Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 02:02

Behavioral task: behavioral1
- Sample: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
- Resource: win7-20240508-en
General
- Target: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
- Size: 7.7MB
- MD5: 105cd89b0ddfd8e86235ca852c2c57dd
- SHA1: 38e643be21749f86929f1fb624a562f5d9fd0e93
- SHA256: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
- SHA512: c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
- SSDEEP: 196608:sZDtJcDKlFBqhRK85Xs5XvyCMYpr/nGLtwNo:s9tODKlFBq7XsBvyCpLGLtw2
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  YARA rule family_blackmoon matched both executables written to the drop directory:
  \Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  \Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
- Executes dropped EXE (2 IoCs)
  pid 2148: \Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  pid 2720: \Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
- Loads dropped DLL (3 IoCs)
  pid 1576 (two loads) and pid 2148 (one load), both instances of 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe. The report names only the loading processes, not the DLL paths.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  SeDebugPrivilege enabled by pid 1576 (twice) and pid 2148 (three times), both running 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe. SeDebugPrivilege lets a process open handles to processes it would otherwise be denied, so read these entries together with the WriteProcessMemory entries below.
- Suspicious use of FindShellTrayWindow (2 IoCs): pids 2148 and 1576
- Suspicious use of SendNotifyMessage (2 IoCs): pids 2148 and 1576
- Suspicious use of SetWindowsHookEx (4 IoCs): pid 1576, pid 2148, pid 2720 (twice)
  SetWindowsHookEx is used by keyloggers but also by ordinary GUI toolkits; the report records the call, not the hook type.
- Suspicious use of WriteProcessMemory (8 IoCs)
  pid 1576 (18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe) wrote to memory of pid 2148 (18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe): 4 writes
  pid 2148 (18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe) wrote to memory of pid 2720 (C148FAE227FC6914.exe): 4 writes
  In both cases the parent wrote into the child it had just created. Short bursts of parent-to-child writes also occur on ordinary process launches, so on their own they do not prove injection; here they coincide with SeDebugPrivilege being enabled in the same parents and with each child being a dropped executable.
Processes
1. C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe (pid 1576)
   Command line: "C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe (pid 2148, child of 1576)
      Command line: "C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe (pid 2720, child of 2148)
         Command line: "C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx

The chain is: the submitted file writes a byte-identical copy of itself (same MD5/SHA1/SHA256/SHA512 as the Target, see Downloads) into a new folder under AppData\Roaming, runs that copy, and the copy starts a second dropped executable, C148FAE227FC6914.exe. The folder name °×µ° is how this en-US guest (code page 1252) renders the byte sequence B0 D7 B5 B0; decoded as GBK those bytes read 白蛋, which is presumably the name intended by the author and how the folder would appear on a Chinese-locale host. When hunting on non-Chinese-locale systems, match the literal characters shown here.
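An added triage helper, not part of the sandbox report and not code from the sample's authors. It rebuilds the process chain from the PIDs, image paths and API observations listed above, all of which are re-entered here by hand as Python records (the field names pid/ppid/image/api/target/detail are this script's own, not any sensor's schema), and flags the copy-to-Roaming-and-relaunch step, the parent-to-child WriteProcessMemory pairs, SeDebugPrivilege enabled from a user-writable path, the non-ASCII drop directory, and the dropped file whose hash equals the submitted sample. Paths and hashes are copied from this page; the list of user-writable directory markers is an assumption for illustration.

```python
"""Triage helper for the behavioral report above: rebuild the process chain and
flag the self-copy-and-relaunch pattern.  Added example, not code from the
sandbox or from the sample.  Every record below is hand-constructed from the
report's process tree, PIDs, signature tables and file hashes; the field names
(pid, ppid, image, api, target, detail) are this script's own."""
import ntpath

SAMPLE = "18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
DROP_DIR = r"C:\Users\Admin\AppData\Roaming\°×µ°"  # literal name as the en-US guest shows it

# Process creations (pids from the report's WriteProcessMemory table); ppid None = tree root.
PROC_EVENTS = [
    {"pid": 1576, "ppid": None, "image": ntpath.join(TEMP_DIR, SAMPLE + ".exe")},
    {"pid": 2148, "ppid": 1576, "image": ntpath.join(DROP_DIR, SAMPLE + ".exe")},
    {"pid": 2720, "ppid": 2148, "image": ntpath.join(DROP_DIR, "C148FAE227FC6914.exe")},
]

# API observations from the signature tables, one record per distinct observation
# (the report counts repeated calls separately).
API_EVENTS = [
    {"pid": 1576, "api": "AdjustPrivilegeToken", "detail": "SeDebugPrivilege"},
    {"pid": 2148, "api": "AdjustPrivilegeToken", "detail": "SeDebugPrivilege"},
    {"pid": 1576, "api": "WriteProcessMemory", "target": 2148},
    {"pid": 2148, "api": "WriteProcessMemory", "target": 2720},
    {"pid": 1576, "api": "SetWindowsHookEx"},
    {"pid": 2148, "api": "SetWindowsHookEx"},
    {"pid": 2720, "api": "SetWindowsHookEx"},
]

# SHA256 of each dropped executable, copied from the Downloads section.
DROPPED_SHA256 = {
    ntpath.join(DROP_DIR, SAMPLE + ".exe"): SAMPLE,
    ntpath.join(DROP_DIR, "C148FAE227FC6914.exe"):
        "91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560",
}

# Assumption for illustration: path fragments that mark user-writable directories.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def in_user_writable_dir(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def ancestry(events, pid):
    """Pids from the tree root down to pid, e.g. [1576, 2148, 2720]."""
    by_pid, out = index_by_pid(events), []
    while pid in by_pid:
        out.append(pid)
        pid = by_pid[pid]["ppid"]
    return out[::-1]


def self_copy_relaunches(events):
    """(parent_pid, child_pid) where the child is the same-named binary started from
    a different user-writable directory than its parent: copy to Roaming, then rerun."""
    by_pid, hits = index_by_pid(events), []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_name = ntpath.basename(e["image"]).lower() == ntpath.basename(parent["image"]).lower()
        moved = ntpath.dirname(e["image"]).lower() != ntpath.dirname(parent["image"]).lower()
        if same_name and moved and in_user_writable_dir(e["image"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


def parent_writes_into_child(proc_events, api_events):
    """WriteProcessMemory from a process into a child it spawned.  Ordinary launches
    can produce this too, so it is a supporting signal, not a verdict."""
    by_pid = index_by_pid(proc_events)
    return sorted({(a["pid"], a["target"]) for a in api_events
                   if a["api"] == "WriteProcessMemory"
                   and by_pid.get(a["target"], {}).get("ppid") == a["pid"]})


def sedebug_from_user_dir(proc_events, api_events):
    """Pids that enabled SeDebugPrivilege while running from a user-writable path."""
    by_pid = index_by_pid(proc_events)
    return sorted({a["pid"] for a in api_events
                   if a["api"] == "AdjustPrivilegeToken" and a.get("detail") == "SeDebugPrivilege"
                   and in_user_writable_dir(by_pid[a["pid"]]["image"])})


def non_ascii_dirs(proc_events):
    """Pids whose image directory contains non-ASCII characters (the mojibake folder)."""
    return sorted(e["pid"] for e in proc_events
                  if any(ord(c) > 127 for c in ntpath.dirname(e["image"])))


def drops_identical_to_sample(dropped_sha256, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample, i.e. self-copies."""
    return [p for p, h in dropped_sha256.items() if h.lower() == sample_sha256.lower()]


if __name__ == "__main__":
    print("chain to 2720:", ancestry(PROC_EVENTS, 2720))
    print("self-copy relaunch:", self_copy_relaunches(PROC_EVENTS))
    print("parent -> child writes:", parent_writes_into_child(PROC_EVENTS, API_EVENTS))
    print("SeDebugPrivilege from user dir:", sedebug_from_user_dir(PROC_EVENTS, API_EVENTS))
    print("non-ASCII drop dirs:", non_ascii_dirs(PROC_EVENTS))
    print("self-copies:", drops_identical_to_sample(DROPPED_SHA256, SAMPLE))
```

Running the script prints each finding for the chain on this page. The same functions work unchanged over process-creation and API events exported from a real sensor once they are mapped onto these field names; the parent-writes-child check is deliberately reported as a supporting signal rather than a verdict, for the reason given in the WriteProcessMemory entry above.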
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (files the sandbox captured from the run)
- C:\Users\Admin\Desktop\°×µ°.lnk
  Filesize: 1KB
  MD5: 3dff333abbb975ca1802604e2b44e8bb
  SHA1: 5d9da6e6de2ada59081f919a35da7d887120793f
  SHA256: 6b6da3f0f6ad0e96ece0aaec33fe5c1b1d2e734beda03be15ca836e7c3e02e7d
  SHA512: 40998eff39fc8e2f2dc70834e911c4d0a1ba359148f582ea231aa7514e0975c3e4b127d1ac3d2f682bcc249c09f871c1c7a474f4ac93eb1bd5aa15a05296d9ff
- \Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Filesize: 7.7MB
  MD5: 105cd89b0ddfd8e86235ca852c2c57dd
  SHA1: 38e643be21749f86929f1fb624a562f5d9fd0e93
  SHA256: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
  SHA512: c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
  All four hashes are identical to the submitted Target: this is a byte-for-byte self-copy, not a separate payload.
- \Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
  Filesize: 7.2MB
  MD5: a6746c7beaf77b3895b0c6a996bd3fc2
  SHA1: ab2864186175b96652967f38a204ebb41f608f50
  SHA256: 91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560
  SHA512: 0792403db7edb69577fc3964362b38eb27445e23d906084e4bb1dc2737e25e24d25eed2f47525a0c069f8f6bdc7f7534dbcbd50c9aa970939ba04ccd50016619