Analysis
- max time kernel: 26s
- max time network: 29s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2023 10:24
Behavioral task: behavioral1
- Sample: 汇单图.exe
- Resource: win7-20230621-en (windows7-x64)
- 7 signatures
- 300 seconds
General
- Target: 汇单图.exe
- Size: 265KB
- MD5: 7dfe3a740d55d5e677802cf8a68b0437
- SHA1: c183a2fa41659d4df18d4b79ec09e6151d16aee0
- SHA256: 9fdce593fa16c76525206982a35718da11007319501d0910af25a253588702c1
- SHA512: 026b75192ac0c1cde44cb1d8916a3535493a5259d56d3db65b30c21db94d44a9bb3ee9e68fe9a56bb1ecbeca715c483f25ddaa4f3fd153fae5c074ec81c495eb
- SSDEEP: 3072:u30JBc9y8BpUwMyZ+BvK2t5SBjTCktECyqewTvDyRxwUdj/Tss0mGGMKT:u30JB58TnMys5iBj4CtpyFvss0mxMQ
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1876-54-0x0000000000400000-0x0000000000456200-memory.dmp | family_blackmoon
  behavioral1/memory/1876-55-0x0000000000400000-0x0000000000456200-memory.dmp | family_blackmoon
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1724 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1876 | 汇单图.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  1876 | 汇单图.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1876 wrote to memory of 1724 | 1876 | 汇单图.exe | cmd.exe
  PID 1876 wrote to memory of 1724 | 1876 | 汇单图.exe | cmd.exe
  PID 1876 wrote to memory of 1724 | 1876 | 汇单图.exe | cmd.exe
  PID 1876 wrote to memory of 1724 | 1876 | 汇单图.exe | cmd.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\汇单图.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\汇单图.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\77AA~1.EXE > nul
    - Deletes itself