Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 17/10/2024, 18:59
Behavioral task: behavioral1
- Sample: 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
- Resource: win7-20241010-en
General
- Target: 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
- Size: 80KB
- MD5: 44ab132e64b8cda5ab2fdbc612e749c2
- SHA1: 27340bc4a07b75d4b126e5cb7a10a65e8cf27621
- SHA256: 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773
- SHA512: e8c7d3a620adb7ba2aa1b65b8bf5e8d31affc20373e6f794c0cc8943cbba0c129942c533b4c023a0a3550db5186076521b72f456aa689f3187a02e63bf0345d5
- SSDEEP: 1536:+VtjAKqURk0Ex/tIWLSYGc5cmFF+TTdGka2dQe5GrpXLaN:CN1qURFY/RLSO5cmFY9GMdKGN
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  yara_rule family_blackmoon matched in:
  - behavioral1/memory/2808-7-0x0000000000400000-0x000000000046B000-memory.dmp
  - behavioral1/memory/2716-20-0x0000000000400000-0x000000000046B000-memory.dmp
- Deletes itself (1 IoC)
  pid 2716, Systemjgaly.exe
- Executes dropped EXE (1 IoC)
  pid 2716, Systemjgaly.exe
- Loads dropped DLL (2 IoCs)
  pid 2808, 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
  pid 2808, 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
- yara_rule upx matched in:
  - behavioral1/memory/2808-0-0x0000000000400000-0x000000000046B000-memory.dmp
  - behavioral1/memory/2808-7-0x0000000000400000-0x000000000046B000-memory.dmp
  - behavioral1/files/0x00060000000186bb-9.dat
  - behavioral1/memory/2716-20-0x0000000000400000-0x000000000046B000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the entries repeat the same two processes)
  pid 2808, 190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
  pid 2716, Systemjgaly.exe
- Suspicious use of WriteProcessMemory (4 IoCs; four identical entries)
  PID 2808 (190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe) wrote to memory of PID 2716, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\190c1d3d1f171e6475c118d162e632e40d8ca596d0cd30df1052a6398e6f4773.exe"
  PID: 2808
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Systemjgaly.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Systemjgaly.exe"
    PID: 2716
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 102B
  MD5: 2b4159504c411ecc93fca80c5076184d
  SHA1: ba1d6781ec9f229ee87228149a3e3d87f07752f0
  SHA256: 1a9fa5f0f9cd70cf19afea69f04cc367a26384d71409b67169b8f1f7ea025f5c
  SHA512: 93b99d6928b69b9378e164c869f8a095f47d921ef4d1f869ca89c550eacb6778eec22a184b7ede3d22c04ad326b3307d6e45b7b8c39538d1073c0ddd3549060d
- Filesize: 80KB
  MD5: 0abb8433b57987ef8b02ce2c28590303
  SHA1: 477b014cdd86a9b8c7eb0ed0b8a87a035acb8ab0
  SHA256: 9681cf15c0baf6e1f237cd62c88e34ecc99f3236e7566df21d6a097eee40f0db
  SHA512: 7aec78b45c846d02be9a6a5b9af6cd87f6a8083c996c025e20c1b9daf573654dc9977eb4b65125a393b0207deb22bb782fe000a9f8cae0a2bf037cc6c02ad205