Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21/12/2023, 05:28
Behavioral task: behavioral1
Sample: af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
Resource: win7-20231129-en
General
Target: af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
Size: 9.4MB
MD5: 376e36a8ca0c893397a0a0192bdff6ad
SHA1: b2b86d096fab33d4dd1348564d1bbffab301b964
SHA256: af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d
SHA512: 95446092e3554923d8b2fd569f95c3c95b77f4446f9bc3da5b7d9151366027cbad78aec7e5c4b54f513af3330e66dc18580d91bc8e47d09b6f9d6dfef4fbe580
SSDEEP: 196608:PhcVBkldkxTdy+Zotrwo0tQN0Az0txQxKEf2hkHDhnzKZHcuHLKd:Parykxjvo0w0AzkKVeyj9S8r
Malware Config
Signatures

Detect Blackmoon payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/3040-2-0x0000000000400000-0x00000000015B8000-memory.dmp   family_blackmoon
  behavioral1/memory/3040-5-0x0000000000400000-0x00000000015B8000-memory.dmp   family_blackmoon
  behavioral1/memory/3040-52-0x0000000000400000-0x00000000015B8000-memory.dmp  family_blackmoon

Executes dropped EXE (1 IoCs)
  pid   Process
  2612  aow_dr.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
  3052  Process not Found

  resource                                                                     yara_rule
  behavioral1/memory/3040-2-0x0000000000400000-0x00000000015B8000-memory.dmp   vmprotect
  behavioral1/memory/3040-5-0x0000000000400000-0x00000000015B8000-memory.dmp   vmprotect
  behavioral1/memory/3040-52-0x0000000000400000-0x00000000015B8000-memory.dmp  vmprotect

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 3040 wrote to memory of 2696  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  28
  PID 3040 wrote to memory of 2696  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  28
  PID 3040 wrote to memory of 2696  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  28
  PID 3040 wrote to memory of 2696  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  28
  PID 3040 wrote to memory of 2612  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  30
  PID 3040 wrote to memory of 2612  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  30
  PID 3040 wrote to memory of 2612  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  30
  PID 3040 wrote to memory of 2612  3040  af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe  30
Processes

C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af51646b3b0016f198a61062c6505b2aff08826adee0aa04df5e3c7a4775798d.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3040

    C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ÏêϸʹÓÃ˵Ã÷.txt
      PID: 2696

    C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
      command line: C:\Users\Admin\AppData\Local\Temp\aow_dr.exe
      - Executes dropped EXE
      PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads