Analysis

  max time kernel:   150s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         23-05-2024 04:43

Behavioral task: behavioral1

  Sample:    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Resource:  win7-20240221-en
General

  Target:  31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Size:    9.5MB
  MD5:     7757ee8cf24323b67fb5a40802fb2f36
  SHA1:    8e9625603b39809eeadcc68ff533c1fe9a7ed010
  SHA256:  31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
  SHA512:  ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
  SSDEEP:  196608:ZjVJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZxODKlFBqHayOclfhRQIG2c
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)

  resource                                                                                                     yara_rule
  C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe  family_blackmoon
  C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe                                                           family_blackmoon

Executes dropped EXE (2 IoCs)

  pid    process
  756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  1816   ÀíÏëħÓò.exe

Reads user/profile data of web browsers (2 TTPs)

  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)

  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (5 IoCs)

  description               pid    process
  Token: SeDebugPrivilege   264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Token: SeDebugPrivilege   264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Token: SeDebugPrivilege   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Token: SeDebugPrivilege   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Token: SeDebugPrivilege   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of FindShellTrayWindow (2 IoCs)

  pid    process
  756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SendNotifyMessage (2 IoCs)

  pid    process
  756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe

Suspicious use of SetWindowsHookEx (4 IoCs)

  pid    process
  264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  1816   ÀíÏëħÓò.exe
  1816   ÀíÏëħÓò.exe

Suspicious use of WriteProcessMemory (6 IoCs)

  description                       pid    process                                                                  target process
  PID 264 wrote to memory of 756    264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  PID 264 wrote to memory of 756    264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  PID 264 wrote to memory of 756    264    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  PID 756 wrote to memory of 1816   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    ÀíÏëħÓò.exe
  PID 756 wrote to memory of 1816   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    ÀíÏëħÓò.exe
  PID 756 wrote to memory of 1816   756    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe    ÀíÏëħÓò.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe  (PID 264)
   command line: "C:\Users\Admin\AppData\Local\Temp\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe  (PID 756, child of 264)
      command line: "C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe  (PID 1816, child of 756)
         command line: "C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
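The chain the tree shows (a first stage in Temp, a same-named copy launched from %AppData%\Roaming\ÀíÏëħÓò\, then a second EXE launched from that directory, with SeDebugPrivilege enabled in the first two stages and WriteProcessMemory from each parent into the child it spawned) is the sequence a hunter would want to pull out of endpoint process telemetry. The script below is an added example, not part of the sandbox report and not the sample's own code: it encodes the report's PIDs, images, privilege adjustments and memory-write targets as a hand-constructed event list (the event schema is assumed, and the report does not give event ordering) and extracts the two findings from it.

```python
"""Pull hunting findings out of the process events this report lists.

Added example; it is not part of the sandbox report. EVENTS is constructed
by hand from the report's Processes and Signatures sections, and the event
shape (type / pid / ppid / image / target / priv) is an assumed, simplified
telemetry format rather than the sandbox's own schema.
"""
from pathlib import PureWindowsPath

SAMPLE = "31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò"   # directory name exactly as the report prints it
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


def wpath(directory, name):
    """Join a Windows path without running into raw-string trailing-backslash issues."""
    return str(PureWindowsPath(directory, name))


# Constructed from the report: PIDs, images, privilege adjustments and
# WriteProcessMemory targets are the ones it lists; the order is assumed.
EVENTS = [
    {"type": "create", "pid": 264, "ppid": None, "image": wpath(TEMP_DIR, SAMPLE)},
    {"type": "privilege", "pid": 264, "priv": "SeDebugPrivilege"},
    {"type": "create", "pid": 756, "ppid": 264, "image": wpath(DROP_DIR, SAMPLE)},
    {"type": "wpm", "pid": 264, "target": 756},
    {"type": "privilege", "pid": 756, "priv": "SeDebugPrivilege"},
    {"type": "create", "pid": 1816, "ppid": 756, "image": wpath(DROP_DIR, "ÀíÏëħÓò.exe")},
    {"type": "wpm", "pid": 756, "target": 1816},
]


def process_table(events):
    """pid -> (ppid, image), built from process-creation events only."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "create"}


def find_self_copy_launches(events):
    """Children whose image has the same file name as the parent's image but lives in a
    different directory under %AppData%\\Roaming: the report's Temp -> Roaming hop.
    Returns [(parent_pid, child_pid)]."""
    procs = process_table(events)
    hits = []
    for pid, (ppid, image) in procs.items():
        if ppid not in procs:          # root of the tree, nothing to compare against
            continue
        child, parent = PureWindowsPath(image), PureWindowsPath(procs[ppid][1])
        same_name = child.name.lower() == parent.name.lower()
        moved = child.parent != parent.parent          # PureWindowsPath compares case-insensitively
        in_roaming = "\\appdata\\roaming\\" in str(child).lower()
        if same_name and moved and in_roaming:
            hits.append((ppid, pid))
    return hits


def find_memory_writes(events):
    """Every distinct WriteProcessMemory edge, annotated with whether the writer ever enabled
    SeDebugPrivilege and whether the target is a process the writer itself spawned."""
    procs = process_table(events)
    debug = {e["pid"] for e in events if e["type"] == "privilege" and e["priv"] == "SeDebugPrivilege"}
    seen, out = set(), []
    for e in events:
        if e["type"] != "wpm" or (e["pid"], e["target"]) in seen:
            continue                     # the report repeats each edge three times; collapse them
        seen.add((e["pid"], e["target"]))
        target_is_child = procs.get(e["target"], (None, None))[0] == e["pid"]
        out.append({"writer": e["pid"], "target": e["target"],
                    "writer_has_sedebug": e["pid"] in debug,
                    "target_is_child": target_is_child})
    return out


if __name__ == "__main__":
    for ppid, pid in find_self_copy_launches(EVENTS):
        print(f"PID {ppid} launched a same-named copy of itself as PID {pid} from %AppData%\\Roaming")
    for f in find_memory_writes(EVENTS):
        print(f"PID {f['writer']} wrote to PID {f['target']} "
              f"(SeDebugPrivilege={f['writer_has_sedebug']}, own child={f['target_is_child']})")
```

Each finding is noisy on its own: installers routinely launch a copy of themselves from %AppData%, and debuggers or endpoint agents enable SeDebugPrivilege and write into processes they spawn. The combination on the same chain, plus the family_blackmoon YARA match on both dropped binaries, is what makes this tree worth escalating rather than any single edge.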
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817.exe
  Filesize  9.5MB
  MD5       7757ee8cf24323b67fb5a40802fb2f36
  SHA1      8e9625603b39809eeadcc68ff533c1fe9a7ed010
  SHA256    31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817
  SHA512    ed49d5f68be598e88bd56985ce0cd806b098b487337e04173773f8c90d5a7be608f856e17af1a8126c2b44bbf76e744ee3bec0f32cfd7e95dc04a70e67b01c21
  Every digest matches the submitted sample: the first stage is copied unchanged into %AppData%\Roaming\ÀíÏëħÓò\ and re-executed from there as PID 756.

C:\Users\Admin\AppData\Roaming\ÀíÏëħÓò\ÀíÏëħÓò.exe
  Filesize  9.0MB
  MD5       d796dca47874d2848f19ba80859a1dbb
  SHA1      7a6def1eab1a93ef93a4182f22c0a7eedb2f0314
  SHA256    413ca8a2b0be9632c2f626f9e8b630e3985adf011102e563462fc9d092f18ef6
  SHA512    506c6d3e41bc5e212068383ff790bc4a871af36008d47c956528e5901e85a5df21002cdb665f967f6f5b690dc961ac7d65a11b61a8527a98b025507c3dfd1734

C:\Users\Admin\Desktop\ÀíÏëħÓò.lnk
  Filesize  1KB
  MD5       44499572e79456123108b10e4f9632f8
  SHA1      788fa8aadc01636236fef4d6e4203bcdd45ef4d4
  SHA256    494d6c75ea80f12f41a77a1369bb65e03e0e01fe60b8943022e63c250b29ec70
  SHA512    7bf4e9c1ca1362c8c2d42ea9230db2a5c014a0f8ee7e03175359f9b3e4368829cd4cf3c6da43e3e07621e60174a4f499a9b7f9dff824e7a2dab4e0d427b420cd
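The three dropped files above give host hunters a hash set. The script below is an added example, not part of the report: it copies the report's MD5, SHA-1 and SHA-256 values into a table and walks a directory tree matching each file's digests against it. The function names, the chunked reader and the constructed stand-in file used to exercise the scanner are this example's own.

```python
"""Hash-match files against the dropped-file IoCs in this report.

Added example; it is not part of the sandbox report. The digests in IOC_HASHES
are copied from the report's General and Downloads sections; everything else
(function names, the constructed stand-in file) belongs to this example.
"""
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")

# digest -> label, per algorithm, copied from the report
IOC_HASHES = {
    "sha256": {
        "31e2172058613e443b473c2f3311a208d9b68ba84a8f53315200baa8cc076817":
            "submitted sample; also dropped unchanged under %AppData%\\Roaming",
        "413ca8a2b0be9632c2f626f9e8b630e3985adf011102e563462fc9d092f18ef6":
            "dropped second EXE (9.0MB)",
        "494d6c75ea80f12f41a77a1369bb65e03e0e01fe60b8943022e63c250b29ec70":
            "dropped Desktop .lnk",
    },
    "sha1": {
        "8e9625603b39809eeadcc68ff533c1fe9a7ed010": "submitted sample / self-copy",
        "7a6def1eab1a93ef93a4182f22c0a7eedb2f0314": "dropped second EXE",
        "788fa8aadc01636236fef4d6e4203bcdd45ef4d4": "dropped Desktop .lnk",
    },
    "md5": {
        "7757ee8cf24323b67fb5a40802fb2f36": "submitted sample / self-copy",
        "d796dca47874d2848f19ba80859a1dbb": "dropped second EXE",
        "44499572e79456123108b10e4f9632f8": "dropped Desktop .lnk",
    },
}


def digest_bytes(data):
    """All three digests of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk_size=1 << 20):
    """All three digests of a file, read in 1 MiB chunks so 9.5MB droppers need not fit in RAM."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return [(algo, label)] for each algorithm whose digest appears in the IoC table.
    Treat an MD5-only hit as weak evidence; a SHA-256 hit is the one to act on."""
    hits = []
    for algo in ALGOS:
        d = digests.get(algo, "").lower()
        if d in iocs.get(algo, {}):
            hits.append((algo, iocs[algo][d]))
    return hits


def scan_tree(root, iocs=IOC_HASHES):
    """Walk a directory (for example a mounted image's Users folder) and return {path: hits}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = match_iocs(digest_file(path), iocs)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed stand-in so the scanner can be exercised without the real sample on disk.
CONSTRUCTED_SAMPLE = b"constructed stand-in, not the real dropper"
CONSTRUCTED_IOCS = {a: {d: "constructed stand-in"} for a, d in digest_bytes(CONSTRUCTED_SAMPLE).items()}


def demo_scan():
    """Drop the stand-in into a temp dir beside a benign file and scan with the constructed table."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "drop.exe").write_bytes(CONSTRUCTED_SAMPLE)
        Path(tmp, "readme.txt").write_bytes(b"benign")
        found = scan_tree(tmp, CONSTRUCTED_IOCS)
        return {Path(p).name: hits for p, hits in found.items()}


if __name__ == "__main__":
    print(demo_scan())          # only drop.exe should be reported
```

Point scan_tree at a mounted image's Users directory, or feed the digests from an EDR file event straight into match_iocs. Because the first stage and its %AppData%\Roaming copy share every digest, a SHA-256 hit on 31e217...6817 tells you the binary is present but not which of the two locations it came from; check the path alongside the hash.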