Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-10-2024 13:07
Behavioral task
behavioral1
Sample
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe
Resource
win7-20240903-en
General
-
Target
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe
-
Size
106KB
-
MD5
6a0f90d47cb818fbf65215becaebfc56
-
SHA1
3bed9eb472e8915c99f285b4f39088c9bfdac283
-
SHA256
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b
-
SHA512
c841c23b7c863c6eeb2b168453b0b097b264c699d3afb6208af1aa997fa194fc9784c12c40de83c8fed4bf409ed787e0c881bd35b0b565934a6950ca32f33e50
-
SSDEEP
3072:DqgtB3f8Jf34KEhnsEi+xI9l6XutP1rDqRoJ3:DqvJfIGh+xI9lAu9ZD9
Malware Config
Signatures
-
Detect Blackmoon payload 8 IoCs
Processes:
resource yara_rule behavioral1/memory/1480-2-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-1-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-3-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-18-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-26-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-32-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-55-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1480-95-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon -
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2924-88-0x0000000010000000-0x000000001002D000-memory.dmp fatalrat -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
mesvc.exespower.exeupssvc.exesvchost.exepid Process 3056 mesvc.exe 1396 spower.exe 2388 upssvc.exe 2924 svchost.exe -
Loads dropped DLL 14 IoCs
Processes:
mesvc.exedb5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exepid Process 1248 1248 3056 mesvc.exe 3056 mesvc.exe 3056 mesvc.exe 3056 mesvc.exe 3056 mesvc.exe 3056 mesvc.exe 3056 mesvc.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe -
Processes:
resource yara_rule behavioral1/files/0x0005000000019479-57.dat vmprotect behavioral1/memory/1396-61-0x000000013F550000-0x000000013F789000-memory.dmp vmprotect behavioral1/memory/1396-60-0x000000013F550000-0x000000013F789000-memory.dmp vmprotect behavioral1/memory/1396-77-0x000000013F550000-0x000000013F789000-memory.dmp vmprotect -
Drops file in Program Files directory 10 IoCs
Processes:
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exeupssvc.exedescription ioc Process File created C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\libcurl.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\MSVCR100.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File opened for modification C:\Program Files (x86)\360\360Safe\safemon\360tray.exe upssvc.exe File opened for modification C:\Program Files (x86)\360\360sd\360sd.exe upssvc.exe File created C:\Program Files\Microvirt\MEmuHyperv\libcrypto-1_1-x64.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\libssl-1_1-x64.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\MEmuDDU.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\MEmuRT.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe File created C:\Program Files\Microvirt\MEmuHyperv\MSVCP100.dll db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
svchost.exeSCHTASKS.exedb5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCHTASKS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exespower.exeupssvc.exepid Process 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 1396 spower.exe 2388 upssvc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid Process Token: SeDebugPrivilege 2924 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exepid Process 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exepid Process 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exedescription pid Process procid_target PID 1480 wrote to memory of 1396 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 34 PID 1480 wrote to memory of 1396 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 34 PID 1480 wrote to memory of 1396 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 34 PID 1480 wrote to memory of 1396 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 34 PID 1480 wrote to memory of 2388 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 35 PID 1480 wrote to memory of 2388 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 35 PID 1480 wrote to memory of 2388 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 35 PID 1480 wrote to memory of 2388 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 35 PID 1480 wrote to memory of 2924 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 37 PID 1480 wrote to memory of 2924 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 37 PID 1480 wrote to memory of 2924 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 37 PID 1480 wrote to memory of 2924 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 37 PID 1480 wrote to memory of 2176 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 38 PID 1480 wrote to memory of 2176 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 38 PID 1480 wrote to memory of 2176 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 38 PID 1480 wrote to memory of 2176 1480 db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe"C:\Users\Admin\AppData\Local\Temp\db5ebaf833f42ac680d858bd2873e07f0cebf1016627ff3687e3521c66ed8c5b.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\yaoma1ufr1xkkf6\spower.exeC:\Users\Admin\AppData\Local\Temp\yaoma1ufr1xkkf6\spower.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1396
