Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 10:56

Static task: static1
Behavioral task: behavioral1
Sample: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Resource: win7-20240903-en
General

Target: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Size: 546KB
MD5: d76ee42b3f0213dff456133d3f49a828
SHA1: 9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45
SHA256: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc
SHA512: fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956
SSDEEP: 12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 2 IoCs
resource | yara_rule
behavioral2/memory/1112-18-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
behavioral2/memory/1112-21-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
1112 | DO925.exe
2964 | lDkLn8rlk.exe
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Dult.dll | DO925.exe

UPX packed file 6 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023b81-2.dat | upx
behavioral2/memory/1112-6-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
behavioral2/memory/1112-16-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral2/memory/1112-15-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral2/memory/1112-18-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
behavioral2/memory/1112-21-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
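The sandbox flagged packing with a YARA rule named upx on the dropped file and on the memory dumps of PID 1112. The dumped image region 0x400000-0x6C0000 is 0x2C0000 bytes (2.75 MiB) for a 546 KB file, which is the usual footprint of a packer that inflates into a much larger SizeOfImage. The following is an added example, not the report's rule and not Triage's code: it shows the static side of the same check, parsing the PE section table for UPX section names and comparing SizeOfImage with the file size. The two PE blobs are constructed fixtures (headers only, not loadable), and the 3x size ratio is an assumed heuristic threshold, not a value from the report.

```python
import struct

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}


def build_pe(section_names, size_of_image, file_padding=0):
    """Constructed fixture: a minimal PE32 with the given section names and
    SizeOfImage. It is parseable, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase (default EXE base)
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * len(section_names)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                    0x1000, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + b"\0" * file_padding


def parse_sections(data):
    """Return (ImageBase, SizeOfImage, [section names]) from a PE32/PE32+ blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    size_of_image, = struct.unpack_from("<I", data, opt + 56)  # same offset in both
    sec = opt + opt_size
    names = [data[sec + 40 * i: sec + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsec)]
    return image_base, size_of_image, names


def upx_indicators(data, ratio=3.0):
    """Static packing tells: UPX section names, and SizeOfImage far above the
    file size (ratio is an assumed threshold). Returns (base, size, names, hits)."""
    image_base, size_of_image, names = parse_sections(data)
    hits = []
    found = [n for n in names if n in UPX_SECTIONS]
    if found:
        hits.append("UPX section names: " + ", ".join(found))
    if size_of_image >= ratio * len(data):
        hits.append(f"SizeOfImage 0x{size_of_image:X} is >= {ratio}x the file size ({len(data)} bytes)")
    return image_base, size_of_image, names, hits


# Constructed fixtures: a UPX-style layout with the report's image span, and a plain layout.
PACKED = build_pe(["UPX0", "UPX1", ".rsrc"], size_of_image=0x2C0000, file_padding=0x600)
PLAIN = build_pe([".text", ".rdata", ".data", ".rsrc"], size_of_image=0x2000, file_padding=0x1200)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        base, size, names, hits = upx_indicators(blob)
        print(f"{label}: base=0x{base:X} SizeOfImage=0x{size:X} sections={names}")
        for h in hits:
            print("  ->", h)
```

Section names are trivially renamed by packer options, so the size ratio is the more durable of the two tells; the memory-dump rule in the report catches what a static check cannot, namely the image after it has unpacked itself.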
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\o87Y\ | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
File created | \??\c:\windows\o87Y\DO925.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
File created | \??\c:\windows\o87Y\lDkLn8rlk.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DO925.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4284 | PING.EXE
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4284 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2964 | lDkLn8rlk.exe | 2
1112 | DO925.exe | 62 (the remaining entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1112 | DO925.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1732 wrote to memory of 1112 | 1732 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 86
PID 1732 wrote to memory of 1112 | 1732 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 86
PID 1732 wrote to memory of 1112 | 1732 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 86
PID 1732 wrote to memory of 2964 | 1732 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 87
PID 1732 wrote to memory of 2964 | 1732 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 87
PID 2964 wrote to memory of 3424 | 2964 | lDkLn8rlk.exe | 56
PID 2964 wrote to memory of 3424 | 2964 | lDkLn8rlk.exe | 56
PID 2964 wrote to memory of 2136 | 2964 | lDkLn8rlk.exe | 88
PID 2964 wrote to memory of 2136 | 2964 | lDkLn8rlk.exe | 88
PID 2136 wrote to memory of 4284 | 2136 | cmd.exe | 90
PID 2136 wrote to memory of 4284 | 2136 | cmd.exe | 90
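The behavioural signatures above are each a small correlation over process, file, registry and network events. The following is an added example, not the sandbox's own detection code: it replays four of them (Executes dropped EXE, Drops file in Windows / System32 directory, System Language Discovery, Unexpected DNS network traffic destination) over hand-constructed telemetry. The event records are built from the PIDs, paths and IPs listed in this report, but the field names (kind, pid, ppid, image, path, key, dst_ip, dst_port) are an assumed Sysmon-like schema, the DNS flows carry no pid because the report does not attribute them, and the "configured" resolver 192.168.1.1 is an assumption, since the report does not name the sandbox's DNS server.

```python
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed telemetry modelled on the report's findings (assumed schema).
EVENTS = [
    {"kind": "process_create", "pid": 1732, "ppid": 3424, "image": SAMPLE},
    {"kind": "file_create", "pid": 1732, "path": r"\??\c:\windows\o87Y\DO925.exe"},
    {"kind": "file_create", "pid": 1732, "path": r"\??\c:\windows\o87Y\lDkLn8rlk.exe"},
    {"kind": "process_create", "pid": 1112, "ppid": 1732, "image": r"c:\windows\o87Y\DO925.exe"},
    {"kind": "process_create", "pid": 2964, "ppid": 1732, "image": r"c:\windows\o87Y\lDkLn8rlk.exe"},
    {"kind": "file_create", "pid": 1112, "path": r"C:\Windows\SysWOW64\Dult.dll"},
    {"kind": "reg_open", "pid": 1732, "key": NLS_KEY},
    {"kind": "reg_open", "pid": 1112, "key": NLS_KEY},
    # DNS-port flows; the first goes to the assumed configured resolver and must not fire.
    {"kind": "net_connect", "pid": None, "dst_ip": "192.168.1.1", "dst_port": 53},
    {"kind": "net_connect", "pid": None, "dst_ip": "114.114.114.114", "dst_port": 53},
    {"kind": "net_connect", "pid": None, "dst_ip": "223.5.5.5", "dst_port": 53},
    {"kind": "net_connect", "pid": None, "dst_ip": "223.5.5.5", "dst_port": 53},
    {"kind": "net_connect", "pid": None, "dst_ip": "223.5.5.5", "dst_port": 443},  # not port 53
]

CONFIGURED_DNS = {"192.168.1.1"}  # assumption, see lead-in


def norm_path(p):
    """Case-fold and strip the NT object-manager prefix so that
    '\\??\\c:\\windows\\x.exe' and 'C:\\Windows\\x.exe' compare equal."""
    p = p.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def executes_dropped_exe(events):
    """Pair each file_create with a later process_create of the same path.
    Returns [(path, creator_pid, new_pid)] in event order."""
    created_by, hits = {}, []
    for e in events:
        if e["kind"] == "file_create":
            created_by.setdefault(norm_path(e["path"]), e["pid"])
        elif e["kind"] == "process_create":
            img = norm_path(e["image"])
            if img in created_by:
                hits.append((img, created_by[img], e["pid"]))
    return hits


def drops_under(events, prefixes):
    """Normalised file_create paths that start with any of the lower-case prefixes."""
    return [norm_path(e["path"]) for e in events
            if e["kind"] == "file_create" and norm_path(e["path"]).startswith(prefixes)]


def language_discovery(events):
    """PIDs that opened the NLS\\Language key (system-language discovery)."""
    return sorted({e["pid"] for e in events
                   if e["kind"] == "reg_open"
                   and e["key"].lower().endswith(r"\control\nls\language")})


def unexpected_dns(events, configured):
    """Distinct DNS-port destinations other than the configured resolvers."""
    return sorted({e["dst_ip"] for e in events
                   if e["kind"] == "net_connect" and e["dst_port"] == 53
                   and e["dst_ip"] not in configured})


if __name__ == "__main__":
    for path, by, pid in executes_dropped_exe(EVENTS):
        print(f"Executes dropped EXE: {path} (written by {by}, runs as {pid})")
    print("Drops in Windows dir:", drops_under(EVENTS, ("c:\\windows\\",)))
    print("Drops in System32/SysWOW64:",
          drops_under(EVENTS, ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")))
    print("System language discovery by PIDs:", language_discovery(EVENTS))
    print("Unexpected DNS destinations:", unexpected_dns(EVENTS, CONFIGURED_DNS))
```

The path normalisation matters in practice: file-create events arrive with the \??\ prefix and mixed case while process-create events carry a Win32 path, so the dropped-EXE rule never matches without it. The DNS rule also distinguishes the two public resolvers here from the sandbox's own, which is exactly what the "other servers than the configured DNS servers" wording describes.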
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3424

  C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1732

    \??\c:\windows\o87Y\DO925.exe
      Command line: "c:\windows\o87Y\DO925.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1112

    \??\c:\windows\o87Y\lDkLn8rlk.exe
      Command line: "c:\windows\o87Y\lDkLn8rlk.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2964

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhwOhgI.bat""
        - Suspicious use of WriteProcessMemory
        PID: 2136

        C:\Windows\system32\PING.EXE
          Command line: ping -n 2 127.1
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 4284
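The tail of the tree, lDkLn8rlk.exe spawning cmd.exe /c on a .bat in %TEMP% which in turn runs ping -n 2 127.1, is the common batch-file "sleep" idiom: cmd has no sleep command, pinging loopback N times takes roughly N-1 seconds, and 127.1 is inet_aton shorthand for 127.0.0.1 that a naive string match on "127.0.0.1" misses. The following is an added example, not part of the report: it rebuilds the tree from constructed (pid, ppid, image, cmdline) records taken from the Processes section, renders it in the same indented shape, and flags the cmd.exe -> PING.EXE loopback chain after expanding the address shorthand. The record layout and the regular expression are assumptions of this example; the report does not say what bhwOhgI.bat contains beyond this ping.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"

# Constructed from the report's process tree: (pid, ppid, image, command line).
# Explorer's parent is outside the capture, so ppid 0 marks it as the root.
PROCS = [
    (3424, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1732, 3424, SAMPLE, f'"{SAMPLE}"'),
    (1112, 1732, r"\??\c:\windows\o87Y\DO925.exe", r'"c:\windows\o87Y\DO925.exe"'),
    (2964, 1732, r"\??\c:\windows\o87Y\lDkLn8rlk.exe", r'"c:\windows\o87Y\lDkLn8rlk.exe"'),
    (2136, 2964, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhwOhgI.bat""'),
    (4284, 2136, r"C:\Windows\system32\PING.EXE", "ping -n 2 127.1"),
]

PING_RE = re.compile(r"^\s*ping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(\S+)", re.IGNORECASE)


def build_tree(procs):
    """Return (children map, root pids); a pid whose parent is not in the set is a root."""
    pids = {p[0] for p in procs}
    children, roots = {}, []
    for pid, ppid, _, _ in procs:
        if ppid in pids:
            children.setdefault(ppid, []).append(pid)
        else:
            roots.append(pid)
    return children, roots


def render(procs):
    """Indented text tree, one line per process, in the report's shape."""
    by_pid = {p[0]: p for p in procs}
    children, roots = build_tree(procs)
    lines = []

    def walk(pid, depth):
        _, _, image, cmdline = by_pid[pid]
        lines.append(f"{'  ' * depth}{image}  [{cmdline}]  PID:{pid}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def _part(p):
    """One dotted component with inet_aton's radix rules: 0x.. hex, 0.. octal, else decimal."""
    if p.lower().startswith("0x"):
        return int(p, 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def inet_aton_shorthand(text):
    """Expand the short dotted forms inet_aton() accepts ('a', 'a.b', 'a.b.c'):
    the last component fills all remaining low-order bytes, so '127.1' is 127.0.0.1."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(text)
    nums = [_part(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in head):
        raise ValueError(text)
    width = 4 - len(head)                  # bytes the last component covers
    if not 0 <= last < 256 ** width:
        raise ValueError(text)
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * width)) | last
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def batch_ping_delay_chains(procs):
    """cmd.exe running a .bat whose child is ping against loopback.
    Returns [(cmd_pid, ping_pid, normalised_target, echo_count)]."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if not image.lower().endswith("\\ping.exe") or ppid not in by_pid:
            continue
        _, _, p_image, p_cmd = by_pid[ppid]
        if not (p_image.lower().endswith("\\cmd.exe") and ".bat" in p_cmd.lower()):
            continue
        m = PING_RE.match(cmdline)
        if not m:
            continue
        count = int(m.group(1)) if m.group(1) else 4   # Windows ping default is 4 echoes
        try:
            target = inet_aton_shorthand(m.group(2))
        except ValueError:
            target = m.group(2)                        # hostname: leave as written
        if target.startswith("127."):
            hits.append((ppid, pid, target, count))
    return hits


if __name__ == "__main__":
    print(render(PROCS))
    for cmd_pid, ping_pid, target, count in batch_ping_delay_chains(PROCS):
        print(f"batch delay: cmd.exe {cmd_pid} -> PING.EXE {ping_pid} pings {target} x{count}")
```

Normalising the address before matching is the point of the helper: 127.1, 0x7f.1 and 2130706433 all name the loopback interface, and only the canonical form should be compared against. The same chain also shows why EnumeratesProcesses and WriteProcessMemory on 2964 should be read together with its children rather than in isolation.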
-
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 261B
MD5: 6785e1fe2b60c6bb1ca6a3ff08a085d9
SHA1: f117a9ee25cc9f0148fd0f23c566175e9a6af679
SHA256: 3557ebe7c16325bbacba7519818fff6796983a8461ad212f364aed6366359027
SHA512: a2a97180e11d11ca188607c3480e29089cef4bd3895e5f5e6a301e88f02b7af5c0cf9b7882e8ca9cfb7208f206c287b8c28c37d8356eb53e4747c01a4adcaade

Filesize: 534KB
MD5: 3792cabfbc4f330d39c06b51509146d0
SHA1: 23e792c93cd0b73431c77255e298a3737dc18e20
SHA256: a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833
SHA512: ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1

Filesize: 222KB
MD5: 561a88261d6c906c397723d0a484f366
SHA1: 96201e0ce8a4433b9d22ae77ecc16435d34a6216
SHA256: 9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
SHA512: 31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124