7bd000df2bf9b233836e7b718c967a6477adfb27bf2edb95313b6a30df191971

Analysis

max time kernel
140s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black Project free/Black Project free.exe
Size

134KB
MD5

90485b80afeb10e4b7c0cdaa9debe03e
SHA1

d973b65b1634b5f964792bfc0d61cbcdcbd46f5c
SHA256

f3f455267b6436ecab5c82d4b7ad2fe09c7600cd447eb17bd3f2fafba7a755ae
SHA512

90c2b6134a0c5ef202f0ad2d3409975d0a75d0144752e4a0ca11baafc714b7b77f120bfacef901535940281ae282634564947ccd05df446343e68bf618e92597
SSDEEP

3072:g8B9qTvDWIGoJriZqVvum5R5m2AQ0m6mFijaVN:g5TrWIrZiium5R1A9Zm

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahmedatef.exe	Black Project free.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahmedatef.exe	Black Project free.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	pastebin.com
39	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	Black Project free.exe
Token: SeRestorePrivilege	3532	dw20.exe
Token: SeBackupPrivilege	3532	dw20.exe
Token: SeBackupPrivilege	3532	dw20.exe
Token: SeBackupPrivilege	3532	dw20.exe
Token: SeBackupPrivilege	3532	dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3532	2884	Black Project free.exe	100
PID 2884 wrote to memory of 3532	2884	Black Project free.exe	100
PID 2884 wrote to memory of 3532	2884	Black Project free.exe	100

C:\Users\Admin\AppData\Local\Temp\Black Project free\Black Project free.exe
"C:\Users\Admin\AppData\Local\Temp\Black Project free\Black Project free.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1660
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-3-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/2884-4-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2884-12-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads