Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 20:08
Behavioral task
behavioral1
Sample
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
Resource
win7-20240221-en
General
-
Target
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe
-
Size
4.5MB
-
MD5
6053aaa74236170b3b6e4604e377e0b5
-
SHA1
1983a0e088727ee5ceaa0386de81f08e8dddd022
-
SHA256
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3
-
SHA512
cb0dd2dcd0a97fcaf65153e5ca54d3bd3d19bc22c8e507571f2f1a5f2b8be9f944ee1ef3d14a62eb503cabe0f2041b8193b7562ac22ea6ea6422859f10e854b3
-
SSDEEP
98304:hS5bmig2VCnxwWFUYTY25p/Fmj6dcKgosI10K991TOvFKlz1us3iYzW:WbBQnywfjFme+rodyQAKlwy
Malware Config
Signatures
-
Detect Blackmoon payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2864-19-0x0000000000400000-0x0000000000891000-memory.dmp family_blackmoon -
Executes dropped EXE 1 IoCs
Processes:
behwg.behwgcpid process 2604 behwg.behwgc -
Loads dropped DLL 2 IoCs
Processes:
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exepid process 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exepid process 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exedescription pid process target process PID 2864 wrote to memory of 2604 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe behwg.behwgc PID 2864 wrote to memory of 2604 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe behwg.behwgc PID 2864 wrote to memory of 2604 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe behwg.behwgc PID 2864 wrote to memory of 2604 2864 00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe behwg.behwgc
Processes
-
C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe"C:\Users\Admin\AppData\Local\Temp\00c28885f9f24c7ea2f2846a1fe26c01d4e5adbe6a67d5e93f9f0d7e87b990d3.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\behwg.behwgcC:\Users\Admin\AppData\Local\Temp\behwg.behwgc --2⤵
- Executes dropped EXE
PID:2604
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD557466db9c3fcba2b38c5298d0624f02f
SHA15e185aa3af4ebd0121a0051a51fa9674df91bddd
SHA256d5005cb019f62c8444a7144fd58f804aafd0908a3418eb8c3363f3f3535914eb
SHA5123eef333b9eeff8d09defa7584e7f957a9ac4a2e89308ef0e8456741ce461264c8f5ff36375b2f2503b9b7072f92875c73a97e16a29efa1da6705074d2cae755f
-
Filesize
2.8MB
MD551278d4c79465ef2bf1d60b16e0538a2
SHA16fd9de82fd0779c0fbff745e66236044949a857b
SHA25650926ed37fdb9f6f5d8e62799c4f2d0f6b8dcc7be06353ff558e459cb1dbe4b3
SHA512122af007134a4f3ec3994d683bf5f5f237b1e009f90ad791aa5e3358e9d7d516925dd2fbdbdd3e2784cdc886cec96ad721eefc87a736d10dee9348c046d83e2f