Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
23-05-2024 04:43
Behavioral task
behavioral1
Sample
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Resource
win7-20240221-en
General
-
Target
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
-
Size
9.5MB
-
MD5
7757ee8cf24323b67fb5a40802fb2f36
-
SHA1
8e9625603b39809eeadcc68ff533c1fe9a7ed010
-
SHA256
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
-
SHA512
ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
-
SSDEEP
196608:ZjVJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZxODKlFBqHayOclfhRQIG2c
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe family_blackmoon
\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe family_blackmoon
-
Executes dropped EXE 2 IoCs
Processes:
pid process
2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2848 ÀíÏëħÓò.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid process
2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Token: SeDebugPrivilege 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid process
2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
2848 ÀíÏëħÓò.exe
2848 ÀíÏëħÓò.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 2744 wrote to memory of 2892 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2744 wrote to memory of 2892 2744 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
PID 2892 wrote to memory of 2848 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe ÀíÏëħÓò.exe
PID 2892 wrote to memory of 2848 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe ÀíÏëħÓò.exe
PID 2892 wrote to memory of 2848 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe ÀíÏëħÓò.exe
PID 2892 wrote to memory of 2848 2892 31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe ÀíÏëħÓò.exe
Processes
-
1: C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
2: C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
3: C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe
"C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\Desktop\ÀíÏëħÓò.lnk
Filesize
1KB
MD5
5742615f75b6ea2f3b7c2545f96c7b15
SHA1
3e5f3a378d2a4b7f760990cd0290d3730fda2088
SHA256
beabb4b53b3f47b24805879ef94a519dbbc13db32bc54b8fba2b4aaac8089998
SHA512
8c5b4d91e70d3d1c7aa4a80858fd5a94e3b838ac5e6f9378907019df8b39b21f9f5a357f9a8fc57abdce2dbdd86ced400694d1b9d4c6de19bb2f1951b81574fe
-
\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
Filesize
9.5MB
MD5
7757ee8cf24323b67fb5a40802fb2f36
SHA1
8e9625603b39809eeadcc68ff533c1fe9a7ed010
SHA256
31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
SHA512
ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
-
\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe
Filesize
9.0MB
MD5
d796dca47874d2848f19ba80859a1dbb
SHA1
7a6def1eab1a93ef93a4182f22c0a7eedb2f0314
SHA256
413ca8a2b0be9632c2f626f9e8b630e3985adf011102e563462fc9d092f18ef6
SHA512
506c6d3e41bc5e212068383ff790bc4a871af36008d47c956528e5901e85a5df21002cdb665f967f6f5b690dc961ac7d65a11b61a8527a98b025507c3dfd1734