Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 16:56
Behavioral task behavioral1: sample Bl4ck Client.exe, resource win7-20240221-en
Behavioral task behavioral2: sample Bl4ck Client.exe, resource win10v2004-20240426-en
Behavioral task behavioral3: sample ��~�K�.pyc, resource win7-20240221-en
Behavioral task behavioral4: sample ��~�K�.pyc, resource win10v2004-20240426-en
General
Target: Bl4ck Client.exe
Size: 6.0MB
MD5: 4861a568eb379fcd43b5a0db6994f9e2
SHA1: 4a02f9bc5be0fe193c4d71be4d89553b56a1222f
SHA256: af479e34de20aa19a1214d21b9a3c1083b4d37ab1479022df49b4ce06d57938a
SHA512: 0fb058fcab917d4742fcaa72af6c33594bd088a86e41d76e402b807851c30ab7eea940de2a895b6c6db48933b51ad84628ab56937c9796fb78fbc128132b623c
SSDEEP: 98304:TrSrEtdFBCwAamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0OuAKsXw3Dw:TrSCFIwBeN/FJMIDJf0gsAGK4RXuAKsh
Malware Config
Signatures
Loads dropped DLL 1 IoCs
Processes:
pid | process
1732 | Bl4ck Client.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python310.dll | upx
behavioral1/memory/1732-23-0x000007FEF5E90000-0x000007FEF62FE000-memory.dmp | upx
Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103d4f4220b1da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D6C8F71-1D13-11EF-9C59-EAAAC4CFEF2E} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a13a251ce62c3b40adcad455e403765800000000020000000000106600000001000020000000b4dbd385407586d0d77a8a5ee9282cec2cedb17a69d97f8691a88dccfe58a2f7000000000e80000000020000200000004dda67400181eccc069175b5b2e40eb13b54a2b0da34edf9d7525982cbb351b6200000009b2fad40572bb677a5d238e1dc3a7af8cb29f3a158159e6f8b96c72ca049869d400000000b572d3cf73c22cbf2722d2ea85c6cb2ffdcd8fcae09848766972f403a2cea76b838a7c565a625cdfe63f17bf1b2f45568f2479ee1965786788b8bbd53aa3694 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff83000000000000000905000065020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
640 | iexplore.exe
640 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
640 | iexplore.exe
640 | iexplore.exe
1944 | IEXPLORE.EXE
1944 | IEXPLORE.EXE
1944 | IEXPLORE.EXE
1944 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 2004 wrote to memory of 1732 | 2004 | Bl4ck Client.exe | Bl4ck Client.exe
PID 2004 wrote to memory of 1732 | 2004 | Bl4ck Client.exe | Bl4ck Client.exe
PID 2004 wrote to memory of 1732 | 2004 | Bl4ck Client.exe | Bl4ck Client.exe
PID 640 wrote to memory of 1944 | 640 | iexplore.exe | IEXPLORE.EXE
PID 640 wrote to memory of 1944 | 640 | iexplore.exe | IEXPLORE.EXE
PID 640 wrote to memory of 1944 | 640 | iexplore.exe | IEXPLORE.EXE
PID 640 wrote to memory of 1944 | 640 | iexplore.exe | IEXPLORE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe"
  PID: 2004
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Bl4ck Client.exe"
    PID: 1732
    - Loads dropped DLL

C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID: 2592

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jawshtml.html
  PID: 640
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
    PID: 1944
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 37d67f7537e88d4af5dde3527d3d00f4
SHA1 7592ad5e992f485297e51760e8b9c092cc759b92
SHA256 d063ff6bb0432b7a59bf29947e4a9348e1e1d3190295dfeaad0e35365d7ef6c2
SHA512 961360e2b149a6ffa414520d273c54de8c0b052687a5101dbc7d59ede627c8fce14251795acfc9d77f5adc6912b5f6f7fbc6c6498796ed7801e60802fa3fa644

