Analysis
-
max time kernel
125s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 16:54
Behavioral task
behavioral1
Sample
exe.exe
Resource
win7-20240903-en
General
-
Target
exe.exe
-
Size
406KB
-
MD5
c1105b325208b94c7f2a054901ee7122
-
SHA1
6d43a222928259afed09081427cea7efbe64cd33
-
SHA256
eece8f6aa859eec0d58fde08b08d6716d0df66aacd180d102b4df5b4896bc23e
-
SHA512
760efa89bd317d9383aae85f41f6d090461e21522cd8e4f4c5c90503ba9e0d4ec265fbdfa8c76fd32c1305c51128f27ea7a246b180fd5d574af64f0966093142
-
SSDEEP
3072:hR3TSduMAhgamPis0/iR8mbeUUHoYOooc422f2c+2XF9HQjMR:hRjJhgaAis0/28mbVUHoQMj
Malware Config
Signatures
-
Detect Blackmoon payload 12 IoCs
resource yara_rule behavioral1/memory/2456-3-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-2-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-1-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-5-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-20-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-23-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-27-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-32-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-35-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-38-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-80-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon behavioral1/memory/2456-102-0x0000000000400000-0x00000000004A7000-memory.dmp family_blackmoon -
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral1/memory/1880-95-0x0000000010000000-0x000000001002D000-memory.dmp fatalrat -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process 2620 mesvc.exe 2920 upssvc.exe 2944 spower.exe 1880 svchost.exe -
Loads dropped DLL 14 IoCs
pid Process 1212 Process not Found 1212 Process not Found 2620 mesvc.exe 2620 mesvc.exe 2620 mesvc.exe 2620 mesvc.exe 2620 mesvc.exe 2620 mesvc.exe 2620 mesvc.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe -
resource yara_rule behavioral1/files/0x0005000000019543-58.dat vmprotect behavioral1/memory/2456-65-0x0000000003CC0000-0x0000000003EFA000-memory.dmp vmprotect behavioral1/memory/2944-71-0x000000013FB10000-0x000000013FD4A000-memory.dmp vmprotect behavioral1/memory/2944-73-0x000000013FB10000-0x000000013FD4A000-memory.dmp vmprotect behavioral1/memory/2944-84-0x000000013FB10000-0x000000013FD4A000-memory.dmp vmprotect -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\libcurl.dll exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll exe.exe File opened for modification C:\Program Files (x86)\360\360Safe\safemon\360tray.exe upssvc.exe File created C:\Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\MSVCP100.dll exe.exe File created C:\Program Files\Microvirt\MEmuHyperv\MSVCR100.dll exe.exe File opened for modification C:\Program Files (x86)\360\360sd\360sd.exe upssvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCHTASKS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language exe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1740 SCHTASKS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe 2456 exe.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1880 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2456 exe.exe 2456 exe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2456 exe.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2456 wrote to memory of 2944 2456 exe.exe 34 PID 2456 wrote to memory of 2944 2456 exe.exe 34 PID 2456 wrote to memory of 2944 2456 exe.exe 34 PID 2456 wrote to memory of 2944 2456 exe.exe 34 PID 2456 wrote to memory of 2920 2456 exe.exe 35 PID 2456 wrote to memory of 2920 2456 exe.exe 35 PID 2456 wrote to memory of 2920 2456 exe.exe 35 PID 2456 wrote to memory of 2920 2456 exe.exe 35 PID 2456 wrote to memory of 1880 2456 exe.exe 38 PID 2456 wrote to memory of 1880 2456 exe.exe 38 PID 2456 wrote to memory of 1880 2456 exe.exe 38 PID 2456 wrote to memory of 1880 2456 exe.exe 38 PID 2456 wrote to memory of 1740 2456 exe.exe 39 PID 2456 wrote to memory of 1740 2456 exe.exe 39 PID 2456 wrote to memory of 1740 2456 exe.exe 39 PID 2456 wrote to memory of 1740 2456 exe.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe.exe"C:\Users\Admin\AppData\Local\Temp\exe.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exeC:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\spower.exe2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\upssvc.exeC:\Users\Admin\AppData\Local\Temp\8lzwrz7fevekc6c\upssvc.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2920
