Analysis
- max time kernel: 233s
- max time network: 295s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2023 10:24
Behavioral task
- behavioral1
  - Sample: 汇单图.exe
  - Resource: win7-20230621-en (windows7-x64)
  - 7 signatures
  - 300 seconds
General
- Target: 汇单图.exe
- Size: 265KB
- MD5: 7dfe3a740d55d5e677802cf8a68b0437
- SHA1: c183a2fa41659d4df18d4b79ec09e6151d16aee0
- SHA256: 9fdce593fa16c76525206982a35718da11007319501d0910af25a253588702c1
- SHA512: 026b75192ac0c1cde44cb1d8916a3535493a5259d56d3db65b30c21db94d44a9bb3ee9e68fe9a56bb1ecbeca715c483f25ddaa4f3fd153fae5c074ec81c495eb
- SSDEEP: 3072:u30JBc9y8BpUwMyZ+BvK2t5SBjTCktECyqewTvDyRxwUdj/Tss0mGGMKT:u30JB58TnMys5iBj4CtpyFvss0mxMQ
Malware Config

Signatures
- Detect Blackmoon payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1036-133-0x0000000000400000-0x0000000000456200-memory.dmp | family_blackmoon
    behavioral2/memory/1036-134-0x0000000000400000-0x0000000000456200-memory.dmp | family_blackmoon

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 汇单图.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | 汇单图.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 汇单图.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1036 | 汇单图.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 汇单图.exe
    pid | process
    1036 | 汇单图.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 汇单图.exe
    description | pid | process | target process
    PID 1036 wrote to memory of 3344 | 1036 | 汇单图.exe | cmd.exe
    PID 1036 wrote to memory of 3344 | 1036 | 汇单图.exe | cmd.exe
    PID 1036 wrote to memory of 3344 | 1036 | 汇单图.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\汇单图.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\汇单图.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\77AA~1.EXE > nul