Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2023 09:25
Behavioral task behavioral1: sample 5.exe, resource win7-20230220-en
Behavioral task behavioral2: sample 5.exe, resource win10v2004-20230220-en (the run whose signatures, process tree and memory dumps are reported below)
General
Target: 5.exe
Size: 4.1MB
MD5: d1e3796faa8febcb5727af4cf10fa912
SHA1: 329a3ad3cdbb1c05ae60d5a7e232e11dc55ff4bb
SHA256: b568fd0c4e510808e3c4368f2a5ad7a579675a41e4d010541d3308dcc1ab0237
SHA512: 1fe38416a1d868a506ac3ba317f0d306c9c8d6d8d6609b5d275944aa32faf29d30bd5a6df1fbf946bff942344e28926bc131204c29549c4d498f5089e006e499
SSDEEP: 98304:hGGReDAApdZ4WATvMu3ehwtwrEEcm9GR+NcKJrJ10dqcx+MItpqcws:hGIAp74dL33h7QGR+KKJrnOH6
Malware Config
Signatures
Detect Blackmoon payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4540-143-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
behavioral2/memory/4540-142-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
behavioral2/memory/4540-175-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
All three matches are the same 480KB region (0x3B10000-0x3B88000 in pid 4540) dumped at three points of the run. The family rule matched only these memory dumps, not the submitted file, so do not expect the on-disk 5.exe to hit the same rule; the unpacked region is what to carve and hash for family attribution.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | 5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationctunp.exe" | 5.exe
The persistence target sits under C:\Users\Public\Documents, a directory writable by every local user. It is not among the files captured under Downloads below (only sjsw.log was recorded in that directory), so the target was not observed being dropped in this run; during host triage look for both the qdate value and the file rather than assuming the file exists.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\P:, \??\Y:, \??\B:, \??\F:, \??\K:, \??\U:, \??\Z:, \??\E:, \??\H:, \??\R:, \??\L:, \??\Q:, \??\T:, \??\G:, \??\I:, \??\J:, \??\S:, \??\V:, \??\W:, \??\X:, \??\M:, \??\N:, \??\O: (23 drive letters; every letter except A:, C: and D:) | 5.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
"Likely ransomware behaviour" is the sandbox's generic description for this signature. Nothing else in this report corroborates it (no encrypted or renamed user files appear in the dropped-file list), and the YARA match attributes the payload to Blackmoon, which is tracked as a banking trojan rather than ransomware.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe

Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | 5.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | process
4172 | NOTEPAD.EXE
The file opened is C:\Users\Admin\AppData\Local\Temp\5.txt (120KB, hashes under Downloads below). The "ransom note" label is the signature's generic wording, not a verified finding; check the text file's content before reporting it as a note.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | process
4540 | 5.exe (30 events)

Suspicious behavior: RenamesItself (1 IoC)
pid | process
4540 | 5.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
4540 | 5.exe (2 events; the hook type is not recorded in this report)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 4540 wrote to memory of 4172 | 4540 | 5.exe | NOTEPAD.EXE (3 events)
Three writes from a parent into a child it has just created are also what an ordinary CreateProcess call produces, since the parent writes the new process's parameters into it. With no other indicator against NOTEPAD.EXE in this report, treat this as process creation rather than injection unless the memory dumps show otherwise.
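The registry and drive-access signatures above name the heuristics but not how they are evaluated. The block below is an added example, not the sandbox's own code and not part of the sample, that re-implements four of them in Python over constructed event tuples copied from the IoCs listed in this section. The (description, ioc, process) event shape, the severity rule for Run-key targets, the three-drive threshold and the ATT&CK mapping are assumptions of the example, not something the report states.

```python
"""Added example: re-implement four of the report's behavioural signatures
over constructed sandbox-style events. Not the sandbox's code; the event
format, thresholds and ATT&CK mapping below are assumptions."""
import re
from collections import defaultdict

SID = "S-1-5-21-2275444769-3691835758-4097679484-1000"   # SID from the report
HKU = "\\REGISTRY\\USER\\" + SID

# Constructed sample events, copied from the IoCs in the Signatures section.
# The report prints the Run value's backslashes doubled; they are single here,
# and evaluate() accepts either form.
EVENTS = [
    ("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", "5.exe"),
    ("Key created", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "5.exe"),
    ("Set value (str)", HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdate = "
                        + r'"C:\Users\Public\Documents\Applicationctunp.exe"', "5.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "5.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "5.exe"),
] + [("File opened (read-only)", "\\??\\" + d + ":", "5.exe") for d in "PYBFKUZEHRLQTGIJSVWXMNO"]

GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\([^\\=]+?) = "(.*)"$', re.I)
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)

# Autostart targets under these directories are rare for legitimate software
# and common for droppers (assumption used only for the severity label).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")
MIN_DRIVES = 3   # assumed threshold before a run counts as drive enumeration

# My ATT&CK mapping for the four rules; the report's matrix section is empty in this extract.
ATTACK = {
    "checks_computer_location": "T1614 System Location Discovery",
    "run_key_persistence": "T1547.001 Registry Run Keys / Startup Folder",
    "checks_processor_info": "T1082 System Information Discovery",
    "enumerates_drives": "T1083 File and Directory Discovery",
}


def evaluate(events):
    """Return {rule_name: [matches]} for every rule that fired on `events`."""
    hits = defaultdict(list)
    drives = defaultdict(set)          # process -> drive letters it probed
    for desc, ioc, proc in events:
        if desc == "Key value queried" and GEO_RE.search(ioc):
            hits["checks_computer_location"].append(proc)
        m = RUN_RE.search(ioc)
        if desc.startswith("Set value") and m:
            name = m.group(1)
            target = m.group(2).replace("\\\\", "\\")   # undo report-style escaping
            severity = "high" if any(d in target.lower() for d in SUSPICIOUS_DIRS) else "low"
            hits["run_key_persistence"].append((proc, name, target, severity))
        if CPU_RE.search(ioc):
            hits["checks_processor_info"].append(proc)
        m = DRIVE_RE.match(ioc)
        if desc.startswith("File opened") and m:
            drives[proc].add(m.group(1).upper())
    for proc, letters in drives.items():
        if len(letters - {"C"}) >= MIN_DRIVES:   # probing C: alone is not enumeration
            hits["enumerates_drives"].append((proc, "".join(sorted(letters))))
    return dict(hits)


def report(events):
    """One header line per fired rule plus one line per match, in the style of the Signatures section."""
    lines = []
    for rule, matches in evaluate(events).items():
        lines.append(f"{rule} ({len(matches)} IoCs) [{ATTACK[rule]}]")
        for m in matches:
            lines.append("  " + (" | ".join(m) if isinstance(m, tuple) else m))
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

Run against the constructed events it reproduces the four signature hits above, grades the qdate entry "high" because its target is under C:\Users\Public, and reports all 23 probed letters; a process that only sets a Run value under Program Files and opens C: produces a "low" entry and no drive-enumeration hit, which is the false-positive boundary a detection like this has to draw.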
Processes
1. C:\Users\Admin\AppData\Local\Temp\5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\SysWOW64\NOTEPAD.EXE
   command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5.txt
   - Opens file in notepad (likely ransom note)
The command line names system32 but the image that ran is under SysWOW64: this is WOW64 file-system redirection, which means 5.exe was running as a 32-bit process, consistent with the 32-bit address ranges in the memory dumps below.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\5.txt
Filesize: 120KB
MD5: 3aea5b78bac5359a799c2714fecccd1a
SHA1: 5d3203b328ecfc7a55c0ded1032d209e9f273367
SHA256: c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3
SHA512: 9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

C:\Users\Admin\AppData\Local\Temp\qxx.zip
Filesize: 26B (smaller than a single ZIP local file header, which is 30 bytes, so this archive contains no file entries)
MD5: 17df3b34c7d09ae0ee694735fdeb7ecf
SHA1: 2457cd98147c41b58c22593202d064e50bba6fd2
SHA256: b8c13f9c76fea2138a097498ba5d48108354baa6d00602b4d7eff6bbbf2eaf5c
SHA512: 4c3518c4c59ca6750777efaeebae2d3c04790da3706ba78a6d60486b2945262103ce1e337aafe736932bf8d35b886816c9443450b5ade1ed06cde03bf567cd10

C:\Users\Public\Documents\sjsw.log
Filesize: 151B
MD5: b0bf3cd227bdcee4c5653c4e9ff011fb
SHA1: f83449655fda9630ed5647596d8118c5e8c048ea
SHA256: a720968a2bb0ae18e8d72404aa77ab757e7f195904853cbb6767bded705abe39
SHA512: a376919699da8c4acb3a29fece8ed1919b3e75f7fb9ea87e326597c7e3b3dd3d81d0f12f4389d6e88cdf5c6fe19291defe29f2bd1f16d6093af7444ead1e9e83
Memory dumps (process 4540, behavioral2; ordered by dump index)
dump | size
memory/4540-133-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
memory/4540-134-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
memory/4540-135-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
memory/4540-136-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
memory/4540-142-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
memory/4540-143-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
memory/4540-144-0x0000000003B90000-0x0000000003B93000-memory.dmp | 12KB
memory/4540-166-0x0000000004110000-0x00000000042B3000-memory.dmp | 1.6MB
memory/4540-172-0x0000000004090000-0x0000000004091000-memory.dmp | 4KB
memory/4540-173-0x0000000003D70000-0x0000000003E60000-memory.dmp | 960KB
memory/4540-174-0x00000000043A0000-0x00000000045B5000-memory.dmp | 2.1MB
memory/4540-175-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
memory/4540-176-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
0x400000-0xEF3000 is the image range of 5.exe (0x400000 is the default 32-bit image base); its 10.9MB mapped size against a 4.1MB file on disk means sections with large virtual size and little raw data, typical of a packed executable. The 0x3B10000-0x3B88000 region, dumped three times (142, 143, 175), is the one the family_blackmoon YARA rule matched.