Analysis
max time kernel: 144s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 20:51
Static task: static1
Behavioral task: behavioral1
Sample: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Resource: win7-20221111-en
General
Target: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Size: 2.0MB
MD5: cc888e112e6212bc0a77c5628ceb2e23
SHA1: 7c16d0c6349af720642109c67435236a3239d273
SHA256: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7
SHA512: 3b6c1121eac1d9609e2e20f923d6b80020701402a70abd3eaa7c2dc8035b047ff011c057ff101e59e4f8dcffbdd4f486f9224fb5c2336163cb9771a0612b0557
SSDEEP: 49152:P96pwkZmHLcZEQ8L09njnxvcjxFSKmQV00ObPT+Db0KZCgHk9:5okLcZEoZg3SV3+D4jn
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\Desktop\good\good.exe | yara_rule: family_blackmoon
  resource: C:\Users\Admin\Desktop\good\good.exe | yara_rule: family_blackmoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Executes dropped EXE (1 IoC)
Processes:
  pid: 1504 | process: good.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
  pid: 3576 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 3576 wrote to memory of 1504 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe | target process: good.exe
  description: PID 3576 wrote to memory of 1504 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe | target process: good.exe
  description: PID 3576 wrote to memory of 1504 | process: aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe | target process: good.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aa0f430e5c143bfaec8a9a5c46b3cb0b7f16b9defad69cf677c4a8879eb9bcd7.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Desktop\good\good.exe (child of 1)
      command line: "C:\Users\Admin\Desktop\good\good.exe" i
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\good\cfg.ini
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\Desktop\good\good.exe
  Filesize: 107KB
  MD5: 446d420e57d1818aa690364f59a487c0
  SHA1: 627bb0a8f70bef07494a9e0c078b1659d23da8de
  SHA256: ed303b005e5a2e39a4c58a17dec360eced3794d6b6aeaf963cb5ab77bc64490d
  SHA512: 9d447f71b4b788c51bcd2ee28ae2fc134972b89b983c2e4e69e392895f841d2b69f81b4e383d309e23b9b85c25162a0274f4cab8837d94c20b3c9435f8362ba3