Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 02:02
Behavioral task: behavioral1
Sample: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Resource: win7-20240508-en
Note: this task entry names the win7-20240508-en resource, while the Analysis header above reports platform windows10-2004_x64 with resource win10v2004-20240508-en; the two labels on the page do not agree.
General
Target: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
Size: 7.7MB
MD5: 105cd89b0ddfd8e86235ca852c2c57dd
SHA1: 38e643be21749f86929f1fb624a562f5d9fd0e93
SHA256: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
SHA512: c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
SSDEEP: 196608:sZDtJcDKlFBqhRK85Xs5XvyCMYpr/nGLtwNo:s9tODKlFBq7XsBvyCpLGLtw2
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  yara_rule family_blackmoon  matched  C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  yara_rule family_blackmoon  matched  C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
  Note on the directory name: "°×µ°" is how the byte sequence B0 D7 B5 B0 displays under code page 1252, which is what the sandbox's en-us locale uses. If the name originated as those bytes in GBK (the usual case for Chinese-authored droppers that build paths from narrow strings), it is the Chinese word 白蛋 and would appear as %APPDATA%\白蛋 on a Chinese-locale host. Hunt for both spellings.
Executes dropped EXE (2 IoCs)
  pid   process
  3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  2836  C148FAE227FC6914.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Token: SeDebugPrivilege   2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Token: SeDebugPrivilege   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Token: SeDebugPrivilege   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Token: SeDebugPrivilege   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  2836  C148FAE227FC6914.exe
  2836  C148FAE227FC6914.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                    pid   process                                                                  target process
  PID 2904 wrote to memory of 3760   2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  PID 2904 wrote to memory of 3760   2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  PID 2904 wrote to memory of 3760   2904  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  PID 3760 wrote to memory of 2836   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  C148FAE227FC6914.exe
  PID 3760 wrote to memory of 2836   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  C148FAE227FC6914.exe
  PID 3760 wrote to memory of 2836   3760  18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe  C148FAE227FC6914.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
   (PID 2904, the submitted sample; PIDs here are taken from the Signatures tables above)
   command line: "C:\Users\Admin\AppData\Local\Temp\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
      (PID 3760, spawned by 1; a copy of the sample, see Downloads)
      command line: "C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
         (PID 2836, spawned by 2)
         command line: "C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\°×µ°\18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe
  Filesize: 7.7MB
  MD5: 105cd89b0ddfd8e86235ca852c2c57dd
  SHA1: 38e643be21749f86929f1fb624a562f5d9fd0e93
  SHA256: 18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328
  SHA512: c6162d35d8173ecf91e0095c49dc6e0a7b0175e9607fa6b889cba6533ab79e607fd31757900a02997adf220d7e7058973dbcf5f9cfd58135795fb1b7bc2a0a3f
  (Size and all four hashes equal those of the submitted sample in the General section: this is a byte-identical self-copy of the sample, not a distinct payload.)

C:\Users\Admin\AppData\Roaming\°×µ°\C148FAE227FC6914.exe
  Filesize: 7.2MB
  MD5: a6746c7beaf77b3895b0c6a996bd3fc2
  SHA1: ab2864186175b96652967f38a204ebb41f608f50
  SHA256: 91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560
  SHA512: 0792403db7edb69577fc3964362b38eb27445e23d906084e4bb1dc2737e25e24d25eed2f47525a0c069f8f6bdc7f7534dbcbd50c9aa970939ba04ccd50016619

C:\Users\Admin\Desktop\°×µ°.lnk
  Filesize: 1KB
  MD5: fb5b4f87feaee1f5349e23201decf763
  SHA1: 9a0a5adb0a085287259a31a5dda045305bd98e5a
  SHA256: 72e045c4a0b27b35abcd1859dd300e6bc0fc9d146770a27d9e3488639b63bfae
  SHA512: 9902de7a095db92db8b9477368f35fca83faaca684b25cee845a0c592e02dbc6eb5f8141daafcf6e4eb2cbff4fd6fb704a00a3f91475507682eb06a67e77af1b
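The tables in this report record three facts that are more useful correlated than read separately: a byte-identical copy of the sample executes from %APPDATA%\Roaming\°×µ° (Downloads), the original writes into that copy's memory (Signatures, PID 2904 to 3760), and the copy in turn writes into the dropped second stage (3760 to 2836). The Python below is an added example written for this page; it is not part of the sandbox report or of the sample. PROCESSES, HASHES and EVENTS are transcribed by hand from the report's Processes, Downloads and Signatures sections with repeated identical rows collapsed, the PID-to-image mapping follows from the WriteProcessMemory and "Executes dropped EXE" tables, and decode_cp1252_as_gbk() assumes the directory name is a GBK string rendered under code page 1252, an interpretation the report itself does not make.

```python
"""Correlate this report's event tables into the dropper's behaviour chain.

Added example for this page, not part of the sandbox report or the sample.
PROCESSES, HASHES and EVENTS are transcribed from the report (Processes,
Downloads and Signatures sections); duplicate rows are collapsed.
decode_cp1252_as_gbk() assumes "°×µ°" is a GBK name shown under cp1252,
which the report does not state.
"""

STAGE1 = "18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328.exe"
STAGE2 = "C148FAE227FC6914.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
DROP_DIR = r"C:\Users\Admin\AppData\Roaming\°×µ°"

# pid -> image path. PIDs come from the Signatures tables: 2904 wrote to 3760,
# 3760 is the Roaming copy ("Executes dropped EXE"), so 2904 is the Temp original.
PROCESSES = {
    2904: TEMP_DIR + "\\" + STAGE1,   # submitted sample, root of the tree
    3760: DROP_DIR + "\\" + STAGE1,   # self-copy in %APPDATA%\Roaming
    2836: DROP_DIR + "\\" + STAGE2,   # dropped second stage
}

# image path -> SHA-256, from the General and Downloads sections
HASHES = {
    PROCESSES[2904]: "18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328",
    PROCESSES[3760]: "18b543659a23bccdc2a18803cf4d2ce7588d47b06a76dff98a9ca4c4cc646328",
    PROCESSES[2836]: "91a454a925fa4ab29ce0eaa131bb44877637d95897340f9c2485f418b1605560",
}

# API events from the Signatures section, one record per distinct row
EVENTS = [
    {"api": "AdjustPrivilegeToken", "pid": 2904, "privilege": "SeDebugPrivilege"},
    {"api": "AdjustPrivilegeToken", "pid": 3760, "privilege": "SeDebugPrivilege"},
    {"api": "SetWindowsHookEx", "pid": 2904},
    {"api": "SetWindowsHookEx", "pid": 3760},
    {"api": "SetWindowsHookEx", "pid": 2836},
    {"api": "WriteProcessMemory", "pid": 2904, "target": 3760},
    {"api": "WriteProcessMemory", "pid": 3760, "target": 2836},
]


def decode_cp1252_as_gbk(name):
    """Re-read a name displayed under cp1252 as GBK bytes; None if either step fails."""
    try:
        return name.encode("cp1252").decode("gbk")
    except UnicodeError:
        return None


def classify_writes(processes, hashes, events):
    """Split WriteProcessMemory events by what the writer targeted.

    self_copy:   target image is byte-identical to the writer's (same hash,
                 different path), i.e. the sample writing into its relocated copy
    cross_image: target is a different binary (here the dropped second stage)
    """
    out = {"self_copy": [], "cross_image": []}
    for ev in events:
        if ev["api"] != "WriteProcessMemory":
            continue
        src, dst = processes[ev["pid"]], processes[ev["target"]]
        same_bytes = hashes[src] == hashes[dst]
        kind = "self_copy" if same_bytes and src.lower() != dst.lower() else "cross_image"
        out[kind].append((ev["pid"], ev["target"]))
    return out


def privileged_pids(events, privilege="SeDebugPrivilege"):
    """PIDs that enabled the given privilege via AdjustPrivilegeToken."""
    return sorted({ev["pid"] for ev in events
                   if ev["api"] == "AdjustPrivilegeToken" and ev.get("privilege") == privilege})


def hooking_pids(events):
    """PIDs that installed a Windows hook (SetWindowsHookEx)."""
    return sorted({ev["pid"] for ev in events if ev["api"] == "SetWindowsHookEx"})


def self_copy_locations(processes, hashes, root_pid):
    """Directories where a byte-identical copy of the root image ran, mapped to
    the GBK reading of the directory's leaf name (None if it is not valid GBK)."""
    root_hash = hashes[processes[root_pid]]
    found = {}
    for pid, path in processes.items():
        if pid != root_pid and hashes[path] == root_hash:
            folder = path.rsplit("\\", 1)[0]
            found[folder] = decode_cp1252_as_gbk(folder.rsplit("\\", 1)[1])
    return found


def summarise(processes, hashes, events, root_pid):
    """One dict a triage note can be written from."""
    writes = classify_writes(processes, hashes, events)
    return {
        "self_copy_dirs": self_copy_locations(processes, hashes, root_pid),
        "self_copy_injection": writes["self_copy"],
        "second_stage_injection": writes["cross_image"],
        "debug_privilege_pids": privileged_pids(events),
        "hook_pids": hooking_pids(events),
        # relocate, inject into the copy, then spawn and inject the second stage
        "dropper_chain_complete": bool(writes["self_copy"] and writes["cross_image"]),
    }


if __name__ == "__main__":
    for key, value in summarise(PROCESSES, HASHES, EVENTS, 2904).items():
        print(f"{key}: {value}")
```

The self-copy test (same hash, different path) is what separates a relocating dropper from ordinary parent-to-child memory writes, and the functions take any pid-to-image, image-to-hash and event records, so the same correlation can be run over an export from another sandbox or an EDR. The GBK decoding is kept separate because it is an interpretation: it gives the folder name to hunt for on Chinese-locale hosts, while the cp1252 spelling in the report is what an en-us host will show.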