Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 02:38
Behavioral task
behavioral1
Sample
f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe
Resource
win7-20240903-en
General
-
Target
f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe
-
Size
282KB
-
MD5
7221de427bfc94627d5dca358b07653c
-
SHA1
356b3562884ed9409ebc490db637a80c891b660e
-
SHA256
f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab
-
SHA512
7b75c91ef877f780e8b8bddd0d85ed1992e78502f4633e1d4ec9ef1e9fdcd2751208d2d0b200de841e60b52568f79594759e85dfe317a85486c7f54a035fad5d
-
SSDEEP
6144:dnriPrgSyrSjda3biWdzvOsoXsYczVgYSyykq3tiMmVVpOfMR+B8ckBtqqXpeYwR:dnQZnda3OWAsPYciuykCtizOhB8ck3q3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 2 IoCs
resource yara_rule behavioral1/files/0x000700000001878c-10.dat family_blackmoon behavioral1/memory/3048-16-0x0000000000400000-0x00000000004C8000-memory.dmp family_blackmoon -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" pythonw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" pythonw.exe -
Executes dropped EXE 1 IoCs
pid Process 2408 pythonw.exe -
Loads dropped DLL 3 IoCs
pid Process 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 2408 pythonw.exe 2408 pythonw.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯ÓÅ»¯×é¼þ = "C:\\ProgramData\\pythonw.exe" f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: pythonw.exe File opened (read-only) \??\T: pythonw.exe File opened (read-only) \??\N: pythonw.exe File opened (read-only) \??\P: pythonw.exe File opened (read-only) \??\R: pythonw.exe File opened (read-only) \??\V: pythonw.exe File opened (read-only) \??\B: pythonw.exe File opened (read-only) \??\E: pythonw.exe File opened (read-only) \??\G: pythonw.exe File opened (read-only) \??\L: pythonw.exe File opened (read-only) \??\H: pythonw.exe File opened (read-only) \??\I: pythonw.exe File opened (read-only) \??\S: pythonw.exe File opened (read-only) \??\W: pythonw.exe File opened (read-only) \??\U: pythonw.exe File opened (read-only) \??\X: pythonw.exe File opened (read-only) \??\Y: pythonw.exe File opened (read-only) \??\Z: pythonw.exe File opened (read-only) \??\J: pythonw.exe File opened (read-only) \??\M: pythonw.exe File opened (read-only) \??\O: pythonw.exe File opened (read-only) \??\Q: pythonw.exe -
resource yara_rule behavioral1/memory/3048-0-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral1/memory/3048-16-0x0000000000400000-0x00000000004C8000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pythonw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ pythonw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pythonw.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2408 pythonw.exe 2408 pythonw.exe 2408 pythonw.exe 2408 pythonw.exe 2408 pythonw.exe 2408 pythonw.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 2408 pythonw.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2436 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 30 PID 3048 wrote to memory of 2436 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 30 PID 3048 wrote to memory of 2436 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 30 PID 3048 wrote to memory of 2436 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 30 PID 2436 wrote to memory of 2412 2436 cmd.exe 32 PID 2436 wrote to memory of 2412 2436 cmd.exe 32 PID 2436 wrote to memory of 2412 2436 cmd.exe 32 PID 2436 wrote to memory of 2412 2436 cmd.exe 32 PID 2412 wrote to memory of 2420 2412 cmd.exe 33 PID 2412 wrote to memory of 2420 2412 cmd.exe 33 PID 2412 wrote to memory of 2420 2412 cmd.exe 33 PID 2412 wrote to memory of 2420 2412 cmd.exe 33 PID 3048 wrote to memory of 2408 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 34 PID 3048 wrote to memory of 2408 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 34 PID 3048 wrote to memory of 2408 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 34 PID 3048 wrote to memory of 2408 3048 f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe 34 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" pythonw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" pythonw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe"C:\Users\Admin\AppData\Local\Temp\f062d26483d0bb0fccc152133cc67b08cbda7f73de187db2de3ca31289da31ab.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd.exe /c SCHTASKS /Delete /TN "SDL" /F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\cmd.execmd.exe /c SCHTASKS /Delete /TN "SDL" /F3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /Delete /TN "SDL" /F4⤵
- System Location Discovery: System Language Discovery
PID:2420
-
-
-
-
C:\ProgramData\pythonw.exeC:\ProgramData\pythonw.exe2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2408
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75KB
MD582c3c8d3a6221cf8db71fdee532bfedf
SHA16c2a447acc79cacecc8efbe0b8de38fd194aa095
SHA2563177dbc2ce8f68405fc874f6189ccf947d8217227ffc81a85f9b23aec1f47f80
SHA512491e914b091d218a663abca5f2c2aed2b839ba87a74429c285145baef6a23fb4cf0718b64869a04237258d0608c44c6e2cec3446feaae9b4d5a7071a0325f420
-
Filesize
272KB
MD5d30cd5301720b65435f734e6351b2050
SHA1d89f13113b3bdd1ee085a40e52ff12f1e2463858
SHA256613ae676d96080041ac9f08825ae2d0fb8d63cbbeabb1cc54cca9945b6a4409d
SHA512461c75e1a54d17bc532ed0c4f1b860b139cfadad756a5b4a53e6d6bd3449daa7062dcd32fa4e3b53a64861b553f0bf265800e146fa1aa7d06d6b72be487f44ea
-
Filesize
93KB
MD5867945992b1375b625b16f0e5ba1b623
SHA1af2e140ecd754d2e700c7043c26b35f0a1e4c982
SHA25651182a4dc90f0d8019031e27f9fb8f8f2b8d73cd0c8f5ad5aac194c9f3f5c1e1
SHA512d46c21753edaa50ec6e913932bccec59b59da2077fa4ef66abcaadc4f5e291dc21662c11c0c607c9be65bb52e9190b9f8e216aa7319e2d4ff26e876b85457a68
-
Filesize
84KB
MD5ae96651cfbd18991d186a029cbecb30c
SHA118df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA2561b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA51242a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7