Overview (score 10)

Static (score 7)

Tasks (sample, platform: score)
- 1111111111111111111111.exe, windows7-x64: 6
- 1111111111111111111111.exe, windows10-1703-x64: 6
- 1111111111111111111111.exe, windows10-2004-x64: 6
- 9VIcoCiitn.exe, windows7-x64: 9
- 9VIcoCiitn.exe, windows10-1703-x64: 9
- 9VIcoCiitn.exe, windows10-2004-x64: 1
- Microsoft Windows.exe, windows7-x64: 10
- Microsoft Windows.exe, windows10-1703-x64: 10
- Microsoft Windows.exe, windows10-2004-x64: 10
- New.exe, windows7-x64: 7
- New.exe, windows10-1703-x64: 7
- New.exe, windows10-2004-x64: 7
- SBLlgcMqPg.exe, windows7-x64: 10
- SBLlgcMqPg.exe, windows10-1703-x64: 10
- SBLlgcMqPg.exe, windows10-2004-x64: 10
- hh.chm, windows7-x64: 10
- hh.chm, windows10-1703-x64: 8
- hh.chm, windows10-2004-x64: 8
- nY4Ke1JkQH.exe, windows7-x64: 10
- nY4Ke1JkQH.exe, windows10-1703-x64: 10
- nY4Ke1JkQH.exe, windows10-2004-x64: 10
- qnr.dll, windows7-x64: 3
- qnr.dll, windows10-1703-x64: 3
- qnr.dll, windows10-2004-x64: 3
- ˫װ.exe, windows7-x64: 7
- ˫װ.exe, windows10-1703-x64: 7
- ˫װ.exe, windows10-2004-x64: 7
- ٷѰװ.exe, windows7-x64: 7
- ٷѰװ.exe, windows10-1703-x64: 7
- ٷѰװ.exe, windows10-2004-x64: 7
Analysis
- max time kernel: 299s
- max time network: 303s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2023 09:07
Behavioral tasks (task: sample, resource)
- behavioral1: 1111111111111111111111.exe, win7-20230831-en
- behavioral2: 1111111111111111111111.exe, win10-20230915-en
- behavioral3: 1111111111111111111111.exe, win10v2004-20230915-en
- behavioral4: 9VIcoCiitn.exe, win7-20230831-en
- behavioral5: 9VIcoCiitn.exe, win10-20230915-en
- behavioral6: 9VIcoCiitn.exe, win10v2004-20230915-en
- behavioral7: Microsoft Windows.exe, win7-20230831-en
- behavioral8: Microsoft Windows.exe, win10-20230915-en
- behavioral9: Microsoft Windows.exe, win10v2004-20230915-en
- behavioral10: New.exe, win7-20230831-en
- behavioral11: New.exe, win10-20230915-en
- behavioral12: New.exe, win10v2004-20230915-en
- behavioral13: SBLlgcMqPg.exe, win7-20230831-en
- behavioral14: SBLlgcMqPg.exe, win10-20230915-en
- behavioral15: SBLlgcMqPg.exe, win10v2004-20230915-en
- behavioral16: hh.chm, win7-20230831-en
- behavioral17: hh.chm, win10-20230915-en
- behavioral18: hh.chm, win10v2004-20230915-en
- behavioral19: nY4Ke1JkQH.exe, win7-20230831-en
- behavioral20: nY4Ke1JkQH.exe, win10-20230915-en
- behavioral21: nY4Ke1JkQH.exe, win10v2004-20230915-en
- behavioral22: qnr.dll, win7-20230831-en
- behavioral23: qnr.dll, win10-20230915-en
- behavioral24: qnr.dll, win10v2004-20230915-en
- behavioral25: ˫װ.exe, win7-20230831-en
- behavioral26: ˫װ.exe, win10-20230915-en
- behavioral27: ˫װ.exe, win10v2004-20230915-en
- behavioral28: ٷѰװ.exe, win7-20230831-en
- behavioral29: ٷѰװ.exe, win10-20230831-en
- behavioral30: ٷѰװ.exe, win10v2004-20230915-en
General
- Target: hh.chm
- Size: 201KB
- MD5: 8dd20f3f2f25bb297c9b64895530f920
- SHA1: 87c98fe066c3424ae89f18b439cede19679076b2
- SHA256: 3317b010df0c78ddd2043dfc02a824023faba86d362627e4d42b38084134e275
- SHA512: 22713705334e69564df34938194692cb534f0c8a8be4ced34fc367aa2a7e77c96e1742b9d6ce72004c3d378fba6930fb1800a0a39985b969ced0d02d14e8d459
- SSDEEP: 6144:iTnr34RHDSWdynEzIsOcr792z8Xn5UBq0:onr3yHOiIsOcr7SOn5UU0
Malware Config

