Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 13:03
Behavioral task: behavioral1
- Sample: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Resource: win7-20240221-en
General
- Target: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Size: 9.5MB
- MD5: 84d7cbb723c1ba711b069377f4b54b8b
- SHA1: 0bfa62d923644a537649b34b832b6a3ceeb9333c
- SHA256: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7
- SHA512: 7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b
- SSDEEP: 196608:ZILJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZgODKlFBqHayOclfhRQIG2c
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | family_blackmoon
  C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe | family_blackmoon
- Executes dropped EXE (2 IoCs)
  pid | process
  2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2828 | D5F24BC4FB8AC171.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  2828 | D5F24BC4FB8AC171.exe
  2828 | D5F24BC4FB8AC171.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2104 wrote to memory of 2308 | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 2104 wrote to memory of 2308 | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 2104 wrote to memory of 2308 | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 2104 wrote to memory of 2308 | 2104 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 2308 wrote to memory of 2828 | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
  PID 2308 wrote to memory of 2828 | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
  PID 2308 wrote to memory of 2828 | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
  PID 2308 wrote to memory of 2828 | 2308 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
    command line: "C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe
      command line: "C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe
  Filesize: 9.0MB
  MD5: 87c18ed11024984d6bdf0aff810c89ea
  SHA1: 9da51cac8acc292445452a4c102650c8ccfc24aa
  SHA256: 7874d03354836ea8632264c475ba3bea89b497d2fa6863b31a78372e4715d8e2
  SHA512: 3fcda14a97f6e80be600b3ef7845aaed04a6075fa410a7565c4b916c55b4107435cb5a83625f80457403b9a61901c84f7ade09cf30f639d09295fffb6cc6cf77
- C:\Users\Admin\Desktop\ħÓò.lnk
  Filesize: 1KB
  MD5: 47d6ec4744382023dd887465aeb6ac41
  SHA1: 116d548c2aa91749381d02a90935a6bdcd79d32b
  SHA256: 21cb523df4095d259fdb582c1ec21bcf8f8f172a8092eeed78dc32a47d936d88
  SHA512: cdfafa4f524f105618693fc3d9efa7d5337daf3343d946d81794281ba0eb84d51c640e01207644237dbae7a4c041b55e46eef6e52a09a3e56b19621128441bc2
- \Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Filesize: 9.5MB
  MD5: 84d7cbb723c1ba711b069377f4b54b8b
  SHA1: 0bfa62d923644a537649b34b832b6a3ceeb9333c
  SHA256: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7
  SHA512: 7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b