Analysis
max time kernel: 141s
max time network: 124s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted: 28-08-2023 08:27
Behavioral task: behavioral1
Sample: 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
Resource: win7-20230712-en
General
Target: 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
Size: 1.0MB
MD5: 48098be8e5ae8010664d2e006cdc8a8e
SHA1: 70e2042b9b3d52ddd133edd2e6c81f83f2ef0071
SHA256: 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a
SHA512: 35fd1edcc721f4951dc14edf8ca00e0a9ef8558db599f56f735fb950cbf23de60e2a25ef58cb02ab6cfcaaa88707e8b3e2c2d5506ba34395203d27897d5e5d06
SSDEEP: 24576:hCXGqiuTPZ54YAFWd815T2M5SwMsA2740a388/YolI5hMJWVY:sXGqiu3EFnP2LcA2va388AiI5
Malware Config
Signatures
Detect Blackmoon payload 6 IoCs
resource | yara_rule
behavioral1/memory/2044-18-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
behavioral1/memory/2044-19-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
behavioral1/memory/2044-20-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
behavioral1/memory/2376-39-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
behavioral1/memory/2044-42-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
behavioral1/memory/2376-44-0x0000000000400000-0x00000000007FC000-memory.dmp | family_blackmoon
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0009000000012029-21.dat | acprotect
behavioral1/files/0x0009000000012029-22.dat | acprotect
Loads dropped DLL 1 IoCs
pid | Process
2044 | explorer.exe
UPX packed file 19 IoCs
resource | yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-4-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-7-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-10-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-16-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-17-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-18-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-19-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-20-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/files/0x0009000000012029-21.dat | upx
behavioral1/memory/2044-23-0x0000000074E00000-0x0000000074F0B000-memory.dmp | upx
behavioral1/files/0x0009000000012029-22.dat | upx
behavioral1/memory/2376-39-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-41-0x0000000074E00000-0x0000000074F0B000-memory.dmp | upx
behavioral1/memory/2044-42-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-43-0x0000000074E00000-0x0000000074F0B000-memory.dmp | upx
behavioral1/memory/2376-44-0x0000000000400000-0x00000000007FC000-memory.dmp | upx
behavioral1/memory/2044-57-0x0000000074E00000-0x0000000074F0B000-memory.dmp | upx
behavioral1/memory/2044-71-0x0000000074E00000-0x0000000074F0B000-memory.dmp | upx
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ExuiKrnln.dll | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
File created | C:\Windows\SysWOW64\ExuiKrnln.dll | explorer.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2376 set thread context of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2044 set thread context of 2808 | 2044 | explorer.exe | 29
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
596 | 2376 | WerFault.exe | 27
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TypedURLs | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TypedURLs | explorer.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
2044 | explorer.exe
2044 | explorer.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
2044 | explorer.exe
2044 | explorer.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2376 wrote to memory of 2044 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 28
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2044 wrote to memory of 2808 | 2044 | explorer.exe | 29
PID 2376 wrote to memory of 596 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 31
PID 2376 wrote to memory of 596 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 31
PID 2376 wrote to memory of 596 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 31
PID 2376 wrote to memory of 596 | 2376 | 61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe | 31
Processes
[1] C:\Users\Admin\AppData\Local\Temp\61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\61efe3f6a91e5c6ef31b9c27ced0a0e6f1de73fcf6487b70e1ce69133c0fd99a.exe"
    PID: 2376
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 2044
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            PID: 2808
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 588
        PID: 596
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 328KB
MD5: 6b0c10b774ee6dbcf0e4bd1557e7160b
SHA1: 98e5502f0cb27e355062e8fa0b9aad80e5c0bbad
SHA256: 335722b2684ffeac668ed8e9d7d582a395f9fc3d13f552f07c5d3ec7f025890f
SHA512: a44729fad75a090e4b3a0a4211ded10ef8ec499a7479efd2e3e6c448a3c625073b88e9e2c63c943f2fbcd9605aa9cc3cb1176a2ad61d91f22c4116948d66decf