Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26/05/2024, 09:13
Static task
static1
Behavioral task
behavioral1
Sample
2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe
Resource
win7-20240221-en
General
-
Target
2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe
-
Size
3.9MB
-
MD5
05610aaec5183a6b37fb1b0177ef3110
-
SHA1
42ff8165d48ebd81e449c90bfeaf808366ca9745
-
SHA256
2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5
-
SHA512
59269b02ca6eaba7ad9895a94ceb7278f51b7a90f9aba5209b67865a477c4cc09d4724dbb2054209a8078c630de64f79039994011cf6c84009a586af19cff146
-
SSDEEP
98304:8iJM4l7QGx7D9q6j/IrxIdowPAnY41w/9v65VinbzJNB7I:8x4icCxNY41w/9v6biLd
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
resource yara_rule behavioral1/memory/2240-37-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-40-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-41-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-42-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-43-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-44-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-45-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-46-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-49-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-50-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-51-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-54-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-55-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-58-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-59-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-62-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-63-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-66-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-67-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-70-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon behavioral1/memory/2240-71-0x0000000000400000-0x00000000010A6000-memory.dmp family_blackmoon -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Loads dropped DLL 1 IoCs
pid Process 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe Token: SeDebugPrivilege 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe Token: SeDebugPrivilege 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe Token: SeDebugPrivilege 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe 2240 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
724KB
MD5e60421fdd78fd5c62f7188055202e055
SHA130874f0a03f409231e8b64be2d76ba9a92c82f31
SHA256aa8bc94c32576e87db8fc327c1103441966380e3e1da30303ce05df40687dd41
SHA512c348fe342c5299b90da1f325a8a3a1defd6bf0da555af0d5bdfd5f1dde7ac871316932fd9fba67feebf2f31ee6978fc63547d3c3317b9c39f9777cf66608460b