Analysis
  max time kernel: 150s
  max time network: 128s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-05-2024 19:10
  Static task: static1
  Behavioral task: behavioral1
  Sample: 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
  Resource: win7-20240508-en
General
  Target: 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
  Size: 5.0MB
  MD5: d97ff1102e8ba106596d50a100021b9f
  SHA1: a9484405b91d2b0e19f845b85516d88e271b5184
  SHA256: 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63
  SHA512: 05d055943264b1bab63127ff90edaa6a0cf7ef69282739d0466df4bd015abcc5531910896a0f93e67aa24689e1af4010dbd5e6b3793039bf0da08a6b77887fff
  SSDEEP: 98304:D+HVb4W8Qh49un3vR3riSm+NJSBGwd43W9FRq:D+HJ8C49O/RHNJSEDiFw
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
  Processes:
    resource C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe  yara_rule: family_blackmoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    Clean WeChat X.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Clean WeChat X.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Clean WeChat X.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (3 IoCs)
  Processes:
    PID 1620 sg.tmp
    PID 6012 点我启动软件.exe
    PID 5376 Clean WeChat X.exe
YARA rule match: themida (signature title not preserved on the page)
  Processes:
    resource C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe  yara_rule: themida
    behavioral2/memory/5376-25-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-28-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-27-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-26-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-32-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-33-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-34-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-35-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-36-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-37-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-39-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-40-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-41-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-42-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-43-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-44-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-45-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-46-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
    behavioral2/memory/5376-47-0x0000000000400000-0x0000000000D98000-memory.dmp  yara_rule: themida
Checks whether UAC is enabled (1 IoC)
  Processes:
    Clean WeChat X.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    PID 5376 Clean WeChat X.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 6012 点我启动软件.exe (62 entries)
    PID 5376 Clean WeChat X.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Processes:
    Token: SeBackupPrivilege            PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeRestorePrivilege           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: 33                           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: 33                           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: 33                           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeBackupPrivilege            PID 5056 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeRestorePrivilege           PID 5056 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: 33                           PID 5056 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 5056 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: 33                           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeRestorePrivilege           PID 1620 sg.tmp
    Token: 35                           PID 1620 sg.tmp
    Token: SeSecurityPrivilege          PID 1620 sg.tmp
    Token: SeSecurityPrivilege          PID 1620 sg.tmp
    Token: 33                           PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeIncBasePriorityPrivilege   PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    Token: SeDebugPrivilege             PID 5376 Clean WeChat X.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    PID 5376 Clean WeChat X.exe (3 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (source PID -> target PID):
    PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe wrote to memory of PID 4272 cmd.exe (2 entries)
    PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe wrote to memory of PID 5056 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe (3 entries)
    PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe wrote to memory of PID 1620 sg.tmp (3 entries)
    PID 4136 92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe wrote to memory of PID 6012 点我启动软件.exe (3 entries)
    PID 6012 点我启动软件.exe wrote to memory of PID 5376 Clean WeChat X.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe (PID 4136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe (PID 4272)
    Command line: cmd.exe /c set

  C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe (PID 5056)
    Command line: PECMD**pecmd-cmd* PUTF -dd -skipb=1726464 -len=3470184 "C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp",,C:\Users\Admin\AppData\Local\Temp\92cccc47a5dab5fde39c9ce89b006808e88f4ab664a8f78014f8422639111b63.exe
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\~5646964404686827150~\sg.tmp (PID 1620)
    Command line: 7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6554066059501221788.."
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe (PID 6012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe (PID 5376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\~5646964404686827150~\sg.tmp
  Filesize: 715KB
  MD5: 7c4718943bd3f66ebdb47ccca72c7b1e
  SHA1: f9edfaa7adb8fa528b2e61b2b251f18da10a6969
  SHA256: 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
  SHA512: e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\Clean WeChat X.exe
  Filesize: 3.6MB
  MD5: eeddf37e807097fc5aad876724c92f85
  SHA1: 38aebdfd0bfd7acf866156b1fbf43f4f2fa00f05
  SHA256: c8f82ba8e56e5c1d24745a637e6d76bd6d593ccf539c6a101a7bfb9eca3624f7
  SHA512: c1965ce51533be4617362223bc4b5850d4367e87bf243f0ee9ab2bea8de2478b7298c0347a31f03592fc8de052d6e0f799208e80590b920051b7012bb3357c87

C:\Users\Admin\AppData\Local\Temp\~6554066059501221788..\点我启动软件.exe
  Filesize: 453KB
  MD5: 5dfe0fb8655ed70a0c8bda2167b156af
  SHA1: 8613f0213e2be06212fe1f8cf47855e8e37efb57
  SHA256: 18f7352254e97c5a655b8bd202615905f77b686ed587a501f895533a2016f58c
  SHA512: 941a12790ea9200c7b944d98e48884fe36625960ad51c774b472ea49ea8b2efe3270d189a939a3218d6b7d1471185250cefe3599d4c12634da2d187d8040ae6d

C:\Users\Admin\AppData\Local\Temp\~7797432659843274099.tmp
  Filesize: 3.3MB
  MD5: d3694c868bf680ae3524ee5aa6a642ef
  SHA1: 05e34034f05e5be7839450fc3da409976e1fc6b8
  SHA256: a93a2fe8d6b6942fffb58b3e9dd073ba3d671f02c423a5da4b9333b67131e0a7
  SHA512: 824a551b3a188c0445b7fee742980f6588a9f8a4075a8dbcf8b55cd38916eec7923dd18b0788c34ee94ce506a9a92fd863eef9ac4de02229445861a5afba43a2
Memory dumps (path  Filesize):
  memory/5376-35-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-36-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-27-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-26-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-29-0x0000000004AA0000-0x0000000004ACB000-memory.dmp  172KB
  memory/5376-32-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-33-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-34-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-25-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-28-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-37-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-39-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-40-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-41-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-42-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-43-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-44-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-45-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-46-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB
  memory/5376-47-0x0000000000400000-0x0000000000D98000-memory.dmp  9.6MB