Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-05-2024 18:50
Behavioral task
behavioral1
Sample
10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe
Resource
win7-20240221-en
General
-
Target
10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe
-
Size
2.7MB
-
MD5
78f859499e7ee0089583258a0815c4ca
-
SHA1
5bb211d3902e4bbf7b516634c6f531beb8e704e6
-
SHA256
10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799
-
SHA512
5a42e6445f36288c09631d02d62775aeb454a6a55e397ad667c33bd481fe2097d70b81a7b952f1b0a4309107f39f4e798f4d3e211c6d45a3f38805ccdac3df10
-
SSDEEP
49152:ROMNT+hOy1U8EkTYN/KXeqpomFsE01zdBST1Ws:EMNChj1U8MN/KXeOFs7OWs
Malware Config
Signatures
-
Detect Blackmoon payload 1 IoCs
resource: C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS
yara_rule: family_blackmoon -
Executes dropped EXE 1 IoCs
Processes:
pid 4672  FOJBGT.EZS -
Loads dropped DLL 2 IoCs
Processes:
pid 4672  FOJBGT.EZS (2 DLL loads) -
Drops file in System32 directory 2 IoCs
Processes:
File created: C:\Windows\SysWOW64\ESPI11.dll  (process FOJBGT.EZS)
File opened for modification: C:\Windows\SysWOW64\ESPI11.dll  (process FOJBGT.EZS) -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid 4672  FOJBGT.EZS (60 process-enumeration events) -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 3612  10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe (2 hooks)
pid 4672  FOJBGT.EZS (2 hooks) -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 3612 (10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe) wrote to memory of PID 4672 (FOJBGT.EZS)  (3 writes)
PID 4672 (FOJBGT.EZS) wrote to memory of PID 3860 (netsh.exe)  (3 writes)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS
        command line: "C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            command line: netsh winsock reset
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FOJBGT.EZS
Filesize 2.7MB
MD5 dd1c9b981d5e0877fa6922cbdc8fb38b
SHA1 4d9f0f6b1d5a382d5abed45c78ffdec7a5823736
SHA256 15eccfb33746d01a86b7b49c334b6ba665338c8893dacd7a8b37cd69dc53d803
SHA512 2ea7141f75eaba769e7306c6287e0f57d21b9e4af4ef8e7159686c908cf35a940e340130bdde4b5befd534bffa5ac236702f33313ca9d34b5fcbaad8ed3f384a
-
C:\Windows\SysWOW64\ESPI11.dll
Filesize 120KB
MD5 c3adbb35a05b44bc877a895d273aa270
SHA1 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256 b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc