Analysis

Max time kernel: 158s
Max time network: 175s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-11-2022 05:34
Static task: static1

Behavioral task: behavioral1
  Sample: 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
  Resource: win10v2004-20220812-en
General

Target: 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
Size: 141KB
MD5: b87df20eda8aea1594ce221ee1fc550a
SHA1: a5e985819ed2be3433b7caa8901e2b6bcb237fc9
SHA256: 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8
SHA512: 77a1c83ad951bde5561ae6377f91ce2643962a51f98005b56fa6874ae8e0c35256d715e784703ff2d2cb273cf19d500316661d59ddc37a6712843781c504cef5
SSDEEP: 3072:iS13dexXhf2hek4txILwTFnvt2c3Ek4oAJ/gDH9gzuaEgTsDz:iS1twl2he9RIc0kBzuu+s
Malware Config
Signatures

Detect Blackmoon payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4200-132-0x0000000000400000-0x0000000000461000-memory.dmp  family_blackmoon
  behavioral2/memory/4200-133-0x0000000000400000-0x0000000000461000-memory.dmp  family_blackmoon
  behavioral2/memory/4200-134-0x0000000000400000-0x0000000000461000-memory.dmp  family_blackmoon

Drops file in Drivers directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: 8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 2032  TuxYwz569.exe

Processes:
  yara_rule: vmprotect
  resource                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\240578546.txt  vmprotect
  C:\Users\Admin\AppData\Local\Temp\240578546.txt  vmprotect

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: TuxYwz569.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 3544  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240578546.txt,M"
  process: rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
  pid 4200  8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe  (the same pid/process entry is listed 18 times)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 3544  rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 4200 wrote to memory of 2032   4200  8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe  TuxYwz569.exe  (3 entries)
  PID 2032 wrote to memory of 3544   2032  TuxYwz569.exe                                                           rundll32.exe   (3 entries)
  PID 2032 wrote to memory of 524    2032  TuxYwz569.exe                                                           cmd.exe        (3 entries)
  PID 4200 wrote to memory of 3808   4200  8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe  cmd.exe        (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
    command line: C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240578546.txt,M
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240578546.bat

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\8f2fdc0a52748edb7be9bb430a6ae62fb9c65db79fa00a2078a2218b4b062cb8.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240578546.bat
  Filesize: 134B
  MD5: 24620b3413f719c3bdeb1e8db07a0884
  SHA1: b1f1b2122aa0d9e472b30b0fc95108f0de6bd572
  SHA256: a396ce3fff484e6f62f6ad562292ffe05b0259ae2dc4a997e3a4340fbe01fcbc
  SHA512: 59dc22f0ec4e0e56ad01dec815c909775f0a7fc4694ee3c28afdf52746eb892db47c7696bf3af86bde0fffc6a1004818feeaa74afb2fd2f5850cf0e906688bb2

C:\Users\Admin\AppData\Local\Temp\240578546.txt
  Filesize: 105KB
  MD5: a7df87290a05904215cef9c89588b675
  SHA1: b67c3c1c891cf7680729106d4c77b2c1cabe463b
  SHA256: b993570b89ca3580c7078464231fe6a9823a80469b15b6c7bfdd0c8c410587ae
  SHA512: 2b1ee03fad425b652443b820411de573376a970e0cade80aed783192fb0c02a525372b460d4b47bfd503ef85091affc5ecec9d8757664eeaace4519ccdb38d94

C:\Users\Admin\AppData\Local\Temp\TuxYwz569.exe
  Filesize: 80.1MB
  MD5: 6c769718760dcdfef5fa626237aa63c6
  SHA1: 554565c6685bab8e1586ff57b99f065d63315b03
  SHA256: 53a8fbcada2c37034fc11669d06dd9eb151c4dc97582e332f27a5c7ffa68b6d4
  SHA512: 7d4162d011d33a169f371dc4706029d07d344bbbb130b7d5a8cb1c42a2610063aebb12102c5f5c9829a5bb14f3e8064d6aa119c4017267a12a8d41b233887c15
Memory dumps:
  memory/524-145-0x0000000000000000-mapping.dmp
  memory/2032-138-0x0000000000400000-0x0000000001400000-memory.dmp  (Filesize: 16.0MB)
  memory/2032-139-0x0000000000400000-0x0000000001400000-memory.dmp  (Filesize: 16.0MB)
  memory/2032-142-0x0000000000400000-0x0000000001400000-memory.dmp  (Filesize: 16.0MB)
  memory/2032-143-0x000000000A560000-0x000000000A584000-memory.dmp  (Filesize: 144KB)
  memory/2032-135-0x0000000000000000-mapping.dmp
  memory/3544-144-0x0000000000000000-mapping.dmp
  memory/3808-149-0x0000000000000000-mapping.dmp
  memory/4200-132-0x0000000000400000-0x0000000000461000-memory.dmp  (Filesize: 388KB)
  memory/4200-134-0x0000000000400000-0x0000000000461000-memory.dmp  (Filesize: 388KB)
  memory/4200-133-0x0000000000400000-0x0000000000461000-memory.dmp  (Filesize: 388KB)