Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 01:52

Static task: static1
Behavioral task: behavioral1
Sample: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
Resource: win7-20240220-en
General
- Target: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
- Size: 294KB
- MD5: 358e8aca62af3968c2468ea48ab51666
- SHA1: f56a9aeac008bbb6b7f55ab2724fb62ecf7141cf
- SHA256: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525
- SHA512: c930f4d75ec28cbb3284e94133c727bd4dd3dc55ba1fc765b5c7bfd1a910289eec6e66345b936713f3ccb079675a137f6ddc941d15a678c1c85e6d71499d0f63
- SSDEEP: 6144:CDm7mfz+SOkynqxlZw3wWTEYZvjBNbGagbE567V9KKSwhOg:CDm7W+WpHZw3wYlZvNwK6B9K3w3
Malware Config
Signatures
- Detect Blackmoon payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2860-0-0x0000000000540000-0x000000000056E000-memory.dmp | family_blackmoon
  behavioral1/memory/1840-6-0x0000000000770000-0x000000000079E000-memory.dmp | family_blackmoon
  behavioral1/memory/2860-8-0x0000000000540000-0x000000000056E000-memory.dmp | family_blackmoon
  behavioral1/memory/1840-45-0x0000000000770000-0x000000000079E000-memory.dmp | family_blackmoon

- UPX dump on OEP (original entry point) (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1840-9-0x00000000002E0000-0x00000000002EB000-memory.dmp | UPX
  behavioral1/memory/1840-10-0x00000000002E0000-0x00000000002EB000-memory.dmp | UPX
  behavioral1/memory/1840-11-0x00000000021C0000-0x00000000021CB000-memory.dmp | UPX
  behavioral1/memory/1840-14-0x00000000021C0000-0x00000000021CB000-memory.dmp | UPX
  behavioral1/memory/1840-46-0x00000000002E0000-0x00000000002EB000-memory.dmp | UPX
  behavioral1/memory/1840-47-0x00000000021C0000-0x00000000021CB000-memory.dmp | UPX

- Deletes itself (1 IoC)
  pid | process
  1736 | cmd.exe

- Executes dropped EXE (1 IoC)
  pid | process
  1840 | JYjvVGD.exe

- Loads dropped DLL (1 IoC)
  pid | process
  2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe

- (signature name missing in source)
  resource | yara_rule
  behavioral1/memory/1840-9-0x00000000002E0000-0x00000000002EB000-memory.dmp | upx
  behavioral1/memory/1840-10-0x00000000002E0000-0x00000000002EB000-memory.dmp | upx
  behavioral1/memory/1840-11-0x00000000021C0000-0x00000000021CB000-memory.dmp | upx
  behavioral1/memory/1840-14-0x00000000021C0000-0x00000000021CB000-memory.dmp | upx
  behavioral1/memory/1840-46-0x00000000002E0000-0x00000000002EB000-memory.dmp | upx
  behavioral1/memory/1840-47-0x00000000021C0000-0x00000000021CB000-memory.dmp | upx

- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\JYjvVGD.exe | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  File opened for modification | C:\Windows\SysWOW64\JYjvVGD.exe | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | process
  2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe
  1840 | JYjvVGD.exe

- Suspicious behavior: RenamesItself (1 IoC)
  pid | process
  2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1840 | JYjvVGD.exe
  Token: SeDebugPrivilege | 1840 | JYjvVGD.exe
  Token: SeDebugPrivilege | 1840 | JYjvVGD.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  1840 | JYjvVGD.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2860 wrote to memory of 1840 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | JYjvVGD.exe
  PID 2860 wrote to memory of 1840 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | JYjvVGD.exe
  PID 2860 wrote to memory of 1840 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | JYjvVGD.exe
  PID 2860 wrote to memory of 1840 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | JYjvVGD.exe
  PID 2860 wrote to memory of 1736 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | cmd.exe
  PID 2860 wrote to memory of 1736 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | cmd.exe
  PID 2860 wrote to memory of 1736 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | cmd.exe
  PID 2860 wrote to memory of 1736 | 2860 | b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe | cmd.exe
  PID 1736 wrote to memory of 1620 | 1736 | cmd.exe | PING.EXE
  PID 1736 wrote to memory of 1620 | 1736 | cmd.exe | PING.EXE
  PID 1736 wrote to memory of 1620 | 1736 | cmd.exe | PING.EXE
  PID 1736 wrote to memory of 1620 | 1736 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe"
  PID: 2860
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\JYjvVGD.exe
    Command line: -auto \/.\C:\Windows\/syStEm32//JYjvVGD.exe
    PID: 1840
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
    PID: 1736
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      PID: 1620
      - Runs ping.exe