Analysis
- max time kernel: 144s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2023 22:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
- Resource: win7-20230621-en
General
- Target: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
- Size: 2.9MB
- MD5: b03da2cad31f6dd89dde2e181553da6e
- SHA1: 5c8ba30aa2c3971e179e5c86ca31462897a3b5a9
- SHA256: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556
- SHA512: 3488b6171534d61620bfc1f42dd11e4c4c826892f466b24da4187a94000f072c1c0f3ed5b4bd0c3a1fe3e7f807e96c638418a6d3eac4d9b6b89f8f094f1a2f6a
- SSDEEP: 49152:SGOHuqFTiOmBukNbWQZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcn:tOjFTirBPng3Yz5J/693kO
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  Processes:
  - resource behavioral2/memory/1256-141-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule family_blackmoon
  - resource behavioral2/memory/1256-143-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule family_blackmoon
- Downloads MZ/PE file
  Processes:
  - resource C:\Users\Public\xiaodaxzqxia\jecxz.exe, yara_rule aspack_v212_v242 (listed twice)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation, by 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 1256 jecxz.exe
  - pid 4876 v.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - File opened (read-only) by jecxz.exe: \??\B:, \??\E:, \??\L:, \??\M:, \??\R:, \??\S:, \??\Z:, \??\G:, \??\P:, \??\T:, \??\U:, \??\I:, \??\K:, \??\Q:, \??\V:, \??\H:, \??\J:, \??\N:, \??\O:, \??\W:, \??\X:, \??\Y:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, by jecxz.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by jecxz.exe
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings, by 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 4088 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe (2 entries)
  - pid 1256 jecxz.exe (remaining 62 entries)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
  - pid 4088 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe (2 entries)
  - pid 1256 jecxz.exe
  - pid 1580 hh.exe (2 entries)
  - pid 2536 hh.exe (2 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each entry is recorded three times in the report):
  - PID 4088 wrote to memory of 4256: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe -> cmd.exe
  - PID 4256 wrote to memory of 4668: cmd.exe -> reg.exe
  - PID 4088 wrote to memory of 1256: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe -> jecxz.exe
  - PID 4088 wrote to memory of 4876: 7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe -> v.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f6344e5ebcc7ecf98acaf63efcd29952b2152f6f9d2ed061289b2d7944a5556.exe"
  Behaviours:
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
    Behaviours:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
  - C:\Users\Public\xiaodaxzqxia\jecxz.exe
    Command line: C:\Users\Public\xiaodaxzqxia\jecxz.exe
    Behaviours:
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Public\xiaodaxzqxia\v.exe
    Command line: "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
    Behaviours:
    - Executes dropped EXE
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
  Behaviours:
  - Suspicious use of SetWindowsHookEx
- C:\Windows\hh.exe
  Command line: "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
  Behaviours:
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
  Filesize: 8KB
  MD5: 27c0984984114dac6d17e6a07c237c42
  SHA1: 13746cfcdfa47d2b53bf13318c6761218e4d45ef
  SHA256: a92efcfaa827808ba734eb086b83bee153987740bb89894bace60dd31802bfe2
  SHA512: bec4023adfdde0af26a9792dbda8a8fdd4eaa175cfe8b4922bbf6a673e99b40da70f25f190d03f01b211ca823cdab45bdb90f14e91bc029f5d48d3149a2dc22c
- C:\Users\Public\cxzvasdfg\9353431270583033\A11.chm
  Filesize: 11KB
  MD5: db7961bf21e69e9cdbbfbc5357b6ae84
  SHA1: 6b43da6f1a502cc3ede9a46a71536e79335e3169
  SHA256: 49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e
  SHA512: e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8
- C:\Users\Public\xiaodaxzqxia\1
  Filesize: 291KB
  MD5: 66bbcc42fe6cf9c1b890ec4a9049a9d7
  SHA1: dd6bf3e2ca01625a1c2d1cd59ec523b55978d32e
  SHA256: 4950e959cb8ac30540acf2544bbe6a0bdf78e7ea2ce558f248c7f902df29b9ae
  SHA512: 56daaa94dab1ec09d3a328f78e794d6040822ef26ee5370020e59a9da0e0be7e7c95c4e1805d24cf9270a475219e4dd98aa3a71afc6785df406f99a17110ddb0
- C:\Users\Public\xiaodaxzqxia\111
  Filesize: 1.1MB
  MD5: 8030310d4a14ad7db433811b6a999683
  SHA1: 0df42168454db804f8d67fdee7835560bfb3d3ab
  SHA256: 238e7e4c3a764f8570d7db9612373343385b63ae65c94ac5684d6d52e3745eba
  SHA512: 049f74881fc50b9b96f002230b689958f75b7215ccc7bb93bda9580c91f7bfec7ca2fecde902be89a3f501c0622f83b6ee71adadbd7f12c9c6d180a2602dc45b
- C:\Users\Public\xiaodaxzqxia\jecxz.exe
  Filesize: 16KB
  MD5: 9a0dd06445e36d0c2fc29cbcfe11d8f9
  SHA1: a85b21b0b8bf3db76aa7a743dbd4898fd63cc4bb
  SHA256: a1edd40e6b9661df0937b96f3dc3709e9cdb32ea277bc996ae3df6b3f217fa92
  SHA512: fbd7bb36e7641817794e2818f27f2501e94cc7df7a871230d445d145e6102ffb0396b696a2e8f2cefee2fb473302ae5821e7a625b2c7fc906597c2d582011c77
- C:\Users\Public\xiaodaxzqxia\n.bat
  Filesize: 263B
  MD5: c7d8b33e05722104d63de564a5d92b01
  SHA1: fd703f1c71ac1dae65dc34f3521854604cec8091
  SHA256: 538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a
  SHA512: 54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e
- C:\Users\Public\xiaodaxzqxia\v.exe
  Filesize: 161KB
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4
- memory/1256-147-0x00000000020F0000-0x000000000213A000-memory.dmp
  Filesize: 296KB
- memory/1256-148-0x00000000020F0000-0x000000000213A000-memory.dmp
  Filesize: 296KB
- memory/1256-141-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB
- memory/1256-146-0x00000000020F0000-0x000000000213A000-memory.dmp
  Filesize: 296KB
- memory/1256-144-0x00000000020F0000-0x000000000213A000-memory.dmp
  Filesize: 296KB
- memory/1256-143-0x0000000000400000-0x000000000040F000-memory.dmp
  Filesize: 60KB
- memory/1256-177-0x00000000020F0000-0x000000000213A000-memory.dmp
  Filesize: 296KB
- memory/4876-172-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB