Analysis
max time kernel: 91s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2024 08:58
Behavioral task: behavioral1
Sample: 1f0754128f1fd32781886c3d9e7dc138.exe
Resource: win7-20240708-en
General
Target: 1f0754128f1fd32781886c3d9e7dc138.exe
Size: 475KB
MD5: 1f0754128f1fd32781886c3d9e7dc138
SHA1: 91170c5fd52ea3b5aa77c4b746d0781b3b195a6d
SHA256: e5bcef72212f77a5390675d5fc24433af0e682db535969894f967a409eefb8aa
SHA512: 38ec7ead85e45b82c02420da71f0bed58fc199f658f9b2fb7f0a164f5a26dc4ed9e5de7084e7380a3dcc9bfd3be214fbebb3cfb2a316b1d37cee1acbd4116afa
SSDEEP: 12288:EfqiJSvtZDd4YQp7T8BPZ0T9XG1rVBbtpIwaDoS8:GqiWfvQpX8T0h2r/b/IDK
Malware Config
Signatures
Detect Blackmoon payload 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/4392-1-0x0000000000400000-0x00000000004C4000-memory.dmp  family_blackmoon
Processes:
resource                                                                    yara_rule
behavioral2/memory/4392-0-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
behavioral2/memory/4392-1-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
2360  sc.exe
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
3224  4392        WerFault.exe  1f0754128f1fd32781886c3d9e7dc138.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                         process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1f0754128f1fd32781886c3d9e7dc138.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
4392  1f0754128f1fd32781886c3d9e7dc138.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                       pid   process                               target process
PID 4392 wrote to memory of 1388  4392  1f0754128f1fd32781886c3d9e7dc138.exe  cmd.exe
PID 4392 wrote to memory of 1388  4392  1f0754128f1fd32781886c3d9e7dc138.exe  cmd.exe
PID 4392 wrote to memory of 1388  4392  1f0754128f1fd32781886c3d9e7dc138.exe  cmd.exe
PID 1388 wrote to memory of 2360  1388  cmd.exe                               sc.exe
PID 1388 wrote to memory of 2360  1388  cmd.exe                               sc.exe
PID 1388 wrote to memory of 2360  1388  cmd.exe                               sc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1f0754128f1fd32781886c3d9e7dc138.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0754128f1fd32781886c3d9e7dc138.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4392
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c sc config "UxSms" start= demand
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1388
    C:\Windows\SysWOW64\sc.exe
      Command line: sc config "UxSms" start= demand
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 2360
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 536
    - Program crash
    PID: 3224
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4392 -ip 4392
  PID: 396