Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 18/05/2024, 01:36
Behavioral task: behavioral1
Sample: a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe
Resource: win7-20240508-en
General
Target: a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe
Size: 436KB
MD5: be39ea6aa5c3e1cb82262cc29207bec0
SHA1: ec1e745bf0e8f1fc8fda84590070bf535336be94
SHA256: a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6
SHA512: 86df5546c71e0ba5bb2ff67b5e22ea426fb880bf6821608203a95805551c24e66a116bb92ffee9590fa25179247b42ed0cdd3229bbbc7cf9ff93850e89d9f5d2
SSDEEP: 3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kQ:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWM
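Before acting on a sandbox verdict, confirm that the file in your hands is the file the report describes. The helper below is an added example, not part of the report: it hashes a byte stream with all four algorithms in a single pass and lists every digest that disagrees with the published values. The digests in `REPORT_HASHES` are copied from the General section above; the function names and the `compare` output format are my own.

```python
"""Cross-check a local file against the hashes a sandbox report publishes.

Added example. REPORT_HASHES holds the values from the report's General
section; everything else (function names, message format) is an assumption
of this example and not part of the report.
"""
import hashlib

REPORT_HASHES = {
    "md5": "be39ea6aa5c3e1cb82262cc29207bec0",
    "sha1": "ec1e745bf0e8f1fc8fda84590070bf535336be94",
    "sha256": "a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6",
    "sha512": (
        "86df5546c71e0ba5bb2ff67b5e22ea426fb880bf6821608203a95805551c24e6"
        "6a116bb92ffee9590fa25179247b42ed0cdd3229bbbc7cf9ff93850e89d9f5d2"
    ),
}


def hash_stream(chunks, algos=("md5", "sha1", "sha256", "sha512")):
    """Hash an iterable of byte chunks with every algorithm in one pass.

    Reading the file once and feeding all hashers matters for large samples;
    the result is a dict of lowercase hex digests keyed by algorithm name.
    """
    hashers = {algo: hashlib.new(algo) for algo in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in 1 MiB chunks without loading it whole."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def compare(actual, expected):
    """Return a list of mismatch descriptions; empty means every expected
    digest matched. Comparison is case-insensitive, and an algorithm the
    report lists but we did not compute is reported rather than ignored."""
    mismatches = []
    for algo, want in expected.items():
        got = actual.get(algo)
        if got is None:
            mismatches.append(f"{algo}: not computed")
        elif got.lower() != want.lower():
            mismatches.append(f"{algo}: got {got}, report says {want}")
    return mismatches


def verify_bytes(data, expected=REPORT_HASHES):
    """Convenience wrapper for in-memory data (used by the checks below)."""
    return compare(hash_stream([data]), expected)


def verify_file(path, expected=REPORT_HASHES):
    """Usage: verify_file('sample.exe') -> [] if it is the reported sample."""
    return compare(hash_file(path), expected)
```

Note that the two files listed under Downloads are 102B and 436KB; the 436KB one has the same size as the submitted sample but different MD5/SHA1/SHA256/SHA512, so size alone never identifies an artifact and each dropped file needs its own hash comparison.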
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x0007000000016c56-7.dat
  yara_rule: family_blackmoon
Deletes itself (1 IoC)
  pid 2676, Syslemyzmki.exe
Executes dropped EXE (1 IoC)
  pid 2676, Syslemyzmki.exe
Loads dropped DLL (2 IoCs)
  pid 1688, a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe (2 entries)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1688, a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe (8 entries)
  pid 2676, Syslemyzmki.exe (56 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1688 (a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe) wrote to memory of PID 2676, procid_target 29 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe (PID 1688)
  command line: "C:\Users\Admin\AppData\Local\Temp\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Syslemyzmki.exe (PID 2676, child of PID 1688)
    command line: "C:\Users\Admin\AppData\Local\Temp\Syslemyzmki.exe"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
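The signatures and process tree above describe a compact dropper chain: an executable in the user's Temp directory creates a second executable in the same directory, launches it, writes into the child's memory, and a file in the chain is deleted afterwards. The script below is an added example, not sandbox output or vendor detection logic: it runs three detection rules over constructed process telemetry shaped after the report (PIDs 1688 and 2676, the two image paths). The event schema (`type`, `pid`, `ppid`, `image`, `target_pid`, `path`) and the rule names are my assumptions; map them onto whatever your EDR or Sysmon pipeline emits.

```python
"""Detect a drop-execute-inject-delete chain in process telemetry.

Added example. EVENTS is CONSTRUCTED to mirror the report's process tree;
it is not sandbox output. The event field names and rule names are
assumptions of this example, not a real EDR schema.
"""
import re

# User-profile Temp directory, case-insensitive, any drive letter and user.
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a7c8eca6195903d4128789cbfddba7294205dc6646e8da2334d2e410111dfbd6.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Syslemyzmki.exe"

# Constructed telemetry: parent 1688 drops and runs 2676, writes to it,
# and a file in the chain is deleted. The parent PID 1200 is invented.
EVENTS = [
    {"type": "process_create", "pid": 1688, "ppid": 1200, "image": SAMPLE},
    {"type": "file_create", "pid": 1688, "path": DROPPED},
    {"type": "process_create", "pid": 2676, "ppid": 1688, "image": DROPPED},
    {"type": "write_process_memory", "pid": 1688, "target_pid": 2676},
    {"type": "write_process_memory", "pid": 1688, "target_pid": 2676},
    {"type": "file_delete", "pid": 2676, "path": SAMPLE},
]


def in_user_temp(path):
    """True when an image or file path lives under %LOCALAPPDATA%\\Temp."""
    return bool(TEMP_DIR_RE.match(path))


def triage(events):
    """Return a list of (rule, detail) findings, one per distinct relation.

    Rules:
      executes_dropped_exe       a process launches an EXE it created itself
      temp_to_temp_exec          both parent and child images sit in user Temp
      parent_writes_child_memory WriteProcessMemory from a parent into its child
      deletes_dropper            a process deletes its own image or its parent's
    """
    procs = {}        # pid -> {"image", "ppid"}
    dropped_by = {}   # lowercase file path -> pid that created it
    seen = set()      # dedupe repeated IoCs for the same relation
    findings = []

    def emit(rule, key, detail):
        if (rule, key) not in seen:
            seen.add((rule, key))
            findings.append((rule, detail))

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"]}
            parent = procs.get(ev["ppid"])
            image_key = ev["image"].lower()
            if dropped_by.get(image_key) == ev["ppid"]:
                emit("executes_dropped_exe", (ev["ppid"], image_key),
                     f"PID {ev['ppid']} dropped and launched {ev['image']} as PID {ev['pid']}")
            elif parent and in_user_temp(ev["image"]) and in_user_temp(parent["image"]):
                emit("temp_to_temp_exec", (ev["ppid"], image_key),
                     f"Temp-resident PID {ev['ppid']} launched Temp-resident {ev['image']}")
        elif kind == "file_create":
            dropped_by[ev["path"].lower()] = ev["pid"]
        elif kind == "write_process_memory":
            target = procs.get(ev["target_pid"])
            if target and target["ppid"] == ev["pid"]:
                emit("parent_writes_child_memory", (ev["pid"], ev["target_pid"]),
                     f"PID {ev['pid']} wrote to memory of its child PID {ev['target_pid']}")
        elif kind == "file_delete":
            path_key = ev["path"].lower()
            actor = procs.get(ev["pid"], {})
            for pid, proc in procs.items():
                if proc["image"].lower() != path_key:
                    continue
                if pid == ev["pid"] or actor.get("ppid") == pid:
                    emit("deletes_dropper", (ev["pid"], path_key),
                         f"PID {ev['pid']} deleted image of PID {pid}: {ev['path']}")
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"[{rule}] {detail}")
```

The four identical WriteProcessMemory IoCs in the report collapse into a single finding here because the relation (writer, target) is what matters for alerting; keep the raw count in the evidence, not in the alert. The Temp-to-Temp rule is a weaker fallback for cases where file-create telemetry is missing, so it is only evaluated when the stronger dropped-and-executed rule did not fire.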
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 102B
  MD5: 006bf0320e353a01bfe26f4c485efc10
  SHA1: 450d23111c59bae7d462e6b6ad9594fe2be532f3
  SHA256: 37b04c5798505268aac74ae4ed31bde8fba5c9bd2c7e64c5f5717c07bac7a038
  SHA512: 692e9911379b993c1d14f1ba6a81d3c97052ac8969ac942af1b4064030d1eb28482f0ec88d0008968852ed686bf49c18960771ea2421dc8135977ca874ef55d6
File 2
  Filesize: 436KB
  MD5: 8a01a9b4f6c118ff7fb6dad6b52a5449
  SHA1: 265014515a667487085a29aea8f44808f8510c63
  SHA256: 3cc7fd9fc46d28d6e81e901400c3f4ca0be70b06b2331fc5c54173797988bfb8
  SHA512: 54b0165c81730e9f26b10eac40b8ad6ae5ca97969e7bb9c743fe51c6f54af785cba67ad09ef30c291f7c5c7af96f09d30db0d7fc090c5ad36ab8d66bf9bedfe4