Malware Analysis Report

2024-11-16 13:52

Sample ID 240620-d3zbnawfma
Target a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a
SHA256 a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a
Tags
blackmoon
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a

Threat Level: Known bad

The file a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a was found to be: Known bad.

Malicious Activity Summary

blackmoon

Detect Blackmoon payload

Blackmoon family

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:32

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:32

Reported

2024-06-20 03:35

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\xminfo.wav C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe

"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"

Network

Country Destination Domain Proto
HK 154.204.58.230:1010 tcp
US 8.8.8.8:53 t.pcpcg.com udp

Files

\ÌìÁúСÃÛ\ÔËÐÐÎļþ\QYCJ.dll

MD5 54da9cb20347baec926b6678f8efb3ab
SHA1 18ca10861aa561c56666270cca7fd44c73c28d72
SHA256 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390
SHA512 e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

memory/1476-31-0x0000000004301000-0x00000000045DC000-memory.dmp

memory/1476-29-0x0000000004290000-0x00000000048DC000-memory.dmp

memory/1476-32-0x0000000004290000-0x00000000048DC000-memory.dmp

memory/1476-33-0x0000000004290000-0x00000000048DC000-memory.dmp

memory/1476-28-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1476-26-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1476-24-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1476-42-0x0000000004290000-0x00000000048DC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:32

Reported

2024-06-20 03:35

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Media\xminfo.wav C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe

"C:\Users\Admin\AppData\Local\Temp\a8c04a9b2f313779678e0670db2e91a2e10185af4ae4efac1d8e814d8345158a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
HK 154.204.58.230:1010 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 t.pcpcg.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

C:\ÌìÁúСÃÛ\ÔËÐÐÎļþ\QYCJ.dll

MD5 54da9cb20347baec926b6678f8efb3ab
SHA1 18ca10861aa561c56666270cca7fd44c73c28d72
SHA256 038675d5ee0b22a17a12646ba9cf3fcffd0a2acfb712c1953102671774a82390
SHA512 e4608ef1875e2dd46c1352d5e750178ce439725a6b190d37a14decb7e960428841ea3ef5e17488226f9bcfc6d58793cb254f142ba4f54cd316c9cbee50cae77b

memory/4960-27-0x0000000005A71000-0x0000000005D4C000-memory.dmp

memory/4960-28-0x0000000002F80000-0x0000000002F81000-memory.dmp

memory/4960-31-0x0000000005A00000-0x000000000604C000-memory.dmp

memory/4960-32-0x0000000005A00000-0x000000000604C000-memory.dmp

memory/4960-42-0x0000000005A00000-0x000000000604C000-memory.dmp

memory/4960-43-0x0000000005A71000-0x0000000005D4C000-memory.dmp