Signatures

- Detect Blackmoon payload (1 IoC)
  resource: behavioral16/memory/856-88-0x0000000000150000-0x0000000000175000-memory.dmp
  yara_rule: family_blackmoon

- UAC bypass (1 IoC)
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"

- Downloads MZ/PE file

- Executes dropped EXE (1 IoC)
  pid 856 svchost.exe

- Loads dropped DLL (2 IoCs)
  pid 856 svchost.exe (2 entries)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 21: ifconfig.me

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

- Modifies Internet Explorer settings
  hh.exe: Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1692 hh.exe; pid 856 svchost.exe (repeated; 64 entries in total)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1692 hh.exe (2 entries)

- System policy modification (1 TTP, 2 IoCs)
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Processes

- C:\Windows\hh.exe (PID 1692)
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\hh.chm
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

- C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exe (PID 856)
  Command line: "C:\Users\Admin\Searches\qTRod0J0x9huXtWYGroR3nXdjpHRlTQsMxmPsaUNvXhrizfcxzfBv\svchost.exe"
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

- Filesize: 132.5MB
  MD5: 4b76e6f9478e03b6d5c20612857a7f63
  SHA1: 84496777e665853730c895c08540b8b48fc708be
  SHA256: 3407c7f02a4be2bdb2729e43cc776d61230fc1840bb89adc6b62517a8e24b3cf
  SHA512: a9a6c6def227c6b8931ce47a308522a4ceb2f07014c6b0b4a7468830c4d76f9d49910f6e35fe30b5ff3ba605dcbc1ca19c19c6aa6123de2cbf01907b6b842b47

- Filesize: 571KB
  MD5: f9ce53070a8a09158146344723e9cf3a
  SHA1: face56300c1e7e81845a8ad63f990441a45fa4f6
  SHA256: 253ae3586d0f1953b895ef927614ed351065921916fd4d9ff6f02d566d16cb78
  SHA512: 0560db7f15e2d1df22c6de00342dcd3225a3f54f150e54d395cb3fcb3cc6357a7e01698b91a0b05d904d6093f95dd79f73ba7595b5a4ac7260a6d4d0f02e7eea

- Filesize: 1.1MB
  MD5: 7c4bfda1e4dfa3a7c59aaeb7fee08c80
  SHA1: 7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
  SHA256: 781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
  SHA512: bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

- Filesize: 1.1MB
  MD5: 7c4bfda1e4dfa3a7c59aaeb7fee08c80
  SHA1: 7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
  SHA256: 781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
  SHA512: bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

- Filesize: 1.1MB
  MD5: 7c4bfda1e4dfa3a7c59aaeb7fee08c80
  SHA1: 7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
  SHA256: 781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
  SHA512: bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a

- Filesize: 132.5MB
  MD5: 4b76e6f9478e03b6d5c20612857a7f63
  SHA1: 84496777e665853730c895c08540b8b48fc708be
  SHA256: 3407c7f02a4be2bdb2729e43cc776d61230fc1840bb89adc6b62517a8e24b3cf
  SHA512: a9a6c6def227c6b8931ce47a308522a4ceb2f07014c6b0b4a7468830c4d76f9d49910f6e35fe30b5ff3ba605dcbc1ca19c19c6aa6123de2cbf01907b6b842b47

- Filesize: 1.1MB
  MD5: 7c4bfda1e4dfa3a7c59aaeb7fee08c80
  SHA1: 7ac76bcf4a74ab57aeb62aa59531f8aad14c6c77
  SHA256: 781609c3f08ad116aa2c342e277c4899ae760e08e6c1593f95b6aa3cf6f5b109
  SHA512: bd189c981a1a25c782f4c12dc00a9009a4819a33ee9eacb6c1ba30b1d656965c86099bd0beb66f1ea8cfc0bf5e7a5ddfc370b1a0fd0f69381f216e05d437d68a