Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Resource
win7-20240903-en
General
-
Target
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
-
Size
7.5MB
-
MD5
c88226d44adcffb4dc370b1024561c71
-
SHA1
44336057920c887f0497abb9db6acc5b517ae5d4
-
SHA256
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8
-
SHA512
4782d3d3f17c203841644a8d061f10a0448cfaae852848ea1a3bf31ba3befe859c4c09d9e0f192d22719f9c2211540f2c220807ef3f91cadd43692a78b1ea1ab
-
SSDEEP
98304:TPF75Ej5VK+568kTjE5D7R5z8yDB+EM181mGgKvoPc2r6GDNMs1B7X8jEExDrWMl:5+VWA5RbDBBYz6GheAE0MZCCLyUS7NXq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 17 IoCs
resource yara_rule behavioral1/memory/2156-2-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-18-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-19-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-20-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-22-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-74-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-195-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-316-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-437-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-552-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-661-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-782-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-897-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-1018-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-1139-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-1260-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral1/memory/2156-1381-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon -
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\HOSTS.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File created C:\Windows\system32\drivers\etc\hosts.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\system32\drivers\etc\hosts.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\system32\drivers\etc\hosts c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DultwgT48wgT\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DultwgT48wgT.sys" c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dult.dll c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
resource yara_rule behavioral1/memory/2156-6-0x0000000010000000-0x0000000010019000-memory.dmp upx behavioral1/memory/2156-4-0x0000000010000000-0x0000000010019000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\System32.exe c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\System32.exe c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 476 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: 1 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe 2156 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe"C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114B
MD540f9e0ee8fe9d23ab654fae5754cb9a6
SHA1dccae241c87fffe78a4ac7263e68cfcfb1997649
SHA2563f7907656b67120c440f9eab5fdeb4ec601c1a3cb42165552aa964f87e71619f
SHA512696b649b518cbd04330216e4f2ed7f37909a4250539c5e78a5a0e3cc038c25880eb105f8500e63ccf92180b1b96e983426b46d566f31386a2857945df2789553