Analysis
max time kernel: 148s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:02

Behavioral task: behavioral1
Sample: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
Resource: win7-20240903-en
General
Target: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
Size: 87KB
MD5: be1caf87a76ca70f2118decc075b100a
SHA1: 11581129f15b36c03a3d372be2e3b9c37f6f7d27
SHA256: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c
SHA512: b8e2959e79d3e27943d785532c855f0bcb281f743e0cbddfebb9bf1620b065c16e9d756e3ca6da4a6276ea72a1b8056b445863afdb3437abf40337edc818f530
SSDEEP: 1536:z4hkM3Yz8wMZhUD2XsjEQWOSkE+Ct6WKBex3GWU5FkWp+AmQwKGSMdH+002I3/ia:Mq6OLM3QasY5Ft71fqWWp+efGftm2I31
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (2 IoCs)
  resource  yara_rule
  behavioral1/memory/1796-7-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
  behavioral1/memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon

Deletes itself (1 IoC)
  pid   process
  2784  Syslemxiizw.exe

Executes dropped EXE (1 IoC)
  pid   process
  2784  Syslemxiizw.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1796  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
  1796  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe

UPX packed (yara rule upx, 5 IoCs)
  resource  yara_rule
  behavioral1/memory/1796-0-0x0000000000400000-0x000000000047F000-memory.dmp  upx
  behavioral1/memory/1796-7-0x0000000000400000-0x000000000047F000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe  upx
  behavioral1/memory/2784-17-0x0000000000400000-0x000000000047F000-memory.dmp  upx
  behavioral1/memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp  upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process  entries
  1796  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe  8
  2784  Syslemxiizw.exe  56

Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  description  pid  process  target pid  target process
  wrote to memory of  1796  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe  2784  Syslemxiizw.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe"
   PID: 1796
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe (child of PID 1796)
      command line: "C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe"
      PID: 2784
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
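The signature tables and the process tree above are flattened key/value rows, which is awkward to hunt through by hand. The following script is an added example for this report, not Triage's own code: it parses the yara hit identifiers, the WriteProcessMemory entries and the process tree as they appear above into structured records, then checks whether they describe one drop-and-execute chain (a parent in %TEMP% writing into a child it launched from the same directory, both carrying the same family rule over the same 0x400000-0x47F000 image range). The field layout of a memory-dump hit, `<task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule>`, is inferred from the lines themselves and is an assumption; the report does not document it.

```python
"""Turn the flattened Triage signature tables into structured IoCs and check
whether they describe a single drop-and-execute chain.

Added example for this report, not Triage's code. The memory-dump hit layout
(<task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule>) is inferred
from the report lines and is an assumption.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED = ntpath.join(TEMP, "Syslemxiizw.exe")

# Process tree as shown in the report: pid -> (image path, parent pid).
PROCESSES = {
    1796: (ntpath.join(TEMP, SAMPLE), None),
    2784: (DROPPED, 1796),
}

# Yara hit lines copied from the Blackmoon and UPX tables above (raw string:
# the Windows path contains "\U", which a normal string literal would mangle).
YARA_HITS = r"""
behavioral1/memory/1796-7-0x0000000000400000-0x000000000047F000-memory.dmp family_blackmoon
behavioral1/memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp family_blackmoon
behavioral1/memory/1796-0-0x0000000000400000-0x000000000047F000-memory.dmp upx
behavioral1/memory/1796-7-0x0000000000400000-0x000000000047F000-memory.dmp upx
C:\Users\Admin\AppData\Local\Temp\Syslemxiizw.exe upx
behavioral1/memory/2784-17-0x0000000000400000-0x000000000047F000-memory.dmp upx
behavioral1/memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp upx
"""

# The four identical WriteProcessMemory entries from the report.
WPM_LINES = [f"PID 1796 wrote to memory of 2784 1796 {SAMPLE} Syslemxiizw.exe"] * 4

MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<rule>\S+)$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass(frozen=True)
class MemHit:
    task: str
    pid: int
    idx: int     # dump index within the task
    start: int   # start of the dumped region
    end: int     # end of the dumped region (exclusive)
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_yara_hits(text):
    """Split yara hit lines into memory-dump hits and on-disk file hits."""
    mem, files = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            mem.append(MemHit(m["task"], int(m["pid"]), int(m["idx"]),
                              int(m["start"], 16), int(m["end"], 16), m["rule"]))
        elif f := FILE_RE.match(line):
            files.append((f["path"], f["rule"]))
        else:
            raise ValueError(f"unrecognised IoC line: {line!r}")
    return mem, files


def parse_wpm(lines):
    """De-duplicate WriteProcessMemory IoCs into sorted (source pid, target pid) edges."""
    edges = set()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory line: {line!r}")
        edges.add((int(m["src"]), int(m["dst"])))
    return sorted(edges)


def summarize(mem_hits, file_hits, edges, procs):
    """For each writer->target edge, collect the facts that make it a drop-and-execute chain."""
    rules, ranges = defaultdict(set), defaultdict(set)
    for h in mem_hits:
        rules[h.pid].add(h.rule)
        ranges[h.pid].add((h.start, h.end))
    packed = {path for path, rule in file_hits if rule == "upx"}
    out = []
    for src, dst in edges:
        src_img, dst_img = procs[src][0], procs[dst][0]
        out.append({
            "src": src, "dst": dst,
            "dst_is_child": procs[dst][1] == src,
            "same_dir": ntpath.dirname(src_img).lower() == ntpath.dirname(dst_img).lower(),
            "dst_packed_on_disk": dst_img in packed,
            "shared_families": sorted(r for r in rules[src] & rules[dst] if r.startswith("family_")),
            "same_image_range": ranges[src] == ranges[dst],
            "image_sizes": sorted({h.size for h in mem_hits if h.pid in (src, dst)}),
        })
    return out


if __name__ == "__main__":
    mem, files = parse_yara_hits(YARA_HITS)
    for chain in summarize(mem, files, parse_wpm(WPM_LINES), PROCESSES):
        print(chain)
```

Run stand-alone it prints one chain: 1796 wrote into its own child 2784, both images live in the same Temp directory, the dropped file is UPX-packed on disk, both processes match `family_blackmoon`, and every dump covers the same 0x7F000-byte range starting at 0x400000. The same parser works on any Triage report with this row layout; only the constants at the top are specific to this sample.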
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 87KB
  MD5: 097b4977bfe6714bf0712dcb65c14b03
  SHA1: c01bb385d15a7b050ad969479a0220b0e95fda9a
  SHA256: 3e6afb658c6a236dfdf53b45e4c4d93b089c928c7f4c2bc3b1de9fb9b4b357af
  SHA512: c0f4d46e722a7d3152efaa343aea9f808c1b6e0f9403f56d581d0e787638b5b3d1f6ebf70d712e01edd7d8f26f15f18fe0ae737b855f133fec4d4ee88916649f

File 2
  Filesize: 102B
  MD5: f89bb0954242fa3816f9e8d05b3cec36
  SHA1: e09be2a100c80b49e5600eb29cd3a2bc06a827d2
  SHA256: cd1ac67cb37d864d9444c5d8f0ad6c37a14c25b3eb438af50d67b31fd0af4921
  SHA512: a225f6403900c9737f72691a5b800a4db5810d8cf254d4f0888ae4f7d5b0ab1aed02a02f4a34c3ed60d9cc84a48a9a057fdcb5f0c1f684890188bb03be902c55