Analysis
- max time kernel: 139s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2023, 05:28
Behavioral task behavioral1
- Sample: f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
- Resource: win10v2004-20231127-en
General
- Target: f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
- Size: 11.5MB
- MD5: e0ac8681c53c9caf51042246b15d122d
- SHA1: 90cf66858157540e6c39fb2c4b2d4562c16f935c
- SHA256: f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973
- SHA512: f970b3c3acc9aa1a026f9d3f4133e76e04fca86ea2e56db56b1de60dc15123f17caef8ff24a5b7eda8029026c73b2364695e9eebf2bad503c405f26dba98ce7c
- SSDEEP: 196608:HPCUhW2aj2/yZL8W/q2F54b85va9QX+9bueDD0z3au7fuCalZozAR8E:KEWD2/yKWqIuF9bnDD0jaouCzs
Malware Config
Signatures
- Detect Blackmoon payload (7 IoCs)
  resource / yara_rule:
  behavioral1/files/0x0026000000015d39-74.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-75.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-77.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-76.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-80.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-79.dat  family_blackmoon
  behavioral1/files/0x0026000000015d39-78.dat  family_blackmoon
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2204  Patch.exe
  2716  fog.exe
- Loads dropped DLL (8 IoCs)
  pid / Process:
  2116  f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
  2204  Patch.exe (4 rows)
  2716  fog.exe (3 rows)
- (signature name not captured) yara_rule vmprotect (8 IoCs)
  resource / yara_rule:
  behavioral1/memory/2116-4-0x0000000000400000-0x0000000001939000-memory.dmp  vmprotect
  behavioral1/files/0x0027000000015dc1-19.dat  vmprotect
  behavioral1/files/0x0027000000015dc1-21.dat  vmprotect
  behavioral1/files/0x0027000000015dc1-22.dat  vmprotect
  behavioral1/files/0x0027000000015dc1-23.dat  vmprotect
  behavioral1/memory/2204-29-0x0000000000400000-0x0000000000EF0000-memory.dmp  vmprotect
  behavioral1/memory/2116-81-0x0000000000400000-0x0000000001939000-memory.dmp  vmprotect
  behavioral1/memory/2204-82-0x0000000000400000-0x0000000000EF0000-memory.dmp  vmprotect
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  File created  C:\Windows\SysWOW64\ESPI11.dll  Patch.exe
  File opened for modification  C:\Windows\SysWOW64\ESPI11.dll  Patch.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid / Process:
  2116  f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe (2 rows)
  2204  Patch.exe (2 rows)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 64 rows, each one of
  2116  f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
  2204  Patch.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / Process:
  2116  f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe (2 rows)
  2204  Patch.exe (2 rows)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description / pid / Process / procid_target:
  PID 2116 wrote to memory of 2204  2116  f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe  28 (7 rows)
  PID 2204 wrote to memory of 2716  2204  Patch.exe  29 (7 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f2fc86ac97be7dd994c3d20ee9a58f48eb7dc780ea273daf24c5343b90bb9973.exe"
  PID: 2116
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Patch.exe (child of PID 2116)
    command line: C:\Users\Admin\AppData\Local\Temp\\Patch.exe
    PID: 2204
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fog.exe (child of PID 2204)
      command line: C:\Users\Admin\AppData\Local\Temp\fog.exe
      PID: 2716
      - Executes dropped EXE
      - Loads dropped DLL
Downloads
- Filesize: 120KB
  MD5: c3adbb35a05b44bc877a895d273aa270
  SHA1: 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
  SHA256: b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
  SHA512: 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc
- Filesize: 6.1MB
  MD5: 757d9e9d11e35d3763c07743fcc6e7ed
  SHA1: 2037c66cac11ab802065c4dcac9866d74bab41c5
  SHA256: 0ec52b0bd46c831fbc7dc9dd2164f9821c16009dafd6c4191053420838f18637
  SHA512: 1f7029fdea1a135a3f2944a6f25c50897f494ebf437fadb4600c05c83c2bb75dad36b00a77ff5d231cbe6e3ffb8f2c02c8eb4b496f56719736f9ebd7482fbeb1
- Filesize: 785KB
  MD5: 1dbc14b104a35c2a82f6a63429b59739
  SHA1: a4ebec8b4a52d5449f96fed0fdcf15aea6efde7e
  SHA256: 3f529ba8703596a82c7873a9c47559d3a778a0b2fa5d5857e34f756571407743
  SHA512: d2bdd77696ca143c994db32b75d636f72e8d045a63e6e80e1ea3b65d1bb80d96d324ecf399b9769f186e70c4dd54d01a7a03c4b123c5a3a71e69ff36ac9f932c