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 58eb6e65d8e0d35a29db9007705810c5
SHA1 760cbace47728ca82b69b8c9f6050b5aa16ba65c
SHA256 cdbf1ca5d6ccca0637b8491c350cf8a25ab05fcbf87bd9b60bc68c46a185e757
SHA512 d75a0f1b5a37db65be65c759efa2ce46e8b16c421f353c1e73f0e3239b73fd4baeb68884c6b58387fc9599e444132a9354738ddb283ff76815864a9d28e9d6b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 32fc955f9ba7ac6487990331974c8960
SHA1 fe384c6d73ec3c7c9f3d61f6f26a1cf1d6175685
SHA256 e250c060482dc976f021a831b75913c5aeed8c5b573825ed67f88c9533ff4111
SHA512 06dc5cf3965c15d3852805387273c6af32f76ef280555e6bb14fa5086dbcfc3616b2c4f39586784b9ca6e8c1e4f9f6fcde17b066713ca727f3613db8fa6c371e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 de3958a5f53886eefde818bbae660716
SHA1 c44f687b6ca957697dde7df4ba0b44f97a992437
SHA256 9a8e227da71f002801cd90245b31756c1f75bc0f8494c943082355d37cb9c3ac
SHA512 88586b5947633f49668002c5103bc0641ca6dcb336f37aaf61b202ec91f318b35bdf8aed280e150468abfe159955ead71b961782f73868ace7f208c71355a8ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 70d665fe417129cbf5a439d61a74a559
SHA1 eb33ae7dd1a235e9f26681004d46346c8f31e938
SHA256 c1494bcc7f5f9daf2026ee0beb858bc1ad75d3da01f0aaec677d57b9fe23f125
SHA512 4de959b24bbc1e751ccb28bc21e599e828577a6ba7f8291621feb4a7cd67f9dbbc76b61974728121c2d80468866ce0b16a0b5fdc85a7dc58658233057408b167

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ec59b8c8ef755f27394e272d815a2814
SHA1 e0d246dc0241311ed2e905bc011333a4b45ca999
SHA256 aecd437929acd0c4a19c48828bb69b03693f212caf42affc9512c7bde6f3ea97
SHA512 8348d04adc4c36964c90e176f018b2a6f0d91397aeb33549a1c4ed99395adba26a14da32af650cd54c180222f655a00818d4788734f4335a17c95a9a7b37a01d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f616fa6d0c12aea1336f2ac0e0bf958b
SHA1 b3b11971ed1ba954b9f28d3e8ebaaeffacacdce1
SHA256 e4dd5ecc593b5c58db3164eb5c7ebc0a5d7d132c0809b9056e87eded37c791b8
SHA512 0140e58107761929b023f941820fab8137e8e8c03a105531a381e83bd8e5c3780e3fc799ca2f842b943f072d136918fdff42c6357916867033958656890688f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 71811c48a77ee80c58f0d946c136e5ba
SHA1 b588bfab44681e17a079452646d6f140d7c8e161
SHA256 38d6b08297e25a5454deece3c2293e1e01ec4080044e786addd4a9ba60acdfcd
SHA512 ffab05b75e7bd889d00508e65903ce5b73c4e3eb8494f82a4d4cbdff9b55a819eba09c26b6d1eaa1f83efcce77e20d232eb347b36325d3aac9f37fab84dd6d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2e22ba8ca6f0ecf7736a1dd702d1efa0
SHA1 e9e01eb55f8be00c5184283edaf1c6fd9373f65a
SHA256 e86d1f0c9f41b2a5d734fd42d6f807cfd2acdfb304c20e8046f4afe120f7e771
SHA512 28b1279cd666c09193b20d0f1cdde95f31bcbc637491f9f437951eeb0b1ad887a0d4b9439cb7a388ddedd6a1032b10211cdf39976e362e613909f5d0d05b37ea

Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize 1.4MB
MD5 178a0f45fde7db40c238f1340a0c0ec0
SHA1 dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA256 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA512 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Filesize 16KB
MD5 15aad910cf595076ee1de571b9dc4140
SHA1 11947e4258586910e334857c9c6e20b16f54dcde
SHA256 3e538541c5ffbcc783ff7ef0ae7113a5732811e17011eea03881c291cdeac1fe
SHA512 ac2aa117aa27fab9ad9c67e0ba8f646fc778738ae656952dfa19df9f31cc164aa1d271ba8188a99509d53a3866b8164f64857b1e97a10dec20a65e4ba014c9f5