Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 03:02

Static task: static1
Behavioral task: behavioral1
- Sample: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
- Resource: win7-20240220-en
General
- Target: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
- Size: 10.2MB
- MD5: 7fbfa292073ad37d6c32a0f34f559310
- SHA1: 4bace3be7a391e11cda054dda656c4eac0a04c85
- SHA256: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a
- SHA512: 61bd8f4b7a22b19c5a88b52a23818094f1540a017d2d36a5b85ba6cbd08553913e312c0286e555bf0ffc02024e482a4ebda350306d61035b5daefea9e209d23c
- SSDEEP: 196608:10/mSIFYgeWSwviTIfGiOtcZhmplOQigV3cT+U57egdzmwtHN4M9oHfL1:iO6geWSwaTI+iwcZhmLH/Bca87egVmoM

Malware Config
Signatures
- Detect Blackmoon payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1756-5-0x0000000000400000-0x00000000009FA000-memory.dmp | family_blackmoon
  behavioral2/memory/1756-17-0x0000000000400000-0x00000000009FA000-memory.dmp | family_blackmoon
  behavioral2/memory/632-47-0x0000000000400000-0x00000000009FA000-memory.dmp | family_blackmoon

- Executes dropped EXE (1 IoC)
  Processes: 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  pid | process
  632 | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  description | ioc | process
  File opened (read-only) | \??\A: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\I: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\J: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\Q: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\X: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\K: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\P: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\R: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\U: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\W: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\E: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\G: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\H: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\M: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\O: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\S: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\T: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\Z: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\B: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\L: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\N: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\V: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  File opened (read-only) | \??\Y: | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe, 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  pid | process
  1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  632 | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  632 | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  632 | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  description | pid | process | target process
  PID 1756 wrote to memory of 632 | 1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  PID 1756 wrote to memory of 632 | 1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  PID 1756 wrote to memory of 632 | 1756 | 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe | 31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe"
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1756
  - C:\ÎÑÎÑah\31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe (child process)
    Command line: C:\ÎÑÎÑah\31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 632

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
  PID: 3972
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\745e914139c2d487f07e6b9328379432.txt
  Filesize: 10B
  MD5: 4a7c7e98274403ea3c33fd02f5338d82
  SHA1: e207839a27552f8de20e703c985a9bf3b683e005
  SHA256: a1ce16fc3708c35bef9f60a14409c5ba6b892fd9a6b010b087e4251d7005ba45
  SHA512: f3d74891aa1440eb53804309654453413dc01a89ba055879813cdc27c29eee978c2f440dd47fdafa1bcf2769b01e975d7a435a8183888c46ea1c708f871c2cba

- C:\ÎÑÎÑah\31543617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a.exe
  Filesize: 10.2MB
  MD5: 7fbfa292073ad37d6c32a0f34f559310
  SHA1: 4bace3be7a391e11cda054dda656c4eac0a04c85
  SHA256: 617333883e2e9b3971dcefb4e9f66cda96d89f3c66c03db32d1fcc4ded25f67a
  SHA512: 61bd8f4b7a22b19c5a88b52a23818094f1540a017d2d36a5b85ba6cbd08553913e312c0286e555bf0ffc02024e482a4ebda350306d61035b5daefea9e209d23c

- memory/632-16-0x0000000000B60000-0x0000000000B63000-memory.dmp
  Filesize: 12KB

- memory/632-47-0x0000000000400000-0x00000000009FA000-memory.dmp
  Filesize: 6.0MB

- memory/632-49-0x0000000000B60000-0x0000000000B63000-memory.dmp
  Filesize: 12KB

- memory/1756-8-0x0000000003C30000-0x0000000003C31000-memory.dmp
  Filesize: 4KB

- memory/1756-7-0x0000000003C00000-0x0000000003C01000-memory.dmp
  Filesize: 4KB

- memory/1756-6-0x0000000003C20000-0x0000000003C21000-memory.dmp
  Filesize: 4KB

- memory/1756-5-0x0000000000400000-0x00000000009FA000-memory.dmp
  Filesize: 6.0MB

- memory/1756-18-0x0000000000A10000-0x0000000000A13000-memory.dmp
  Filesize: 12KB

- memory/1756-17-0x0000000000400000-0x00000000009FA000-memory.dmp
  Filesize: 6.0MB

- memory/1756-0-0x0000000000400000-0x00000000009FA000-memory.dmp
  Filesize: 6.0MB

- memory/1756-1-0x0000000000A10000-0x0000000000A13000-memory.dmp
  Filesize: 12KB