-
-
C:\Users\Admin\AppData\Local\Temp\yaoma1ufr1xkkf6\upssvc.exeC:\Users\Admin\AppData\Local\Temp\yaoma1ufr1xkkf6\upssvc.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2388
-
-
C:\ProgramData\NVIDIARV\svchost.exeC:\ProgramData\NVIDIARV\svchost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /SC ONLOGON /TN WindowsUpdata /F /RL HIGHEST /TR C:\Users\Public\Picturesyaoma1uf\CCCef3Render.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2176
-
-
C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe"C:\Program Files\Microvirt\MEmuHyperv\mesvc.exe" -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
639KB
MD52b242983d5fc098515105268eb22f0b7
SHA16a660eae893f16b988b44ec943a8dacf808f467e
SHA2561679808a0a410e73d7807c1facfd0ce0ee1e6270b35d29dcdf0a8977c17418ac
SHA512905b01240f92124f71acd61a075887d89a83699681f585a246aa44b9d514829adec5ab827d720c7c7eccd8392698ee3f18fe9b2f7fcd81000cb0f40caa28ff06
-
Filesize
1.1MB
MD5b7324991095fc5710dff7f98075c9800
SHA1af669e900f571e85f4c3448bc7854402814c00ac
SHA256481408f1b1c59753c24980124615406951f8412b2711ebadffbe73576f59c26a
SHA512eb11be91cb8db57e9c6616e899675f1d42a1a8f13c260ed3168d2d76dd4c30858bd4234a5429c9a43bdeaf30d98f48407e6f24db6e136e686d35a396f2e1f00d
-
Filesize
151KB
MD549a7722ea3d588753a6f90f9a094b84b
SHA1d21bf72dcbc6fd58ed9c11baf119d13df2322273
SHA2560330970ca33b5b0d80e6ac151befc97de78a52135a2e08a907b2a1cd701869ff
SHA5129fa4510620b8ad3e167f1b13723d43ca5535433f2d07e430dd5a0f6514ce2f7da9422c352929f45f0b35b1767c446b949dfb15b0aa61572766322a639c2e8c6a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
355KB
MD5ce98c3cbd7bfcca2755b35e77a2bceb2
SHA1c12c20bb69e7858682ab6bb21ca3971880efdc07
SHA2561ec46488b2db690f6f769c6cfa7e3021ee6f88096303f04be43f3f2150d8c946
SHA512dfc4f4b300cd2dc0d0f19b415da157b15ce666e1927266feb7a445ffb9199620bb7fc55746239f81fd3f79133c64c8d41822ccddc625288a33a6737a062faee5
-
Filesize
3.8MB
MD556719cc92af72f56f46a5798b1430d9e
SHA1497456e1b225a541058c8d7f96f2a3ef082d147c
SHA256ca5e9919a5b3612a2faaab0f08f3e95db69e3d88d821a706c5d68d3f0d86d060
SHA5125ca3fd7d6f86c5969949e55669c315287084633ccd42aae45cef170bce4fb05071637aaf6a9fce973cdb32003fdf02e184c8dc5aa3c327a17d3889084e07637a
-
Filesize
612KB
MD589acd78f8c6d92947b3fcc78c7493036
SHA13317bd26eda9a7a0d49dfcfe27673d96b2873c95
SHA256e7675926ff8f230e3ce88de65e47ab3fd6f8d617a93e062dd9ecc4226e9d16c0
SHA51208ddb16ab60ea0f531f7853dc6a66a7a2302516e1b54258f2884528a4304cb05111b073d15387702c359f00bd96156043cadddd2b230bfa8bd288b578a11225f
-
Filesize
830KB
MD534b2d5ad1c7c600f9d24660928a03382
SHA1ab9621342ada12b355ea5fcd76b666193898c11b
SHA256d7d6ff911503e848ffc6c0ba43382cc2e1e00b367d55ffdb883c54b688c5c28e
SHA5120d86a396f81864c9ce5a57090fd45745f8c66a28f78fb469a6d62ce01c519f6a0c58d904afa99baef2f74ae4fe2308dc710c901d0394779837b82748679363fa
-
Filesize
2.6MB
MD56def652fd7e5207c374fc51534bda953
SHA1ee23eab28dd67ce96e7799a31801580c824cde5f
SHA25680677a75588101ca6da2a22b74c02bd5b91aba2a62d1bce20d07370a9ddf0118
SHA512f3284532571bfb83a622b019040e4882866941c66a06a9c83da23a1a820b940c48ffedd1d109c799b64d6bd30775cdb9ea1067869f565116653988bd763552a8
-
Filesize
365KB
MD575b9bbfcf9581252474a5d1daa6e6641
SHA10fb1cfa16bf68fb13ba9816c2354af358bded167
SHA256c78b0aa24630b35dfd3030626f873a89a39944ffa620b6afb42ae50eb1618f4b
SHA512ed527526fd6053425fcefdfa5174d7dfa3b3b3601f33f8019b1215c9f1b85d823910f5a02c9bdd296d70058a516f9d464f42e712903144315e17f4ce7ad17561
-
Filesize
4.6MB
MD58c1eca3e2fe8f5fd1a0ce4b4a8cf4409
SHA18d45e044cbdcf645fe359864bc700b2568032687
SHA2566ef47689ea1309e43869ec59861a677fe4e40cf03eb89386fc7d32fc516e9671
SHA5124bf03b1453fa1f1bed14cb133c01c7b9b348f82da775bbbeaefc7867d348928c265b6b38623ced8b711138876365d63a669955920a5b5ae119975184297fe54f
-
Filesize
3.3MB
MD59f2627f35c53b58781a60905ccd52507
SHA13fc5708b379c13946f5c004df0fa541a43e9c570
SHA256a1cdff2f7478dff703f3899c0d33798f1e49c02953753d62f412e87f7d30ea7b
SHA5128503dea7534aaaec0c7a2ba1f71a2aa61cbe42ae7a9b5d517def157813f54515416c9c68b21551a1d11b98ca0abfb9d6bb83ae7dd4d877665ed98e06eb4ff3b2