Windows Analysis Report
eOlMJXTCUH.exe

Overview

General Information

Sample name: eOlMJXTCUH.exe
renamed because original name is a hash value
Original sample name: bbea55c736e2eccfcbaf36bd4467c419.exe
Analysis ID: 1520455
MD5: bbea55c736e2eccfcbaf36bd4467c419
SHA1: 02cb4b74b3af0a545b922be9161ff588221cde5c
SHA256: 7d7f580de5a46d90941ed4c7db9ac24e0117a957614324647d6c528b7d2f1833
Tags: exeuser-abuse_ch

Detection

BlackMoon
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected BlackMoon Ransomware
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: eOlMJXTCUH.exe ReversingLabs: Detection: 47%
Source: eOlMJXTCUH.exe Joe Sandbox ML: detected
Source: eOlMJXTCUH.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: eOlMJXTCUH.exe
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: eOlMJXTCUH.exe
Source: Binary string: C:\Windows\Start.pdb source: eOlMJXTCUH.exe
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe String found in binary or memory: http://103.239.244.218:8898/
Source: eOlMJXTCUH.exe String found in binary or memory: http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo
Source: eOlMJXTCUH.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: eOlMJXTCUH.exe String found in binary or memory: http://ocsp.thawte.com0
Source: eOlMJXTCUH.exe String found in binary or memory: http://top6666.top/top/version.txt
Source: eOlMJXTCUH.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: eOlMJXTCUH.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: eOlMJXTCUH.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: eOlMJXTCUH.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C71E0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 0_2_00007FF7155C71E0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C7070 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00007FF7155C7070

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: eOlMJXTCUH.exe, type: SAMPLE
Source: Yara match File source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eOlMJXTCUH.exe PID: 2884, type: MEMORYSTR

System Summary

Source: eOlMJXTCUH.exe, type: SAMPLE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155DA090 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 0_2_00007FF7155DA090
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155F9FC0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7155F9FC0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D9930: DeviceIoControl, 0_2_00007FF7155D9930
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C8690 0_2_00007FF7155C8690
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B6A3F 0_2_00007FF7155B6A3F
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B7245 0_2_00007FF7155B7245
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B8220 0_2_00007FF7155B8220
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CDF00 0_2_00007FF7155CDF00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D5F00 0_2_00007FF7155D5F00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B62F1 0_2_00007FF7155B62F1
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B66E7 0_2_00007FF7155B66E7
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B6D5E 0_2_00007FF7155B6D5E
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B696A 0_2_00007FF7155B696A
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C5150 0_2_00007FF7155C5150
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B6124 0_2_00007FF7155B6124
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B6E05 0_2_00007FF7155B6E05
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CCE10 0_2_00007FF7155CCE10
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B61DE 0_2_00007FF7155B61DE
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C99F0 0_2_00007FF7155C99F0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B65BC 0_2_00007FF7155B65BC
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D21A0 0_2_00007FF7155D21A0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D51B0 0_2_00007FF7155D51B0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C2C80 0_2_00007FF7155C2C80
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155C147F 0_2_00007FF7155C147F
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155DA090 0_2_00007FF7155DA090
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D3460 0_2_00007FF7155D3460
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B585C 0_2_00007FF7155B585C
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CDC50 0_2_00007FF7155CDC50
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CAC30 0_2_00007FF7155CAC30
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B650B 0_2_00007FF7155B650B
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B5CD7 0_2_00007FF7155B5CD7
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D8CA0 0_2_00007FF7155D8CA0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D78A0 0_2_00007FF7155D78A0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B709B 0_2_00007FF7155B709B
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CFCB0 0_2_00007FF7155CFCB0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B9B90 0_2_00007FF7155B9B90
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B5F95 0_2_00007FF7155B5F95
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CD390 0_2_00007FF7155CD390
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CC770 0_2_00007FF7155CC770
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D0B50 0_2_00007FF7155D0B50
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D3F20 0_2_00007FF7155D3F20
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155CE400 0_2_00007FF7155CE400
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155EFC00 0_2_00007FF7155EFC00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B57A5 0_2_00007FF7155B57A5
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: String function: 00007FF7155B75E0 appears 47 times
Source: eOlMJXTCUH.exe, 00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe, 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe, type: SAMPLE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: eOlMJXTCUH.exe Binary string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: eOlMJXTCUH.exe Binary string: \Device\Nal
Source: classification engine Classification label: mal68.rans.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155EF760 _invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF7155EF760
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: eOlMJXTCUH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: eOlMJXTCUH.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\eOlMJXTCUH.exe "C:\Users\user\Desktop\eOlMJXTCUH.exe"
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: d3dcompiler_43.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Section loaded: vcruntime140_1.dll
Source: eOlMJXTCUH.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: eOlMJXTCUH.exe Static file information: File size 2647552 > 1048576
Source: eOlMJXTCUH.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x225c00
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eOlMJXTCUH.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: eOlMJXTCUH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: eOlMJXTCUH.exe
Source: Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: eOlMJXTCUH.exe
Source: Binary string: C:\Windows\Start.pdb source: eOlMJXTCUH.exe
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eOlMJXTCUH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eOlMJXTCUH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eOlMJXTCUH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eOlMJXTCUH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B8220 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort, 0_2_00007FF7155B8220
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D3A91 push 8B48D68Bh; retf 0_2_00007FF7155D3A9C
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155DA090 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 0_2_00007FF7155DA090
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155FB400 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF7155FB400
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155DA090 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 0_2_00007FF7155DA090
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155B8220 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort, 0_2_00007FF7155B8220
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155D8880 GetProcessHeap,_Init_thread_footer,_Init_thread_footer, 0_2_00007FF7155D8880
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155FA958 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7155FA958
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe Code function: 0_2_00007FF7155FB280 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7155FB280
No contacted IP infos