Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 13:03
Behavioral task: behavioral1
Sample: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Resource: win7-20240221-en
General

Target: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
Size: 9.5MB
MD5: 84d7cbb723c1ba711b069377f4b54b8b
SHA1: 0bfa62d923644a537649b34b832b6a3ceeb9333c
SHA256: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7
SHA512: 7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b
SSDEEP: 196608:ZILJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNc:ZgODKlFBqHayOclfhRQIG2c
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | family_blackmoon
  C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe | family_blackmoon

Executes dropped EXE (2 IoCs)
  pid | process
  3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  5104 | D5F24BC4FB8AC171.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Token: SeDebugPrivilege | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  5104 | D5F24BC4FB8AC171.exe
  5104 | D5F24BC4FB8AC171.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 60 wrote to memory of 3872 | 60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 60 wrote to memory of 3872 | 60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 60 wrote to memory of 3872 | 60 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  PID 3872 wrote to memory of 5104 | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
  PID 3872 wrote to memory of 5104 | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
  PID 3872 wrote to memory of 5104 | 3872 | 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe | D5F24BC4FB8AC171.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
      command line: "C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe
         command line: "C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe"
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Roaming\ħÓò\7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7.exe
  Filesize: 9.5MB
  MD5: 84d7cbb723c1ba711b069377f4b54b8b
  SHA1: 0bfa62d923644a537649b34b832b6a3ceeb9333c
  SHA256: 7cfb7138be4950b3cbe5df14e77c5f2dfc41ddc856c3354ad5d121ea2441afc7
  SHA512: 7950226be8800beddda43e43613711fb5f37233af41a0ff3fbaa592c1905052c51f719d293e844246fed4918151d7b6886c1868d03513bcedefebde230330d4b

C:\Users\Admin\AppData\Roaming\ħÓò\D5F24BC4FB8AC171.exe
  Filesize: 9.0MB
  MD5: 87c18ed11024984d6bdf0aff810c89ea
  SHA1: 9da51cac8acc292445452a4c102650c8ccfc24aa
  SHA256: 7874d03354836ea8632264c475ba3bea89b497d2fa6863b31a78372e4715d8e2
  SHA512: 3fcda14a97f6e80be600b3ef7845aaed04a6075fa410a7565c4b916c55b4107435cb5a83625f80457403b9a61901c84f7ade09cf30f639d09295fffb6cc6cf77

C:\Users\Admin\Desktop\ħÓò.lnk
  Filesize: 1KB
  MD5: ebfd609f773be4d9a5170dd491930c16
  SHA1: f01d1e3a9083f5b8459d0c3dd11ad4d837a864fb
  SHA256: e9db302dd77aa9bbefef2b84e709fae0f2a01aeeba8e98b928c4154fbc64541a
  SHA512: 01faeeb43968206c6f6d6cbb61ff17dd0e328949e97be41d1b3d496a4c0fadf958c982228ee239c2ad50362574ae610420c43841877aa72a3c62b2ddb2254b39