Analysis
- max time kernel: 30s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2023 19:36
Behavioral task: behavioral1
- Sample: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
- Resource: win10v2004-20230220-en
General
- Target: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
- Size: 4.3MB
- MD5: ea3e9d19106196e24b10b15d2ae9210d
- SHA1: 0194afbf5ccd49db5e168815b31b19871b8fdb7f
- SHA256: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a
- SHA512: 8472297798911213ef8eec4a943898978463756e89a3295f3a4ad12d6a26669cfb9c0c18bfc176d549f99e7b3b0e15a6b06803cbf2040c9aa79d5691f00b55a5
- SSDEEP: 98304:XqlBDmLNAlORoPZ6YCSEvDAKOHG2eSgw41WSqBgZT4kxL4tbezpJ:XqvtkiR6YCSEvKm4IqiZ3YeNJ
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/904-54-0x0000000010000000-0x0000000010575000-memory.dmp | family_blackmoon
  behavioral1/memory/904-61-0x0000000002460000-0x00000000029B9000-memory.dmp | family_blackmoon
- Sets service image path in registry (2 TTPs, 12 IoCs)
  Processes: 33a35743bdc84004.exe, cttunesvr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GLCKIo2\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\GLCKIo2.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0x64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\WinRing0x64.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EneTechIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\EneTechIo64.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ATSZIO\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\ATSZIO.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1021313c080\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\1021313c080.bin" | cttunesvr.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1033fa0cad9\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\1033fa0cad9.bin" | cttunesvr.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NalDrv\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\NalDrv.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RTCore64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\RTCore64.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Gdrv\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\Gdrv.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MsIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\MsIo64.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EneIo64\ImagePath = "\\??\\C:\\Windows\\SYSWOW64\\EneIo64.sys" | 33a35743bdc84004.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\101b181fd5b\IMAGEPATH = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\101b181fd5b.bin" | cttunesvr.exe
- Executes dropped EXE (1 IoCs)
  Processes: 33a35743bdc84004.exe
  pid | process
  804 | 33a35743bdc84004.exe
- Loads dropped DLL (2 IoCs)
  Processes: cttunesvr.exe
  pid | process
  904 | cttunesvr.exe
  904 | cttunesvr.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: cttunesvr.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | cttunesvr.exe
- Drops file in System32 directory (9 IoCs)
  Processes: 33a35743bdc84004.exe
  description | ioc | process
  File created | C:\Windows\SYSWOW64\EneTechIo64.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\ATSZIO.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\MsIo64.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\GLCKIo2.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\EneIo64.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\WinRing0x64.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\NalDrv.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\RTCore64.sys | 33a35743bdc84004.exe
  File created | C:\Windows\SYSWOW64\Gdrv.sys | 33a35743bdc84004.exe
- Drops file in Windows directory (1 IoCs)
  Processes: cttunesvr.exe
  description | ioc | process
  File opened for modification | C:\Windows\Konfig.ini | cttunesvr.exe
- Suspicious behavior: LoadsDriver (12 IoCs)
  Processes: cttunesvr.exe, 33a35743bdc84004.exe
  pid | process
  904 | cttunesvr.exe
  904 | cttunesvr.exe
  904 | cttunesvr.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
  804 | 33a35743bdc84004.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
  pid | process
  1972 | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
- Suspicious use of AdjustPrivilegeToken (62 IoCs)
  Processes: wmic.exe, cttunesvr.exe, 33a35743bdc84004.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1220 | wmic.exe
  Token: SeSecurityPrivilege | 1220 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1220 | wmic.exe
  Token: SeLoadDriverPrivilege | 1220 | wmic.exe
  Token: SeSystemProfilePrivilege | 1220 | wmic.exe
  Token: SeSystemtimePrivilege | 1220 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1220 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1220 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1220 | wmic.exe
  Token: SeBackupPrivilege | 1220 | wmic.exe
  Token: SeRestorePrivilege | 1220 | wmic.exe
  Token: SeShutdownPrivilege | 1220 | wmic.exe
  Token: SeDebugPrivilege | 1220 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1220 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1220 | wmic.exe
  Token: SeUndockPrivilege | 1220 | wmic.exe
  Token: SeManageVolumePrivilege | 1220 | wmic.exe
  Token: 33 | 1220 | wmic.exe
  Token: 34 | 1220 | wmic.exe
  Token: 35 | 1220 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1220 | wmic.exe
  Token: SeSecurityPrivilege | 1220 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1220 | wmic.exe
  Token: SeLoadDriverPrivilege | 1220 | wmic.exe
  Token: SeSystemProfilePrivilege | 1220 | wmic.exe
  Token: SeSystemtimePrivilege | 1220 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1220 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1220 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1220 | wmic.exe
  Token: SeBackupPrivilege | 1220 | wmic.exe
  Token: SeRestorePrivilege | 1220 | wmic.exe
  Token: SeShutdownPrivilege | 1220 | wmic.exe
  Token: SeDebugPrivilege | 1220 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1220 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1220 | wmic.exe
  Token: SeUndockPrivilege | 1220 | wmic.exe
  Token: SeManageVolumePrivilege | 1220 | wmic.exe
  Token: 33 | 1220 | wmic.exe
  Token: 34 | 1220 | wmic.exe
  Token: 35 | 1220 | wmic.exe
  Token: SeLoadDriverPrivilege | 904 | cttunesvr.exe
  Token: SeSystemEnvironmentPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeDebugPrivilege | 804 | 33a35743bdc84004.exe
  Token: SeLoadDriverPrivilege | 804 | 33a35743bdc84004.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe, cttunesvr.exe
  description | pid | process | target process
  PID 1972 wrote to memory of 904 | 1972 | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe | cttunesvr.exe
  PID 1972 wrote to memory of 904 | 1972 | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe | cttunesvr.exe
  PID 1972 wrote to memory of 904 | 1972 | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe | cttunesvr.exe
  PID 1972 wrote to memory of 904 | 1972 | 2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe | cttunesvr.exe
  PID 904 wrote to memory of 1220 | 904 | cttunesvr.exe | wmic.exe
  PID 904 wrote to memory of 1220 | 904 | cttunesvr.exe | wmic.exe
  PID 904 wrote to memory of 1220 | 904 | cttunesvr.exe | wmic.exe
  PID 904 wrote to memory of 1220 | 904 | cttunesvr.exe | wmic.exe
  PID 904 wrote to memory of 804 | 904 | cttunesvr.exe | 33a35743bdc84004.exe
  PID 904 wrote to memory of 804 | 904 | cttunesvr.exe | 33a35743bdc84004.exe
  PID 904 wrote to memory of 804 | 904 | cttunesvr.exe | 33a35743bdc84004.exe
  PID 904 wrote to memory of 804 | 904 | cttunesvr.exe | 33a35743bdc84004.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f3a3e776bcdeb21ef0e530be052231ffb2c0cc541c7083c646a4c24b9befe5a.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSWOW64\cttunesvr.exe
    Command line: "C:\Windows\SYSWOW64\cttunesvr.exe"
    - Sets service image path in registry
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic BaseBoard get SerialNumber
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\33a35743bdc84004.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\33a35743bdc84004.exe"
      - Sets service image path in registry
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\33a35743bdc84004.exe
  Filesize: 456KB
  MD5: b37b7cb0d855149fc56b7d76fa40d54f
  SHA1: e402a250ec28e5d5c3f30dc706bdd729ac87b922
  SHA256: 2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45
  SHA512: 08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357
- \Users\Admin\AppData\Local\Temp\33a35743bdc84004.exe
  Filesize: 456KB
  MD5: b37b7cb0d855149fc56b7d76fa40d54f
  SHA1: e402a250ec28e5d5c3f30dc706bdd729ac87b922
  SHA256: 2281727177c49d7f6519b62407d4de86911a773e3d2ebf63a2b9d9827ab8bc45
  SHA512: 08089b1e712061522edfa9e317bc44c6f7af474e3cf7adf56390f9131a9bbef14371319f25b613587fd935a1ad42014852b8bdae4a4ea6223783e686efa42357
- \Users\Admin\AppData\Local\Temp\Error.dll
  Filesize: 1.7MB
  MD5: 6bde7211a233d168d3e1fdec55ed6e0e
  SHA1: bb97c032c48989bbc10e1e0cff3c8d7c9f45b097
  SHA256: 37eec4edf943a97649b44461365a08ab128cefb12cbe9c92275794e3e9a5c721
  SHA512: e728e99a1a369c4e8013061510c6e0bd543951cd05d315e7dd3c6a3597b8147462ad4e4c1195dc84763cd198fc2817b91f7702eea90dbfb7ee7d3e01b7d0a7cf
- memory/904-54-0x0000000010000000-0x0000000010575000-memory.dmp
  Filesize: 5.5MB
- memory/904-61-0x0000000002460000-0x00000000029B9000-memory.dmp
  Filesize: 5.3MB
- memory/904-68-0x00000000747E0000-0x0000000074B13000-memory.dmp
  Filesize: 3.2MB