Analysis
- max time kernel: 92s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 20:39
Behavioral task
- behavioral1
- Sample: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll
- Resource: win7-20220812-en
General
- Target: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll
- Size: 2.1MB
- MD5: 6b8f922e24b6953f1646942d1fbb5493
- SHA1: 863747f5c00f71635ba9bc7ca7ed158e98852c6f
- SHA256: a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c
- SHA512: 8e6991fce2939e1745d1d1dec8a0ef793706c22c4135c388a0662fd4f4355afa00ecd590b83e51a50ef295cf2536a9a3d060868de13496971e42ec33929c3028
- SSDEEP: 49152:Zl8V/HfDl3v33vqkWo2+rZra+hciZvCOhRv:ZqZ/ZfnvZWo/5hciZvCO7v
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4928-134-0x0000000010000000-0x0000000010428000-memory.dmp | family_blackmoon
  behavioral2/memory/4928-136-0x0000000010000000-0x0000000010428000-memory.dmp | family_blackmoon

- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  7 | 4928 | rundll32.exe

- Processes:
  resource | yara_rule
  behavioral2/memory/4928-133-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
  behavioral2/memory/4928-134-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect
  behavioral2/memory/4928-136-0x0000000010000000-0x0000000010428000-memory.dmp | vmprotect

- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  description | ioc | process
  File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe

- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  3956 | 4928 | WerFault.exe | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4928 | rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4824 wrote to memory of 4928 | 4824 | rundll32.exe | rundll32.exe
  PID 4824 wrote to memory of 4928 | 4824 | rundll32.exe | rundll32.exe
  PID 4824 wrote to memory of 4928 | 4824 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a14848d5d7118fc5e265d956ac857703bb433b5b9b5029ae9ec38ab10d3b9e3c.dll,#1
    - Blocklisted process makes network request
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 700
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4928 -ip 4928
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4928-132-0x0000000000000000-mapping.dmp
- memory/4928-133-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)
- memory/4928-134-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)
- memory/4928-136-0x0000000010000000-0x0000000010428000-memory.dmp (Filesize: 4.2MB)