Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
09-11-2024 23:55
Behavioral task
behavioral1
Sample
aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe
Resource
win7-20241010-en
General
-
Target
aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe
-
Size
469KB
-
MD5
26e3842fd1b8d9392ca3b99c2454c380
-
SHA1
3d4c780451d786b627d5e22dd561efcae73239fd
-
SHA256
aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2ab
-
SHA512
f2b49c2512c8e23edad11c653f83fd274997c70a9d0354ce1715c3400ea725c166a60b8ce656fa502c360d78f25f077440fffaa45327f7339cd4c666edae483a
-
SSDEEP
6144:hqzOPI16UkWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQG:hqzIIUUvVs+IdMoSzqkR5RWVVWG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 1 IoCs
Processes:
resource       yara_rule
C:\xfbrl.exe   family_blackmoon
Deletes itself 1 IoCs
Processes:
pid    process
2280   xfbrl.exe
Executes dropped EXE 1 IoCs
Processes:
pid    process
2280   xfbrl.exe
Program crash 1 IoCs
Processes:
pid    pid_target   process        target process
1244   2280         WerFault.exe   xfbrl.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                          process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   xfbrl.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                          pid    process                                                                  target process
PID 2104 wrote to memory of 2280     2104   aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe   xfbrl.exe
PID 2104 wrote to memory of 2280     2104   aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe   xfbrl.exe
PID 2104 wrote to memory of 2280     2104   aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe   xfbrl.exe
PID 2104 wrote to memory of 2280     2104   aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe   xfbrl.exe
PID 2280 wrote to memory of 1244     2280   xfbrl.exe                                                                WerFault.exe
PID 2280 wrote to memory of 1244     2280   xfbrl.exe                                                                WerFault.exe
PID 2280 wrote to memory of 1244     2280   xfbrl.exe                                                                WerFault.exe
PID 2280 wrote to memory of 1244     2280   xfbrl.exe                                                                WerFault.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
   2. \??\c:\xfbrl.exe
      Command line: c:\xfbrl.exe
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 96
- Program crash
PID:1244
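The IoC tables above are flattened rows that name a process by pid in some sections and by image name in others. As an added example (not part of this report or of the sandbox's own tooling), the Python below folds those rows back into a single process-centric view: a parent/child tree, per-pid behaviour tags, the YARA match on the dropped file, and whether the dropped EXE is the one WerFault reported on. The input rows are copied from this page; the assumption that the first process to call WriteProcessMemory on a pid is its parent is mine, as are all function and variable names.

```python
import re
from collections import defaultdict

# Constructed input: the IoC rows of this report, as (section title, row text),
# in the order the page lists them. SAMPLE is the submitted file's name.
SAMPLE = "aa27ccab35b2c6efe143c22907cfca3364f3fc5367bded59c73f2b9acba7f2abN.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
REPORT_EVENTS = [
    ("Detect Blackmoon payload", r"C:\xfbrl.exe family_blackmoon"),
    ("Deletes itself", "2280 xfbrl.exe"),
    ("Executes dropped EXE", "2280 xfbrl.exe"),
    ("Program crash", "1244 2280 WerFault.exe xfbrl.exe"),
    ("System Location Discovery: System Language Discovery", f"Key opened {NLS_KEY} {SAMPLE}"),
    ("System Location Discovery: System Language Discovery", f"Key opened {NLS_KEY} xfbrl.exe"),
] + [
    ("Suspicious use of WriteProcessMemory", f"PID 2104 wrote to memory of 2280 2104 {SAMPLE} xfbrl.exe")
] * 4 + [
    ("Suspicious use of WriteProcessMemory", "PID 2280 wrote to memory of 1244 2280 xfbrl.exe WerFault.exe")
] * 4

# Row shapes exactly as they appear in the report's tables (assumed stable).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CRASH_RE = re.compile(r"(\d+) (\d+) (\S+) (\S+)$")   # pid pid_target process target
KEY_RE = re.compile(r"Key opened (\S+) (\S+)$")       # key image
PID_RE = re.compile(r"(\d+) (\S+)$")                  # pid image
YARA_RE = re.compile(r"(\S+) (\S+)$")                 # resource rule
SECTION_TAG = {"Deletes itself": "deletes_itself", "Executes dropped EXE": "executes_dropped_exe"}


def summarize(events):
    """Fold flattened IoC rows into one process-centric dict."""
    image = {}                 # pid -> image name
    parent = {}                # child pid -> pid that first wrote into it
    tags = defaultdict(set)    # pid -> behaviour tags
    yara = {}                  # dropped file path -> matching rule
    crashed = set()            # pids that WerFault was launched for
    key_opens = []             # (image, key); resolved to pids in pass 2

    for section, row in events:
        if section.startswith("Suspicious use of WriteProcessMemory"):
            src, dst, src_img, dst_img = WPM_RE.match(row).groups()
            src, dst = int(src), int(dst)
            image.setdefault(src, src_img)
            image.setdefault(dst, dst_img)
            # Assumption: a parent writing into a freshly created child is how
            # CreateProcess shows up to the hook, so the first writer is the parent.
            parent.setdefault(dst, src)
            tags[src].add("write_process_memory")
        elif section == "Program crash":
            wer, target, wer_img, target_img = CRASH_RE.match(row).groups()
            image.setdefault(int(wer), wer_img)
            image.setdefault(int(target), target_img)
            crashed.add(int(target))
        elif section in SECTION_TAG:
            pid, img = PID_RE.match(row).groups()
            image.setdefault(int(pid), img)
            tags[int(pid)].add(SECTION_TAG[section])
        elif section.startswith("System Location Discovery"):
            key, img = KEY_RE.match(row).groups()
            key_opens.append((img, key))
        elif section.startswith("Detect"):
            path, rule = YARA_RE.match(row).groups()
            yara[path] = rule

    # Pass 2: registry rows name the image, not the pid; resolve via the image map.
    for img, key in key_opens:
        if key.lower().endswith(r"\nls\language"):
            for pid, name in image.items():
                if name == img:
                    tags[pid].add("language_discovery")
    return {"image": image, "parent": parent, "tags": dict(tags), "yara": yara, "crashed": crashed}


def dropped_exe_crashed(summary):
    """True when a process tagged as a dropped EXE is the one WerFault reported on,
    i.e. the payload died right after launch (the report's 'Program crash' signature)."""
    return any(pid in summary["crashed"]
               for pid, t in summary["tags"].items() if "executes_dropped_exe" in t)


def tree(summary, root):
    """Render the process tree under root, depth-first, with each pid's tags."""
    def walk(pid, depth):
        tag_list = ", ".join(sorted(summary["tags"].get(pid, [])))
        lines = [f"{'  ' * depth}{pid} {summary['image'][pid]} [{tag_list}]"]
        for child in sorted(c for c, p in summary["parent"].items() if p == pid):
            lines.extend(walk(child, depth + 1))
        return lines
    return "\n".join(walk(root, 0))


if __name__ == "__main__":
    s = summarize(REPORT_EVENTS)
    print(tree(s, 2104))
    print("yara:", s["yara"], "| dropped EXE crashed:", dropped_exe_crashed(s))
```

Two things this view makes visible that the flattened tables do not: the language-discovery key is opened by both the dropper and the dropped file, and the only process WerFault reported on is the dropped xfbrl.exe, so the Blackmoon payload never ran past its startup in this environment. The WerFault binary being launched from SysWOW64 means the crashing process was 32-bit, which matches the arch:x86 resource tag.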
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
469KB
MD5
2a965aa6007c9c05aaf53ff416733447
SHA1
cb49138903ea33fe91393d3f3507ddd13f96196a
SHA256
39a14c59c5d668a915b9a30a5769e7d139de4c74b396c5184eafc4bd3770ca9b
SHA512
cb6b6236535f2ee98d00ebde700303dd348fbc70f908948ab44ecc07b7ec490f9fc8521be2da861eddbfde48e03f095983b93b12679769f3cb08123c603da394