Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Resource
win7-20240903-en
General
-
Target
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
-
Size
7.5MB
-
MD5
c88226d44adcffb4dc370b1024561c71
-
SHA1
44336057920c887f0497abb9db6acc5b517ae5d4
-
SHA256
c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8
-
SHA512
4782d3d3f17c203841644a8d061f10a0448cfaae852848ea1a3bf31ba3befe859c4c09d9e0f192d22719f9c2211540f2c220807ef3f91cadd43692a78b1ea1ab
-
SSDEEP
98304:TPF75Ej5VK+568kTjE5D7R5z8yDB+EM181mGgKvoPc2r6GDNMs1B7X8jEExDrWMl:5+VWA5RbDBBYz6GheAE0MZCCLyUS7NXq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 17 IoCs
resource yara_rule behavioral2/memory/3616-2-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-3-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-9-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-10-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-12-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-76-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-197-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-318-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-433-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-554-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-675-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-796-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-917-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-1032-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-1141-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-1262-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon behavioral2/memory/3616-1377-0x0000000000400000-0x000000000198F000-memory.dmp family_blackmoon -
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\system32\drivers\etc\HOSTS.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File created C:\Windows\system32\drivers\etc\hosts.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\system32\drivers\etc\hosts.dz c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DultwQg34wQg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DultwQg34wQg.sys" c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dult.dll c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
resource yara_rule behavioral2/memory/3616-6-0x0000000010000000-0x0000000010019000-memory.dmp upx behavioral2/memory/3616-4-0x0000000010000000-0x0000000010019000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\System32.exe c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe File opened for modification C:\Windows\System32.exe c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 652 Process not Found -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: SeDebugPrivilege 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe Token: 1 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe 3616 c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe"C:\Users\Admin\AppData\Local\Temp\c64b2ef7e5c9460dc464f682ba24aab7818c839e222178621697f9ba07b402c8.exe"1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114B
MD540f9e0ee8fe9d23ab654fae5754cb9a6
SHA1dccae241c87fffe78a4ac7263e68cfcfb1997649
SHA2563f7907656b67120c440f9eab5fdeb4ec601c1a3cb42165552aa964f87e71619f
SHA512696b649b518cbd04330216e4f2ed7f37909a4250539c5e78a5a0e3cc038c25880eb105f8500e63ccf92180b1b96e983426b46d566f31386a2857945df2789553