bf206170ebdcd2a893ed8d4081513f5d1f25cd27b5dc0fe0bc27c9a258be44fb1f24a46829a1893cf0d5e3f475b6
- memory/4768-135-0x0000000000000000-mapping.dmp
- memory/4768-139-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB
- memory/4768-140-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB
- memory/4844-132-0x0000000000000000-mapping.dmp
- memory/4844-138-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB