Analysis
max time kernel: 299s
max time network: 298s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2023 09:32
Behavioral task: behavioral1
Sample: 5.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 5.exe
Resource: win10v2004-20230220-en
General
Target: 5.exe
Size: 4.1MB
MD5: d1e3796faa8febcb5727af4cf10fa912
SHA1: 329a3ad3cdbb1c05ae60d5a7e232e11dc55ff4bb
SHA256: b568fd0c4e510808e3c4368f2a5ad7a579675a41e4d010541d3308dcc1ab0237
SHA512: 1fe38416a1d868a506ac3ba317f0d306c9c8d6d8d6609b5d275944aa32faf29d30bd5a6df1fbf946bff942344e28926bc131204c29549c4d498f5089e006e499
SSDEEP: 98304:hGGReDAApdZ4WATvMu3ehwtwrEEcm9GR+NcKJrJ10dqcx+MItpqcws:hGIAp74dL33h7QGR+KKJrnOH6
Malware Config
Signatures
- Detect Blackmoon payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2228-141-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
  behavioral2/memory/2228-143-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
  behavioral2/memory/2228-174-0x0000000003B10000-0x0000000003B88000-memory.dmp | family_blackmoon
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process 5.exe:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | 5.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process 5.exe:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationkunpo.exe" | 5.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process 5.exe:
  description | ioc | process
  File opened (read-only) | \??\J: | 5.exe
  File opened (read-only) | \??\K: | 5.exe
  File opened (read-only) | \??\O: | 5.exe
  File opened (read-only) | \??\Y: | 5.exe
  File opened (read-only) | \??\Z: | 5.exe
  File opened (read-only) | \??\X: | 5.exe
  File opened (read-only) | \??\B: | 5.exe
  File opened (read-only) | \??\E: | 5.exe
  File opened (read-only) | \??\F: | 5.exe
  File opened (read-only) | \??\L: | 5.exe
  File opened (read-only) | \??\R: | 5.exe
  File opened (read-only) | \??\T: | 5.exe
  File opened (read-only) | \??\U: | 5.exe
  File opened (read-only) | \??\H: | 5.exe
  File opened (read-only) | \??\I: | 5.exe
  File opened (read-only) | \??\M: | 5.exe
  File opened (read-only) | \??\G: | 5.exe
  File opened (read-only) | \??\N: | 5.exe
  File opened (read-only) | \??\P: | 5.exe
  File opened (read-only) | \??\Q: | 5.exe
  File opened (read-only) | \??\S: | 5.exe
  File opened (read-only) | \??\V: | 5.exe
  File opened (read-only) | \??\W: | 5.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process 5.exe:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 5.exe
- Modifies registry class (1 IoC)
  Process 5.exe:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | 5.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Process NOTEPAD.EXE:
  pid | process
  4472 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  Process 5.exe:
  pid | process
  2228 | 5.exe (44 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Process 5.exe:
  pid | process
  2228 | 5.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process 5.exe:
  pid | process
  2228 | 5.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process 5.exe:
  description | pid | process | target process
  PID 2228 wrote to memory of 4472 | 2228 | 5.exe | NOTEPAD.EXE (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\NOTEPAD.EXE (depth 2, child of 5.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\5.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5.txt
  Filesize: 120KB
  MD5: 3aea5b78bac5359a799c2714fecccd1a
  SHA1: 5d3203b328ecfc7a55c0ded1032d209e9f273367
  SHA256: c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3
  SHA512: 9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3
- C:\Users\Admin\AppData\Local\Temp\qxx.zip
  Filesize: 26B
  MD5: 17df3b34c7d09ae0ee694735fdeb7ecf
  SHA1: 2457cd98147c41b58c22593202d064e50bba6fd2
  SHA256: b8c13f9c76fea2138a097498ba5d48108354baa6d00602b4d7eff6bbbf2eaf5c
  SHA512: 4c3518c4c59ca6750777efaeebae2d3c04790da3706ba78a6d60486b2945262103ce1e337aafe736932bf8d35b886816c9443450b5ade1ed06cde03bf567cd10
- C:\Users\Public\Documents\sjsw.log
  Filesize: 158B
  MD5: 92fcfb5e820db1b09636ec64c9ebd8e4
  SHA1: 2d4a6e46b240f16385500026bbd8042b6c2ba574
  SHA256: 6e879f2d95cdb7884d30b504c8200ea6286b23762760448d130ba4d744297f4a
  SHA512: a14c7d76a5dd69afc2437d53610d2edd3ce43770337eb47a3e96dccc35277beba03b3e8617713d21fb394a427ed6e1cbce531635738846178d9728a0b711be78
- Memory dumps (file | filesize)
  memory/2228-141-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
  memory/2228-143-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
  memory/2228-142-0x0000000003B90000-0x0000000003B93000-memory.dmp | 12KB
  memory/2228-133-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
  memory/2228-136-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
  memory/2228-135-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
  memory/2228-134-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB
  memory/2228-165-0x0000000004580000-0x0000000004723000-memory.dmp | 1.6MB
  memory/2228-171-0x0000000004290000-0x0000000004291000-memory.dmp | 4KB
  memory/2228-172-0x0000000003D30000-0x0000000003E20000-memory.dmp | 960KB
  memory/2228-173-0x0000000004360000-0x0000000004575000-memory.dmp | 2.1MB
  memory/2228-174-0x0000000003B10000-0x0000000003B88000-memory.dmp | 480KB
  memory/2228-175-0x0000000000400000-0x0000000000EF3000-memory.dmp | 10.9MB