Analysis Overview
SHA256
86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94
Threat Level: Known bad
The file 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94 was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-10-05 12:34
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-05 12:34
Reported
2021-10-05 12:36
Platform
win7-en-20210920
Max time kernel
69s
Max time network
18s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1212 wrote to memory of 1328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1
Network
Files
memory/1328-53-0x0000000000000000-mapping.dmp
memory/1328-54-0x0000000075331000-0x0000000075333000-memory.dmp
memory/1328-55-0x0000000002215000-0x0000000002226000-memory.dmp
memory/1328-56-0x0000000002210000-0x0000000002211000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-05 12:34
Reported
2021-10-05 12:36
Platform
win10v20210408
Max time kernel
67s
Max time network
152s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 808 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 808 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 808 wrote to memory of 912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/912-114-0x0000000000000000-mapping.dmp
memory/912-115-0x0000000000BF3000-0x0000000000BF5000-memory.dmp
memory/912-116-0x0000000000BF0000-0x0000000000BF1000-memory.dmp