Analysis

- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2023 02:14
Behavioral task: behavioral1

- Sample: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- Resource: win7-20230712-en
General

- Target: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- Size: 18.5MB
- MD5: e15275e55b641d2edfdaf980dbd28cda
- SHA1: 24865c4bf9793da9d22049208b5903396e6d3f57
- SHA256: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0
- SHA512: 39238e2547e652e2f690f0670d54e5cc7437db1f09219f75e3af73b4bf39c0fd5581fb03319f62460157a5433d9dcc2576398d8f364a92240fc68b723e6d9212
- SSDEEP: 196608:ex4YIeJVSmi93ZjDHTQnOFDKpxOET0hmk00nSJdziGYhU0jatCTNX+wnRtOMGi+W:ney3Hz8pxrT0kHJdqi0e81xRtOMP
Malware Config
Signatures
Detect Blackmoon payload (7 IoCs)
Resource and matching YARA rule:
- behavioral1/files/0x0009000000012024-57.dat: family_blackmoon
- behavioral1/files/0x0009000000012024-60.dat: family_blackmoon
- behavioral1/memory/1976-61-0x0000000010000000-0x00000000100B3000-memory.dmp: family_blackmoon
- behavioral1/files/0x0009000000012024-68.dat: family_blackmoon
- behavioral1/files/0x0009000000012024-67.dat: family_blackmoon
- behavioral1/files/0x0009000000012024-66.dat: family_blackmoon
- behavioral1/files/0x0009000000012024-75.dat: family_blackmoon
Executes dropped EXE (3 IoCs)
- PID 1976: w32vYCPrR2NMahTe.exe
- PID 2844: Containers.exe
- PID 340: nvgwl.exe
Loads dropped DLL (7 IoCs)
- PID 2536: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- PID 2884: WerFault.exe
- PID 2884: WerFault.exe
- PID 2884: WerFault.exe
- PID 2536: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- PID 2884: WerFault.exe
- PID 2844: Containers.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
- PID 2844: Containers.exe (64 identical entries)
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\zip.dll by w32vYCPrR2NMahTe.exe
Program crash (1 IoC)
- PID 2884 (WerFault.exe), target PID 1976, procid_target 28
Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by Containers.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by Containers.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2844: Containers.exe (1 entry)
- PID 340: nvgwl.exe (repeated for the remaining 63 entries)
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2536: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe (2 entries)
- PID 1976: w32vYCPrR2NMahTe.exe (2 entries)
- PID 2844: Containers.exe (2 entries)
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 2536 (840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe) wrote to memory of PID 1976, procid_target 28 (4 entries)
- PID 1976 (w32vYCPrR2NMahTe.exe) wrote to memory of PID 2884, procid_target 29 (4 entries)
- PID 2536 (840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe) wrote to memory of PID 2844, procid_target 30 (4 entries)
- PID 2844 (Containers.exe) wrote to memory of PID 340, procid_target 33 (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe (PID 2536, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\w32vYCPrR2NMahTe.exe (PID 1976, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\w32vYCPrR2NMahTe.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2884, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 284
      - Loads dropped DLL
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\Containers.exe (PID 2844, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\\Containers.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\nvgwl.exe (PID 340, depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\nvgwl.exe -n Containers.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize 14.6MB (listed 3 times)
  MD5: 0e7b5d11663d65bc4518103ad57b7a35
  SHA1: eec123b1ae6325abb5ab319bdf9a0c9fa1b18767
  SHA256: 751aef0fa57a2cc5a3831eb4df342a006a326ff7deeb9f7eb7b91844d0babb21
  SHA512: 4e91d17cc68076ea3a85dacfc64a19c8e4ad4ed84bb6967764530b33b7de487361fc3b8b5e87ebea03e5581963ec06a7b390856b43b46a3360ef7a3cee3759c1
- Filesize 3.2MB (listed 6 times)
  MD5: b9a6dde62126369e9fa342a7b7f168dd
  SHA1: 21c83f14f397a2d73af9573876876f452c3c2092
  SHA256: 7e8500a4d0d9937d48a7dfd33ba28c06e2d16e842141f1c02a68f73b6d087806
  SHA512: 1a86577ae2fff33b94f0242191ba1b1297e0b75ef96578b8ec18f294b62168835f57966e036b179661dcdf01e4d5891a2e62650e62ca643c41a7034312a2f4df
- Filesize 642KB (listed 2 times)
  MD5: 5551b5f2a3f14636f8947f112a7ca6aa
  SHA1: fad4b84c8c2d58f88e0013a10d02417097ff2e84
  SHA256: c3bf1743cd48c6c3f8a705ffa96b7f005652f39fe359c25c443b2fb3f31f3858
  SHA512: 6a3dd4b9d97fce3aac31ec050b9b637e3b835d76e15c3ed9ee03241e80148c569a15e45489a023fb600373b7352b38034da84f47a5ad1f20e5baea7bc012ef8d