Analysis Overview
SHA256
a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a
Threat Level: Known bad
The file a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon family
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 03:32
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 03:32
Reported
2024-06-20 03:35
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Media\xminfo.wav | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe
"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| HK | 154.204.58.230:1010 | | tcp |
| US | 8.8.8.8:53 | t.pcpcg.com | udp |
Files
\ÌìÁúСÃÛ\ÔËÐÐÎļþ\QYCJ.dll
| MD5 | 54da9cb20347baec926b6678f8efb3ab |
| SHA1 | 18ca10861aa561c56666270cca7fd44c73c28d72 |
| SHA256 | 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390 |
| SHA512 | e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b |
memory/1476-31-0x0000000004301000-0x00000000045DC000-memory.dmp
memory/1476-29-0x0000000004290000-0x00000000048DC000-memory.dmp
memory/1476-32-0x0000000004290000-0x00000000048DC000-memory.dmp
memory/1476-33-0x0000000004290000-0x00000000048DC000-memory.dmp
memory/1476-28-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/1476-26-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/1476-24-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/1476-42-0x0000000004290000-0x00000000048DC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 03:32
Reported
2024-06-20 03:35
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Media\xminfo.wav | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe
"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| HK | 154.204.58.230:1010 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | t.pcpcg.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\ÌìÁúСÃÛ\ÔËÐÐÎļþ\QYCJ.dll
| MD5 | 54da9cb20347baec926b6678f8efb3ab |
| SHA1 | 18ca10861aa561c56666270cca7fd44c73c28d72 |
| SHA256 | 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390 |
| SHA512 | e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b |
memory/4960-27-0x0000000005A71000-0x0000000005D4C000-memory.dmp
memory/4960-28-0x0000000002F80000-0x0000000002F81000-memory.dmp
memory/4960-31-0x0000000005A00000-0x000000000604C000-memory.dmp
memory/4960-32-0x0000000005A00000-0x000000000604C000-memory.dmp
memory/4960-42-0x0000000005A00000-0x000000000604C000-memory.dmp
memory/4960-43-0x0000000005A71000-0x0000000005D4C000-memory.dmp