Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2025, 20:27
Static task
static1
Behavioral task
behavioral1
Sample
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Resource
win7-20241010-en
General
-
Target
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
-
Size
1.4MB
-
MD5
fad7d45230c31489338a62901c686c1a
-
SHA1
727f07676418a9edd681ebd5eea67ba65692ae04
-
SHA256
640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434
-
SHA512
4afacc3f4968cbecebf1aac694ae33d00d210847a8dafa51b105a4c290ace1666965b5372c49d26177f3e440590bddf1ba18c14b186c42473a46df1af3a5f88f
-
SSDEEP
24576:+4PetDoqzEVx6Qnq7NDsj1TxC0vr3fyx+/CMMF5Frw71JlG7NSze+NGzvHtpnP:l+Do1Vx7q76j1VfvTfyx+/CJTe7BoAza
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 2 IoCs
resource yara_rule behavioral2/memory/5636-51-0x0000000000400000-0x0000000000D52000-memory.dmp family_blackmoon behavioral2/memory/5636-52-0x0000000000400000-0x0000000000D52000-memory.dmp family_blackmoon -
Loads dropped DLL 1 IoCs
pid Process 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
resource yara_rule behavioral2/memory/5636-7-0x0000000010000000-0x0000000010018000-memory.dmp upx behavioral2/memory/5636-8-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-44-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-48-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-46-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-42-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-40-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-38-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-36-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-34-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-32-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-30-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-28-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-50-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-22-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-16-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-12-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-26-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-24-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-20-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-18-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-14-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-10-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx behavioral2/memory/5636-9-0x0000000002AC0000-0x0000000002AFF000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeLockMemoryPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeCreateGlobalPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeBackupPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeRestorePrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeShutdownPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeCreateTokenPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe Token: SeTakeOwnershipPrivilege 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe 5636 640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe"C:\Users\Admin\AppData\Local\Temp\640d003f1a7121f56c876af1dd7c10752c0c9dfc0d3f904df040b4c0ade61434.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167KB
MD5870bf728d1b59132e45ed8cbb6b5d40f
SHA1589ab4c0be5e06e9d8015d0e090ec4ec763df104
SHA2562430f87cd3f8ac25bcbbb4d4690294d4c35f948362a2a6d126aa3a5fa4bad80d
SHA512743a6e774b1e85a14543c5fd8ea9a48b9727655393e70ef4afcf57df12a1b54913b7fe5f376aad76139e78f50859d2f047294bcee30db4b76d5560414d79e818