Analysis
- max time kernel: 132s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2023 09:25
Behavioral tasks
- behavioral1: sample 5.exe, resource win7-20230220-en
- behavioral2: sample 5.exe, resource win10v2004-20230220-en
General
- Target: 5.exe
- Size: 4.1MB
- MD5: d1e3796faa8febcb5727af4cf10fa912
- SHA1: 329a3ad3cdbb1c05ae60d5a7e232e11dc55ff4bb
- SHA256: b568fd0c4e510808e3c4368f2a5ad7a579675a41e4d010541d3308dcc1ab0237
- SHA512: 1fe38416a1d868a506ac3ba317f0d306c9c8d6d8d6609b5d275944aa32faf29d30bd5a6df1fbf946bff942344e28926bc131204c29549c4d498f5089e006e499
- SSDEEP: 98304:hGGReDAApdZ4WATvMu3ehwtwrEEcm9GR+NcKJrJ10dqcx+MItpqcws:hGIAp74dL33h7QGR+KKJrnOH6
Malware Config
Signatures
- Detect Blackmoon payload (4 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/2016-63-0x00000000046C0000-0x0000000004738000-memory.dmp | family_blackmoon
  - behavioral1/memory/2016-62-0x00000000046C0000-0x0000000004738000-memory.dmp | family_blackmoon
  - behavioral1/memory/2016-84-0x00000000046C0000-0x0000000004738000-memory.dmp | family_blackmoon
  - behavioral1/memory/2016-95-0x00000000046C0000-0x0000000004738000-memory.dmp | family_blackmoon
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationqyvte.exe" | 5.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 5.exe opened each of the following (read-only): \??\N:, \??\P:, \??\R:, \??\T:, \??\B:, \??\H:, \??\J:, \??\L:, \??\W:, \??\E:, \??\Y:, \??\Z:, \??\K:, \??\O:, \??\V:, \??\Q:, \??\S:, \??\U:, \??\X:, \??\F:, \??\G:, \??\I:, \??\M:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 5.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid | process): 520 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process): 2016 | 5.exe (14 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process): 2016 | 5.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process): 2016 | 5.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process): PID 2016 wrote to memory of 520 | 2016 | 5.exe | NOTEPAD.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5.txt
  Filesize: 120KB
  MD5: 3aea5b78bac5359a799c2714fecccd1a
  SHA1: 5d3203b328ecfc7a55c0ded1032d209e9f273367
  SHA256: c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3
  SHA512: 9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3
- C:\Users\Admin\AppData\Local\Temp\qxx.zip
  Filesize: 26B
  MD5: 17df3b34c7d09ae0ee694735fdeb7ecf
  SHA1: 2457cd98147c41b58c22593202d064e50bba6fd2
  SHA256: b8c13f9c76fea2138a097498ba5d48108354baa6d00602b4d7eff6bbbf2eaf5c
  SHA512: 4c3518c4c59ca6750777efaeebae2d3c04790da3706ba78a6d60486b2945262103ce1e337aafe736932bf8d35b886816c9443450b5ade1ed06cde03bf567cd10
- C:\Users\Public\Documents\sjsw.log
  Filesize: 158B
  MD5: 5ef7c7ed88027bcef3a264eea0ac481d
  SHA1: 108b38b6dd56f0fabc752c0555291c0d8ef3b309
  SHA256: ff4fb80c351dd190d0131aa1869e337b22b6f21f8b30717a95561448c705d3b0
  SHA512: 65c454375126397ef012f220ea0601f33261ddb923c656c41af1292ecae5bba4bdf9df7e5d9c12eff1544ca459079bbca7dcd0d907d7fd5f1c5da9a60afdfff9
Memory dumps (resource: filesize):
- memory/2016-63-0x00000000046C0000-0x0000000004738000-memory.dmp: 480KB
- memory/2016-85-0x0000000004070000-0x0000000004073000-memory.dmp: 12KB
- memory/2016-62-0x00000000046C0000-0x0000000004738000-memory.dmp: 480KB
- memory/2016-57-0x0000000000400000-0x0000000000EF3000-memory.dmp: 10.9MB
- memory/2016-56-0x0000000000400000-0x0000000000EF3000-memory.dmp: 10.9MB
- memory/2016-55-0x0000000000400000-0x0000000000EF3000-memory.dmp: 10.9MB
- memory/2016-84-0x00000000046C0000-0x0000000004738000-memory.dmp: 480KB
- memory/2016-54-0x0000000000400000-0x0000000000EF3000-memory.dmp: 10.9MB
- memory/2016-86-0x0000000004E20000-0x0000000004FA0000-memory.dmp: 1.5MB
- memory/2016-92-0x00000000047A0000-0x00000000047A1000-memory.dmp: 4KB
- memory/2016-93-0x0000000004BD0000-0x0000000004CE0000-memory.dmp: 1.1MB
- memory/2016-94-0x0000000004740000-0x0000000004787000-memory.dmp: 284KB
- memory/2016-95-0x00000000046C0000-0x0000000004738000-memory.dmp: 480KB
- memory/2016-96-0x0000000000400000-0x0000000000EF3000-memory.dmp: 10.9MB