Analysis
max time kernel: 167s
max time network: 247s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 07:50
Behavioral tasks
behavioral1: sample 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe, resource win7-20221111-en
behavioral2: sample 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe, resource win10v2004-20221111-en
The signature, process and dropped-file details below come from the windows10-2004_x64 run (behavioral2), as stated in the Analysis header.
General
Target: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe
Size: 114KB
MD5: af30ea13a0721fb3e3b95c9824306941
SHA1: feaa318b3f735c8c0f6377adc98489256edca988
SHA256: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af
SHA512: d77bd0e58dda70cbcda742de520a979e0114184374fee12cbbfcf987ff8155c23caf4a97970af8e5caa30b49b707568c4abe4614e297dc4d2422fe03cea1fcab
SSDEEP: 1536:PYOoVTjI9O31bY2/CyON4CsS2c92NYu3qb5KeopfL3dDtI+RZ7:PYO4I9OlbTq72WuS5VgL3dDtIE
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  resource: C:\Program Files (x86)\Nril\syetom.exe  yara_rule: family_blackmoon
  resource: C:\Program Files (x86)\Nril\syetom.exe  yara_rule: family_blackmoon

Drops file in Drivers directory (4 IoCs)
  File created: C:\Windows\System32\drivers\etc\hosts.ics  (process: syetom.exe)
  File created: C:\Windows\System32\drivers\etc\hosts  (process: syetom.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  (process: syetom.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts.ics  (process: syetom.exe)
  The Windows resolver consults hosts before DNS, so a payload that writes it can silently redirect or block name resolution for chosen domains (hosts.ics is the Internet Connection Sharing variant of the same file). The report records the writes, not their contents; pull both files from the image to see what was changed.

Executes dropped EXE (1 IoC)
  PID 4204: syetom.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\CurrentVersion\Run  (process: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syetom = "C:\\Program Files (x86)\\Nril\\syetom.exe"  (process: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe)
  The WOW6432Node path means a 32-bit process wrote HKLM\SOFTWARE on a 64-bit host (the registry redirector places it there). The value name "syetom" points at the dropped copy, which is therefore relaunched at every logon.

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Nril\syetom.exe  (process: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe)
  File opened for modification: C:\Program Files (x86)\Nril\syetom.exe  (process: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe)
  Writing under Program Files (x86) needs elevated rights; the write succeeded because the sandbox ran the sample as its Admin user (see the submission path under Processes).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but the heuristic is generic: nothing else in this report (no mass file writes, no ransom note) points to ransomware, and the YARA match is to the Blackmoon family.

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2572 wrote to memory of PID 4204  (5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe -> syetom.exe), recorded three times
  The only target is the child the sample itself launched, which is consistent with ordinary process start-up as well as with injection; the report shows no write into an unrelated or hollowed process.
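The "Drops file in Drivers directory" entries above record that syetom.exe wrote hosts and hosts.ics but not what it wrote. The following Python is an added example (not the sandbox's or the report's code) of the check an analyst would run on the two files pulled from the image: it parses hosts-file syntax and flags entries that redirect a name to a non-loopback address or pin a non-local name to loopback (the usual way a hosts hijack blocks update or security domains). The sample content, the LOOPBACK_NAMES set and the .test domains are constructed for the demo.

```python
"""Inspect a Windows hosts file for resolver hijacks (added example, not report code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Names for which a loopback mapping is normal; anything else on loopback is a block. Constructed.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<ip> <name> [name...]' lines; '#' starts a comment, as in the Windows resolver."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.append(HostsEntry(line_no, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def classify(entry: HostsEntry) -> str:
    """'ok' for localhost-style loopback lines, 'block' for other names on loopback,
    'redirect' for any name pinned to a routable address."""
    if ipaddress.ip_address(entry.address).is_loopback:
        return "ok" if all(n in LOOPBACK_NAMES for n in entry.names) else "block"
    return "redirect"


def suspicious_entries(text: str) -> Dict[str, List[HostsEntry]]:
    """Group the non-'ok' entries by verdict."""
    findings: Dict[str, List[HostsEntry]] = {"redirect": [], "block": []}
    for entry in parse_hosts(text):
        verdict = classify(entry)
        if verdict != "ok":
            findings[verdict].append(entry)
    return findings


# Constructed sample: the stock Windows header plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       102.54.94.97     rhino.acme.com          # source server
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1   localhost
::1         localhost
203.0.113.10 www.example-bank.test      # constructed: redirect to attacker host
127.0.0.1    update.example-av.test     # constructed: block a security update domain
"""

if __name__ == "__main__":
    for kind, items in suspicious_entries(SAMPLE_HOSTS).items():
        for e in items:
            print(f"{kind:8} line {e.line_no}: {e.address} -> {', '.join(e.names)}")
```

Run the same function over hosts.ics, which the report shows being written as well; the two files use the same syntax. On a real host, compare the flagged lines with the machine's known-good hosts file before calling any entry malicious, since some endpoint agents and ad blockers add loopback entries deliberately.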
Processes

C:\Users\Admin\AppData\Local\Temp\5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe  (PID 2572)
  command line: "C:\Users\Admin\AppData\Local\Temp\5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Nril\syetom.exe  (PID 4204, child of PID 2572)
    command line: "C:\Program Files (x86)\Nril\syetom.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
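The process tree, the Run-key write, the Program Files drop and the hosts writes form a chain that host telemetry can catch without the YARA rule. The Python below is an added example, not sandbox or report code: it encodes those observations as rules over constructed Sysmon-style event records. The field names (kind, pid, image, parent_image, path, key, value, data, sha256), explorer.exe as the initial parent, the allow-list of legitimate hosts-file writers and the "self-copy relaunch" heuristic are this example's own assumptions. A bare write into Program Files is deliberately not alerted on its own, since installers do that all day; the self-copy rule fires only when a Temp-directory parent launches a Program Files child carrying the parent's own hash, which is what the identical hashes of the sample and the dropped file show.

```python
"""Rules over Sysmon-style events mirroring this report's chain (added example)."""
import re
from typing import Dict, List

SAMPLE_SHA256 = "5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256}  # from the General section of the report

RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
DRIVERS_ETC_RE = re.compile(r"\\system32\\drivers\\etc\\", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^c:\\program files( \(x86\))?\\[^\\]+\\[^\\]+\.exe$", re.I)
# Constructed allow-list: images that may legitimately edit the hosts file on this estate.
HOSTS_WRITERS_ALLOWED = {"mmc.exe", "notepad.exe"}

Event = Dict[str, str]
Alert = Dict[str, str]


def rule_run_key(ev: Event) -> List[Alert]:
    """Any value set under ...\\CurrentVersion\\Run (or RunOnce) is autorun persistence."""
    if ev["kind"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return []
    detail = f"{ev['key']}\\{ev['value']} = {ev['data']}"
    if "wow6432node" in ev["key"].lower():
        detail += " (32-bit writer redirected to WOW6432Node on x64)"
    return [{"rule": "autorun_run_key", "pid": ev["pid"], "detail": detail}]


def rule_hosts_write(ev: Event) -> List[Alert]:
    """Create/modify under System32\\drivers\\etc by anything outside the allow-list."""
    if ev["kind"] not in ("file_create", "file_modify") or not DRIVERS_ETC_RE.search(ev["path"]):
        return []
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    if image_name in HOSTS_WRITERS_ALLOWED:
        return []
    return [{"rule": "hosts_file_tamper", "pid": ev["pid"], "detail": f"{image_name} wrote {ev['path']}"}]


def rule_self_copy_relaunch(ev: Event, hashes: Dict[str, str]) -> List[Alert]:
    """A Temp-dir parent starts a Program Files child that carries the parent's own hash."""
    if ev["kind"] != "process_create":
        return []
    if not (TEMP_DIR_RE.search(ev["parent_image"]) and PROGRAM_FILES_RE.match(ev["image"])):
        return []
    if hashes.get(ev["image"]) != hashes.get(ev["parent_image"]):
        return []
    return [{"rule": "self_copy_relaunch", "pid": ev["pid"], "detail": f"{ev['parent_image']} -> {ev['image']}"}]


def rule_known_hash(ev: Event) -> List[Alert]:
    """Plain IOC match on the executed image's SHA-256."""
    if ev["kind"] == "process_create" and ev["sha256"] in KNOWN_BAD_SHA256:
        return [{"rule": "known_bad_hash", "pid": ev["pid"], "detail": ev["sha256"]}]
    return []


def run_rules(events: List[Event]) -> List[Alert]:
    """Apply every rule to every event; the hash map lets the relaunch rule look up parents."""
    hashes = {e["image"]: e["sha256"] for e in events if e["kind"] == "process_create"}
    alerts: List[Alert] = []
    for ev in events:
        alerts += rule_run_key(ev) + rule_hosts_write(ev) + rule_self_copy_relaunch(ev, hashes) + rule_known_hash(ev)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Fired rule names per pid, so the chain reads process by process."""
    by_pid: Dict[str, set] = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed events following the report's process tree and IOCs; explorer.exe as the
# first parent is assumed, the report does not show it.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe"
DROPPED = "C:\\Program Files (x86)\\Nril\\syetom.exe"
HOSTS = "C:\\Windows\\System32\\drivers\\etc\\hosts"
RUN = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
EVENTS: List[Event] = [
    {"kind": "process_create", "pid": "2572", "image": SAMPLE, "parent_image": "C:\\Windows\\explorer.exe", "sha256": SAMPLE_SHA256},
    {"kind": "registry_set", "pid": "2572", "image": SAMPLE, "key": RUN, "value": "syetom", "data": DROPPED},
    {"kind": "file_create", "pid": "2572", "image": SAMPLE, "path": DROPPED},
    {"kind": "process_create", "pid": "4204", "image": DROPPED, "parent_image": SAMPLE, "sha256": SAMPLE_SHA256},
    {"kind": "file_create", "pid": "4204", "image": DROPPED, "path": HOSTS + ".ics"},
    {"kind": "file_create", "pid": "4204", "image": DROPPED, "path": HOSTS},
    {"kind": "file_modify", "pid": "4204", "image": DROPPED, "path": HOSTS},
    {"kind": "file_modify", "pid": "4204", "image": DROPPED, "path": HOSTS + ".ics"},
]

if __name__ == "__main__":
    for pid, rules in summarize(run_rules(EVENTS)).items():
        print(pid, ", ".join(rules))
```

The per-process summary is the useful output: the parent trips the Run-key and hash rules, the child trips the hosts, hash and self-copy rules, and the two are tied together by the parent_image field, so the whole chain is visible from one host's event log. Swap the constructed allow-list and parent for the values your estate actually has before deploying anything like this.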
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\Nril\syetom.exe
  Filesize: 114KB
  MD5: af30ea13a0721fb3e3b95c9824306941
  SHA1: feaa318b3f735c8c0f6377adc98489256edca988
  SHA256: 5cedc86c7b32e5b3a83fdab800e6bbc650919ccdc778f75cb69541f4a15d91af
  SHA512: d77bd0e58dda70cbcda742de520a979e0114184374fee12cbbfcf987ff8155c23caf4a97970af8e5caa30b49b707568c4abe4614e297dc4d2422fe03cea1fcab
  Every hash matches the submitted sample: the dropper copies itself byte-for-byte to C:\Program Files (x86)\Nril\syetom.exe and relaunches from there, so one set of file hashes covers both the initial file and the persisted copy.

Memory dump: memory/4204-132-0x0000000000000000-mapping.dmp  (PID 4204, syetom.exe)