Analysis
max time kernel: 134s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 01:52
Static task: static1
Behavioral task: behavioral1
Sample: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
Resource: win7-20240220-en
General
Target: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
Size: 294KB
MD5: 358e8aca62af3968c2468ea48ab51666
SHA1: f56a9aeac008bbb6b7f55ab2724fb62ecf7141cf
SHA256: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525
SHA512: c930f4d75ec28cbb3284e94133c727bd4dd3dc55ba1fc765b5c7bfd1a910289eec6e66345b936713f3ccb079675a137f6ddc941d15a678c1c85e6d71499d0f63
SSDEEP: 6144:CDm7mfz+SOkynqxlZw3wWTEYZvjBNbGagbE567V9KKSwhOg:CDm7W+WpHZw3wYlZvNwK6B9K3w3
Malware Config
Signatures
-
Detect Blackmoon payload 6 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1952-0-0x00000000021D0000-0x00000000021FE000-memory.dmp   family_blackmoon
  behavioral2/memory/2672-5-0x0000000002050000-0x000000000207E000-memory.dmp   family_blackmoon
  behavioral2/memory/1952-7-0x00000000021D0000-0x00000000021FE000-memory.dmp   family_blackmoon
  behavioral2/memory/2672-11-0x0000000002050000-0x000000000207E000-memory.dmp  family_blackmoon
  behavioral2/memory/2188-12-0x00000000005F0000-0x000000000061E000-memory.dmp  family_blackmoon
  behavioral2/memory/2188-48-0x00000000005F0000-0x000000000061E000-memory.dmp  family_blackmoon
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2188-13-0x0000000000500000-0x000000000050B000-memory.dmp  UPX
  behavioral2/memory/2188-14-0x0000000000500000-0x000000000050B000-memory.dmp  UPX
  behavioral2/memory/2188-15-0x0000000004420000-0x000000000442B000-memory.dmp  UPX
  behavioral2/memory/2188-18-0x0000000004420000-0x000000000442B000-memory.dmp  UPX
  behavioral2/memory/2188-49-0x0000000000500000-0x000000000050B000-memory.dmp  UPX
  behavioral2/memory/2188-50-0x0000000004420000-0x000000000442B000-memory.dmp  UPX
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
-
Executes dropped EXE 2 IoCs
Processes: JYjvVGD.exe, JYjvVGD.exe
  pid   process
  2672  JYjvVGD.exe
  2188  JYjvVGD.exe
-
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2188-13-0x0000000000500000-0x000000000050B000-memory.dmp  upx
  behavioral2/memory/2188-14-0x0000000000500000-0x000000000050B000-memory.dmp  upx
  behavioral2/memory/2188-15-0x0000000004420000-0x000000000442B000-memory.dmp  upx
  behavioral2/memory/2188-18-0x0000000004420000-0x000000000442B000-memory.dmp  upx
  behavioral2/memory/2188-49-0x0000000000500000-0x000000000050B000-memory.dmp  upx
  behavioral2/memory/2188-50-0x0000000004420000-0x000000000442B000-memory.dmp  upx
-
Drops file in System32 directory 4 IoCs
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe, JYjvVGD.exe
  description                   ioc                                  process
  File created                  C:\Windows\SysWOW64\JYjvVGD.exe      b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  File opened for modification  C:\Windows\SysWOW64\JYjvVGD.exe      b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  File created                  C:\Windows\syStEm32\JYjvVGD.exe      JYjvVGD.exe
  File opened for modification  C:\Windows\syStEm32\JYjvVGD.exe      JYjvVGD.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe, JYjvVGD.exe, JYjvVGD.exe
  pid   process                                                                hits
  1952  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe  4
  2672  JYjvVGD.exe                                                            10
  2188  JYjvVGD.exe                                                            6
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  pid   process
  1952  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: JYjvVGD.exe
  description               pid   process      hits
  Token: SeDebugPrivilege   2188  JYjvVGD.exe  3
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe, JYjvVGD.exe, JYjvVGD.exe
  pid   process
  1952  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
  2672  JYjvVGD.exe
  2188  JYjvVGD.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe, cmd.exe, JYjvVGD.exe
  description                       pid   process                                                                target process  hits
  PID 1952 wrote to memory of 2672  1952  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe  JYjvVGD.exe     3
  PID 1952 wrote to memory of 5016  1952  b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe  cmd.exe         3
  PID 5016 wrote to memory of 4432  5016  cmd.exe                                                                PING.EXE        3
  PID 2672 wrote to memory of 2188  2672  JYjvVGD.exe                                                            JYjvVGD.exe     3
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1952
    [depth 2] C:\Windows\SysWOW64\JYjvVGD.exe
        command line: -auto \/.\C:\Windows\/syStEm32//JYjvVGD.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2672
        [depth 3] C:\Windows\syStEm32\JYjvVGD.exe
            command line: -troj
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 2188
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
        - Suspicious use of WriteProcessMemory
        PID: 5016
        [depth 3] C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 2 127.0.0.1
            - Runs ping.exe
            PID: 4432
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 294KB
MD5: 358e8aca62af3968c2468ea48ab51666
SHA1: f56a9aeac008bbb6b7f55ab2724fb62ecf7141cf
SHA256: b71ed1f09e16ce89c7ea9b64feba1e8d39b8103191062ec3f85dc8a689ac3525
SHA512: c930f4d75ec28cbb3284e94133c727bd4dd3dc55ba1fc765b5c7bfd1a910289eec6e66345b936713f3ccb079675a137f6ddc941d15a678c1c85e6d71499d0f63