Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 00:42
Behavioral task: behavioral1
- Sample: fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Resource: win7-20240221-en
General
- Target: fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Size: 7.7MB
- MD5: 7ba0092f4fa7a1b28b7d87443458520f
- SHA1: 4e794596849a876ced83ff35463860dbcbfc85b5
- SHA256: fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f
- SHA512: c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f
- SSDEEP: 196608:s3DbJcDKlFBqZcPz0RK85Xs5XvyCMYpr/nGLtwN5:sTbODKlFBqakXsBvyCpLGLtw3
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | family_blackmoon
  \Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe | family_blackmoon
- Executes dropped EXE (2 IoCs)
  pid | process
  2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2540 | 1835FFF3D4E324B5CDE27633041CCA28.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Token: SeDebugPrivilege | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Token: SeDebugPrivilege | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Token: SeDebugPrivilege | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Token: SeDebugPrivilege | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  2540 | 1835FFF3D4E324B5CDE27633041CCA28.exe
  2540 | 1835FFF3D4E324B5CDE27633041CCA28.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2244 wrote to memory of 2696 | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  PID 2244 wrote to memory of 2696 | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  PID 2244 wrote to memory of 2696 | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  PID 2244 wrote to memory of 2696 | 2244 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  PID 2696 wrote to memory of 2540 | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | 1835FFF3D4E324B5CDE27633041CCA28.exe
  PID 2696 wrote to memory of 2540 | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | 1835FFF3D4E324B5CDE27633041CCA28.exe
  PID 2696 wrote to memory of 2540 | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | 1835FFF3D4E324B5CDE27633041CCA28.exe
  PID 2696 wrote to memory of 2540 | 2696 | fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe | 1835FFF3D4E324B5CDE27633041CCA28.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- [2] C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Command line: "C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- [3] C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe
  Command line: "C:\Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Desktop\°×µ°Æ·ÅÆ.lnk
  Filesize: 1KB
  MD5: a3d5d3ed0ef61f3e01597c30147f887d
  SHA1: 6a877d55f666fec860da9b7c459f789f39e532e6
  SHA256: 7638147ec6093c99ecb329e7786ff8874e572f5acde510d8ecef455b5004f7d1
  SHA512: eae9d78ad9d856f962817833449e4cd60201fefaef97b24dd1feb157a8859abc19d189ba1bec981d5507c3db7c3801a2ebc43b17b0873c6d140f4e3fcea0345c
- \Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\1835FFF3D4E324B5CDE27633041CCA28.exe
  Filesize: 7.2MB
  MD5: e18a1c638d75d4c7086835860170282d
  SHA1: eb1899e15dc0e02227907ffc15a94bce51412854
  SHA256: 1e78a1c0dcbf3803936393d884f8ac706d710f30fb97546ab3b3d59ae9008c1a
  SHA512: 4ae89ebae887597c6648f5caf5239a6b20d2836e4c15971e8b7b661f8f253c09fdd1aabce263c36f2ab591b2ecfe0e6dd5886e219367e7bc736bb236575a6942
- \Users\Admin\AppData\Roaming\°×µ°Æ·ÅÆ\fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f.exe
  Filesize: 7.7MB
  MD5: 7ba0092f4fa7a1b28b7d87443458520f
  SHA1: 4e794596849a876ced83ff35463860dbcbfc85b5
  SHA256: fce7f39135c20f0637e664affdc20b5c4ccc90db44bd6bd1c795741442f0ce5f
  SHA512: c0da16c7f072af819e30b3555a1d879cc9af76f989dec46384b0c4050561a7705890b29e4a614a2b0e722ee692d77f78b2b5215ae0dde8c156247b3a28ad996f