Analysis
max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 24-05-2024 01:18
Behavioral task: behavioral1
Sample: a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Resource: win7-20240508-en
General
Target: a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Size: 9.1MB
MD5: 5fc8d0eb10acf166b7e4e46f7532a8c4
SHA1: a1b0cf0a7721c6e4b29ec3ef03bef814bbf16708
SHA256: a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc
SHA512: e96fb93be49c6045c3f12c64ff19974f8488f5ad54ba52b4768e4649efa369bdeeee12892fe561435c478df31dc3cc80e90e1536ce580631cf7954d8e7bff554
SSDEEP: 196608:cXhm5Mgv2fjWLHP9laG5nudSH2RXg2ECNSiLKXSR:KhCMg0jylajdd5g2EaSiLKXSR
Malware Config
Signatures
-
Detect Blackmoon payload 19 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1264-15-0x0000000000400000-0x0000000000D5A000-memory.dmp  family_blackmoon
behavioral1/memory/1264-13-0x0000000000400000-0x0000000000D5A000-memory.dmp  family_blackmoon
behavioral1/memory/1264-20-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-19-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-22-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-21-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-25-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-24-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-23-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-26-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-34-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-35-0x0000000000400000-0x0000000000D5A000-memory.dmp  family_blackmoon
behavioral1/memory/1264-36-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-39-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-67-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-70-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-71-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-72-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
behavioral1/memory/1264-73-0x0000000003EA0000-0x000000000492C000-memory.dmp  family_blackmoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DultATd7ATd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DultATd7ATd.sys"  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Executes dropped EXE 2 IoCs
Processes:
pid  process
1860  certmgr.exe
1032  certmgr.exe
Loads dropped DLL 5 IoCs
Processes:
pid  process
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Themida-protected code detected (yara rule: themida) 18 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\logitech.dll  themida
behavioral1/memory/1264-18-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-20-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-19-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-22-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-21-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-25-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-24-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-23-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-26-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-34-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-36-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-39-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-67-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-70-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-71-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-72-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
behavioral1/memory/1264-73-0x0000000003EA0000-0x000000000492C000-memory.dmp  themida
UPX-packed code detected (yara rule: upx) 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1264-0-0x0000000010000000-0x0000000010019000-memory.dmp  upx
behavioral1/memory/1264-4-0x0000000010000000-0x0000000010019000-memory.dmp  upx
Checks whether UAC is enabled 1 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Drops file in System32 directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Windows\SysWOW64\setie.bat  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
File created  C:\Windows\SysWOW64\Dult.dll  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Modifies Internet Explorer settings 6 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe = "1"  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key created  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key created  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key created  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe = "11001"  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Key created  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid  process
480  480
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: 1  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Token: SeDebugPrivilege  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid  process
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description  pid  process  target process
PID 1264 wrote to memory of 1952  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  cmd.exe
PID 1264 wrote to memory of 1952  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  cmd.exe
PID 1264 wrote to memory of 1952  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  cmd.exe
PID 1264 wrote to memory of 1952  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  cmd.exe
PID 1952 wrote to memory of 1236  1952  cmd.exe  regini.exe
PID 1952 wrote to memory of 1236  1952  cmd.exe  regini.exe
PID 1952 wrote to memory of 1236  1952  cmd.exe  regini.exe
PID 1952 wrote to memory of 1236  1952  cmd.exe  regini.exe
PID 1264 wrote to memory of 1032  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1032  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1032  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1032  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1860  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1860  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1860  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
PID 1264 wrote to memory of 1860  1264  a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe  certmgr.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a456cb4dec8a9e9a9e8fe0934da3477259959de27543f44f252de07375f323fc.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c C:\Windows\System32\setie.bat
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\regini.exe
            command line: regini.exe c:\regset.ini
    [2] C:\Users\Admin\AppData\Local\Temp\certmgr.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\\certmgr.exe" -add "C:\Users\Admin\AppData\Local\Temp\\newCA.cer" -s -r currentUser trustedpublisher
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\certmgr.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\\certmgr.exe" -add "C:\Users\Admin\AppData\Local\Temp\\newCA.cer" -s -r currentUser root
        - Executes dropped EXE

Note: the batch file is invoked as C:\Windows\System32\setie.bat but the "Drops file in System32 directory" signature records it being created in C:\Windows\SysWOW64. The sample is a 32-bit process on an x64 guest, so WOW64 file-system redirection maps its System32 writes and reads onto SysWOW64; both paths refer to the same file. The two certmgr.exe invocations use the Windows SDK certmgr.exe syntax (-add <certificate> -s -r currentUser <store>) to install newCA.cer into the current user's TrustedPublisher and Root stores, which makes code signed under that CA trusted for this user.
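The following is an added example by the editor, not output of the sandbox or code from the sample: a read-only PowerShell sweep that checks a Windows host for the artifacts recorded above. It uses the SHA256 values from the Downloads section for setie.bat, regset.ini, certmgr.exe and logitech.dll; Dult.dll, DultATd7ATd.sys and newCA.cer have no hash in the report, so for those it checks presence only, and because the thumbprint of newCA.cer is not in the report it flags every certificate that exists in the CurrentUser Root or TrustedPublisher view but not in the LocalMachine store. Paths other than the report's fixed ones (the per-user Temp folders) are assumptions.

```powershell
# Editor's added IoC sweep for this report; not sandbox output. Read-only.
# Run from an elevated PowerShell so HKLM and SysWOW64 are readable.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# SHA256 values copied from the report's Downloads section.
$knownSha256 = @{
    'setie.bat'    = '0703e1f7e9e53f3eb0044c37d0232cecb4e95a5c6eeeca8897635774ad0870a1'
    'regset.ini'   = '4859d6cc634295d4ab4b4ee49ae90d1e8d73611ee3d9dc8b8581a235b9e66834'
    'certmgr.exe'  = '38fe38349068c264ff653c2d1d273f2a8154f0da485364d962b83f2a75bddb45'
    'logitech.dll' = '31e1dbec882158fc7c64c46401e3b15a18ae4d3aba62ee7024b981266664f04f'
}

# 1. Dropped files. Fixed paths come from the report; the Temp-folder names are
#    looked up under every profile (assumption: same file names on the host).
$candidates = @("$env:SystemRoot\SysWOW64\setie.bat",
                "$env:SystemRoot\SysWOW64\Dult.dll",
                "$env:SystemDrive\regset.ini")
foreach ($name in 'certmgr.exe', 'logitech.dll', 'DultATd7ATd.sys', 'newCA.cer') {
    $hits = Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Temp\$name"
    if ($hits) { $candidates += @($hits | Select-Object -ExpandProperty FullName) }
}
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $name = [System.IO.Path]::GetFileName($path).ToLower()
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($knownSha256.ContainsKey($name) -and $knownSha256[$name] -eq $hash) {
        $findings.Add("file hash match: $path")
    } else {
        $findings.Add("file present, hash $hash not in report: $path")
    }
}

# 2. Services whose ImagePath points into a user Temp folder. The report shows
#    services\DultATd7ATd\ImagePath = \??\C:\Users\Admin\AppData\Local\Temp\DultATd7ATd.sys,
#    i.e. a kernel driver loaded from a user-writable directory.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath).ImagePath
    if ($_.PSChildName -eq 'DultATd7ATd' -or $img -match '(?i)\\AppData\\Local\\Temp\\') {
        $findings.Add("service $($_.PSChildName) ImagePath=$img")
    }
}

# 3. Certificates. certmgr.exe added newCA.cer to CurrentUser\TrustedPublisher and
#    CurrentUser\Root. The per-user view also lists machine-wide certificates, so a
#    thumbprint absent from the LocalMachine store was added for this user only
#    (assumption: the certificate is still installed; its thumbprint is not in the report).
foreach ($store in 'Root', 'TrustedPublisher') {
    $machine = @(Get-ChildItem "Cert:\LocalMachine\$store" | Select-Object -ExpandProperty Thumbprint)
    Get-ChildItem "Cert:\CurrentUser\$store" |
        Where-Object { $_.Thumbprint -notin $machine } |
        ForEach-Object {
            $findings.Add("cert CurrentUser\$store $($_.Thumbprint) subject='$($_.Subject)' notBefore=$($_.NotBefore)")
        }
}

# 4. IE FeatureControl overrides keyed by executable name. The report shows the
#    sample registering itself under FEATURE_BROWSER_EMULATION (11001) and
#    FEATURE_GPU_RENDERING (1). Legitimate software sets these too, so review the hits.
$fc = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl'
foreach ($feature in 'FEATURE_BROWSER_EMULATION', 'FEATURE_GPU_RENDERING') {
    $key = Get-Item -LiteralPath "$fc\$feature"
    if ($null -eq $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $findings.Add("IE $feature $valueName = $($key.GetValue($valueName))")
    }
}

if ($findings.Count -eq 0) { Write-Output 'no artifacts from this report found' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

The certificate check is deliberately broad: any per-user root or publisher certificate is worth a look after this sample, and a hit in CurrentUser\Root that is not in LocalMachine\Root is exactly what the second certmgr.exe command produces. The IE FeatureControl step is run against HKCU, so it covers the logged-on user; the report's key sits under the HKU\S-1-5-21-...-1000 hive, so other profiles need their hives loaded separately.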
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\setie.bat
Filesize: 24B
MD5: 23a007ebe89849e7997a4afb9e5b722b
SHA1: 1cd87b9c2be0ce63b8a4633adbfed0c414379ae3
SHA256: 0703e1f7e9e53f3eb0044c37d0232cecb4e95a5c6eeeca8897635774ad0870a1
SHA512: b126b39fca6b91b806f06e46e2a82644db9858e4e8ee3748a13ac7560cf33e2298c278a7af784feb167acc62e99a3b97d7d40e1baa314e58583eb063323f169b
-
\??\c:\regset.ini
Filesize: 81B
MD5: a67c03c1b51dfbb7e31d33a1b9344936
SHA1: 0cec23c581c31bf6bcadc34dcf6706cbd75cd33c
SHA256: 4859d6cc634295d4ab4b4ee49ae90d1e8d73611ee3d9dc8b8581a235b9e66834
SHA512: ffadc454b5682281aa519dd3e1ef2812334db5965545448d28ce6c4cf75d4edc68d1525ed606723d3061801ce7a9680eacab6c443f5453500a03732ac0edfcad
-
\Users\Admin\AppData\Local\Temp\certmgr.exe
Filesize: 73KB
MD5: d56b22e2495e4cb73aefe3faef046c93
SHA1: 383e9460d2426a98abfaad0e8dfca7dd436733c9
SHA256: 38fe38349068c264ff653c2d1d273f2a8154f0da485364d962b83f2a75bddb45
SHA512: 6d6213d6122d85171b910c392c717cd1a19d14f0b483accaf33f8677c841f92ccae4092fc47740a8a2a57098b68208416197c84b62ea41bd5790cf3c1b905dfa
-
\Users\Admin\AppData\Local\Temp\logitech.dll
Filesize: 4.4MB
MD5: 81f17e2646be7a2c1378f6f45247c06a
SHA1: 1318734082fb4a141dcec26436019af08c92eaf2
SHA256: 31e1dbec882158fc7c64c46401e3b15a18ae4d3aba62ee7024b981266664f04f
SHA512: 812fe51d3e3b12617e878f82d9583364b3571a0f890f3ac9a56dfae6b3eee2aaf6c88c0e4fa11c1bd9316c92754e897ff6d94e882bb0f0807530dc64d6da4690
-
memory/1264-24-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-34-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-18-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-20-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-19-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-22-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-21-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-25-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-0-0x0000000010000000-0x0000000010019000-memory.dmp  Filesize: 100KB
memory/1264-23-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-26-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-13-0x0000000000400000-0x0000000000D5A000-memory.dmp  Filesize: 9.4MB
memory/1264-35-0x0000000000400000-0x0000000000D5A000-memory.dmp  Filesize: 9.4MB
memory/1264-36-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-39-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-15-0x0000000000400000-0x0000000000D5A000-memory.dmp  Filesize: 9.4MB
memory/1264-5-0x00000000004CF000-0x00000000004D0000-memory.dmp  Filesize: 4KB
memory/1264-4-0x0000000010000000-0x0000000010019000-memory.dmp  Filesize: 100KB
memory/1264-67-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-70-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-71-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-72-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB
memory/1264-73-0x0000000003EA0000-0x000000000492C000-memory.dmp  Filesize: 10.5MB