Analysis
max time kernel: 38s
max time network: 135s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 20:39
Behavioral task: behavioral1
Sample: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll
Resource: win7-20220812-en
General
Target: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll
Size: 2.1MB
MD5: 6b8f922e24b6953f1646942d1fbb5493
SHA1: 863747f5c00f71635ba9bc7ca7ed158e98852c6f
SHA256: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c
SHA512: 8e6991fce2939e1745d1d1dec8a0ef793706c22c4135c388a0662fd4f4355afa00ecd590b83e51a50ef295cf2536a9a3d060868de13496971e42ec33929c3028
SSDEEP: 49152:Zl8V/HfDl3v33vqkWo2+rZra+hciZvCOhRv:ZqZ/ZfnvZWo/5hciZvCO7v
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1384-58-0x0000000010000000-0x0000000010428000-memory.dmp | family_blackmoon
behavioral1/memory/1384-61-0x0000000010000000-0x0000000010428000-memory.dmp | family_blackmoon
Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
2 | 1384 | rundll32.exe
Processes:
resource | yara_rule
behavioral1/memory/1384-56-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
behavioral1/memory/1384-57-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
behavioral1/memory/1384-58-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
behavioral1/memory/1384-61-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
952 | 1384 | WerFault.exe | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1384 | rundll32.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1112 wrote to memory of 1384 | 1112 | rundll32.exe | rundll32.exe
PID 1384 wrote to memory of 952 | 1384 | rundll32.exe | WerFault.exe
PID 1384 wrote to memory of 952 | 1384 | rundll32.exe | WerFault.exe
PID 1384 wrote to memory of 952 | 1384 | rundll32.exe | WerFault.exe
PID 1384 wrote to memory of 952 | 1384 | rundll32.exe | WerFault.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll,#1
      - Blocklisted process makes network request
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 348
         - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/952-60-0x0000000000000000-mapping.dmp
- memory/1384-54-0x0000000000000000-mapping.dmp
- memory/1384-55-0x0000000075351000-0x0000000075353000-memory.dmp (Filesize: 8KB)
- memory/1384-56-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)
- memory/1384-57-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)
- memory/1384-58-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)
- memory/1384-61-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)