Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 17:19
Behavioral task: behavioral1
- Sample: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
- Resource: win7-20231129-en
General
- Target: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
- Size: 1.4MB
- MD5: 0cf6ef89fd8080d6a8f81e863cd5b93f
- SHA1: 4473a8fd474a316a5c3fc0bbff565f1204401b20
- SHA256: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081
- SHA512: 433ec826bf7abef99c9a1ea7a4da5e16bcd07da36da0a5c02673f70fe2c5d391964f25429aa7fbd22e5f0fdf8245867e06044b07a37444ecf068a8d599531a6f
- SSDEEP: 24576:m0bajn5sNJOZDV1USRveLWoq/Ed6BVq+RGSbp8A7ifqVnRTRpSHgRiC:mxsNUFbRRveLWSYB4+I9A+fInzoHgkC
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1480-4-0x0000000010000000-0x0000000010067000-memory.dmp | family_blackmoon
    behavioral2/memory/1484-24-0x00000000008B0000-0x00000000008EE000-memory.dmp | family_blackmoon
- Drops startup file (1 IoCs)
  Processes: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
- Executes dropped EXE (1 IoCs)
  Processes: djaln.exe
    pid | process
    1484 | djaln.exe
- Loads dropped DLL (1 IoCs)
  Processes: djaln.exe
    pid | process
    1484 | djaln.exe
- (signature name not present on the page; yara_rule vmprotect)
  Processes:
    resource | yara_rule
    behavioral2/memory/1480-0-0x0000000000400000-0x00000000006D6000-memory.dmp | vmprotect
    behavioral2/memory/1480-2-0x0000000000400000-0x00000000006D6000-memory.dmp | vmprotect
    behavioral2/memory/1480-8-0x0000000000400000-0x00000000006D6000-memory.dmp | vmprotect
    C:\Users\Public\Videos\VSTelem\djaln\Language.dll | vmprotect
    behavioral2/memory/1484-20-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
    behavioral2/memory/1484-21-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
    behavioral2/memory/1480-29-0x0000000000400000-0x00000000006D6000-memory.dmp | vmprotect
    behavioral2/memory/1484-33-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe, djaln.exe
    pid | process
    1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    1484 | djaln.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: djaln.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | djaln.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | djaln.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | djaln.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | djaln.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | djaln.exe
- Modifies registry class (1 IoCs)
  Processes: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe, djaln.exe
    pid | process
    1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    1484 | djaln.exe
    1484 | djaln.exe
    1484 | djaln.exe
    1484 | djaln.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: OpenWith.exe, djaln.exe
    pid | process
    1376 | OpenWith.exe
    1484 | djaln.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
    description | pid | process | target process
    PID 1480 wrote to memory of 1484 | 1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe | djaln.exe
    PID 1480 wrote to memory of 1484 | 1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe | djaln.exe
    PID 1480 wrote to memory of 1484 | 1480 | 8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe | djaln.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ed28a33b7109234a832d4131723949736a78892d33228f2c078840018a21081.exe"
  - Drops startup file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
    Command line: C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Public\Videos\VSTelem\djaln\Language.dll
  Filesize: 188KB
  MD5: 3dc8268e939ea269474b319e6ad64066
  SHA1: 37919c320708877525aa0b4443674b3b75d32ebc
  SHA256: 0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a
  SHA512: 05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde
- C:\Users\Public\Videos\VSTelem\djaln\Update.log
  Filesize: 73KB
  MD5: 7e651e861e25e68820d109b1f2618d79
  SHA1: 7a8263f724d1ba5891b3c7d96cbf140c9d731cc7
  SHA256: e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80
  SHA512: 6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00
- C:\Users\Public\Videos\VSTelem\djaln\djaln.exe
  Filesize: 49KB
  MD5: 86810e2d993f7327eb5b25b5d17d21c1
  SHA1: 92be7e63223f3c7e37161b8fc1ab555813988d70
  SHA256: 63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246
  SHA512: 148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c
- memory/1480-2-0x0000000000400000-0x00000000006D6000-memory.dmp
  Filesize: 2.8MB
- memory/1480-4-0x0000000010000000-0x0000000010067000-memory.dmp
  Filesize: 412KB
- memory/1480-8-0x0000000000400000-0x00000000006D6000-memory.dmp
  Filesize: 2.8MB
- memory/1480-1-0x0000000000401000-0x0000000000487000-memory.dmp
  Filesize: 536KB
- memory/1480-0-0x0000000000400000-0x00000000006D6000-memory.dmp
  Filesize: 2.8MB
- memory/1480-29-0x0000000000400000-0x00000000006D6000-memory.dmp
  Filesize: 2.8MB
- memory/1484-20-0x0000000010000000-0x000000001005D000-memory.dmp
  Filesize: 372KB
- memory/1484-21-0x0000000010000000-0x000000001005D000-memory.dmp
  Filesize: 372KB
- memory/1484-24-0x00000000008B0000-0x00000000008EE000-memory.dmp
  Filesize: 248KB
- memory/1484-33-0x0000000010000000-0x000000001005D000-memory.dmp
  Filesize: 372KB