Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/10/2024, 19:33
Behavioral task
behavioral1
Sample
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
Resource
win7-20240903-en
General
-
Target
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe
-
Size
80KB
-
MD5
2bfc41fc744cef02880c43394e17751e
-
SHA1
35c296e0fbd6ed77b9dab7ece016e8306c26512a
-
SHA256
749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca
-
SHA512
d3387fafbd4e9ea76e9d32b24f2e7ea61e3f95263e3e52904f008b74357cebd6c75d9521389406337d9dda8ef2687f02d63e99ed95c1657aec763122d0f9eed7
-
SSDEEP
1536:ITJxjZZ29Up2U7O0Ov15+o46zqMi9G7WXnQQvaWh3zWKfx/t126a631:SHZ2up5JkH+o46LuRXnLdpzp/tg6Z31
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
resource yara_rule behavioral1/memory/2216-7-0x0000000000400000-0x000000000046E000-memory.dmp family_blackmoon behavioral1/memory/2828-21-0x0000000000400000-0x000000000046E000-memory.dmp family_blackmoon -
Deletes itself 1 IoCs
pid Process 2828 Syslemnridt.exe -
Executes dropped EXE 1 IoCs
pid Process 2828 Syslemnridt.exe -
Loads dropped DLL 2 IoCs
pid Process 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe -
resource yara_rule behavioral1/memory/2216-0-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/memory/2216-7-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/files/0x00080000000190e0-9.dat upx behavioral1/memory/2216-11-0x0000000003290000-0x00000000032FE000-memory.dmp upx behavioral1/memory/2828-17-0x0000000000400000-0x000000000046E000-memory.dmp upx behavioral1/memory/2828-21-0x0000000000400000-0x000000000046E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe 2828 Syslemnridt.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2828 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2216 wrote to memory of 2828 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2216 wrote to memory of 2828 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32 PID 2216 wrote to memory of 2828 2216 749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"C:\Users\Admin\AppData\Local\Temp\749d7db3ebc03a0ba180b5f52f57d8d9ff749fabde17ad9e63580b3ec591e6ca.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe"C:\Users\Admin\AppData\Local\Temp\Syslemnridt.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD5fb8abda925a7cb9a18da9e549724471d
SHA10c21ff317ab37de37e6b1a395e2a84700cf57ba0
SHA256cbba1a97f432a53f3618722a406b77fba78e4f5c61a0d07145e894043a2a0cc0
SHA512b230ef8fb52fc6eca54b1319df6a8344deb4dcfa23b645dc99deca9ed71976996951bb7b3a2cb6f92293cbb09e36c47ce1954a0bfbd0552539778b1e1950b3ec
-
Filesize
80KB
MD5e73fa9495849bbffaeb0a8a20a225745
SHA1dd564527ddbc7cc8cb3cf586670ab4a4b9d68a43
SHA256b3c0b757a7aa4e15090905167b2cd595aa0e8c02ae81486fd85c7ea874926a5f
SHA512a8ce3b19f61ce0ca377cd69806b1ae4048b2902932f4c014ddb466de5edafa0c1d334ebfccf39011140ed071a9ad85e068551bc91b0a9556f28f99df70cfd375