Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 03:43
Behavioral task: behavioral1
Sample: af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
Resource: win7-20240221-en
General
Target: af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
Size: 9.5MB
MD5: 4c4e65fb7303955f343adba2108efe41
SHA1: de0d983e60a012bcb207e946053b994a619058b1
SHA256: af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab
SHA512: ba4cf5655e2d04606aabe28ecc87d3aa213722b7fb207089b75c5f729e9a0f7a081e9e76f63ac3704c13d765c78b90f912149bd63812b7d4c38568b0b417ee35
SSDEEP: 196608:JQOJcDKlFBqkwDxURK8vyqByLdlf3hRQIgLKNN:JZODKlFBqHayOclfhRQIG2N
Malware Config
Signatures

Detect Blackmoon payload (3 IoCs)
resource / yara_rule:
- \Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe: family_blackmoon
- C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe: family_blackmoon
- \Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe: family_blackmoon
The listed matches are on the dropped copies under AppData\Roaming, so the dropped-file hashes in Downloads below are hunt indicators in their own right, not only the submitted sample's hash. The directory name Ì츮¼¤Çé appears to be a multi-byte (GBK-range) name that the report has rendered as Latin-1; match on the raw bytes or on the "executable running from a non-ASCII subdirectory of AppData\Roaming" pattern rather than on this spelling.

Executes dropped EXE (2 IoCs)
pid / process:
- 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 2672 577B781B16B43518D26314CEA1E10DB3.exe

Loads dropped DLL (3 IoCs)
pid / process:
- 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- Token: SeDebugPrivilege, 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- Token: SeDebugPrivilege, 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- Token: SeDebugPrivilege, 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- Token: SeDebugPrivilege, 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
Both the original copy in Temp (1692) and the relocated copy in Roaming (1936) enable SeDebugPrivilege, the token right that lets a process open handles to processes it does not own.

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / process:
- 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid / process:
- 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid / process:
- 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- 2672 577B781B16B43518D26314CEA1E10DB3.exe
- 2672 577B781B16B43518D26314CEA1E10DB3.exe
SetWindowsHookEx installs window-message hooks (keyboard hooks among them); the hook type is not recorded in this report, so the signature on its own says only that hooks were installed.

Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / process / target process:
- PID 1692 wrote to memory of 1936: 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- PID 1692 wrote to memory of 1936: 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- PID 1692 wrote to memory of 1936: 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- PID 1692 wrote to memory of 1936: 1692 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
- PID 1936 wrote to memory of 2672: 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> 577B781B16B43518D26314CEA1E10DB3.exe
- PID 1936 wrote to memory of 2672: 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> 577B781B16B43518D26314CEA1E10DB3.exe
- PID 1936 wrote to memory of 2672: 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> 577B781B16B43518D26314CEA1E10DB3.exe
- PID 1936 wrote to memory of 2672: 1936 af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe -> 577B781B16B43518D26314CEA1E10DB3.exe
Each parent writes exactly four times into the child it has just created and the report lists no remote-thread or process-hollowing signature, which is consistent with the parent setting up a new child process rather than injecting into an existing one. The finding worth acting on is the chain itself: the Temp copy relaunches a copy of itself from AppData\Roaming, and that copy then runs a second dropped executable from the same directory.
Processes
C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe (level 1, PID 1692)
command line: "C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe (level 2, PID 1936, child of 1692)
  command line: "C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe (level 3, PID 2672, child of 1936)
    command line: "C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
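The process tree above is easier to reason about, and to turn into hunt logic, once the "wrote to memory of" records are rebuilt into parent/child edges and each edge is labelled by what the two image paths say about it. The script below does that for this report. It is an added example written for this page, not tooling from the sandbox or code from the sample; the PID-to-path table and the eight write records are transcribed from the report, and the edge labels ("self-copy relaunch", "sibling drop in same directory") are this example's own heuristics, not the sandbox's classification.

```python
"""Rebuild the parent/child chain from a sandbox report's WriteProcessMemory
records and derive hunt indicators from the image paths.

Added example for this page; not part of the sandbox report or the sample."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed from the report's 'Processes' section: PID -> image path.
PROCESSES = {
    1692: r"C:\Users\Admin\AppData\Local\Temp\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe",
    1936: r"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe",
    2672: r"C:\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\577B781B16B43518D26314CEA1E10DB3.exe",
}

# Constructed from the 'Suspicious use of WriteProcessMemory' records
# (description column only; writer and target images follow from the PIDs).
WRITE_EVENTS = """\
PID 1692 wrote to memory of 1936
PID 1692 wrote to memory of 1936
PID 1692 wrote to memory of 1936
PID 1692 wrote to memory of 1936
PID 1936 wrote to memory of 2672
PID 1936 wrote to memory of 2672
PID 1936 wrote to memory of 2672
PID 1936 wrote to memory of 2672
"""

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_write_events(text):
    """Return one (writer_pid, target_pid) tuple per record."""
    return [(int(a), int(b)) for a, b in EVENT_RE.findall(text)]


def build_tree(events):
    """Map child -> parent (the first PID that wrote into it) and count writes per edge."""
    parent = {}
    for src, dst in events:
        parent.setdefault(dst, src)
    return parent, Counter(events)


def chain_to_root(pid, parent):
    """Ancestry of pid, root first."""
    lineage = [pid]
    while lineage[-1] in parent:
        lineage.append(parent[lineage[-1]])
    return lineage[::-1]


def classify_edge(parent_img, child_img):
    """Heuristic label for a parent->child edge, from the two image paths only."""
    p, c = PureWindowsPath(parent_img), PureWindowsPath(child_img)
    if p.name.lower() == c.name.lower() and p.parent != c.parent:
        return "self-copy relaunch"            # same binary name, new location
    if p.parent == c.parent:
        return "sibling drop in same directory"  # child lives beside its parent
    return "child process"


def staging_dirs(processes):
    """Directories under AppData\\Roaming that executed code ran from (hunt indicator)."""
    return {
        str(PureWindowsPath(img).parent)
        for img in processes.values()
        if "\\appdata\\roaming\\" in img.lower()
    }


def summarize(processes, events):
    """One (parent_pid, child_pid, write_count, label) row per edge, ordered by child PID."""
    parent, counts = build_tree(events)
    return [
        (parent[child], child, counts[(parent[child], child)],
         classify_edge(processes[parent[child]], processes[child]))
        for child in sorted(parent)
    ]


if __name__ == "__main__":
    events = parse_write_events(WRITE_EVENTS)
    for par, child, n, label in summarize(PROCESSES, events):
        print(f"{par} -> {child}: {n} writes, {label}")
    print("chain:", " -> ".join(map(str, chain_to_root(2672, build_tree(events)[0]))))
    print("staging dirs:", staging_dirs(PROCESSES))
```

Run as-is it prints the two edges with their write counts and labels, the root-to-leaf chain 1692 -> 1936 -> 2672, and the Roaming subdirectory both dropped executables ran from. Write counts are carried through but deliberately not used as an injection signal: the labels come from the paths, which is where the behaviour in this report actually shows.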
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.6MB
MD5: ea19bf9f47d2608536b727009e1656bf
SHA1: 057b7295cd114d29f7850219ac2d7e3345ea8cbb
SHA256: 277402646f33acd8cc2c671044f60f71678cfa9664a450a2784d3dbb116c4328
SHA512: 25f3b3d6c7931823046e5b8be6388f5d64f06989383c6445a70ccffcc5fd3e13a01a97b859eb835468d0eb30dfc9e3afc2905cf3ddb6527ec60469131d59174c

Filesize: 1KB
MD5: 58b93c3ea5cae739341a35cfc9ad9913
SHA1: b52ae60d6e5e0c596a3c2a67e4eb8e3bffb63263
SHA256: 135844a7e956799ebd5cb74a91bd5c130fde42aba98cb2da0d2fec8921b806cd
SHA512: ea648c94eda34520aa0522c65140611760d26db79f2830837fbe31c82750878cf83d469385a8d5bba3933b561e0bf5e628dd3b579328ae32a32ab487fb374f3a

Filesize: 6.3MB
MD5: 24f33d75b01f0b81a0e9f98551c483f2
SHA1: 6f217bf5025cfb69d65f28c08c16d97ae5f6c926
SHA256: b50fe6dfd6db993906d16c6645bf378f8c34894d49456ba5fce1ccf6d11cdcf8
SHA512: 9601ed152c8d2c9fdbf2e710ff71f106e69210957c65ea7227a40f5d3ce4771c6b8798baaeecba99b17e2fc69571114181db95e1777ee707f975a1665a44376e

\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
Filesize: 2.8MB
MD5: 345249335a7c76d74167220ff2ba174c
SHA1: ff77a6bf471762b2f5977421ad87e9ee0fbac5d8
SHA256: e704e4986c00df2273a2e518e0e1501f978012e30d1c76e6caafc20a8f99115f
SHA512: 685eb287b6e0a444b1ab6c786d78b8192e364a72cdc2cd8b04980be4540e826cc19cb235c23a0e1851522360003f0168de4e1b0ed3f2dba3ceaaad85391bad9f

\Users\Admin\AppData\Roaming\Ì츮¼¤Çé\af08ef344a5810ffe4a633cd69d19fd88985ec45ef47b5bc73c6ff95c2321dab.exe
Filesize: 6.8MB
MD5: 0b63a5a045d0a417272cd9db1472e76b
SHA1: 6131e93e5a834d9cee1fae2291587d51e310a1a1
SHA256: f5c6d1a192b1e6aac61cc5ba935b88080b4d0bf72bfa38f9a942b2e719613830
SHA512: 97e913567012eed258c6b7d4170d32b1289e8438c8568a9adf3c7960a0ac590361e70d537578d74842465dbe502ae7068f7ead5c4e2847f906a518563417638d

The same dropped path is recorded twice with different sizes (2.8MB and 6.8MB) and different hashes, and neither matches the 9.5MB submitted file. The report does not say which capture reflects the final on-disk contents, so treat both hash sets as indicators for that path and hash the file yourself if you recover it from a host. The first three entries carry no path in the report as extracted.