Analysis
- max time kernel: 149s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 00:02
Behavioral task
- behavioral1
- Sample: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
- Resource: win7-20240903-en
General
- Target: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
- Size: 87KB
- MD5: be1caf87a76ca70f2118decc075b100a
- SHA1: 11581129f15b36c03a3d372be2e3b9c37f6f7d27
- SHA256: 83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c
- SHA512: b8e2959e79d3e27943d785532c855f0bcb281f743e0cbddfebb9bf1620b065c16e9d756e3ca6da4a6276ea72a1b8056b445863afdb3437abf40337edc818f530
- SSDEEP: 1536:z4hkM3Yz8wMZhUD2XsjEQWOSkE+Ct6WKBex3GWU5FkWp+AmQwKGSMdH+002I3/ia:Mq6OLM3QasY5Ft71fqWWp+efGftm2I31
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral2/memory/1492-14-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
  behavioral2/memory/4496-16-0x0000000000400000-0x000000000047F000-memory.dmp  family_blackmoon
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
  4496  Syslemwdqju.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  4496  Syslemwdqju.exe
- UPX (yara_rule upx)
  Processes (resource / yara_rule):
  behavioral2/memory/1492-0-0x0000000000400000-0x000000000047F000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe  upx
  behavioral2/memory/1492-14-0x0000000000400000-0x000000000047F000-memory.dmp  upx
  behavioral2/memory/4496-16-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Syslemwdqju.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), duplicate rows collapsed:
  1492  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
  4496  Syslemwdqju.exe
- Suspicious use of WriteProcessMemory (3 IoCs, all identical)
  Processes (description / pid / process / target process):
  PID 1492 wrote to memory of 4496  1492  83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe  Syslemwdqju.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\83fd3c691931b6cfee538eb0f688ac14a06a2715a1d7b9970ccba22c52b1a85c.exe"
  PID: 1492
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe (child of PID 1492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemwdqju.exe"
    PID: 4496
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB
  MD5: 670401416ac7359cdd2118d19b92424d
  SHA1: 61a3245e3d26b07a8fe8470ee17d1c145da65758
  SHA256: d543ff9be454e50ab10d8ed6e7454db087c16fd6ce464b4f71a6366173fc1a79
  SHA512: 728f9f304f97147632d337e20e793c96d03abd41c1ddeae327a80c4c07fec150615eca634280a0d302eac17d55b32125ccfa71e77afc4f7a1f18c353b60b1f94
- Filesize: 102B
  MD5: f89bb0954242fa3816f9e8d05b3cec36
  SHA1: e09be2a100c80b49e5600eb29cd3a2bc06a827d2
  SHA256: cd1ac67cb37d864d9444c5d8f0ad6c37a14c25b3eb438af50d67b31fd0af4921
  SHA512: a225f6403900c9737f72691a5b800a4db5810d8cf254d4f0888ae4f7d5b0ab1aed02a02f4a34c3ed60d9cc84a48a9a057fdcb5f0c1f684890188bb03be902c55