Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 13:35
Behavioral task
behavioral1
Sample
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe
Resource
win7-20240705-en
General
-
Target
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe
-
Size
676KB
-
MD5
bd8f6a68e9bab31cab60ac88fd307310
-
SHA1
4c6ca10b196448fd85d7979b15dda32ba23e2417
-
SHA256
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81
-
SHA512
199ac6702c5f6bb8460ff5ba3484aa1cf3455393aa9ab9ccc863571ed3a6e7b6ef335f8a7bf925f020e501f664c4561fdaa4f49a5962d712d496ad114e9af8a3
-
SSDEEP
12288:bg8fK/r8bYZYCtOhzodMDPStM8ePO2S4McLs:c8Gr8bYeCtOhzo6D2MG2Js
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1872-9-0x0000000000400000-0x00000000004B3000-memory.dmp family_blackmoon behavioral1/memory/1872-35-0x0000000000400000-0x00000000004B3000-memory.dmp family_blackmoon -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
WinDos.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WtGeVpSprPwRFFbMpZAdUn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\WtGeVpSprPwRFFbMpZAdUn" WinDos.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ZyOerf.exe aspack_v212_v242 -
Executes dropped EXE 2 IoCs
Processes:
ZyOerf.exeWinDos.exepid process 1884 ZyOerf.exe 2684 WinDos.exe -
Loads dropped DLL 4 IoCs
Processes:
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exepid process 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe 2800 -
Drops file in Program Files directory 64 IoCs
Processes:
ZyOerf.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe ZyOerf.exe File opened for modification C:\Program Files\Windows Mail\wabmig.exe ZyOerf.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe ZyOerf.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe ZyOerf.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE ZyOerf.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe ZyOerf.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe ZyOerf.exe File opened for modification C:\Program Files\Windows Mail\WinMail.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{82C9E0F7-90DB-4BC5-9338-612926653CF7}\chrome_installer.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE ZyOerf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE ZyOerf.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe ZyOerf.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ZyOerf.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe ZyOerf.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe ZyOerf.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe ZyOerf.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe ZyOerf.exe File opened for modification C:\Program Files\Windows Defender\MSASCui.exe ZyOerf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ZyOerf.execmd.exe0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.execmd.exetaskkill.exetaskkill.exetaskkill.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZyOerf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 2868 taskkill.exe 2364 taskkill.exe 2864 taskkill.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
WinDos.exepid process 2684 WinDos.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
WinDos.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeLoadDriverPrivilege 2684 WinDos.exe Token: SeDebugPrivilege 2868 taskkill.exe Token: SeDebugPrivilege 2364 taskkill.exe Token: SeDebugPrivilege 2864 taskkill.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exepid process 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.execmd.exeZyOerf.exedescription pid process target process PID 1872 wrote to memory of 1884 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe ZyOerf.exe PID 1872 wrote to memory of 1884 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe ZyOerf.exe PID 1872 wrote to memory of 1884 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe ZyOerf.exe PID 1872 wrote to memory of 1884 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe ZyOerf.exe PID 1872 wrote to memory of 2684 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe WinDos.exe PID 1872 wrote to memory of 2684 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe WinDos.exe PID 1872 wrote to memory of 2684 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe WinDos.exe PID 1872 wrote to memory of 2684 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe WinDos.exe PID 1872 wrote to memory of 2736 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe cmd.exe PID 1872 wrote to memory of 2736 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe cmd.exe PID 1872 wrote to memory of 2736 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe cmd.exe PID 1872 wrote to memory of 2736 1872 0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe cmd.exe PID 2736 wrote to memory of 2868 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2868 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2868 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2868 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2364 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2364 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2364 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2364 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2864 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2864 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2864 2736 cmd.exe taskkill.exe PID 2736 wrote to memory of 2864 2736 cmd.exe taskkill.exe PID 1884 wrote to memory of 1104 1884 ZyOerf.exe cmd.exe PID 1884 wrote to memory of 1104 1884 ZyOerf.exe cmd.exe PID 1884 wrote to memory of 1104 1884 ZyOerf.exe cmd.exe PID 1884 wrote to memory of 1104 1884 ZyOerf.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe"C:\Users\Admin\AppData\Local\Temp\0c0233485fb1b4a83c8e73d889f2bd21c5b4271b63e8343625412d97cf6ddc81.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\ZyOerf.exeC:\Users\Admin\AppData\Local\Temp\ZyOerf.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\174c3765.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\WinDos.exeC:\Users\Admin\AppData\Local\Temp\WinDos.exe C:\Users\Admin\AppData\Local\Temp\isr.sys2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\1.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM WmiPrvSE.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM WmiPrvSE.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM WmiPrvSE.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
126B
MD5a35389ee8a311570bf047f784a1680b6
SHA1f3c0aac747bbef4d349da9b843d6811fa5e6816b
SHA256c73137478dcf5132e851006476da2d90add1817cb24421027c9d6b7b3cffdafe
SHA512aa8c34ed2560139d409a96e540a825947acf95bb93606098ec24e714eb03d50d5bd3cd974de08546e5d98a859fc41864da946281ef036e06a879230d4354e207
-
Filesize
187B
MD51f09d3d6b839727b89a2d0e76d58dfd4
SHA160a09d4a0f983dfa0e076146e78fdb996865bc91
SHA2565aec79e46bea4b8536bd7a1a7dbc5c1bd35372f35415b9e257586e437817c339
SHA512779766d22e1a141e836035fac7ac1a606705d0209f75ee811422670b3e4bfbaeed6e6619fbfa79071bc0660d89d13b6c379561b822b7e50473c58b5709ec9f28
-
Filesize
134KB
MD53f69bcd2ab365cbd2ac3328b99123b83
SHA1deb65ebfe716db9eb95ce4630c4b124e9f68618f
SHA25649e79e780bdffbb236c7ec8fd08069330cf80ca37b5846f9d909631e10ebbce5
SHA512ea6c7faa6bb2e13df24e0b195e300b9cce0b8a7b67a131352dedf97d8f5166d0523a646c676d6b5e1a1a4160752a10ca8490f09f1817b916df8b175c6e71c793
-
Filesize
15KB
MD5f7d21de5c4e81341eccd280c11ddcc9a
SHA1d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA2564485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3