Overview
overview
10Static
static
1大航全�...API.db
windows10-1703-x64
3大航全�...API.db
windows7-x64
3大航全�...API.db
windows10-2004-x64
3大航全�...��.exe
windows10-1703-x64
10大航全�...��.exe
windows7-x64
10大航全�...��.exe
windows10-2004-x64
10大航科�...API.db
windows10-1703-x64
3大航科�...API.db
windows7-x64
3大航科�...API.db
windows10-2004-x64
3大航科�...��.exe
windows10-1703-x64
10大航科�...��.exe
windows7-x64
10大航科�...��.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2023 17:34
Static task
static1
Behavioral task
behavioral1
Sample
大航全球实体卡-虚拟卡接码电脑端口/X64/DIFXAPI.db
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
大航全球实体卡-虚拟卡接码电脑端口/X64/DIFXAPI.db
Resource
win7-20230220-en
Behavioral task
behavioral3
Sample
大航全球实体卡-虚拟卡接码电脑端口/X64/DIFXAPI.db
Resource
win10v2004-20230221-en
Behavioral task
behavioral4
Sample
大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
大航科技全球实体卡-虚拟卡接码PC端口/X64/DIFXAPI.db
Resource
win10-20230220-en
Behavioral task
behavioral8
Sample
大航科技全球实体卡-虚拟卡接码PC端口/X64/DIFXAPI.db
Resource
win7-20230220-en
Behavioral task
behavioral9
Sample
大航科技全球实体卡-虚拟卡接码PC端口/X64/DIFXAPI.db
Resource
win10v2004-20230220-en
Behavioral task
behavioral10
Sample
大航科技全球实体卡-虚拟卡接码PC端口/大航科技全球实体卡-虚拟卡接码PC端口.exe
Resource
win10-20230220-en
Behavioral task
behavioral11
Sample
大航科技全球实体卡-虚拟卡接码PC端口/大航科技全球实体卡-虚拟卡接码PC端口.exe
Resource
win7-20230220-en
General
-
Target
大航全球实体卡-虚拟卡接码电脑端口/大航全球实体卡-虚拟卡接码电脑端口.exe
-
Size
2.6MB
-
MD5
9f339063dbe562051732472b0f73c12d
-
SHA1
2ac2940992ad9cee88092e18566c82f6b6c114b1
-
SHA256
7955c98c1bd693e24c92833f2186d58dd0c5fad231a8f27572bac5aeb2793674
-
SHA512
06d44b0cdc4b62536a61d4cae7e9b96a435e13907890b1b423d64e9b2c68cf6dd342eefa3af1601018508353c837d35d2a28f1d29306f990b32367f63e09c7ab
-
SSDEEP
49152:MC8ie3CGb7SCEns4SdqyTZ0Z3dMZG0+RQnwyiAKP1HrlF0OS20wlR+BkpT:e3+P2wyiAA0OSylRMkp
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\D1Softwaredata\Plugins\qvlnk.dll family_blackmoon C:\Users\Admin\AppData\Roaming\D1Softwaredata\plugins\qvlnk.dll family_blackmoon -
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll acprotect C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll acprotect C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll acprotect -
Executes dropped EXE 3 IoCs
Processes:
netbri.exeD1Bin.exerepair.exepid process 4496 netbri.exe 4196 D1Bin.exe 3344 repair.exe -
Loads dropped DLL 5 IoCs
Processes:
netbri.exepid process 4496 netbri.exe 4496 netbri.exe 4496 netbri.exe 4496 netbri.exe 4496 netbri.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll upx C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll upx C:\Users\Admin\AppData\Roaming\D1Softwaredata\echs.dll upx behavioral6/memory/4496-169-0x0000000002520000-0x0000000002685000-memory.dmp upx behavioral6/memory/4496-177-0x0000000002520000-0x0000000002685000-memory.dmp upx -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
D1Bin.exepid process 4196 D1Bin.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
D1Bin.exedescription pid process Token: SeDebugPrivilege 4196 D1Bin.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
大航全球实体卡-虚拟卡接码电脑端口.exenetbri.exerepair.exepid process 856 大航全球实体卡-虚拟卡接码电脑端口.exe 4496 netbri.exe 4496 netbri.exe 3344 repair.exe 3344 repair.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
大航全球实体卡-虚拟卡接码电脑端口.exedescription pid process target process PID 856 wrote to memory of 4496 856 大航全球实体卡-虚拟卡接码电脑端口.exe netbri.exe PID 856 wrote to memory of 4496 856 大航全球实体卡-虚拟卡接码电脑端口.exe netbri.exe PID 856 wrote to memory of 4496 856 大航全球实体卡-虚拟卡接码电脑端口.exe netbri.exe PID 856 wrote to memory of 4196 856 大航全球实体卡-虚拟卡接码电脑端口.exe D1Bin.exe PID 856 wrote to memory of 4196 856 大航全球实体卡-虚拟卡接码电脑端口.exe D1Bin.exe PID 856 wrote to memory of 3344 856 大航全球实体卡-虚拟卡接码电脑端口.exe repair.exe PID 856 wrote to memory of 3344 856 大航全球实体卡-虚拟卡接码电脑端口.exe repair.exe PID 856 wrote to memory of 3344 856 大航全球实体卡-虚拟卡接码电脑端口.exe repair.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe"C:\Users\Admin\AppData\Local\Temp\大航全球实体卡-虚拟卡接码电脑端口\大航全球实体卡-虚拟卡接码电脑端口.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exeC:\Users\Admin\AppData\Roaming\D1Softwaredata\netbri.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4496 -
C:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exeC:\Users\Admin\AppData\Roaming\D1Softwaredata\Bin\D1Bin.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196 -
C:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exeC:\Users\Admin\AppData\Roaming\D1Softwaredata\repair.exe -Ho9LN2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5a0acc3b2c25d5a9d6994f013142159e7
SHA16d992746c197976b9df65a5ac8fbe74a4401d9bd
SHA2560a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0
SHA512bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042
-
Filesize
1.9MB
MD5a0acc3b2c25d5a9d6994f013142159e7
SHA16d992746c197976b9df65a5ac8fbe74a4401d9bd
SHA2560a14a43b4acb0785d6cdedd9d659caf469392c42f9dc3cb7891e8329c2957ff0
SHA512bb5d3e73cee108af3d16c41bfd0c503e78fff1fcc2c3131960dc68e462c6bd9c243917b2c935f7a25a1e5802b63f7c71e7cc036811ef8b90353fa83df4446042
-
Filesize
2.1MB
MD5c83247fac0840125db662eb3e27ac6a3
SHA16d7a24b3d1c10516232a6f3ac4aed8d69da56568
SHA2562dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2
SHA512f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f
-
Filesize
2.1MB
MD5c83247fac0840125db662eb3e27ac6a3
SHA16d7a24b3d1c10516232a6f3ac4aed8d69da56568
SHA2562dc7b369e5e3d8c828e2fe947e79df7d4ed60cdb1a004e8e94bf2bf38698cdb2
SHA512f3359e7ddd3fceeb442ba0b847ac9f744f9df01f02e0cda20078d4ad0af404a53e6151f8d908ad54f0c7d3469769d39c833f34d448f6b9c566a4f413ef41a50f
-
Filesize
492KB
MD5001db37c243710301a862d8dd8a025e0
SHA17e4fc33b58dae290861712e4194e855923ebde1a
SHA2565e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb
SHA5127edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16
-
Filesize
82KB
MD5d0520569180accd7e17ed9697711d6ec
SHA146cb7e2db7efda70b9a5b75b2fe0bb6038499008
SHA25613026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c
SHA51286e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034
-
Filesize
124B
MD566112fc6cfe3ced805c08c18fcb7f986
SHA1b96e68cbd49a30cb339b15431d72670b32f37b33
SHA25696efd35503f550ff1532f9ed9c8d3c2a051098d5f179f1c5d8d837bded515f60
