Analysis
  max time kernel:  149s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        24-12-2024 10:59
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  Resource:         win7-20241010-en
General
  Target: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
  Size:   546KB
  MD5:    d76ee42b3f0213dff456133d3f49a828
  SHA1:   9b08f2f5ba94f5c2dec40b999d6d37e2a3f39d45
  SHA256: c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc
  SHA512: fc5b386a17114ca1ef55aa19fd4e3825a1830fadf889d0e8e6a54b38a1ce62fee788ecf26b07ce688dd54041a9cde0bf82598ac897d95d445f31fa812f606956
  SSDEEP: 12288:eag9hsVdB1WUTYw6DgjfgOhWpUpytE5O03BFgGr3DODTZ7M:1g96dTYTDgjf2EDBmGg1M
Malware Config
Signatures
  Blackmoon family

  Detect Blackmoon payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral2/memory/1520-18-0x0000000000400000-0x00000000006C0000-memory.dmp   family_blackmoon
    behavioral2/memory/1520-21-0x0000000000400000-0x00000000006C0000-memory.dmp   family_blackmoon

  Downloads MZ/PE file

  Executes dropped EXE (2 IoCs)
    pid    Process
    1520   k7KwG1J.exe
    4244   1nae9DF.exe

  Unexpected DNS network traffic destination (4 IoCs)
    Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    description      ioc
    Destination IP   223.5.5.5
    Destination IP   114.114.114.114
    Destination IP   223.5.5.5
    Destination IP   114.114.114.114

  Drops file in System32 directory (1 IoC)
    description    ioc                             Process
    File created   C:\Windows\SysWOW64\Dult.dll    k7KwG1J.exe

  upx (yara_rule, 6 IoCs)
    resource                                                                      yara_rule
    behavioral2/files/0x000200000001e75d-3.dat                                    upx
    behavioral2/memory/1520-6-0x0000000000400000-0x00000000006C0000-memory.dmp    upx
    behavioral2/memory/1520-17-0x0000000010000000-0x0000000010019000-memory.dmp   upx
    behavioral2/memory/1520-15-0x0000000010000000-0x0000000010019000-memory.dmp   upx
    behavioral2/memory/1520-18-0x0000000000400000-0x00000000006C0000-memory.dmp   upx
    behavioral2/memory/1520-21-0x0000000000400000-0x00000000006C0000-memory.dmp   upx

  Drops file in Windows directory (3 IoCs)
    description                    ioc                                    Process
    File opened for modification   \??\c:\windows\L8z7645e\               c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    File created                   \??\c:\windows\L8z7645e\k7KwG1J.exe    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    File created                   \??\c:\windows\L8z7645e\1nae9DF.exe    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe

  System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                            Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    k7KwG1J.exe

  System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
    pid    Process
    1820   PING.EXE

  Runs ping.exe (1 TTP, 1 IoC)
    pid    Process
    1820   PING.EXE

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid    Process
    4244   1nae9DF.exe   (2 entries)
    1520   k7KwG1J.exe   (62 entries, identical)

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid    Process
    Token: SeDebugPrivilege   1520   k7KwG1J.exe

  Suspicious use of WriteProcessMemory (11 IoCs)
    description                        pid    Process                                                                 procid_target
    PID 2972 wrote to memory of 1520   2972   c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe   84
    PID 2972 wrote to memory of 1520   2972   c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe   84
    PID 2972 wrote to memory of 1520   2972   c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe   84
    PID 2972 wrote to memory of 4244   2972   c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe   85
    PID 2972 wrote to memory of 4244   2972   c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe   85
    PID 4244 wrote to memory of 3520   4244   1nae9DF.exe                                                             56
    PID 4244 wrote to memory of 3520   4244   1nae9DF.exe                                                             56
    PID 4244 wrote to memory of 3312   4244   1nae9DF.exe                                                             86
    PID 4244 wrote to memory of 3312   4244   1nae9DF.exe                                                             86
    PID 3312 wrote to memory of 1820   3312   cmd.exe                                                                 88
    PID 3312 wrote to memory of 1820   3312   cmd.exe                                                                 88
Processes
  [1] C:\Windows\Explorer.EXE
      command line: C:\Windows\Explorer.EXE
      PID: 3520
    [2] C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\c75e1a5d3149f33efb090d9f1106ed75d09a5570b3f56a0669f4f13cc3728bcc.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2972
      [3] \??\c:\windows\L8z7645e\k7KwG1J.exe
          command line: "c:\windows\L8z7645e\k7KwG1J.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1520
      [3] \??\c:\windows\L8z7645e\1nae9DF.exe
          command line: "c:\windows\L8z7645e\1nae9DF.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 4244
        [4] C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCVEcr.bat""
            - Suspicious use of WriteProcessMemory
            PID: 3312
          [5] C:\Windows\system32\PING.EXE
              command line: ping -n 2 127.1
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 1820
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 264B
  MD5:      7fcb2dda49824d3337cf07c967832b85
  SHA1:     6f6d8e27da3fb0109bdf72235077d9395330b4f8
  SHA256:   9c51b7aae92b228d2a591e4d07ee04fbc6c93c8bdcc90fe8603f8fff1f2f154f
  SHA512:   32b803a9dd99d3edf90e2d4965f9c23d5fa65b30c7c6d96c6b4ba7314a4d8882a754864abbb4a27fdb992360001369f92d60b45251554294374976a9996760d6

  Filesize: 222KB
  MD5:      561a88261d6c906c397723d0a484f366
  SHA1:     96201e0ce8a4433b9d22ae77ecc16435d34a6216
  SHA256:   9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
  SHA512:   31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124

  Filesize: 534KB
  MD5:      3792cabfbc4f330d39c06b51509146d0
  SHA1:     23e792c93cd0b73431c77255e298a3737dc18e20
  SHA256:   a42bb30639580792db5fb6ee080b50fae7cf93767b497447f7d2f3d00d904833
  SHA512:   ed4e6b3ccb087028b8fb09ede525bbdec4249202e01800bda52ea4bfd1ba5c3ca4ab5ab62b15dfa33d1bd8afb3a3ed5ee6b4b71f587f361ec67b7e5abc02def1