Analysis
- max time kernel: 28s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2023 20:41
Behavioral task: behavioral1
- Sample: 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
- Resource: win10v2004-20230621-en
General
- Target: 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
- Size: 233KB
- MD5: f7c625d7263c18ecc8168c219dc9724c
- SHA1: d2420a7a7e230efb3a7747c82cc6c45cac439a1f
- SHA256: 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72
- SHA512: 78844189eba5420cdcf0ed13fb65cfd1a0fdafffd25fde409a376b49143910fa7ad2c367499e7beb70f872aea3172cabf909dd7ce312598177c648f9b7f8ae90
- SSDEEP: 6144:t5/xaoPuPKgyVX1e6IreazzIb4iue7G2r:t7a4lJ1e6IrotG2r
Signatures
- Detect Blackmoon payload (2 IoCs)
  Resource: C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe, YARA rule: family_blackmoon
  Resource: C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe, YARA rule: family_blackmoon
- Sets service image path in registry (2 TTPs, 1 IoC)
  Process NIEPAN.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\R\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\R.sys"
- Executes dropped EXE (3 IoCs)
  PID 872 NIEPAN.exe
  PID 848 JQM.exe
  PID 1364 kdmapper.exe
- Loads dropped DLL (4 IoCs)
  PID 872 NIEPAN.exe
  PID 848 JQM.exe
  PID 848 JQM.exe
  PID 1920 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (5 IoCs)
  Resource: C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe, YARA rule: nsis_installer_2
  Resource: C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe, YARA rule: nsis_installer_2
  Resource: \Users\Admin\AppData\Local\Temp\JQM.exe, YARA rule: nsis_installer_2
  Resource: C:\Users\Admin\AppData\Local\Temp\JQM.exe, YARA rule: nsis_installer_2
  Resource: C:\Users\Admin\AppData\Local\Temp\JQM.exe, YARA rule: nsis_installer_2
- Kills process with taskkill (3 IoCs)
  PID 1800 taskkill.exe
  PID 552 taskkill.exe
  PID 432 taskkill.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 872 NIEPAN.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID 460
  PID 460
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1800 taskkill.exe
  Token: SeDebugPrivilege, PID 552 taskkill.exe
  Token: SeDebugPrivilege, PID 432 taskkill.exe
- Suspicious use of WriteProcessMemory (31 IoCs; repeated rows collapsed with a count)
  PID 1252 (41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe) wrote to memory of PID 1244 (cmd.exe): 3 entries
  PID 1244 (cmd.exe) wrote to memory of PID 872 (NIEPAN.exe): 4 entries
  PID 872 (NIEPAN.exe) wrote to memory of PID 848 (JQM.exe): 4 entries
  PID 848 (JQM.exe) wrote to memory of PID 1920 (cmd.exe): 4 entries
  PID 1920 (cmd.exe) wrote to memory of PID 1364 (kdmapper.exe): 4 entries
  PID 1920 (cmd.exe) wrote to memory of PID 1800 (taskkill.exe): 4 entries
  PID 1920 (cmd.exe) wrote to memory of PID 552 (taskkill.exe): 4 entries
  PID 1920 (cmd.exe) wrote to memory of PID 432 (taskkill.exe): 4 entries
Processes (process tree; depth in brackets, the folder name originally shown GBK-mojibaked as "н¨Îļþ¼Ð" decodes to 新建文件夹)
[1] C:\Users\Admin\AppData\Local\Temp\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\41ff2b0d6c9ad76caeea7221077e28f04480af7338ad724f5bbf7aec3f8a7f72.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\NIEPAN.exe
        - Sets service image path in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\JQM.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\JQM.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\新建文件夹\bhWm.bat
