Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2024 10:56

Static task
- static1

Behavioral task
- behavioral1
  - Sample: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  - Resource: win7-20240903-en
General
- Target: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
- Size: 546KB
- MD5: d76ee42b3f0213dff456133d3f49a828
- SHA1: 9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45
- SHA256: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc
- SHA512: fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956
- SSDEEP: 12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1940-34-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
  behavioral1/memory/1940-39-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | Process
  1940 | D8jHt4.exe
  2880 | S25J11r4uz.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2308 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe (4 entries, all for this process)
- Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 223.5.5.5
  Destination IP | 114.114.114.114
  Destination IP | 223.5.5.5
  Destination IP | 114.114.114.114
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Dult.dll | D8jHt4.exe
- yara_rule upx matches (7 IoCs)
  resource | yara_rule
  behavioral1/files/0x0004000000004ed7-1.dat | upx
  behavioral1/memory/2308-8-0x0000000003070000-0x0000000003330000-memory.dmp | upx
  behavioral1/memory/1940-31-0x0000000010000000-0x0000000010019000-memory.dmp | upx
  behavioral1/memory/1940-29-0x0000000010000000-0x0000000010019000-memory.dmp | upx
  behavioral1/memory/1940-28-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
  behavioral1/memory/1940-34-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
  behavioral1/memory/1940-39-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\h0u8A142F\ | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  File created | \??\c:\windows\h0u8A142F\D8jHt4.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  File created | \??\c:\windows\h0u8A142F\S25J11r4uz.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D8jHt4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2556 | PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2556 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2880 | S25J11r4uz.exe
  1940 | D8jHt4.exe (all remaining entries, repeated for this process)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1940 | D8jHt4.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2308 wrote to memory of 1940 | 2308 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 31 (4 entries)
  PID 2308 wrote to memory of 2880 | 2308 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 32 (4 entries)
  PID 2880 wrote to memory of 1224 | 2880 | S25J11r4uz.exe | 21 (2 entries)
  PID 2880 wrote to memory of 2804 | 2880 | S25J11r4uz.exe | 33 (3 entries)
  PID 2804 wrote to memory of 2556 | 2804 | cmd.exe | 36 (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 1224
  - C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
    Depth: 2, PID: 2308
    Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - \??\c:\windows\h0u8A142F\D8jHt4.exe
      Command line: "c:\windows\h0u8A142F\D8jHt4.exe"
      Depth: 3, PID: 1940
      Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\h0u8A142F\S25J11r4uz.exe
      Command line: "c:\windows\h0u8A142F\S25J11r4uz.exe"
      Depth: 3, PID: 2880
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y4X2Wq.bat""
        Depth: 4, PID: 2804
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE
          Command line: ping -n 2 127.1
          Depth: 5, PID: 2556
          Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 272B
  MD5: e197d2e929343eb763d3daa32c531daf
  SHA1: 021343314e90d99c2225f1d443fc3c2271662b19
  SHA256: fea0bb505192c06963ef0aaadc29e24b6ae7c83cca8c053899520ca918097fd6
  SHA512: a735c0eb1b2a1a943670d3d31449b07369b4dbdd0d421ca0094bb5c8829db55a76ab9d18a1c8a98497b287e03d82f0748e07ac0656c63c70e2429c233fe196ac
- Filesize: 534KB
  MD5: 3792cabfbc4f330d39c06b51509146d0
  SHA1: 23e792c93cd0b73431c77255e298a3737dc18e20
  SHA256: a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833
  SHA512: ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1
- Filesize: 222KB
  MD5: 561a88261d6c906c397723d0a484f366
  SHA1: 96201e0ce8a4433b9d22ae77ecc16435d34a6216
  SHA256: 9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
  SHA512: 31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124