Analysis
- max time kernel: 125s
- max time network: 210s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 20:13

Behavioral task: behavioral1
- Sample: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
- Resource: win7-20221111-en
General
- Target: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe
- Size: 2.1MB
- MD5: 0287e13e0df148a77e8e0b829918ea13
- SHA1: c02d090847f4e91423e98a2857c696fa2be802e3
- SHA256: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b
- SHA512: bbe4877d88a1903ce3bbf165b3e4545c46a993d030d9ae491cdc5d0f742926a36cb43cf5d309bc9c997c9d8d5acb9fd9825b091bba187162a45bb9410bea2575
- SSDEEP: 49152:N+Bp091F1Eu/4opVwg3DT6KvN2Ne1O1ez4Br0ORZCfBV3U6g:ABK9Cu/dwg3KqEBrbRZG3U6
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  resource: behavioral1/memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp, yara_rule: family_blackmoon
  (the family match is on the unpacked image of the sample's own process, PID 1420, not on the injected cmd.exe)

- Blocklisted process makes network request (17 IoCs)
  process: cmd.exe (PID 796), flows 8, 10, 12, 17, 18, 19, 20, 23, 24, 26, 27, 28, 29, 30, 36, 37, 38
  (cmd.exe is on the sandbox's list of processes that should not originate network traffic; all 17 flows come from the hollowed cmd.exe, none from PID 1420 itself)

- UPX packed file (2 IoCs; the signature title is missing from the page and is inferred from the yara rule name upx)
  resource: behavioral1/memory/1420-60-0x0000000002660000-0x00000000026D2000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/1420-61-0x0000000002660000-0x00000000026D2000-memory.dmp, yara_rule: upx

- VMProtect packed file (3 IoCs; title inferred from the yara rule name vmprotect)
  resource: behavioral1/memory/1420-54-0x0000000000400000-0x00000000008D6000-memory.dmp, yara_rule: vmprotect
  resource: behavioral1/memory/1420-56-0x0000000000400000-0x00000000008D6000-memory.dmp, yara_rule: vmprotect
  resource: behavioral1/memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp, yara_rule: vmprotect
  (the 0x400000-0x8D6000 image is 4.8MB in memory against a 2.1MB file on disk, which is the usual footprint of a VMProtect-wrapped binary; the UPX hit is on a separate 456KB heap region, i.e. an embedded UPX-packed blob that the sample unpacks at runtime)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  process: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe (PID 1420)
  (ThreadHideFromDebugger detaches the calling thread from any attached debugger so breakpoints and exceptions in it are no longer reported; a standard anti-analysis step, consistent with the VMProtect detection above)

- Suspicious use of SetThreadContext (1 IoC)
  PID 1420 (e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe) set thread context of PID 796 (cmd.exe)
  (together with the ten WriteProcessMemory calls into the same PID below, this is the process-hollowing pattern: start a suspended host, overwrite its image, redirect the primary thread)

- Modifies Internet Explorer settings (5 IoCs; title taken from the process tree below)
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main (e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main (cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com (cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage (cmd.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1" (cmd.exe)
  (the DOMStorage\yy.com keys are written by the IE engine's web-storage implementation when a page from that domain uses DOM storage, so the hollowed cmd.exe most likely rendered yy.com content through the IE/MSHTML stack rather than touching the registry directly; yy.com is the only domain named anywhere in the report)
- Modifies system certificate store (2 IoCs; title taken from the process tree below; process cmd.exe, PID 796; the raw rows follow, with the Blob hex split across two lines by extraction)
  Decoded, the Blob is a CryptoAPI serialized certificate context: a sequence of records of the form u32 property id, u32 reserved (= 1), u32 length, data. The records present are the MD5 hash (id 4), signature hash (id 15), enhanced key usage (id 9: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping), key identifier (id 20), friendly name (id 11: "DigiCert"), subject-name MD5 (id 29), SHA-1 hash (id 3: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, which is also the registry key name), subject-public-key MD5 (id 25) and the 947-byte DER certificate (id 32). The DER is a self-signed 2048-bit RSA root, subject and issuer "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA", serial 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A, valid 2006-11-10 to 2031-11-10, signed with sha1WithRSAEncryption. AuthRoot\Certificates is the store that Windows fills from the Automatic Root Certificates Update mechanism when a TLS chain ends in a root that is not yet cached locally, so this hit is best read as a side effect of the hollowed cmd.exe's HTTPS traffic (the 17 flows above), not as the sample installing a rogue root. Verify it yourself: SHA-1 over the 947 DER bytes of record 32 must equal the key name.
cmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 cmd.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5
eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde cmd.exe -
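The parser below is an added example, not part of the Triage report and not code from any of the projects mentioned on this page. It walks the AuthRoot Blob in the serialized-property format described above and checks the SHA-1 property against the registry key name. The input is the first 286 bytes of the Blob copied from the report (every property record plus the 12-byte header of the certificate record); the 947-byte DER body is deliberately left out of the constant to keep the block short, so the parser also has to report a truncated final record. Property-id names are the CryptoAPI CERT_*_PROP_ID constants; only the standard library is used.

```python
import hashlib
import struct

# Registry key name under ...\AuthRoot\Certificates\ (the SHA-1 thumbprint).
KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

# First 286 bytes of the Blob value as it appears in the report. The DER body
# of the last record (947 bytes) is omitted here on purpose.
BLOB_HEX = (
    "04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e"                    # MD5 hash
    "0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"            # signature hash
    "090000000100000034000000"                                                    # enhanced key usage
    "303206082b0601050507030106082b0601050507030206082b06010505070304"
    "06082b0601050507030306082b06010505070308"
    "14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155"            # key identifier
    "0b0000000100000012000000440069006700690043006500720074000000"                # friendly name
    "1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9"                    # subject-name MD5
    "030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"            # SHA-1 hash
    "1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee"                    # subject-public-key MD5
    "2000000001000000b3030000"                                                    # certificate, 0x3b3 = 947 bytes
)

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID",
}


def parse_blob(blob):
    """Walk the records: u32 prop id, u32 reserved (always 1), u32 length, data."""
    records, off = [], 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off}")
        off += 12
        data = blob[off:off + length]          # may be short if the blob is cut off
        records.append({"id": prop_id, "name": PROP_NAMES.get(prop_id, f"prop_{prop_id}"),
                        "declared": length, "data": data, "truncated": len(data) < length})
        off += length
    return records


def decode_oid(raw):
    """Decode DER OID content bytes (first byte packs the two leading arcs)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def decode_eku(der):
    """Decode a short-form SEQUENCE OF OBJECT IDENTIFIER (the EKU property)."""
    if der[0] != 0x30:
        raise ValueError("EKU property is not a SEQUENCE")
    body, oids, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0x06:
            oids.append(decode_oid(body[i + 2:i + 2 + length]))
        i += 2 + length
    return oids


def summarize(blob_hex, key_name):
    """Return the facts an analyst wants from an AuthRoot Blob value."""
    records = parse_blob(bytes.fromhex(blob_hex))
    by_id = {r["id"]: r for r in records}
    cert = by_id[32]
    return {
        "props": [r["id"] for r in records],
        "friendly_name": by_id[11]["data"].decode("utf-16-le").rstrip("\x00"),
        "sha1": by_id[3]["data"].hex().upper(),
        "sha1_matches_key": by_id[3]["data"].hex().upper() == key_name.upper(),
        "eku": decode_eku(by_id[9]["data"]),
        "cert_declared_len": cert["declared"],
        "cert_truncated": cert["truncated"],
        # With the complete blob this is the real check: SHA-1(DER) == key name.
        "cert_sha1_ok": None if cert["truncated"]
        else hashlib.sha1(cert["data"]).hexdigest().upper() == key_name.upper(),
    }


if __name__ == "__main__":
    for k, v in summarize(BLOB_HEX, KEY_NAME).items():
        print(f"{k}: {v}")
```

Run against the full Blob (paste both hex lines from the report into BLOB_HEX), cert_truncated becomes False and cert_sha1_ok tells you whether the stored DER really is the certificate the key name claims; a mismatch there, or an unfamiliar subject in record 32, is what would turn this signature from noise into a finding.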
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  process: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe (PID 1420), 2 occurrences

- Suspicious behavior: RenamesItself (1 IoC)
  process: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe (PID 1420)

- Suspicious use of SetWindowsHookEx (8 IoCs)
  process: e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe (PID 1420), 4 occurrences
  process: cmd.exe (PID 796), 4 occurrences

- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1420 (e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe) wrote to memory of PID 796 (cmd.exe), 10 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe (PID 1420)
  command line: "C:\Users\Admin\AppData\Local\Temp\e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 796, child of PID 1420)
    command line: C:\Windows\system32\cmd.exe
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx

The child is the 32-bit cmd.exe (the system32 path is redirected to SysWOW64 on x64), which matches a 32-bit parent (arch:x86, image base 0x400000) hollowing a host of its own bitness. Everything that touches the network, the IE DOM storage and the certificate store happens in PID 796, so the cmd.exe entries in the process tree describe the injected payload, not cmd.exe behaviour.
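The following is an added example, not part of the Triage report: it re-derives the hollowing verdict from the report's own signature rows and dump names, the way a triage script over exported sandbox output would. The input lists are constructed from the WriteProcessMemory, SetThreadContext and Downloads sections above, one string per IoC in the report's wording; the function and field names are this example's own.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe"

# Constructed input: the report's SetThreadContext row and its ten identical
# WriteProcessMemory rows, in the report's own phrasing.
SIGNATURE_ROWS = [
    f"PID 1420 set thread context of 796 1420 {SAMPLE} cmd.exe",
] + [f"PID 1420 wrote to memory of 796 1420 {SAMPLE} cmd.exe"] * 10

# Constructed input: a subset of the dump names from the Downloads section.
DUMP_NAMES = [
    "memory/796-62-0x0000000000400000-0x00000000004AC000-memory.dmp",
    "memory/796-76-0x000000000044E933-mapping.dmp",
    "memory/1420-54-0x0000000000400000-0x00000000008D6000-memory.dmp",
    "memory/1420-60-0x0000000002660000-0x00000000026D2000-memory.dmp",
]

ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp")


def index_dumps(names):
    """Per-PID dumped regions (start, end) and per-PID 'mapping' addresses,
    the latter being where the sandbox saw a thread pointed after injection."""
    regions, entries = defaultdict(list), defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end, kind = int(m[1]), int(m[2], 16), m[3], m[4]
        if kind == "memory" and end is not None:
            regions[pid].append((start, int(end, 16)))
        elif kind == "mapping":
            entries[pid].append(start)
    return regions, entries


def find_hollowing(rows, dump_names):
    """Flag source->target pairs that both wrote the target's memory and replaced
    a thread context in it, then locate the redirected thread inside the
    written region. A context change without prior writes is not reported."""
    writes, ctx = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, action, dst = int(m[1]), m[2], int(m[3])
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx[(src, dst)] = (m[4], m[5])
    regions, entries = index_dumps(dump_names)
    findings = []
    for (src, dst), (src_img, dst_img) in ctx.items():
        if writes[(src, dst)] == 0:
            continue
        entry = next(iter(entries.get(dst, [])), None)
        region = next(((s, e) for s, e in regions.get(dst, [])
                       if entry is not None and s <= entry < e), None)
        findings.append({
            "source_pid": src, "source_image": src_img,
            "target_pid": dst, "target_image": dst_img,
            "writes": writes[(src, dst)], "entry": entry, "entry_region": region,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SIGNATURE_ROWS, DUMP_NAMES):
        print(f"{f['source_image']} (PID {f['source_pid']}) hollowed "
              f"{f['target_image']} (PID {f['target_pid']}): {f['writes']} writes, "
              f"thread redirected to {f['entry']:#x} inside {f['entry_region'][0]:#x}-{f['entry_region'][1]:#x}")
```

For this report the result is one finding: PID 1420 wrote PID 796 ten times and redirected a thread to 0x44E933, which lies inside the 0x400000-0x4AC000 region dumped from cmd.exe. That region (688KB, larger than any real cmd.exe image) is the payload to carve and scan, and its dump is the right input for the Blackmoon yara rule rather than the 4.8MB VMProtect-wrapped parent.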
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps; names are memory/<pid>-<sequence>-<start>-<end>-memory.dmp, or -mapping.dmp for a single address)

PID 796 (cmd.exe, the hollowed host):
- memory/796-62-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-63-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-65-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-68-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-71-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-74-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-78-0x0000000000400000-0x00000000004AC000-memory.dmp  688KB
- memory/796-76-0x000000000044E933-mapping.dmp

PID 1420 (e2ef236bed554deb32964045130011894fbccd240d7d20d5992e81366fb71f4b.exe):
- memory/1420-54-0x0000000000400000-0x00000000008D6000-memory.dmp  4.8MB
- memory/1420-56-0x0000000000400000-0x00000000008D6000-memory.dmp  4.8MB
- memory/1420-57-0x0000000000400000-0x00000000008D6000-memory.dmp  4.8MB
- memory/1420-55-0x00000000767B1000-0x00000000767B3000-memory.dmp  8KB
- memory/1420-60-0x0000000002660000-0x00000000026D2000-memory.dmp  456KB
- memory/1420-61-0x0000000002660000-0x00000000026D2000-memory.dmp  456KB

Reading the dumps: the seven 688KB snapshots of cmd.exe at 0x400000 are the image that PID 1420 wrote over the host with WriteProcessMemory, taken at successive points of the run, and the mapping dump at 0x44E933 falls inside that region, i.e. the address the SetThreadContext call pointed the hijacked thread at. The 4.8MB dumps of PID 1420 are the VMProtect-wrapped sample image (the vmprotect and family_blackmoon rules matched on dumps 54/56/57), the 456KB dumps at 0x2660000 are the UPX-packed buffer matched by the upx rule, and the 8KB page at 0x767B1000 is in the system DLL range on this Win7 x86 image.