Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 10:59

Static task: static1
Behavioral task: behavioral1
Sample: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Resource: win7-20241010-en

General
Target: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Size: 546KB
MD5: d76ee42b3f0213dff456133d3f49a828
SHA1: 9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45
SHA256: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc
SHA512: fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956
SSDEEP: 12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2884-21-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
behavioral1/memory/2884-34-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
behavioral1/memory/2884-39-0x0000000000400000-0x00000000006C0000-memory.dmp | family_blackmoon
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid | Process
2832 | 649eu6Ec3.exe
2884 | 61xRb6B.exe

Loads dropped DLL (4 IoCs)
pid | Process
1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Destination IP | 114.114.114.114
Destination IP | 223.5.5.5
Destination IP | 223.5.5.5

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dult.dll | 61xRb6B.exe
resource | yara_rule
behavioral1/files/0x0038000000017021-1.dat | upx
behavioral1/memory/2884-31-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral1/memory/2884-29-0x0000000010000000-0x0000000010019000-memory.dmp | upx
behavioral1/memory/2884-21-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
behavioral1/memory/2884-34-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
behavioral1/memory/2884-39-0x0000000000400000-0x00000000006C0000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | \??\c:\windows\FxvN\649eu6Ec3.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
File opened for modification | \??\c:\windows\FxvN\ | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
File created | \??\c:\windows\FxvN\61xRb6B.exe | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 61xRb6B.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2692 | PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2692 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2832 | 649eu6Ec3.exe
2884 | 61xRb6B.exe (this row is repeated for all remaining entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2884 | 61xRb6B.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1600 wrote to memory of 2884 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 30
PID 1600 wrote to memory of 2884 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 30
PID 1600 wrote to memory of 2884 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 30
PID 1600 wrote to memory of 2884 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 30
PID 1600 wrote to memory of 2832 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 31
PID 1600 wrote to memory of 2832 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 31
PID 1600 wrote to memory of 2832 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 31
PID 1600 wrote to memory of 2832 | 1600 | c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe | 31
PID 2832 wrote to memory of 1212 | 2832 | 649eu6Ec3.exe | 21
PID 2832 wrote to memory of 1212 | 2832 | 649eu6Ec3.exe | 21
PID 2832 wrote to memory of 2984 | 2832 | 649eu6Ec3.exe | 32
PID 2832 wrote to memory of 2984 | 2832 | 649eu6Ec3.exe | 32
PID 2832 wrote to memory of 2984 | 2832 | 649eu6Ec3.exe | 32
PID 2984 wrote to memory of 2692 | 2984 | cmd.exe | 34
PID 2984 wrote to memory of 2692 | 2984 | cmd.exe | 34
PID 2984 wrote to memory of 2692 | 2984 | cmd.exe | 34
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1212

  C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
    PID: 1600
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\FxvN\61xRb6B.exe
      command line: "c:\windows\FxvN\61xRb6B.exe"
      PID: 2884
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    \??\c:\windows\FxvN\649eu6Ec3.exe
      command line: "c:\windows\FxvN\649eu6Ec3.exe"
      PID: 2832
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RNKecHYV.bat""
        PID: 2984
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE
          command line: ping -n 2 127.1
          PID: 2692
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 262B
MD5: c2c9141f6ef34ea75db8e6d325fa59d1
SHA1: 0a9dfdc655e59cbcf1f77a57aad1d608507aadd9
SHA256: fb364d7aa015ce38356e20fd4d807c378a170410275e8b5a508a1bc476d4c441
SHA512: 5c49fbbd4eaceb1bd7f75d265b093199c95e3a86e883d41440e1b725b6a8dcb5a8f6052c10d17ab72350f3654ebae89da6a0da71ff03eca3f4235c94b6b08394

Filesize: 222KB
MD5: 561a88261d6c906c397723d0a484f366
SHA1: 96201e0ce8a4433b9d22ae77ecc16435d34a6216
SHA256: 9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
SHA512: 31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

Filesize: 534KB
MD5: 3792cabfbc4f330d39c06b51509146d0
SHA1: 23e792c93cd0b73431c77255e298a3737dc18e20
SHA256: a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833
SHA512: ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1