Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
28/03/2025, 20:27
Static task
static1
Behavioral task
behavioral1
Sample
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Resource
win7-20241010-en
General
-
Target
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
-
Size
1.4MB
-
MD5
fad7d45230c31489338a62901c686c1a
-
SHA1
727f07676418a9edd681ebd5eea67ba65692ae04
-
SHA256
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434
-
SHA512
4afacc3f4968cbecebf1aac694ae33d00d210847a8dafa51b105a4c290ace1666965b5372c49d26177f3e440590bddf1ba18c14b186c42473a46df1af3a5f88f
-
SSDEEP
24576:+4PetDoqzEVx6Qnq7NDsj1TxC0vr3fyx+/CMMF5Frw71JlG7NSze+NGzvHtpnP:l+Do1Vx7q76j1VfvTfyx+/CJTe7BoAza
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 3 IoCs
resource yara_rule behavioral1/memory/1592-50-0x0000000000400000-0x0000000000D52000-memory.dmp family_blackmoon behavioral1/memory/1592-51-0x0000000000400000-0x0000000000D52000-memory.dmp family_blackmoon behavioral1/memory/1592-52-0x0000000000400000-0x0000000000D52000-memory.dmp family_blackmoon -
Loads dropped DLL 1 IoCs
pid Process 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
resource yara_rule behavioral1/memory/1592-6-0x0000000010000000-0x0000000010018000-memory.dmp upx behavioral1/memory/1592-49-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-47-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-45-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-43-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-41-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-39-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-37-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-35-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-33-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-31-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-29-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-27-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-25-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-23-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-21-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-19-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-17-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-15-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-13-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-11-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-9-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-8-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx behavioral1/memory/1592-7-0x0000000000EF0000-0x0000000000F2F000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeLockMemoryPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeCreateGlobalPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeBackupPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeRestorePrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeShutdownPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeCreateTokenPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeTakeOwnershipPrivilege 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe 1592 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe"C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167KB
MD5870bf728d1b59132e45ed8cbb6b5d40f
SHA1589ab4c0be5e06e9d8015d0e090ec4ec763df104
SHA2562430f87cd3f8ac25bcbbb4d4690294d4c35f948362a2a6d126aa3a5fa4bad80d
SHA512743a6e774b1e85a14543c5fd8ea9a48b9727655393e70ef4afcf57df12a1b54913b7fe5f376aad76139e78f50859d2f047294bcee30db4b76d5560414d79e818