Analysis
- max time kernel: 135s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2023 16:23
Behavioral task: behavioral1
- Sample: 3KCat.exe
- Resource: win7-20230220-en
- 6 signatures
- 150 seconds
General
- Target: 3KCat.exe
- Size: 17.3MB
- MD5: 55323cf67f21e349e4a8d33a246d3013
- SHA1: a6d261dc9ae5dc9c90f194dd811a5a50ff50a3c2
- SHA256: 54c11d75fde269791ac564306003248678b1c6a1dcac494cd431500885d91846
- SHA512: 10a86032165a00843f7cbae4b2614529cfc8105124a1f2a63de5f733db460b7a5138ac92bcd357d011f95207099debde2ce5e5e93917e5c8a52bf935868405ef
- SSDEEP: 393216:JiN5ETRbZ+elNsQiasvvLNOmYg3r3d51AyzmkiF8q5EXK:JiN5ETblOhasvvLNfpbN5aYgiucK
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource -> yara_rule
  behavioral2/memory/3992-137-0x0000000003670000-0x0000000003694000-memory.dmp -> family_blackmoon
  behavioral2/memory/3992-139-0x0000000003670000-0x0000000003694000-memory.dmp -> family_blackmoon
- YARA rule upx matched (8 IoCs)
  resource -> yara_rule
  behavioral2/memory/3992-133-0x0000000010000000-0x0000000010019000-memory.dmp -> upx
  behavioral2/memory/3992-135-0x0000000010000000-0x0000000010019000-memory.dmp -> upx
  behavioral2/memory/3992-137-0x0000000003670000-0x0000000003694000-memory.dmp -> upx
  behavioral2/memory/3992-136-0x0000000003640000-0x0000000003666000-memory.dmp -> upx
  behavioral2/memory/3992-138-0x0000000003640000-0x0000000003666000-memory.dmp -> upx
  behavioral2/memory/3992-139-0x0000000003670000-0x0000000003694000-memory.dmp -> upx
  behavioral2/memory/3992-140-0x0000000010000000-0x0000000010019000-memory.dmp -> upx
  behavioral2/memory/3992-141-0x0000000003640000-0x0000000003666000-memory.dmp -> upx
- Drops file in System32 directory (1 IoC)
  Process: 3KCat.exe
  description: File created; ioc: C:\Windows\SysWOW64\Dult.dll; process: 3KCat.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Process: 3KCat.exe
  description -> pid -> process
  Token: SeDebugPrivilege -> 3992 -> 3KCat.exe
  Token: SeDebugPrivilege -> 3992 -> 3KCat.exe
  Token: SeDebugPrivilege -> 3992 -> 3KCat.exe
  Token: 1 -> 3992 -> 3KCat.exe
  Token: SeDebugPrivilege -> 3992 -> 3KCat.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: 3KCat.exe
  pid -> process
  3992 -> 3KCat.exe
  3992 -> 3KCat.exe
Downloads
- memory/3992-133-0x0000000010000000-0x0000000010019000-memory.dmp (Filesize: 100KB)
- memory/3992-135-0x0000000010000000-0x0000000010019000-memory.dmp (Filesize: 100KB)
- memory/3992-137-0x0000000003670000-0x0000000003694000-memory.dmp (Filesize: 144KB)
- memory/3992-136-0x0000000003640000-0x0000000003666000-memory.dmp (Filesize: 152KB)
- memory/3992-138-0x0000000003640000-0x0000000003666000-memory.dmp (Filesize: 152KB)
- memory/3992-139-0x0000000003670000-0x0000000003694000-memory.dmp (Filesize: 144KB)
- memory/3992-140-0x0000000010000000-0x0000000010019000-memory.dmp (Filesize: 100KB)
- memory/3992-141-0x0000000003640000-0x0000000003666000-memory.dmp (Filesize: 152KB)