SHA512d4afe1a939dd40df122697a0a3b31a81141af787f3b2f5ab2e6dc4d36f41e2c474cbb7513baa36d2f3ef235c0c3bc617eabdc914339c7ea1a02977f29cbf3f95
-
Filesize
124B
MD566112fc6cfe3ced805c08c18fcb7f986
SHA1b96e68cbd49a30cb339b15431d72670b32f37b33
SHA25696efd35503f550ff1532f9ed9c8d3c2a051098d5f179f1c5d8d837bded515f60
SHA512d4afe1a939dd40df122697a0a3b31a81141af787f3b2f5ab2e6dc4d36f41e2c474cbb7513baa36d2f3ef235c0c3bc617eabdc914339c7ea1a02977f29cbf3f95
-
Filesize
421KB
MD58e5dc64def28aee0032ed0c878127c39
SHA1ad9685100b71f0fd4f2b3d65f62894beba1937de
SHA256c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a
SHA512a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8
-
Filesize
421KB
MD58e5dc64def28aee0032ed0c878127c39
SHA1ad9685100b71f0fd4f2b3d65f62894beba1937de
SHA256c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a
SHA512a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8
-
Filesize
421KB
MD58e5dc64def28aee0032ed0c878127c39
SHA1ad9685100b71f0fd4f2b3d65f62894beba1937de
SHA256c121eb7c37949d789f5c4b7fcd4445057f70ab23befde95929e63e3db9c43e9a
SHA512a337bb678534d93f74cdbd46728d87b3c8d4b3d5f5713f176ef4bf6d23d09c636c378fefd992e088611ec62cc559ebd4640a4ea61842a8edee39feffc8e8fab8
-
Filesize
3.9MB
MD5013d85cf626e32fbc89daa124e10f7f0
SHA1b3722239f268ee9a6d3408193081633daac6b05b
SHA25674a5437c4f76f6d88628afc8dfbe7bbd6c2fd6f846cf957ea6262156eb76163c
SHA512952c317ee5e54c2f55ec646cd1d7241f7a4270eccb8d53fdc6cd99963486bcedb9d66f46c099086de12872e95a515922f4bfc47294e6d58e202a425ef42c538a
-
Filesize
314KB
MD5dfee4c679663ffb566a7150bbc1768c7
SHA18f8144d26b141d097df742e4ef4d5c85bba685a3
SHA256f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a
SHA51223ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52
-
Filesize
314KB
MD5dfee4c679663ffb566a7150bbc1768c7
SHA18f8144d26b141d097df742e4ef4d5c85bba685a3
SHA256f0a82dba182ef5d8fe32bd358473cc7e9ec0d07e0f4a33f50c49d7cccbb5bc7a
SHA51223ff4b55e4d01d7712a3313f9aecd69331cb4fb5fce8b2d8610332a1e7b3ced19bdab64ef37ab2d335179844e176e6bd5a2f5c6562c61451c02b37cb2e58da52
-
Filesize
492KB
MD5001db37c243710301a862d8dd8a025e0
SHA17e4fc33b58dae290861712e4194e855923ebde1a
SHA2565e6c4b35329f48fcf8fb7ec5dc13d6a4f41c8d58da1849ec5a761b4af86fbbeb
SHA5127edee439741daa58e6fc108e28b177f2ac87fc8492dec52f4392df095c187ddd1bace043cdc0a2c0b8c9ddb8f86e7add2f8f822f53c5e25b758b69894f576a16
-
Filesize
792KB
MD55ce000758e1b8fb5d2cab78003245ac1
SHA14ff5a6bbee58e63c100bac6130ee22eb740bed09
SHA256483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e
SHA512228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748
-
Filesize
792KB
MD55ce000758e1b8fb5d2cab78003245ac1
SHA14ff5a6bbee58e63c100bac6130ee22eb740bed09
SHA256483a0c0f6dfc0f54f972aefc4a6c9d7345b795be913f98283fecfeb3dda9126e
SHA512228625ef8692c8be41294de551dc6fd38afb5d2f68860762984ea78bd2a3df43ceea32966a827173118abb507c9e0ffe4689c992b216bcf60d6f774b0d4a4748
-
Filesize
82KB
MD5d0520569180accd7e17ed9697711d6ec
SHA146cb7e2db7efda70b9a5b75b2fe0bb6038499008
SHA25613026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c
SHA51286e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034