Analysis
max time kernel: 7s
max time network: 2s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 13:42
Behavioral task
behavioral1
Sample: ba074cc13cf6636ae0578a7a6218c62b650ed129002ac41ce9cfde158a2bd012.dll
Resource: win7-20220901-en
4 signatures
150 seconds
General
Target: ba074cc13cf6636ae0578a7a6218c62b650ed129002ac41ce9cfde158a2bd012.dll
Size: 156KB
MD5: 6af815643fd22b27a3d29edc1458dc00
SHA1: e34570b2b07e5e305be5553eb7d9c2b545a46532
SHA256: ba074cc13cf6636ae0578a7a6218c62b650ed129002ac41ce9cfde158a2bd012
SHA512: 8144d623dd2263224de1d2fa580aa34c3ea1eae4b3daada0419bc4ced68a69e0d39279cb8dfb240e6bbe78ac464e1c81ddf3c6b19e869aef34a036ded9a3e8b2
SSDEEP: 3072:owC0qvztzqbU3nCwwqDYbsky/mik/cwt5VS/hCN7HVLB6F5+fFy/Q:owCpv4mCmUbs3/VOcwt5VS/INDV9o5Uv
Malware Config
Signatures

Detect Blackmoon payload (1 IoC)
resource | yara_rule
behavioral2/memory/3560-134-0x0000000010000000-0x0000000010073000-memory.dmp | family_blackmoon

resource | yara_rule
behavioral2/memory/3560-133-0x0000000010000000-0x0000000010073000-memory.dmp | vmprotect
behavioral2/memory/3560-134-0x0000000010000000-0x0000000010073000-memory.dmp | vmprotect

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4544 wrote to memory of 3560 | 4544 | rundll32.exe | 77
PID 4544 wrote to memory of 3560 | 4544 | rundll32.exe | 77
PID 4544 wrote to memory of 3560 | 4544 | rundll32.exe | 77
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba074cc13cf6636ae0578a7a6218c62b650ed129002ac41ce9cfde158a2bd012.dll,#1
   PID: 4544
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (spawned by 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba074cc13cf6636ae0578a7a6218c62b650ed129002ac41ce9cfde158a2bd012.dll,#1
      PID: 3560