Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:35
Behavioral tasks

behavioral1
  Sample: 20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  Resource: win7-20231129-en

behavioral2
  Sample: 20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  Resource: win10v2004-20231222-en
General

Target: 20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
Size: 4.7MB
MD5: f05debf54fe5722d9430887cc806146f
SHA1: 587b8c06feb2ef924ddc2b3d098a55c786ef26c5
SHA256: d2fcd69ea514d5d72f88f86f3605d8559f1f94be3c064ee57e2f23bccb7b4961
SHA512: 29c5ae6eade8a098492bf6dde6d4fa6d05c51dd179031a321fc254c053ac8055c6d0fdd56d5f3bb60a1985b777d48e0b89029bcfe403c82c3c90b6543f76f9f6
SSDEEP: 49152:HMwN00ppnsoBTKtKXzdFo8hnK6xPLeBsVu9Cdca7t47FUHhKbieBHuzZ/S9fJpil:swN9V/TKWfxlcsAAd9OOk2WCZ/kjou6
Malware Config
Signatures

Detect Blackmoon payload (1 IoC)
  resource                                    yara_rule
  behavioral1/files/0x000c0000000126af-4.dat  family_blackmoon

Executes dropped EXE (1 IoC)
  pid   Process
  2224  TPHelper.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2224  TPHelper.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process                                                      procid_target
  PID 2380 wrote to memory of 2224    2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe  28
  PID 2380 wrote to memory of 2224    2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe  28
  PID 2380 wrote to memory of 2224    2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe  28
  PID 2380 wrote to memory of 2224    2380  20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\20240106f05debf54fe5722d9430887cc806146fhacktoolsicedid.exe"
   PID: 2380
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\TPHelper.exe (child of PID 2380)
      Command line: C:\Users\Admin\AppData\Local\Temp\\TPHelper.exe
      PID: 2224
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 385KB
  MD5: 35ad2688f70633fe65f435f7aac8391f
  SHA1: d0fd9ea0fa3836688064f50d5c96f281e2830b42
  SHA256: 1b0482ba2c3c72a71508a009c881c1f45193a7b3987d3f76b8cf43263cc78cec
  SHA512: 4d157e8b0429a1f3b167bd7d6302435bf436b253e6cc1043e4e0e34bd2094a658f13846b18f99bc968e74fdd0a1f52de1e073afffad3049d5f458e0f7bc3b4b4

File 2
  Filesize: 92KB
  MD5: def3b0579cea1e1bcd6c30a818f0a2e5
  SHA1: e57da62fd32d02725eebb27bae3f830ce4148f1d
  SHA256: d81a87646314713e9242650e72e442e8a306864ba6f0a615e215828b0cf23756
  SHA512: 4b17880768a1c72856940350416381496d60b2feb0f6274d141c4ce2d7a7da64a534debdeb5651e76440a742c4767df3ff0315841a466330b3010f47bc5175f6

File 3
  Filesize: 382KB
  MD5: a413d742ab8168ddf9ca8a12df5757f3
  SHA1: 96e4fae4ed92d83126aeeb3d207491c64bea903a
  SHA256: 25f508f415a9890f2da568cd830499334c340fc88a840cd1b77862182f63d753
  SHA512: 88eca809348c15924b4627d675e5423073e6760d26d1fd4946c5a4001bea2d4406e3836d787790ec85d0ad3a5acbf25bbe932043a93040564feaf7d29d95eabd