-
-
C:\ProgramData\NVIDIARV\svchost.exeC:\ProgramData\NVIDIARV\svchost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Pictures8lzwrz7f\CCCef3Render.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1740
-
-
C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe"C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146KB
MD55645f4739313841c6af76fa40d1a2d95
SHA11fdf5d9e098fba6d49893b89eb8ca6a3ec7b8477
SHA256fcdf15c6c5100c37876317cb678b4b2021dfa502e0d9872600c3060a3fc284c4
SHA512038e74667a280be2ed4b9d3afb0711d6574a1316b73dd6a578e3e3066080d166d0e66755b150f4f77cd8b471c1d7a84bb023d4ac34d5cd380ce350b3ae570916
-
Filesize
355KB
MD5ce98c3cbd7bfcca2755b35e77a2bceb2
SHA1c12c20bb69e7858682ab6bb21ca3971880efdc07
SHA2561ec46488b2db690f6f769c6cfa7e3021ee6f88096303f04be43f3f2150d8c946
SHA512dfc4f4b300cd2dc0d0f19b415da157b15ce666e1927266feb7a445ffb9199620bb7fc55746239f81fd3f79133c64c8d41822ccddc625288a33a6737a062faee5
-
Filesize
3.8MB
MD556719cc92af72f56f46a5798b1430d9e
SHA1497456e1b225a541058c8d7f96f2a3ef082d147c
SHA256ca5e9919a5b3612a2faaab0f08f3e95db69e3d88d821a706c5d68d3f0d86d060
SHA5125ca3fd7d6f86c5969949e55669c315287084633ccd42aae45cef170bce4fb05071637aaf6a9fce973cdb32003fdf02e184c8dc5aa3c327a17d3889084e07637a
-
Filesize
612KB
MD589acd78f8c6d92947b3fcc78c7493036
SHA13317bd26eda9a7a0d49dfcfe27673d96b2873c95
SHA256e7675926ff8f230e3ce88de65e47ab3fd6f8d617a93e062dd9ecc4226e9d16c0
SHA51208ddb16ab60ea0f531f7853dc6a66a7a2302516e1b54258f2884528a4304cb05111b073d15387702c359f00bd96156043cadddd2b230bfa8bd288b578a11225f
-
Filesize
830KB
MD534b2d5ad1c7c600f9d24660928a03382
SHA1ab9621342ada12b355ea5fcd76b666193898c11b
SHA256d7d6ff911503e848ffc6c0ba43382cc2e1e00b367d55ffdb883c54b688c5c28e
SHA5120d86a396f81864c9ce5a57090fd45745f8c66a28f78fb469a6d62ce01c519f6a0c58d904afa99baef2f74ae4fe2308dc710c901d0394779837b82748679363fa
-
Filesize
2.6MB
MD56def652fd7e5207c374fc51534bda953
SHA1ee23eab28dd67ce96e7799a31801580c824cde5f
SHA25680677a75588101ca6da2a22b74c02bd5b91aba2a62d1bce20d07370a9ddf0118
SHA512f3284532571bfb83a622b019040e4882866941c66a06a9c83da23a1a820b940c48ffedd1d109c799b64d6bd30775cdb9ea1067869f565116653988bd763552a8
-
Filesize
365KB
MD575b9bbfcf9581252474a5d1daa6e6641
SHA10fb1cfa16bf68fb13ba9816c2354af358bded167
SHA256c78b0aa24630b35dfd3030626f873a89a39944ffa620b6afb42ae50eb1618f4b
SHA512ed527526fd6053425fcefdfa5174d7dfa3b3b3601f33f8019b1215c9f1b85d823910f5a02c9bdd296d70058a516f9d464f42e712903144315e17f4ce7ad17561
-
Filesize
639KB
MD52b242983d5fc098515105268eb22f0b7
SHA16a660eae893f16b988b44ec943a8dacf808f467e
SHA2561679808a0a410e73d7807c1facfd0ce0ee1e6270b35d29dcdf0a8977c17418ac
SHA512905b01240f92124f71acd61a075887d89a83699681f585a246aa44b9d514829adec5ab827d720c7c7eccd8392698ee3f18fe9b2f7fcd81000cb0f40caa28ff06
-
Filesize
4.6MB
MD58c1eca3e2fe8f5fd1a0ce4b4a8cf4409
SHA18d45e044cbdcf645fe359864bc700b2568032687
SHA2566ef47689ea1309e43869ec59861a677fe4e40cf03eb89386fc7d32fc516e9671
SHA5124bf03b1453fa1f1bed14cb133c01c7b9b348f82da775bbbeaefc7867d348928c265b6b38623ced8b711138876365d63a669955920a5b5ae119975184297fe54f
-
Filesize
3.3MB
MD53670adfc30d5b2719002b7dfce6192b5
SHA123b4956a4ee353153a8ceda6b14079d26303cc78
SHA25656c03d3a3e962ad2c0167b1baa48f309a368f1c132e4b9b10142eeb2b862679a
SHA5121648e62c7ba77618e60066ef245af255a1df968b5b7b75a484a16aa0540b50252fc8461156d8b9a4d756cd7ed6567364d21d4c0093633787d310e943caf6712e
-
Filesize
1.1MB
MD53c124149591abc905e07753ad7bf5a35
SHA1c8d0fe2de8882bd26c394b7e602142f6c9674e43
SHA2561520fa7e27eb0b310bc83946594251b570f1d4042345eea243010260e7676ac6
SHA51267e30eda7eb311a7778c6cde5f1fbec7cd72e00a650f89e2930135ce8861c5128ddc1e463d225eb011bf5359d1f16571f1c6f42ce629c3a76fe586268624911e