Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2023 02:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c58.exe
- Resource: win7-20230220-en
General
- Target: 514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)/514e0cd471b6e2065a13931a2f75c58.exe
- Size: 844KB
- MD5: 07979781449b4a4de757c980a2368412
- SHA1: 811fe4940f1eac767a5912922b4b3001b0dfb2f9
- SHA256: 514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5
- SHA512: 4cb87e513e2d9ebf9be7aaf22dda491c55670b9861a10ea4011b5133ed4d1901dd573890d3696816ed89aec4cecf906b13b69a95ee0e36701498f8a5710606c7
- SSDEEP: 12288:bRZ5tsO2zUoq8qRgAH3yaCFoGvDoy2iAnRItlu4k7kO:bRZ5tsO2wohqqAXTCURmlO
Malware Config
Signatures
- Detect Blackmoon payload (8 IoCs)
  resource | yara_rule
  behavioral1/memory/624-58-0x00000000001B0000-0x00000000001EB000-memory.dmp | family_blackmoon
  behavioral1/memory/624-57-0x00000000001B0000-0x00000000001EB000-memory.dmp | family_blackmoon
  behavioral1/memory/624-59-0x00000000001B0000-0x00000000001EB000-memory.dmp | family_blackmoon
  behavioral1/memory/624-64-0x0000000002370000-0x00000000023E6000-memory.dmp | family_blackmoon
  behavioral1/memory/624-86-0x0000000002370000-0x00000000023E6000-memory.dmp | family_blackmoon
  behavioral1/memory/624-105-0x0000000002370000-0x00000000023E6000-memory.dmp | family_blackmoon
  behavioral1/memory/624-111-0x0000000002370000-0x00000000023E6000-memory.dmp | family_blackmoon
  behavioral1/memory/624-112-0x00000000001B0000-0x00000000001EB000-memory.dmp | family_blackmoon
- Gh0st RAT payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/624-93-0x0000000010000000-0x0000000010017000-memory.dmp | family_gh0strat
- Loads dropped DLL (2 IoCs)
  pid | process
  624 | 514e0cd471b6e2065a13931a2f75c58.exe
  624 | 514e0cd471b6e2065a13931a2f75c58.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run | 514e0cd471b6e2065a13931a2f75c58.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\Documents\\Applicationosqrf.exe" | 514e0cd471b6e2065a13931a2f75c58.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoC)
  pid | process
  560 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  624 | 514e0cd471b6e2065a13931a2f75c58.exe (8 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | process
  624 | 514e0cd471b6e2065a13931a2f75c58.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | process
  624 | 514e0cd471b6e2065a13931a2f75c58.exe (6 occurrences)
- Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  624 | 514e0cd471b6e2065a13931a2f75c58.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 624 wrote to memory of 560 | 624 | 514e0cd471b6e2065a13931a2f75c58.exe | NOTEPAD.EXE (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)\514e0cd471b6e2065a13931a2f75c58.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c586d419b1d68f32d4ea16309eed28e608f5 (1)\514e0cd471b6e2065a13931a2f75c58.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c58.txt
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\514e0cd471b6e2065a13931a2f75c58.txt
  Filesize: 120KB
  MD5: 3aea5b78bac5359a799c2714fecccd1a
  SHA1: 5d3203b328ecfc7a55c0ded1032d209e9f273367
  SHA256: c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3
  SHA512: 9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3
- C:\Users\Public\Documents\sjsw.log
  Filesize: 284B
  MD5: 5a2961c930fd0938318b1b76dbfe6299
  SHA1: 9096e9293497f68b3cef75c5d5bd96400085cbe9
  SHA256: 944cd9c7dfe71505b6013bb86f2c3c5449c65861d6bf1a3b06cd256d1f0d4fea
  SHA512: 1eeafbbb2b02589e6e61d8742205b9ad268754208b0d7ffc84c155defee634d8b00a4dfd6be6464c2e0e59f70bab76b6f3e0b7abe8e08c00e22f4263f1072d0f
- \Users\Admin\AppData\Local\Temp\aaaty.dll
  Filesize: 2KB
  MD5: 7943effe67a4647e06def2348949020e
  SHA1: eabd561f0639a975de259633f63896d82c3f878d
  SHA256: 3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa
  SHA512: c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003
- \Users\Public\Documents\tooy.dll
  Filesize: 2KB
  MD5: 7943effe67a4647e06def2348949020e
  SHA1: eabd561f0639a975de259633f63896d82c3f878d
  SHA256: 3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa
  SHA512: c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003
Memory dumps (resource | Filesize)
- memory/624-87-0x00000000002A0000-0x00000000002A1000-memory.dmp | 4KB
- memory/624-91-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
- memory/624-64-0x0000000002370000-0x00000000023E6000-memory.dmp | 472KB
- memory/624-59-0x00000000001B0000-0x00000000001EB000-memory.dmp | 236KB
- memory/624-57-0x00000000001B0000-0x00000000001EB000-memory.dmp | 236KB
- memory/624-86-0x0000000002370000-0x00000000023E6000-memory.dmp | 472KB
- memory/624-58-0x00000000001B0000-0x00000000001EB000-memory.dmp | 236KB
- memory/624-89-0x00000000043D0000-0x00000000044C2000-memory.dmp | 968KB
- memory/624-90-0x00000000043D0000-0x00000000044C2000-memory.dmp | 968KB
- memory/624-60-0x00000000001F0000-0x00000000001F3000-memory.dmp | 12KB
- memory/624-92-0x00000000043D0000-0x00000000044C2000-memory.dmp | 968KB
- memory/624-93-0x0000000010000000-0x0000000010017000-memory.dmp | 92KB
- memory/624-96-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
- memory/624-105-0x0000000002370000-0x00000000023E6000-memory.dmp | 472KB
- memory/624-107-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
- memory/624-111-0x0000000002370000-0x00000000023E6000-memory.dmp | 472KB
- memory/624-112-0x00000000001B0000-0x00000000001EB000-memory.dmp | 236KB