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\新建文件夹\kdmapper.exe
              Command line: kdmapper.exe Null.sys
              - Executes dropped EXE
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM WmiPrvSE.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM WmiPrvSE.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /F /IM WmiPrvSE.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\JQM.exe
  Filesize: 164KB
  MD5: 22a93b1e9dc4a606f774f63efab9593b
  SHA1: 40c9b1d8e1c829dab298cf7f79c5e2b9a3db77d5
  SHA256: 1a776d1cafe55d8f50cb86eb977e6936be349b3b46fa632013d0d69b8ec20e84
  SHA512: 9629bee1537d824f71f82a54077a75a6d69b184a63ffb8fa03ef73b53c26f2f0612eba131341efc0c2945bd4b0016691ac40207c5957b1ae6b9417954bff3313
- C:\Users\Admin\AppData\Local\Temp\NIEPAN.exe
  Filesize: 194KB
  MD5: be4769e52155fad728b27ddbb7cad92b
  SHA1: ffbd07acf14b41ee569e7da98cda2ce3beceb769
  SHA256: 2a86f387314411d6f91b66439e0c3ef82d37e7060dcbe0dc098d2c52f41fbcab
  SHA512: 525d2479a0cc5bf42a4d113eda4bf5069ef07abe56f6ed7962e0410b374ac14ff252346b2a8a20269910b13d597b829f4d50ca130049e116ed5cc96de856d80e
- C:\Users\Admin\AppData\Local\Temp\nsy2040.tmp\System.dll
  Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
- C:\Users\Admin\AppData\Local\Temp\nsy2040.tmp\nsExec.dll
  Filesize: 6KB
  MD5: e54eb27fb5048964e8d1ec7a1f72334b
  SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
  SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
  SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- C:\Users\Admin\AppData\Local\Temp\新建文件夹\bhWm.bat (folder name shown GBK-mojibaked as "н¨Îļþ¼Ð" in the report)
  Filesize: 137B
  MD5: e74a5a81e2c45c7bfb4a7e96d3a0c733
  SHA1: 26c4f82ba5cee30cab96fab7cd2d8c1fd2552566
  SHA256: 7b25b47ccc09d1156fec0913b7000659eae1bedd7efafbd17d0dc45fb2714ad5
  SHA512: bdd70104091d52b8a1bd4e79dfd1eec3fb4c752fa8179661f40f5b0cc6b7e8bf9bfbb55687cb2f30669c2f883666c806ca08ec7e8d121223402232a90dc6db99
- C:\Users\Admin\AppData\Local\Temp\新建文件夹\kdmapper.exe (folder name shown GBK-mojibaked as "н¨Îļþ¼Ð" in the report)
  Filesize: 107KB
  MD5: d63c0a558ae60ae055d8f2aae1d0a494
  SHA1: 51ed78431c44402abcea6913ecf845e1662777ba
  SHA256: 779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729
  SHA512: c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b
- \Users\Admin\AppData\Local\Temp\JQM.exe
  Filesize: 164KB
  MD5: 22a93b1e9dc4a606f774f63efab9593b
  SHA1: 40c9b1d8e1c829dab298cf7f79c5e2b9a3db77d5
  SHA256: 1a776d1cafe55d8f50cb86eb977e6936be349b3b46fa632013d0d69b8ec20e84
  SHA512: 9629bee1537d824f71f82a54077a75a6d69b184a63ffb8fa03ef73b53c26f2f0612eba131341efc0c2945bd4b0016691ac40207c5957b1ae6b9417954bff3313
- \Users\Admin\AppData\Local\Temp\nsy2040.tmp\System.dll
  Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
- \Users\Admin\AppData\Local\Temp\nsy2040.tmp\nsExec.dll
  Filesize: 6KB
  MD5: e54eb27fb5048964e8d1ec7a1f72334b
  SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
  SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
  SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- \Users\Admin\AppData\Local\Temp\新建文件夹\kdmapper.exe
  Filesize: 107KB
  MD5: d63c0a558ae60ae055d8f2aae1d0a494
  SHA1: 51ed78431c44402abcea6913ecf845e1662777ba
  SHA256: 779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729
  SHA512: c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b