Analysis

max time kernel: 152s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 22:58
Behavioral task
behavioral1
Sample
6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe
Resource
win7-20240221-en
General

Target: 6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe
Size: 440KB
MD5: d5c59bea6aa23227033e38138885fe11
SHA1: 7d759e7c38529e91905adedced3b50c71cace6af
SHA256: 6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4
SHA512: f58c9cf643f23df82422f589405fb2534b586cb6d22fbb14201fb16d0356fc4b8dd93bcdce2cd6674ec07b6e3d68bef8ca80fd2b77f92904fa60c2b2a0a1cd1a
SSDEEP: 6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAT:xgXQKSLpOCtV0R8xMSaAT
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
  resource                                          yara_rule
  \Users\Admin\AppData\Local\Temp\Syslemgaybv.exe   family_blackmoon

Deletes itself (1 IoC)
  pid    process
  2680   Syslemgaybv.exe

Executes dropped EXE (1 IoC)
  pid    process
  2680   Syslemgaybv.exe

Loads dropped DLL (2 IoCs)
  pid    process
  1936   6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe
  1936   6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process
  1936   6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe   (8 entries)
  2680   Syslemgaybv.exe                                                        (56 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid    process                                                                  target process
  PID 1936 wrote to memory of 2680     1936   6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe   Syslemgaybv.exe   (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe"
  PID: 1936
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Syslemgaybv.exe (child of PID 1936)
    command line: "C:\Users\Admin\AppData\Local\Temp\Syslemgaybv.exe"
    PID: 2680
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
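The export flattens each signature's pid/process table and the "PID X wrote to memory of Y" rows onto single lines, and repeats one row per IoC, which is why the EnumeratesProcesses block runs to 64 entries. As an added example (this is not part of the sandbox output or of any Tria.ge tooling), the Python below parses a copy of those rows back into a per-process signature summary, a writer-to-target graph for the WriteProcessMemory hits, a list of blocks whose declared IoC count does not match the rows present, and the dropped executables that also self-delete. The input string is constructed from the rows on this page with the 64-row EnumeratesProcesses block abbreviated to four rows; the function names and the `RECORDS` layout are this example's own assumptions.

```python
"""Parse flattened sandbox signature rows (pid/process tables and
"PID X wrote to memory of Y" rows) into per-process summaries."""
import re
from collections import defaultdict

# Constructed input: the signature blocks from the report above, each block
# flattened onto one line the way the export shows them. The
# EnumeratesProcesses block (64 rows in the report) is abbreviated to four
# rows here; its header keeps the declared count so the two can be compared.
SAMPLE = "6c51affaebfd462bb1874140dbb82925e28c1fb1a01e1898f6589ba550b70ea4.exe"
DROPPED = "Syslemgaybv.exe"
WPM_ROW = f"PID 1936 wrote to memory of 2680 1936 {SAMPLE} {DROPPED}"
RECORDS = "\n".join([
    "Deletes itself 1 IoCs",
    f"pid process 2680 {DROPPED}",
    "Executes dropped EXE 1 IoCs",
    f"pid process 2680 {DROPPED}",
    "Loads dropped DLL 2 IoCs",
    f"pid process 1936 {SAMPLE} 1936 {SAMPLE}",
    "Suspicious behavior: EnumeratesProcesses 64 IoCs",
    f"pid process 1936 {SAMPLE} 1936 {SAMPLE} 2680 {DROPPED} 2680 {DROPPED}",
    "Suspicious use of WriteProcessMemory 4 IoCs",
    "description pid process target process " + " ".join([WPM_ROW] * 4),
])

HEADER_RE = re.compile(r"^(?P<name>.+?) (?P<count>\d+) IoCs$")
PID_PROC_RE = re.compile(r"(\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_records(text):
    """Return (declared, hits, writes).
    declared: signature -> IoC count taken from the block header
    hits:     signature -> list of (pid, image) rows actually present
    writes:   list of (src_pid, src_image, dst_pid, dst_image)
    """
    declared, hits, writes = {}, defaultdict(list), []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            declared[current] = int(m.group("count"))
        elif current is None:
            continue
        elif "wrote to memory of" in line:
            for src, dst, src_img, dst_img in WPM_RE.findall(line):
                writes.append((int(src), src_img, int(dst), dst_img))
                hits[current].append((int(src), src_img))
        elif line.startswith("pid process"):
            for pid, img in PID_PROC_RE.findall(line[len("pid process"):]):
                hits[current].append((int(pid), img))
    return declared, dict(hits), writes


def summarize(hits):
    """Collapse repeated rows into {(pid, image): {signature: row_count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for sig, rows in hits.items():
        for row in rows:
            summary[row][sig] += 1
    return {proc: dict(sigs) for proc, sigs in summary.items()}


def write_graph(writes):
    """Writer pid -> sorted target pids, duplicate IoC rows collapsed to one
    edge. For this report the single edge (1936 -> 2680) points the same way
    as the process tree: the dropper writes into the process it spawned."""
    graph = defaultdict(set)
    for src, _, dst, _ in writes:
        graph[src].add(dst)
    return {src: sorted(dsts) for src, dsts in graph.items()}


def truncated_blocks(declared, hits):
    """Signatures whose declared IoC count differs from the rows present,
    i.e. blocks that were abbreviated (here: the constructed input)."""
    return {sig: (declared[sig], len(hits.get(sig, [])))
            for sig in declared if declared[sig] != len(hits.get(sig, []))}


def transient_payloads(summary):
    """Images flagged both 'Executes dropped EXE' and 'Deletes itself': the
    on-disk copy is gone after the run, so collect it from the sandbox's
    dropped-file list rather than from the VM's disk."""
    return sorted(img for (_pid, img), sigs in summary.items()
                  if "Executes dropped EXE" in sigs and "Deletes itself" in sigs)


if __name__ == "__main__":
    declared, hits, writes = parse_records(RECORDS)
    summary = summarize(hits)
    for proc, sigs in sorted(summary.items()):
        print(proc, sigs)
    print("write graph:", write_graph(writes))
    print("abbreviated blocks:", truncated_blocks(declared, hits))
    print("self-deleting dropped EXEs:", transient_payloads(summary))
```

Feeding the full 64-row EnumeratesProcesses line instead of the abbreviated one makes `truncated_blocks` return an empty dict; a non-empty result on a real export is the cue that the page, not the sandbox, dropped rows.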
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 102B
MD5: a6792ef1175f12b6d58aa4a75103977d
SHA1: edb10ec20b3be6a3f99b561031bdfa3797e14128
SHA256: dad7bac1a417831992757964d570f20343837d856dd8d5e5cde6a84b37c58f2f
SHA512: 75d9877a0ce4924f5bbf347656ac48670e84e0db64e4d08ef50c329aa97198dd22054b5b5f6120cd4822a2052d379f878f5fb47cdd8bc9f6cd9d61da25fc01bf

Filesize: 440KB
MD5: b6b3215e18ffeac89ec0bcf237863ecf
SHA1: f509c78ef062ce73f84ebe0e29e91f47a40e1fd1
SHA256: efb038ba8853e26d75d077afdcfad9afef89c7a09d37c988a146d121f3ecf0fa
SHA512: 0bf0061a087007add1006cb9f98d5e2d9b47b99434b31c63d98ca6b4caf032b603f2547266a786e667ec297f07abbb70e94508f60296e93f5cb39d3fd478d18f

Note: the second download has the same size (440KB) as the submitted sample but a different hash set, so it is not a byte-identical copy of the sample; check the dropped file's hashes against the ones listed here rather than against the sample's.