Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-05-2024 01:58
Behavioral task
behavioral1
Sample
b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Resource
win7-20240221-en
General
-
Target
b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
-
Size
9.5MB
-
MD5
c1a327f80304feb7842e1f35cbcf131c
-
SHA1
193bff007356348b1327c100a7a3cf0e30c2967f
-
SHA256
b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b
-
SHA512
eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd
-
SSDEEP
196608:J/MJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNg:JUODKlFBqHayOclfhRQIG2g
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  yara_rule: family_blackmoon
resource: C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe  yara_rule: family_blackmoon
-
Executes dropped EXE 2 IoCs
Processes:
pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
pid 4352  process 5E0A676E54A8365AFB17FD466BCDF925.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description Token: SeDebugPrivilege  pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description Token: SeDebugPrivilege  pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description Token: SeDebugPrivilege  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description Token: SeDebugPrivilege  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description Token: SeDebugPrivilege  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
pid 4352  process 5E0A676E54A8365AFB17FD466BCDF925.exe
pid 4352  process 5E0A676E54A8365AFB17FD466BCDF925.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description PID 2336 wrote to memory of 2472  pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description PID 2336 wrote to memory of 2472  pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description PID 2336 wrote to memory of 2472  pid 2336  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
description PID 2472 wrote to memory of 4352  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process 5E0A676E54A8365AFB17FD466BCDF925.exe
description PID 2472 wrote to memory of 4352  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process 5E0A676E54A8365AFB17FD466BCDF925.exe
description PID 2472 wrote to memory of 4352  pid 2472  process b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe  target process 5E0A676E54A8365AFB17FD466BCDF925.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Command line: "C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe
Command line: "C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\5E0A676E54A8365AFB17FD466BCDF925.exe
Filesize 9.0MB
MD5 0b00122c4eac3c5c6f1b1c783a7aa94f
SHA1 584ef0295c0b1d714dfe9de916a1d69dd2e76646
SHA256 923cb3c28f626586174f3768fc49b4146b008a6d5f92ee27f5605ea68ac206bc
SHA512 27f867c785598a7fb683d79d5ca7a1a56b799e77742d136b912e7de55f0196a8a25bec69d1417d7448b45bfed8190b5686fcb962dadbb764396689b86d1eea24
-
C:\Users\Admin\AppData\Roaming\ǧÇïħÓò\b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe
Filesize 9.5MB
MD5 c1a327f80304feb7842e1f35cbcf131c
SHA1 193bff007356348b1327c100a7a3cf0e30c2967f
SHA256 b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b
SHA512 eca17a38069af074e77c0c52f880ac5b468e8ec453e8705886fa2c4c3ad91e14bbf321bf6ded0ee655db1ad85d0e853019dc3e459f9c2290fbefaf08af365cfd
-
C:\Users\Admin\Desktop\ǧÇïħÓò.lnk
Filesize 1KB
MD5 92d0c1c13d8d5516dc381aaf489caf8f
SHA1 a4776d357e5e65161048bfc6a697b1b10412b1f3
SHA256 b55f22c7fbdc770f5b5d6d31ea064b5fc17e794a6b2cd671581a854032546246
SHA512 2aeb09cebef90e85dd1ae9e7ad8d95563c405c527d69cb84081e441077076b35edadf30dab11d2d8388384b380409d6a37edd26eb4d62ef9f15fbb8031bb0eb1
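The Signatures, Processes and Downloads sections above describe the same chain of events from three angles: the submitted file relaunches a copy of itself from a non-ASCII directory under AppData\Roaming, that copy starts a second dropped executable with a 32-hex-character name, both parents hold SeDebugPrivilege and write into their children, and a Desktop shortcut named after the drop directory appears. The script below is an added example, not part of the sandbox report or its tooling: it transcribes those events and hashes into records and runs a handful of triage rules over them, so the same rules can be pointed at another report. The rule names are this example's own. One caveat the rules encode: the report records that a parent wrote to a child's memory, not what was written, and three writes per child is also what ordinary process creation looks like, so that finding is an observation to follow up on in a memory dump, not proof of injection.

```python
"""Triage rules over the process tree and dropped files of this sandbox report.

Added example, not part of the report. PROCESSES, WPM_EVENTS, SEDEBUG_PIDS and
DROPPED are transcribed from the report above; the rule names are hypothetical.
"""
import re
from collections import defaultdict

ROAM = r"C:\Users\Admin\AppData\Roaming\ǧÇïħÓò"
SAMPLE = "b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b.exe"
DROPPED2 = "5E0A676E54A8365AFB17FD466BCDF925.exe"

# (pid, image path, parent pid) as the report's process tree shows them
PROCESSES = [
    (2336, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE, None),
    (2472, ROAM + "\\" + SAMPLE, 2336),
    (4352, ROAM + "\\" + DROPPED2, 2472),
]
# One (writer pid, target pid) per "wrote to memory of" row in the report
WPM_EVENTS = [(2336, 2472)] * 3 + [(2472, 4352)] * 3
# pids that enabled SeDebugPrivilege (AdjustPrivilegeToken rows)
SEDEBUG_PIDS = {2336, 2472}
# Dropped file -> SHA256, from the Downloads section
DROPPED = {
    ROAM + "\\" + DROPPED2: "923cb3c28f626586174f3768fc49b4146b008a6d5f92ee27f5605ea68ac206bc",
    ROAM + "\\" + SAMPLE: "b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b",
    r"C:\Users\Admin\Desktop\ǧÇïħÓò.lnk": "b55f22c7fbdc770f5b5d6d31ea064b5fc17e794a6b2cd671581a854032546246",
}
SUBMITTED_SHA256 = "b189137f34636b52b16c40fcc40376e9c86daf483c05be4099ee0e211e94fa4b"

HEX32_EXE = re.compile(r"^[0-9a-f]{32}\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def non_ascii(text):
    return any(ord(c) > 0x7F for c in text)


def triage(processes, wpm_events, sedebug, dropped, submitted_sha256):
    """Return a sorted list of (rule, subject) findings."""
    by_pid = {pid: (path, ppid) for pid, path, ppid in processes}
    findings = set()

    for pid, (path, ppid) in by_pid.items():
        d, b = dirname(path), basename(path)
        # Executable under %APPDATA%\Roaming in a directory with a non-ASCII name
        if "\\appdata\\roaming\\" in (d + "\\").lower() and non_ascii(d):
            findings.add(("exec_from_nonascii_roaming_dir", pid))
        # 32 hex characters: the shape of an MD5- or GUID-derived file name
        if HEX32_EXE.match(b):
            findings.add(("hex32_named_exe", pid))
        # Same image name as the parent but a different directory: the parent
        # dropped a copy of itself and relaunched it
        if ppid in by_pid:
            pd, pb = dirname(by_pid[ppid][0]), basename(by_pid[ppid][0])
            if pb.lower() == b.lower() and pd.lower() != d.lower():
                findings.add(("relaunch_from_copy", pid))

    writers = defaultdict(set)
    for src, dst in wpm_events:
        writers[src].add(dst)
    for src, dsts in writers.items():
        for dst in dsts:
            # The report records the write, not its content; a parent writing
            # into a child it just created is also what process creation
            # looks like, so treat this as a lead, not as proof of injection
            if by_pid.get(dst, (None, None))[1] == src:
                findings.add(("parent_wrote_child_memory", (src, dst)))
            if src in sedebug:
                findings.add(("sedebug_holder_wrote_memory", src))
            # A -> B -> C: the written-to process goes on to write into another
            for nxt in writers.get(dst, ()):
                findings.add(("write_chain", (src, dst, nxt)))

    for path, sha in dropped.items():
        # Same hash as the submitted file: a self-copy, not a decrypted new stage
        if sha == submitted_sha256:
            findings.add(("self_copy", path))
        # Desktop shortcut whose name is the drop directory's name
        if path.lower().endswith(".lnk") and "\\desktop\\" in path.lower():
            stem = basename(path)[:-4]
            if any(basename(dirname(p)) == stem for p in dropped if p != path):
                findings.add(("desktop_lnk_for_drop_dir", path))

    return sorted(findings, key=repr)


def summarize():
    """Findings for the events transcribed from this report."""
    return triage(PROCESSES, WPM_EVENTS, SEDEBUG_PIDS, DROPPED, SUBMITTED_SHA256)


if __name__ == "__main__":
    for rule, subject in summarize():
        print(f"{rule:32} {subject}")
```

The self_copy rule is the one worth keeping in mind when reading the Downloads section: the Roaming copy of the sample has the same SHA256 as the submitted file, so the 9.5MB file under AppData\Roaming is persistence of the original, while the 9.0MB 5E0A676E54A8365AFB17FD466BCDF925.exe is the only genuinely new artifact and the one to pull for static analysis.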