Analysis
-
max time kernel
59s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/10/2024, 19:26
Behavioral task
behavioral1
Sample
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
Resource
win7-20240903-en
General
-
Target
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
-
Size
80KB
-
MD5
2bfc41fc744cef02880c43394e17751e
-
SHA1
35c296e0fbd6ed77b9dab7ece016e8306c26512a
-
SHA256
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca
-
SHA512
d3387fafbd4e9ea76e9d32b24f2e7ea61e3f95263e3e52904f008b74357cebd6c75d9521389406337d9dda8ef2687f02d63e99ed95c1657aec763122d0f9eed7
-
SSDEEP
1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a631:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z31
Malware Config
Signatures
-
Detect Blackmoon payload 3 IoCs
resource yara_rule behavioral1/memory/2848-7-0x0000000000400000-0x000000000046E000-memory.dmp family_blackmoon behavioral1/memory/2848-11-0x0000000003160000-0x00000000031CE000-memory.dmp family_blackmoon behavioral1/memory/2596-22-0x0000000000400000-0x000000000046E000-memory.dmp family_blackmoon -
Deletes itself 1 IoCs
pid Process 2596 Syslemkchgb.exe -
Executes dropped EXE 1 IoCs
pid Process 2596 Syslemkchgb.exe -
Loads dropped DLL 2 IoCs
pid Process 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe -
resource yara_rule behavioral1/memory/2848-0-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/memory/2848-7-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/files/0x0007000000018c26-9.dat upx behavioral1/memory/2596-18-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/memory/2848-11-0x0000000003160000-0x00000000031CE000-memory.dmp upx behavioral1/memory/2596-22-0x0000000000400000-0x000000000046E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe 2596 Syslemkchgb.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2596 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2848 wrote to memory of 2596 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2848 wrote to memory of 2596 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2848 wrote to memory of 2596 2848 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\Syslemkchgb.exe"C:\Users\Admin\AppData\Local\Temp\Syslemkchgb.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5fb8abda925a7cb9a18da9e549724471d
SHA10c21ff317ab37de37e6b1a395e2a84700cf57ba0
SHA256cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0
SHA512b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec
-
Filesize
80KB
MD53dae46c6c17dcf650b7c5353a81ef31e
SHA11f93b5c83fa49e6bd08b49dff28e2c841499c932
SHA2562440ad23231ac4720700db07cb98f13b34d8a67b863348adc3d27ec9862b29b5
SHA512333f90ae2fdbd8b30120747540ca8d82368f95a9b4e74eb6016d74851d040b8942e2f4fca10f405be888a7bd0038c65a75ce842b95e93c0092a5d09534c0d7fe