Analysis

max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 13:56
Behavioral task: behavioral1
  Sample: 20240825ec380602cd1815803a71fe93c54638bficedid.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 20240825ec380602cd1815803a71fe93c54638bficedid.exe
  Resource: win10v2004-20240802-en
General

Target: 20240825ec380602cd1815803a71fe93c54638bficedid.exe
Size: 3.4MB
MD5: ec380602cd1815803a71fe93c54638bf
SHA1: c9e526d15cef4cdb8cd853a66adb7cc240446c90
SHA256: 902cea489e8363193904fd6dca8b5d4939d1e00fbfa2a7fad7c8cf9288098d27
SHA512: 75fdb0555adb9f15c6f079a54e1792768b1d6faf7a2db00c5c3fd2f63bf4a4d66afe08c0236a5420ceeecff5099960eccedbdcb3b03e3a561dd99d3291d152f1
SSDEEP: 49152:8Xt3tH1bHKHZd/fcB2gZvckHgWCWXTE7TqEvA6VbpNPJvyteA9Zgi7cdEG:y9VbHK5eGkHgW7XTRERxJasQi
Malware Config
Signatures

Detect Blackmoon payload (50 IoCs)
  resource: behavioral1/memory/2020-<n>-0x0000000000400000-0x00000000007AB000-memory.dmp (50 memory dumps of PID 2020, dump sequence numbers n from 26 to 141, all covering the same 0x0000000000400000-0x00000000007AB000 region)
  yara_rule: family_blackmoon
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification; ioc: \??\PHYSICALDRIVE0; Process: calc.exe
Drops file in System32 directory (1 IoCs)
  description: File created; ioc: C:\Windows\SysWOW64\curl.exe; Process: calc.exe
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2672 set thread context of 2020; pid: 2672; Process: 20240825ec380602cd1815803a71fe93c54638bficedid.exe; procid_target: 30
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 20240825ec380602cd1815803a71fe93c54638bficedid.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: calc.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: WMIC.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid: 2672; Process: 20240825ec380602cd1815803a71fe93c54638bficedid.exe (5 entries)
  pid: 2020; Process: calc.exe (remaining entries)
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  pid: 3024; Process: WMIC.exe; the following 20 tokens are each listed twice:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 2672; Process: 20240825ec380602cd1815803a71fe93c54638bficedid.exe (2 entries)
  pid: 2020; Process: calc.exe (2 entries)
Suspicious use of WriteProcessMemory (26 IoCs)
  description: PID 2672 wrote to memory of 2020; pid: 2672; Process: 20240825ec380602cd1815803a71fe93c54638bficedid.exe; procid_target: 30 (10 entries)
  description: PID 2020 wrote to memory of 2948; pid: 2020; Process: calc.exe; procid_target: 31 (4 entries)
  description: PID 2948 wrote to memory of 3024; pid: 2948; Process: cmd.exe; procid_target: 33 (4 entries)
  description: PID 2020 wrote to memory of 1976; pid: 2020; Process: calc.exe; procid_target: 35 (4 entries)
  description: PID 2020 wrote to memory of 1936; pid: 2020; Process: calc.exe; procid_target: 37 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\20240825ec380602cd1815803a71fe93c54638bficedid.exe (PID 2672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20240825ec380602cd1815803a71fe93c54638bficedid.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\calc.exe (PID 2020, child of 2672)
    Command line: C:\Windows\SysWOW64\calc.exe -p-FIuC7LSNqJeLvNqJ7LGNdJmLkNnJ7LGNpJrLDN8JvLcN5JRLiNaJaLhN5JZL8NkJrL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2948, child of 2020)
      Command line: cmd.exe /c "c:\Windows\temp\wmic.bat"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3024, child of 2948)
        Command line: wmic.exe OS Get DataExecutionPrevention_SupportPolicy
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 1976, child of 2020)
      Command line: cmd.exe /c "c:\Windows\temp\bcdedit.bat"
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1936, child of 2020)
      Command line: cmd.exe /c "c:\Windows\temp\cle.bat"
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads