Analysis
  max time kernel: 158s
  max time network: 160s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29-11-2022 07:21
Static task: static1

Behavioral task: behavioral1
  Sample: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
  Resource: win10v2004-20220812-en
General
  Target: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
  Size: 131KB
  MD5: 9ec2385aa31573102fb1a53a283270e5
  SHA1: 038483847c3d93d90c01fa4c0bb3e920e3e8aeda
  SHA256: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d
  SHA512: 4945d5aec4878eebe058d77287f226dd9264a1cc523fa8a531b8a1fc5bcf39a06d31fc37a37fe1c0e2403f13356ffdff30d8445ffaac8435e4e7c95fb3cdfd05
  SSDEEP: 3072:Jb5CSaLbs4RHjVb2+OwZGC6+0Mm6cK2y5y5DmeffwHMICZzGWSS+pAboutj:JsBPzjVbSwZGCk6cDy+DmqfmsSStboSj
Malware Config

Signatures
Detect Blackmoon payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4900-145-0x0000000000400000-0x000000000043F000-memory.dmp | family_blackmoon
Drops file in Drivers directory 1 IoCs
Processes: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
Executes dropped EXE 1 IoCs
Processes: VnrYne173.exe
  pid | process
  1372 | VnrYne173.exe
Processes:
  yara_rule: vmprotect
  C:\Users\Admin\AppData\Local\Temp\240610921.txt | vmprotect
  C:\Users\Admin\AppData\Local\Temp\240610921.txt | vmprotect
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: VnrYne173.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | VnrYne173.exe
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
  pid | process
  5064 | rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240610921.txt,M" | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
  pid | process
  4900 | 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe (58 identical rows)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: rundll32.exe
  pid | process
  5064 | rundll32.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe, VnrYne173.exe
  description | pid | process | target process
  PID 4900 wrote to memory of 1372 | 4900 | 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe | VnrYne173.exe (3 identical rows)
  PID 1372 wrote to memory of 5064 | 1372 | VnrYne173.exe | rundll32.exe (3 identical rows)
  PID 1372 wrote to memory of 4984 | 1372 | VnrYne173.exe | cmd.exe (3 identical rows)
  PID 4900 wrote to memory of 1160 | 4900 | 79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe | cmd.exe (3 identical rows)
Processes

1. C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"
   - Drops file in Drivers directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      command line: C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240610921.txt,M
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240610921.bat

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\79db79870019b16dd6259baf23fbdb0badec4c7ab519d63f950d35e2f602a17d.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240610921.bat
  Filesize: 132B
  MD5: 94c81f4fa825da5f7cd0ab04a1a57fe0
  SHA1: 5b47232a4a31c98c935112704c6a125a874d1a57
  SHA256: 413d25d0266693bcfc838d8abae2ff1990399728064f8fa486db7a4cbd2ea5bb
  SHA512: a63d50b52405a8c8aeefb9db349838805ec7dd50598a5a558d923301ee00d61cc98df3fc71e716e81be38b017f0c9ee59def855e6a8a06f0d8d8c2e61c2a301c

C:\Users\Admin\AppData\Local\Temp\240610921.txt (listed twice in the report with identical hashes)
  Filesize: 105KB
  MD5: b89a7dbe0cc3b12970215a02dfb49c6c
  SHA1: ce545bc075ae333cde63460ef3c3c3e8f4649265
  SHA256: 036fd651bdf0549a766e1a045feca8c5071674758fcd77aff1d5b851d212cb52
  SHA512: 3881a0ee753a410aa9f5f8dcb154323f903caca9d1745ab650278fe6303e81cbe5c9cdb9c62ead36357ebec54050561fd2473fdbb139000fcbb85018f95948c2

C:\Users\Admin\AppData\Local\Temp\VnrYne173.exe (listed twice in the report with identical hashes)
  Filesize: 80.1MB
  MD5: 5fdbaa2d49424a48ddd895eff5e03ad6
  SHA1: e053f3ff549bc7e33d2c2d58d586560c0d95bc53
  SHA256: 9c6f8626462b26e6d0c7adbd0f54bd885134f7f8401ef09db2e9241094466efe
  SHA512: 0ab72c453cde9b995e7a8511d9c73d4ffb13083ba87146e7d68569dcd9636db9fe9e9ad7e154626a0dc955b469b8f4f9ab81bc8128004225a13f29460ff93b9d

Memory dumps
  memory/1160-144-0x0000000000000000-mapping.dmp
  memory/1372-138-0x0000000000400000-0x0000000001400000-memory.dmp  Filesize: 16.0MB
  memory/1372-139-0x000000000C2A0000-0x000000000C2D9000-memory.dmp  Filesize: 228KB
  memory/1372-137-0x0000000000400000-0x0000000001400000-memory.dmp  Filesize: 16.0MB
  memory/1372-136-0x0000000000400000-0x0000000001400000-memory.dmp  Filesize: 16.0MB
  memory/1372-133-0x0000000000000000-mapping.dmp
  memory/4900-132-0x0000000000400000-0x000000000043F000-memory.dmp  Filesize: 252KB
  memory/4900-145-0x0000000000400000-0x000000000043F000-memory.dmp  Filesize: 252KB
  memory/4984-141-0x0000000000000000-mapping.dmp
  memory/5064-140-0x0000000000000000-mapping.dmp