Malware Analysis Report

2024-10-24 18:40

Sample ID: 211005-prrcfsaagm
Target: 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94
SHA256: 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94
Tags: 0c6ca0532355a106258791f50b66c153 blackmatter
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94

Threat Level: Known bad

The file 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94 was found to be: Known bad.

Malicious Activity Summary

0c6ca0532355a106258791f50b66c153 blackmatter

Blackmatter family

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-10-05 12:34

Signatures

Blackmatter family (tag: blackmatter)

Analysis: behavioral1

Detonation Overview

Submitted: 2021-10-05 12:34
Reported: 2021-10-05 12:36
Platform: win7-en-20210920
Max time kernel: 69s
Max time network: 18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                          Indicator  Process                           Target
Token: SeBackupPrivilege             N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeDebugPrivilege              N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: 36                            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeImpersonatePrivilege        N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeIncBasePriorityPrivilege    N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeIncreaseQuotaPrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: 33                            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeManageVolumePrivilege       N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeProfSingleProcessPrivilege  N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeRestorePrivilege            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeSecurityPrivilege           N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeSystemProfilePrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeTakeOwnershipPrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeShutdownPrivilege           N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1212 wrote to memory of 1328  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

Network

N/A

Files

memory/1328-53-0x0000000000000000-mapping.dmp
memory/1328-54-0x0000000075331000-0x0000000075333000-memory.dmp
memory/1328-55-0x0000000002215000-0x0000000002226000-memory.dmp
memory/1328-56-0x0000000002210000-0x0000000002211000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-10-05 12:34
Reported: 2021-10-05 12:36
Platform: win10v20210408
Max time kernel: 67s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                          Indicator  Process                           Target
Token: SeBackupPrivilege             N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeDebugPrivilege              N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: 36                            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeImpersonatePrivilege        N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeIncBasePriorityPrivilege    N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeIncreaseQuotaPrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: 33                            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeManageVolumePrivilege       N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeProfSingleProcessPrivilege  N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeRestorePrivilege            N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeSecurityPrivilege           N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeSystemProfilePrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeTakeOwnershipPrivilege      N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeShutdownPrivilege           N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
Token: SeBackupPrivilege             N/A        C:\Windows\system32\vssvc.exe     N/A
Token: SeRestorePrivilege            N/A        C:\Windows\system32\vssvc.exe     N/A
Token: SeAuditPrivilege              N/A        C:\Windows\system32\vssvc.exe     N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 808 wrote to memory of 912    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 912    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 912    N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#1

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

Network

N/A
Files

memory/912-114-0x0000000000000000-mapping.dmp
memory/912-115-0x0000000000BF3000-0x0000000000BF5000-memory.dmp
memory/912-116-0x0000000000BF0000-0x0000000000BF1000-memory.dmp