Analysis

max time kernel: 149s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 01:52
Behavioral task: behavioral1
Sample: a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe
Resource: win7-20240419-en
General

Target: a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe
Size: 92KB
MD5: 813874e8444595219cfae82f3a61de65
SHA1: 385d5b25ca8a0cde312df93d2cf61cb369f5341e
SHA256: a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9
SHA512: b15bf917049352e8eafe33295e3bf257206205f2342d0c050d8481a23eb2c94baa43e3c693d2c17263672dbc64c5cb255925940c128c1435ed3644534768ef76
SSDEEP: 1536:Q/vTGudTe5k4Lo8KI2Z4yNcR5Mpk7WO9f2zXGYxTIx9JL8IoQ6CqZphk4:Q/bhOrBKIq4XR5Mpp+fw2CIx9JLYpk4
Malware Config
Signatures

Detect Blackmoon payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
- behavioral2/memory/4176-4-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
- behavioral2/memory/4176-16-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
- behavioral2/memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
UPX dump on OEP (original entry point) (6 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/4176-0-0x0000000000400000-0x000000000047F000-memory.dmp  UPX
- behavioral2/memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp  UPX
- behavioral2/memory/4176-4-0x0000000000400000-0x000000000047F000-memory.dmp  UPX
- C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe  UPX
- behavioral2/memory/4176-16-0x0000000000400000-0x000000000047F000-memory.dmp  UPX
- behavioral2/memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp  UPX
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence (the sample decides whether to run based on the victim's configured locale). Caveat: this GeoID value is also read by ordinary localization code, so the hit on its own is weak evidence; it carries weight here only together with the dropped copy, the self-deletion and the cross-process writes reported below.
Processes (process / description / ioc):
- a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe: key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
Processes (pid / process):
- 2232  Syslemlfgdr.exe
Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2232  Syslemlfgdr.exe
Processes (resource / yara_rule):
- behavioral2/memory/4176-0-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- behavioral2/memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- behavioral2/memory/4176-4-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe  upx
- behavioral2/memory/4176-16-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- behavioral2/memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process), repeated entries collapsed:
- 4176  a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe  (16 entries)
- 2232  Syslemlfgdr.exe  (48 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
- PID 4176 wrote to memory of 2232  4176  a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe  Syslemlfgdr.exe
- PID 4176 wrote to memory of 2232  4176  a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe  Syslemlfgdr.exe
- PID 4176 wrote to memory of 2232  4176  a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe  Syslemlfgdr.exe
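The memory-dump names in the signatures above encode the task, PID, dump sequence number and the dumped virtual range, and the WriteProcessMemory entries encode a source and target PID. The following is an added example (not part of this report or of any sandbox's own code) that parses both formats into a per-PID view: which YARA rules hit which process, how many cross-process writes occurred between which PIDs, and which PIDs share an identical dumped image range. The input lists are copied from this report; the regular expressions and the `Region` type are this example's own assumptions about the naming scheme, not a documented sandbox format.

```python
"""Added example: parse sandbox memory-dump and WriteProcessMemory IoCs
into a per-PID view. The name pattern is an assumption inferred from the
IoC strings in this report, not a documented format."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: (dump name, matching yara rule) pairs and the
# WriteProcessMemory lines, copied from the signatures section above.
MEMORY_IOCS = [
    ("behavioral2/memory/4176-0-0x0000000000400000-0x000000000047F000-memory.dmp", "UPX"),
    ("behavioral2/memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp", "UPX"),
    ("behavioral2/memory/4176-2-0x0000000000400000-0x000000000047F000-memory.dmp", "family_blackmoon"),
    ("behavioral2/memory/4176-4-0x0000000000400000-0x000000000047F000-memory.dmp", "family_blackmoon"),
    ("behavioral2/memory/4176-16-0x0000000000400000-0x000000000047F000-memory.dmp", "family_blackmoon"),
    ("behavioral2/memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp", "family_blackmoon"),
    ("behavioral2/memory/2232-18-0x0000000000400000-0x000000000047F000-memory.dmp", "UPX"),
]
WRITE_IOCS = ["PID 4176 wrote to memory of 2232"] * 3

# Assumed layout: <task>/memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


@dataclass
class Region:
    """One dumped virtual range of one process, plus the rules that hit it."""
    task: str
    pid: int
    seq: int
    start: int
    end: int
    rules: set = field(default_factory=set)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump IoC: {name!r}")
    return Region(m["task"], int(m["pid"]), int(m["seq"]),
                  int(m["start"], 16), int(m["end"], 16))


def build_process_view(memory_iocs, write_iocs):
    """Group rule hits per (pid, dump seq) and count cross-process writes."""
    regions = {}
    for name, rule in memory_iocs:
        r = parse_dump_name(name)
        # Same dump named by several rules: merge the rule names, keep one Region.
        regions.setdefault((r.pid, r.seq), r).rules.add(rule)
    writes = defaultdict(int)
    for line in write_iocs:
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError(f"not a WriteProcessMemory IoC: {line!r}")
        writes[(int(m["src"]), int(m["dst"]))] += 1
    return regions, dict(writes)


def rules_per_pid(regions):
    """Union of rule hits over all dumps of each PID."""
    out = defaultdict(set)
    for r in regions.values():
        out[r.pid] |= r.rules
    return dict(out)


def shared_image_ranges(regions):
    """(base, size) ranges dumped from more than one PID: the same image
    mapped in two processes, as when a dropper runs a copy of itself."""
    by_range = defaultdict(set)
    for r in regions.values():
        by_range[(r.start, r.size)].add(r.pid)
    return {k: v for k, v in by_range.items() if len(v) > 1}


if __name__ == "__main__":
    regions, writes = build_process_view(MEMORY_IOCS, WRITE_IOCS)
    for (pid, seq), r in sorted(regions.items()):
        print(f"pid {pid} dump {seq}: 0x{r.start:X}-0x{r.end:X} "
              f"({r.size} bytes) {sorted(r.rules)}")
    for (src, dst), n in writes.items():
        print(f"pid {src} -> pid {dst}: {n} WriteProcessMemory IoCs")
    print("shared image ranges:", shared_image_ranges(regions))
```

On this report's input the view shows both PIDs carrying the same 0x400000-0x47F000 range (0x7F000 bytes) with both the UPX and the family_blackmoon rules, and three writes from 4176 into 2232; together with the "Executes dropped EXE" and "Deletes itself" hits that is the picture of a packed dropper launching a copy of itself from %TEMP% and then removing the original.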
Processes

1. C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a5391f367b0b4aa3b822de7c55bdeb2f4876df4cba2b3a718c3cf68273b35ac9.exe"
   PID: 4176
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe (child of PID 4176)
      command line: "C:\Users\Admin\AppData\Local\Temp\Syslemlfgdr.exe"
      PID: 2232
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 92KB
  MD5: ca4212d2b370fbd82141e254bc51bf72
  SHA1: f917535ad47c49aaed46d1418f79a339fb242133
  SHA256: 4ae11d7632687b9beb3128dda5a54e95ca020ac62a26d6ae8be2a0560df1ef7d
  SHA512: 7bcb85d712cd166d50b874c5d6108b1e258ab31f0910a12dfd8b4b9241489cf27077cb134d2b2a089c66ec6bf86f077fdadded1fe75bd5542ce6ce5d9d48d127
- Filesize: 102B
  MD5: 4ef3e771343e96efe159584d3443e44d
  SHA1: c35cdf799d3050a312d82463240562af56e1efdd
  SHA256: d90999f33e57288fcb6d7a7de2374cc540597af60ae31f264cfaa1443ec31559
  SHA512: 0a95b2bed81717095bd6ee0e3a428ce9a9d128cabcddb8c872ef49c713e4ee3f0b193cee8dc7be0e8a5310166ad81311abcc82154e4788a83234ef5137ba2beb