Analysis
- max time kernel: 149s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 05:12
Behavioral task: behavioral1
- Sample: f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
- Resource: win7-20231129-en
General
- Target: f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
- Size: 431KB
- MD5: 6f882a62faa48c6722bd0da1b34c26a4
- SHA1: e47f36f68f92f6c7e57e92379dd63f84e5f682dd
- SHA256: f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76
- SHA512: b4c7cd6e25e1a7e909399715bf5a840baf6cfcc2f156d5a1c7a80377f98efb09c646eca9841734afb737ed8182f210fd492899030013c65bb286c45219b8452e
- SSDEEP: 3072:TVmHpJqu0Vh6jw/fmZmRMpVuWwP5tOcQfgdVqYHKjoS1HwZCFjTPG1UFNE2XCKU4:TcHpJfHElepVuWwP5YcQfg8J+ojCKC+b
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Systemlhhji.exe | family_blackmoon
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  4912 | Systemlhhji.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  4912 | Systemlhhji.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process); the 64 entries are repeats of these two pid/process pairs:
  184 | f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
  4912 | Systemlhhji.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 184 wrote to memory of 4912 | 184 | f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe | Systemlhhji.exe
  PID 184 wrote to memory of 4912 | 184 | f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe | Systemlhhji.exe
  PID 184 wrote to memory of 4912 | 184 | f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe | Systemlhhji.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f18b2d9ca2caf1b7b8b1913c886a112e18769c71200bccb5f1cb2be2b034eb76.exe"
  PID: 184
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Systemlhhji.exe (child of PID 184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Systemlhhji.exe"
    PID: 4912
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Systemlhhji.exe
  Filesize: 431KB
  MD5: aff63a6cf78931406d30df2eb053cb50
  SHA1: 806f8fed0ad3a44b76fa599eb329bf718fcb30d7
  SHA256: b957271cd94a29f648766b19beddc3fc2a3423042e8c67fc6ccf5a825df3121d
  SHA512: 493fc832da7bcf4098a07a942bd94a5fd14508fe90fee2bcf1865d04378f09a88129410d62c23c0aa8762d20273ce7a816b162c7aef44d406070589e9498b301
- C:\Users\Admin\AppData\Local\Temp\path.ini
  Filesize: 102B
  MD5: 7f8645fb30d48c7c334029db7c62e08b
  SHA1: 2564e0f0bbca93551e1e0e90c8c6e1ea0add3dfd
  SHA256: b9f4bedb94b3cb881f9ffe78611f95e059a2325ef1b0e96f5804593c24bcb762
  SHA512: c732d508ca4e997308e06971f068c6a82dfcce68766e63fe1ef95a9dc085ae801911aa2e7bb6d3bf42e8460049b5fd39cf5014a3c300f19751304f647a589cff