Analysis
-
max time kernel
117s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
23-05-2024 17:19
Behavioral task
behavioral1
Sample
8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
Resource
win7-20231129-en
General
-
Target
8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
-
Size
1.4MB
-
MD5
0cf6ef89fd8080d6a8f81e863cd5b93f
-
SHA1
4473a8fd474a316a5c3fc0bbff565f1204401b20
-
SHA256
8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081
-
SHA512
433ec826bf7abef99c9a1ea7a4da5e16bcd07da36da0a5c02673f70fe2c5d391964f25429aa7fbd22e5f0fdf8245867e06044b07a37444ecf068a8d599531a6f
-
SSDEEP
24576:m0bajn5sNJOZDV1USRveLWoq/Ed6BVq+RGSbp8A7ifqVnRTRpSHgRiC:mxsNUFbRRveLWSYB4+I9A+fInzoHgkC
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource: behavioral1/memory/2064-14-0x0000000010000000-0x0000000010067000-memory.dmp  yara_rule: family_blackmoon
resource: behavioral1/memory/2652-33-0x0000000000250000-0x000000000028E000-memory.dmp  yara_rule: family_blackmoon
-
Drops startup file 1 IoCs
Processes:
description: File created  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid: 2652  process: jniic.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
pid: 2652  process: jniic.exe
-
Processes:
resource: behavioral1/memory/2064-0-0x0000000000400000-0x00000000006D6000-memory.dmp  yara_rule: vmprotect
resource: behavioral1/memory/2064-10-0x0000000000400000-0x00000000006D6000-memory.dmp  yara_rule: vmprotect
resource: behavioral1/memory/2064-12-0x0000000000400000-0x00000000006D6000-memory.dmp  yara_rule: vmprotect
resource: C:\Users\Public\Videos\VSTelem\jniic\Language.dll  yara_rule: vmprotect
resource: behavioral1/memory/2652-29-0x0000000010000000-0x000000001005D000-memory.dmp  yara_rule: vmprotect
resource: behavioral1/memory/2652-31-0x0000000010000000-0x000000001005D000-memory.dmp  yara_rule: vmprotect
resource: behavioral1/memory/2064-40-0x0000000000400000-0x00000000006D6000-memory.dmp  yara_rule: vmprotect
resource: behavioral1/memory/2652-43-0x0000000010000000-0x000000001005D000-memory.dmp  yara_rule: vmprotect
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
pid: 2652  process: jniic.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier  process: jniic.exe
description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2  process: jniic.exe
description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process: jniic.exe
description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  process: jniic.exe
description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  process: jniic.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
pid: 2652  process: jniic.exe
pid: 2652  process: jniic.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid: 2652  process: jniic.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description: PID 2064 wrote to memory of 2652  pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe  target process: jniic.exe
description: PID 2064 wrote to memory of 2652  pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe  target process: jniic.exe
description: PID 2064 wrote to memory of 2652  pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe  target process: jniic.exe
description: PID 2064 wrote to memory of 2652  pid: 2064  process: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe  target process: jniic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe" (process tree level 1)
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Videos\VSTelem\jniic\jniic.exe
Command line: C:\Users\Public\Videos\VSTelem\jniic\jniic.exe (process tree level 2, child of the sample)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Public\Videos\VSTelem\jniic\Language.dll
Filesize 188KB
MD5 3dc8268e939ea269474b319e6ad64066
SHA1 37919c320708877525aa0b4443674b3b75d32ebc
SHA256 0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a
SHA512 05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde
-
C:\Users\Public\Videos\VSTelem\jniic\Update.log
Filesize 73KB
MD5 7e651e861e25e68820d109b1f2618d79
SHA1 7a8263f724d1ba5891b3c7d96cbf140c9d731cc7
SHA256 e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80
SHA512 6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00
-
\Users\Public\Videos\VSTelem\jniic\jniic.exe
Filesize 49KB
MD5 86810e2d993f7327eb5b25b5d17d21c1
SHA1 92be7e63223f3c7e37161b8fc1ab555813988d70
SHA256 63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246
SHA512 148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c
-
memory/2064-8-0x0000000077BD0000-0x0000000077BD1000-memory.dmp
Filesize 4KB
-
memory/2064-4-0x0000000077D90000-0x0000000077D91000-memory.dmp
Filesize 4KB
-
memory/2064-1-0x0000000000401000-0x0000000000487000-memory.dmp
Filesize 536KB
-
memory/2064-12-0x0000000000400000-0x00000000006D6000-memory.dmp
Filesize 2.8MB
-
memory/2064-14-0x0000000010000000-0x0000000010067000-memory.dmp
Filesize 412KB
-
memory/2064-0-0x0000000000400000-0x00000000006D6000-memory.dmp
Filesize 2.8MB
-
memory/2064-2-0x0000000077D90000-0x0000000077D91000-memory.dmp
Filesize 4KB
-
memory/2064-40-0x0000000000400000-0x00000000006D6000-memory.dmp
Filesize 2.8MB
-
memory/2064-10-0x0000000000400000-0x00000000006D6000-memory.dmp
Filesize 2.8MB
-
memory/2652-33-0x0000000000250000-0x000000000028E000-memory.dmp
Filesize 248KB
-
memory/2652-31-0x0000000010000000-0x000000001005D000-memory.dmp
Filesize 372KB
-
memory/2652-37-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize 44KB
-
memory/2652-29-0x0000000010000000-0x000000001005D000-memory.dmp
Filesize 372KB
-
memory/2652-43-0x0000000010000000-0x000000001005D000-memory.dmp
Filesize 372KB