Analysis

max time kernel: 151s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 02:24
Static task: static1

Behavioral task: behavioral1
  Sample: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
  Resource: win10v2004-20220901-en
General

Target: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
Size: 163KB
MD5: ac13d94cacaf23b6e81a2701ff974319
SHA1: 957df0b2f9f1e73a0d866e3ef2f82c2c5078061c
SHA256: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13
SHA512: 003870b0e296396ae645bd42a00ed3306ec68581d9158a5ceb09d235c3bac7b1ea9edd00717950839003761e348a3475b503ca55054312fb6624d191456fa76e
SSDEEP: 3072:eRHYIPwGaXaBOV/fXj5NvfeNKRQsoCoc0AAlFcbEVB/9ggwBI:elYIPfRo5L5NTR7oe0AgcwF9jwBI
Malware Config
Signatures

Detect Blackmoon payload (6 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/1812-136-0x0000000000400000-0x0000000000426000-memory.dmp | family_blackmoon |
| behavioral2/memory/3256-137-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon |
| behavioral2/memory/1812-138-0x0000000000400000-0x0000000000426000-memory.dmp | family_blackmoon |
| behavioral2/memory/3256-139-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon |
| behavioral2/memory/1812-140-0x0000000000400000-0x0000000000426000-memory.dmp | family_blackmoon |
| behavioral2/memory/3256-141-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon |

Drops file in Drivers directory (2 IoCs)
Processes: wr.exe
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\system32\drivers\etc\hosts.ics | wr.exe |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts.ics | wr.exe |

Executes dropped EXE (1 IoCs)
Processes: wr.exe
| pid | process |
|---|---|
| 1812 | wr.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe, wr.exe
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stol = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe" | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | wr.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcH0s = "C:\\Windows\\wr.exe" | wr.exe |

Drops file in Windows directory (2 IoCs)
Processes: wr.exe, 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\wr.exe | wr.exe |
| File created | C:\Windows\wr.exe | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wr.exe
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
| Token: SeIncBasePriorityPrivilege | 1812 | wr.exe |
| Token: 33 | 1812 | wr.exe |
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 3256 wrote to memory of 1812 | 3256 | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe | wr.exe |
| PID 3256 wrote to memory of 1812 | 3256 | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe | wr.exe |
| PID 3256 wrote to memory of 1812 | 3256 | 40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe | wr.exe |
Processes

1. C:\Users\Admin\AppData\Local\Temp\40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe (PID 3256)
   Command line: "C:\Users\Admin\AppData\Local\Temp\40e78f28618f257161558930bd4ca73fe7d3b9bb68d38692f5ce75139a350c13.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\wr.exe (PID 1812), child of process 1
      Command line: C:\Windows\wr.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Windows\wr.exe
Filesize: 17KB
MD5: ead93401f3f9a67b01eee18e93cfe9ff
SHA1: e65efd0e5a4286a9a221ef9747c95ed3436312bd
SHA256: f9ef8acc245ad8abee4d767c04781c7f7e5b1fa4aea9f6e4682c31e1e51183ff
SHA512: a234953431a18b9bf4f06908cec9cc195d825687d9863b807cb9af8284fc54ee4ec1f3d6ae92bafcd26c50d6d6739c46fa857dc199456a695654a6f4b0932f0b
Memory dumps
| dump | filesize |
|---|---|
| memory/1812-133-0x0000000000000000-mapping.dmp | |
| memory/1812-136-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB |
| memory/1812-138-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB |
| memory/1812-140-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB |
| memory/3256-132-0x0000000000400000-0x000000000046F000-memory.dmp | 444KB |
| memory/3256-137-0x0000000000400000-0x000000000046F000-memory.dmp | 444KB |
| memory/3256-139-0x0000000000400000-0x000000000046F000-memory.dmp | 444KB |
| memory/3256-141-0x0000000000400000-0x000000000046F000-memory.dmp | 444KB |