Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 12:34
Static task: static1
Behavioral task: behavioral1
  Sample: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  Resource: win10v2004-20240426-en
General
Target: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
Size: 10.2MB
MD5: b3991b3ab21beae0511ead9c1f1d9da7
SHA1: 2eac3c6ab582431b9915cdfa16f25f0f95be22fb
SHA256: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb
SHA512: 4fe1445aba6f0a1eb0222f3c2b60d8cbd9dc70d648941fa8c6af69917181a547a4296bee57c591cb41e474b363dc9592a3da1038e33a5560153d1cb1829ad784
SSDEEP: 49152:i18You03cT8xUGvYD2BXh/KYJESnoX1IwSTnyhtxB+XywheZZXfpd8extOJcCjGe:NtswUG6ShSYs4ybzFhdLOzZYyFpz
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  resource: behavioral2/memory/1636-14-0x0000000010000000-0x0000000010097000-memory.dmp; yara_rule: family_blackmoon
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 1346ip.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1346ip = "C:\\ProgramData\\TTQQinstall\\{3POw278Z73uPhAy}\\1346ip.exe" (process: 1346ip.exe)
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource: C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\ctxmui.dll; yara_rule: acprotect
- Executes dropped EXE (1 IoC)
  pid 1636, process 1346ip.exe
- Loads dropped DLL (1 IoC)
  pid 1636, process 1346ip.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1636, process 1346ip.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 1636, process 1346ip.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 4016, process 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  pid 3712, process 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  pid 1636, process 1346ip.exe (4 events)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4016 wrote to memory of 3712: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe -> 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  PID 4016 wrote to memory of 3712: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe -> 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe
  PID 3712 wrote to memory of 1636: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe -> 1346ip.exe
  PID 3712 wrote to memory of 1636: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe -> 1346ip.exe
  PID 3712 wrote to memory of 1636: 09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe -> 1346ip.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe (PID 4016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe (PID 3712)
      Command line: C:\Users\Admin\AppData\Local\Temp\09dc3e8bbd2a073847dab02976cd6f383fac26740127948da2fd6eb7371920eb.exe 490A300A560A5A0A780A650A6D0A780A6B0A670A4E0A6B0A7E0A6B0A560A5E0A5E0A5B0A5B0A630A640A790A7E0A6B0A660A660A560A710A390A5A0A450A7D0A380A3D0A320A500A3D0A390A7F0A5A0A620A4B0A730A770A560A3B0A390A3E0A3C0A630A7A0A-2
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\1346ip.exe (PID 1636)
         Command line: "C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\1346ip.exe"
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\1346ip.exe
  Filesize: 30KB
  MD5: 9e80b662cc6335824592af506a46c20c
  SHA1: 76f447db453e28835de09f7c865f373903bb50b4
  SHA256: 18716cd861b4de03f9d2ea9b32c4bed8473cf7e09410d04b5bb3db70be3863c1
  SHA512: ea304340afe0137f7920c4ceeb0fbe226638339ba2b0b9f742770bee49cdd8b0dea886ce47c80cd1c5840654e67ecda5c61ece09fa0a0f00176aff0c222e58ae
- C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\1346ip.txt
  Filesize: 269B
  MD5: 38296012d815bf39eb65962a77395abd
  SHA1: f07c54d99c6a6648a086a630bdc40f2e9afcab2e
  SHA256: 1857e9e8c85448caaf4a0206331e1a8362987bf628bc6b4530489a58e1d379a1
  SHA512: e2c109bc3bab70f7cd504b9ce10762c7444d39458fa9e1b28cc17be5dc7c3317a9d45ec0ca8dd4584b93b2e3e9b7d91fd7fef7a3027cc28d90a7372869d8b585
- C:\ProgramData\TTQQinstall\{3POw278Z73uPhAy}\ctxmui.dll
  Filesize: 390KB
  MD5: c77f430fa7442382402d2f86d7bd49de
  SHA1: 75517e2a5a6d9d98c49bc429b96d5ec31e420a30
  SHA256: c229f622424c9643e51930f601a979c14773eaae037fabe099bed393f8f6c507
  SHA512: 36aaece801c8642476b7fe61d7b030495b7865d7dd1555e297b9dda4c67b3ea0e3c111a3049fd267ab401cbd7eed998aa51e9610a13030f78b34c2724d7c122d