Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2024 16:52
Behavioral task
behavioral1
- Sample: ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
- Resource: win7-20240903-en

General
- Target: ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
- Size: 314KB
- MD5: afee45b830be9fae35ebda722b801800
- SHA1: 2b49f9ed6ae2b0c36612d2267b58803bab96259e
- SHA256: ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d
- SHA512: d485dff2f4eda2c140e2ee87f3d048c3b78157c82ab746ca1704dcd7c38f67e98b42b6f31137ae6ef84a4c35b3cbe9d012977b62a7a2cd52ee80adfda5597862
- SSDEEP: 6144:PMivKqmiRqbQFI7tjBty1xYtwQYpk0iYCF+lq9177tGKBoudDeklV04E3:0kYbQFI7RPwk00rFekHLE
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral2/files/0x0007000000023c87-7.dat                                    family_blackmoon
    behavioral2/memory/1036-19-0x0000000000400000-0x00000000004BD000-memory.dmp   family_blackmoon
- Modifies RDP port number used by Windows (1 TTPs; no IoC row is shown for this signature)
- Executes dropped EXE (1 IoCs)
    pid    Process
    3272   pythonw.exe
- Loads dropped DLL (2 IoCs)
    pid    Process
    3272   pythonw.exe
    3272   pythonw.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ÏÔ¿¨Çý¶¯ = "C:\\Users\\Public\\Downloads\\desktop\\pythonw.exe"
    Process: ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
    The value name ÏÔ¿¨Çý¶¯ is GBK text displayed as Latin-1 on the en-us image; the bytes decode to 显卡驱动 ("graphics card driver"), so the autostart entry poses as a display-driver component. Note that the Run value points at C:\Users\Public\Downloads\desktop\pythonw.exe, while the copy actually executed in this run is C:\ProgramData\pythonw.exe (see Processes).
- yara rule upx (2 IoCs)
    resource                                                                      yara_rule
    behavioral2/memory/1036-0-0x0000000000400000-0x00000000004BD000-memory.dmp    upx
    behavioral2/memory/1036-19-0x0000000000400000-0x00000000004BD000-memory.dmp   upx
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                           Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   pythonw.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description         ioc                                                                 Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         pythonw.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    pythonw.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid    Process
    3272   pythonw.exe   (64 identical events)
- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid    Process
    1036   ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process                                                                 procid_target
    PID 1036 wrote to memory of 3272   1036   ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe   84   (3 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1036

   2. C:\ProgramData\pythonw.exe   (child of PID 1036)
      command line: C:\ProgramData\pythonw.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 3272
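The indicators in this report (the per-user Run value, the two pythonw.exe drop paths, and the file hashes) can be hunted on a suspect Windows host with the following PowerShell. This is an added triage script, not part of the sandbox report or the malware. Two assumptions are made: the RDP check targets the standard Terminal Server\WinStations\RDP-Tcp\PortNumber value, because the report flags an RDP port change but shows no IoC row for it; and the "not under a \PythonNN\ directory" filter on Run-key commands is a heuristic for separating a dropped pythonw.exe from a legitimate Python install. The four download hashes are treated as candidate dropped-file hashes, since the report does not say which download landed at which path.

```powershell
# Added triage script (not from the sandbox report): hunts for the persistence and
# file indicators listed above on a Windows host. Run in an elevated PowerShell so
# every user hive under HKEY_USERS is readable.

# SHA256 values copied from the report: the submitted sample and the four downloads.
$KnownSha256 = @(
    'ef79533e643bb11424280d23b8270999c52cc226f409f72e972073f1adad7d2d',  # sample, 314KB
    '1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1',  # download, 84KB
    'e58d00dca904f875d30a1e980f89325d70cba8fb75939aa95621f348a733ba8c',  # download, 272KB
    '51182a4dc90f0d8019031e27f9fb8f8f2b8d73cd0c8f5ad5aac194c9f3f5c1e1',  # download, 93KB
    'a42c6872cdc6ae03ab19e8e0017829062ca284b55a9ae4f6c9b9277ebf7d3ca3'   # download, 156KB
)

# Both pythonw.exe locations the report shows: the Run-key target and the executed copy.
$SuspectPaths = @(
    'C:\Users\Public\Downloads\desktop\pythonw.exe',
    'C:\ProgramData\pythonw.exe'
)

$findings = @()

# 1. Run-key persistence. The report's value name is GBK mojibake and may vary, so
#    match on the command instead: any pythonw.exe outside a normal Python install
#    directory. The "\PythonNN\" path filter is a heuristic, not from the report.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $runKey = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $cmd = [string]$p.Value
            if ($cmd -match 'pythonw\.exe' -and $cmd -notmatch '\\Python\d*\\') {
                $findings += [pscustomobject]@{
                    Type   = 'RunKey'
                    Where  = "$runKey\$($p.Name)"
                    Detail = $cmd
                }
            }
        }
    }

# 2. Dropped files: hash whatever sits at the reported paths and compare with the set.
#    A pythonw.exe at either path with an unknown hash is still worth a look.
foreach ($path in $SuspectPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256 -contains $hash) { $type = 'KnownHash' } else { $type = 'UnexpectedPythonw' }
    $findings += [pscustomobject]@{ Type = $type; Where = $path; Detail = $hash }
}

# 3. RDP listener port. The report flags a change but shows no IoC, so this assumes the
#    standard WinStations\RDP-Tcp\PortNumber value and flags anything other than 3389.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue
if ($rdp -and $rdp.PortNumber -ne 3389) {
    $findings += [pscustomobject]@{ Type = 'RdpPort'; Where = "$rdpKey\PortNumber"; Detail = $rdp.PortNumber }
}

if ($findings.Count -eq 0) {
    'No indicators from the report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated session; without elevation only the current user's Run key is visible and the script will silently miss other profiles. A hit of type RunKey or KnownHash should be treated as confirmation, while UnexpectedPythonw and RdpPort are leads that need manual review, since a relocated legitimate Python or an administratively changed RDP port would trigger them too.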
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84KB
  MD5: ae96651cfbd18991d186a029cbecb30c
  SHA1: 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
  SHA256: 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
  SHA512: 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7
- Filesize: 272KB
  MD5: 9a54895a1ac99f435a8c89516547e759
  SHA1: 4cb748cdb7dc9a4b424cc29fa41b3ac2d015e5b4
  SHA256: e58d00dca904f875d30a1e980f89325d70cba8fb75939aa95621f348a733ba8c
  SHA512: a123af33e5baaa1b8291ce911e75a4cd699f6812620eb7997db0855e3ad41232cba7aee2ca2fe19f302e308aa8778afbd0356d358d5bc11455f4f23080a3d224
- Filesize: 93KB
  MD5: 867945992b1375b625b16f0e5ba1b623
  SHA1: af2e140ecd754d2e700c7043c26b35f0a1e4c982
  SHA256: 51182a4dc90f0d8019031e27f9fb8f8f2b8d73cd0c8f5ad5aac194c9f3f5c1e1
  SHA512: d46c21753edaa50ec6e913932bccec59b59da2077fa4ef66abcaadc4f5e291dc21662c11c0c607c9be65bb52e9190b9f8e216aa7319e2d4ff26e876b85457a68
- Filesize: 156KB
  MD5: eba56b08fb99be3cd1f858834d0d58d0
  SHA1: 77be8a344fbf4fca1737cda27ac9a6c9d60c8832
  SHA256: a42c6872cdc6ae03ab19e8e0017829062ca284b55a9ae4f6c9b9277ebf7d3ca3
  SHA512: 476b62331e41beac5137101ee8ff429abf9a7985632d706880c0eae72585e86d1c2b4666ab60068ed6b6434dd3b6e44c808dfa2de590c3b5b6fde1085f2af447