Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 18:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
- Resource: win7-20240221-en

General
- Target: 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
- Size: 280KB
- MD5: 592ec0af016e173c46dfd1636bb99ad7
- SHA1: 555d8de445852c67ae69dee7c1ddda750bb27316
- SHA256: 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f
- SHA512: 938b5d2f0c7f8ea3cb26372c719a169fca0e30e5b43ce0f09a66a1cc354ce672fc9795470214e82df0f4b23fd0d07b0eca38767b687dd0fbbd264be7188ba45a
- SSDEEP: 6144:xnC1Xm2LQJEumPvf9Yik7vDyObWO9feEzqnedNBIal9J+:xC1Xm+QJEIy8WEzqM
Malware Config
Signatures

- Detect Blackmoon payload (6 IoCs)
  yara_rule family_blackmoon matched in the following memory regions:
  behavioral2/memory/1880-0-0x0000000002180000-0x00000000021AE000-memory.dmp
  behavioral2/memory/992-5-0x00000000025E0000-0x000000000260E000-memory.dmp
  behavioral2/memory/1880-7-0x0000000002180000-0x00000000021AE000-memory.dmp
  behavioral2/memory/992-11-0x00000000025E0000-0x000000000260E000-memory.dmp
  behavioral2/memory/4844-12-0x0000000000740000-0x000000000076E000-memory.dmp
  behavioral2/memory/4844-48-0x0000000000740000-0x000000000076E000-memory.dmp

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe:
  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation

- Executes dropped EXE (2 IoCs)
  PID 992: IxKNxNrx.exe
  PID 4844: IxKNxNrx.exe

- yara_rule upx matched in the following memory regions (signature name not present on the page):
  behavioral2/memory/4844-13-0x00000000021A0000-0x00000000021AB000-memory.dmp
  behavioral2/memory/4844-14-0x00000000021A0000-0x00000000021AB000-memory.dmp
  behavioral2/memory/4844-15-0x0000000004510000-0x000000000451B000-memory.dmp
  behavioral2/memory/4844-18-0x0000000004510000-0x000000000451B000-memory.dmp
  behavioral2/memory/4844-49-0x00000000021A0000-0x00000000021AB000-memory.dmp
  behavioral2/memory/4844-50-0x0000000004510000-0x000000000451B000-memory.dmp

- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\IxKNxNrx.exe, by 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
  File opened for modification: C:\Windows\SysWOW64\IxKNxNrx.exe, by 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
  File created: C:\Windows\system32\IxKNxNrx.exe, by IxKNxNrx.exe
  File opened for modification: C:\Windows\system32\IxKNxNrx.exe, by IxKNxNrx.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID 1880 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe (18 events)
  PID 992 IxKNxNrx.exe (24 events)
  PID 4844 IxKNxNrx.exe (20 events)

- Suspicious behavior: RenamesItself (1 IoC)
  PID 1880 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 4844 IxKNxNrx.exe (3 events)

- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1880 992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
  PID 992 IxKNxNrx.exe
  PID 4844 IxKNxNrx.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1880 (992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe) wrote to memory of PID 992 (IxKNxNrx.exe) (3 events)
  PID 1880 (992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe) wrote to memory of PID 2296 (cmd.exe) (3 events)
  PID 2296 (cmd.exe) wrote to memory of PID 928 (PING.EXE) (3 events)
  PID 992 (IxKNxNrx.exe) wrote to memory of PID 4844 (IxKNxNrx.exe) (3 events)
Processes (indentation shows the parent/child tree)

- C:\Users\Admin\AppData\Local\Temp\992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\992e0452dd58f031ca85ffd4d9f68a26fb91fb44778044d6a74bd09bfb4d629f.exe"
  PID: 1880
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\IxKNxNrx.exe
    Command line: -auto C:\Windows\system32\\IxKNxNrx.exe
    PID: 992
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\IxKNxNrx.exe
      Command line: -troj
      PID: 4844
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
    PID: 2296
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      PID: 928
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15