Analysis
- max time kernel: 151s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2023 02:14
Behavioral task: behavioral1
- Sample: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- Resource: win7-20230712-en
General
- Target: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
- Size: 18.5MB
- MD5: e15275e55b641d2edfdaf980dbd28cda
- SHA1: 24865c4bf9793da9d22049208b5903396e6d3f57
- SHA256: 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0
- SHA512: 39238e2547e652e2f690f0670d54e5cc7437db1f09219f75e3af73b4bf39c0fd5581fb03319f62460157a5433d9dcc2576398d8f364a92240fc68b723e6d9212
- SSDEEP: 196608:ex4YIeJVSmi93ZjDHTQnOFDKpxOET0hmk00nSJdziGYhU0jatCTNX+wnRtOMGi+W:ney3Hz8pxrT0kHJdqi0e81xRtOMP
Signatures

- Detect Blackmoon payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x00060000000231bb-137.dat | family_blackmoon
  behavioral2/files/0x00060000000231bb-138.dat | family_blackmoon
  behavioral2/memory/3328-139-0x0000000010000000-0x00000000100B3000-memory.dmp | family_blackmoon

- Executes dropped EXE (3 IoCs)
  pid | Process
  3328 | w32vYCPrR2NMahTe.exe
  688 | Containers.exe
  4316 | nvgwl.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  pid | Process
  688 | Containers.exe (all 64 hits)
  Note: ThreadHideFromDebugger is an anti-debugging measure; a thread flagged this way no longer delivers debug events to an attached debugger.

- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\zip.dll | w32vYCPrR2NMahTe.exe

- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4396 | 3328 | WerFault.exe | 86

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Containers.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Containers.exe
  Note: reading SystemManufacturer from the BIOS description key is a common virtual-machine/sandbox check, since the value exposes the hypervisor vendor on most VM platforms.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  688 | Containers.exe (2 hits)
  4316 | nvgwl.exe (remaining 62 hits)

- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  3516 | 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe (2 hits)
  3328 | w32vYCPrR2NMahTe.exe (2 hits)
  688 | Containers.exe (2 hits)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3516 wrote to memory of 3328 (3 hits) | 3516 | 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe | 86
  PID 3516 wrote to memory of 688 (3 hits) | 3516 | 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe | 91
  PID 688 wrote to memory of 4316 (2 hits) | 688 | Containers.exe | 102
Processes (indentation shows parent/child depth as rendered by the sandbox)

- C:\Users\Admin\AppData\Local\Temp\840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe"
  PID: 3516
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\w32vYCPrR2NMahTe.exe
    command line: C:\Users\Admin\AppData\Local\Temp\w32vYCPrR2NMahTe.exe
    PID: 3328
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 716
      PID: 4396
      - Program crash

  - C:\Users\Admin\AppData\Local\Temp\Containers.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\Containers.exe
    PID: 688
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\nvgwl.exe
      command line: C:\Users\Admin\AppData\Roaming\nvgwl.exe -n Containers.exe
      PID: 4316
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3328 -ip 3328
  PID: 3468
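The process tree above is what the sandbox rendered; the same tree can be rebuilt from the raw signature rows, which is useful when only the IoC tables are exported. The following script is an added example written for this page, not part of the sandbox report or its tooling. It parses the WriteProcessMemory, Executes-dropped-EXE and Program-crash rows exactly as listed above (the inline strings are constructed copies of those rows), treats a process that writes into a freshly created process as its parent (an assumption, matching the CreateProcess-then-WriteProcessMemory pattern the report shows), collapses the repeated rows into unique edges, and resolves which image WerFault.exe was handling.

```python
import re
from collections import defaultdict

# Constructed copies of the IoC rows from the report above (same PIDs and image names).
WRITE_PROCESS_MEMORY = """
PID 3516 wrote to memory of 3328 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 86
PID 3516 wrote to memory of 3328 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 86
PID 3516 wrote to memory of 3328 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 86
PID 3516 wrote to memory of 688 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 91
PID 3516 wrote to memory of 688 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 91
PID 3516 wrote to memory of 688 3516 840990c302bde9e128238314c8ffb9c64a7317b728d4ff577d5f089998b07cf0.exe 91
PID 688 wrote to memory of 4316 688 Containers.exe 102
PID 688 wrote to memory of 4316 688 Containers.exe 102
"""

DROPPED_EXE = """
3328 w32vYCPrR2NMahTe.exe
688 Containers.exe
4316 nvgwl.exe
"""

# Program-crash row: "<werfault_pid> <pid_target> <process> <procid_target>"
PROGRAM_CRASH = "4396 3328 WerFault.exe 86"

# "PID <src> wrote to memory of <dst> <src> <src_image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_write_events(text):
    """Unique (src_pid, dst_pid, src_image, procid_target) tuples in first-seen order.
    The sandbox emits one row per WriteProcessMemory call, so edges repeat."""
    seen, events = set(), []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ev = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def parse_pid_image(text):
    """'<pid> <image>' rows -> {pid: image}."""
    out = {}
    for line in text.strip().splitlines():
        pid, image = line.split(None, 1)
        out[int(pid)] = image
    return out


def build_tree(events, images):
    """Assumption: the writer of a new process's memory is its parent.
    Returns ({parent_pid: [child_pids]}, {pid: image})."""
    children = defaultdict(list)
    images = dict(images)
    for src, dst, src_image, _ in events:
        images.setdefault(src, src_image)
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), images


def roots(children):
    """Parents that are nobody's child, i.e. the tree roots."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render_tree(children, images, pid, depth=0, out=None):
    """Indented 'pid image' lines, depth-first."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
    for child in children.get(pid, []):
        render_tree(children, images, child, depth + 1, out)
    return out


def parse_crash(line):
    werfault_pid, target_pid, process, _ = line.split()
    return int(werfault_pid), int(target_pid), process


def crashed_image(crash_line, images):
    """Image name of the process WerFault.exe was invoked for."""
    _, target, _ = parse_crash(crash_line)
    return images.get(target)


if __name__ == "__main__":
    events = parse_write_events(WRITE_PROCESS_MEMORY)
    children, images = build_tree(events, parse_pid_image(DROPPED_EXE))
    for root in roots(children):
        print("\n".join(render_tree(children, images, root)))
    wer, target, _ = parse_crash(PROGRAM_CRASH)
    print(f"WerFault {wer} handled crash of {target} ({images[target]})")
```

The reconstructed tree matches the rendered one (3516 spawns 3328 and 688; 688 spawns 4316), and the crash row resolves to the dropped w32vYCPrR2NMahTe.exe, which is also the process whose memory carried the family_blackmoon YARA hit. The second WerFault.exe instance (PID 3468, launched with -pss) does not appear in the WriteProcessMemory rows, so a reconstruction from those rows alone will not show it; the rendered tree is still the authoritative source for top-level processes.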
Downloads (each file appears twice in the original listing; duplicates collapsed)

- Filesize: 14.6MB
  MD5: 0e7b5d11663d65bc4518103ad57b7a35
  SHA1: eec123b1ae6325abb5ab319bdf9a0c9fa1b18767
  SHA256: 751aef0fa57a2cc5a3831eb4df342a006a326ff7deeb9f7eb7b91844d0babb21
  SHA512: 4e91d17cc68076ea3a85dacfc64a19c8e4ad4ed84bb6967764530b33b7de487361fc3b8b5e87ebea03e5581963ec06a7b390856b43b46a3360ef7a3cee3759c1

- Filesize: 3.2MB
  MD5: b9a6dde62126369e9fa342a7b7f168dd
  SHA1: 21c83f14f397a2d73af9573876876f452c3c2092
  SHA256: 7e8500a4d0d9937d48a7dfd33ba28c06e2d16e842141f1c02a68f73b6d087806
  SHA512: 1a86577ae2fff33b94f0242191ba1b1297e0b75ef96578b8ec18f294b62168835f57966e036b179661dcdf01e4d5891a2e62650e62ca643c41a7034312a2f4df

- Filesize: 642KB
  MD5: 5551b5f2a3f14636f8947f112a7ca6aa
  SHA1: fad4b84c8c2d58f88e0013a10d02417097ff2e84
  SHA256: c3bf1743cd48c6c3f8a705ffa96b7f005652f39fe359c25c443b2fb3f31f3858
  SHA512: 6a3dd4b9d97fce3aac31ec050b9b637e3b835d76e15c3ed9ee03241e80148c569a15e45489a023fb600373b7352b38034da84f47a5ad1f20e5baea7bc012ef8d