Analysis
max time kernel: 90s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2022, 20:23
Behavioral task: behavioral1
Sample: e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll
Resource: win7-20220812-en
General
Target: e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll
Size: 3.9MB
MD5: 9a05d32a9e7fedce9c4fc8cb0afa966c
SHA1: 46791e12d3471d9ccd012a9ed52be43dd7a2b8a9
SHA256: e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6
SHA512: ef643a5ef313505a0f6b5ca5f4e9635b7d8534b507f129aad61b0b31e2011a44248dd50f7f808544c7c06e8783954d510ba1de175332607a067486d59119c074
SSDEEP: 98304:ziSacGY85ycuvTZ6Er4v/YBYSnFP1GashgyiIqoXKkV6:zPZG3y9lEvsYS51ZshgyiIDXKkV
Malware Config
Signatures

Detect Blackmoon payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3468-133-0x0000000010000000-0x000000001043D000-memory.dmp | family_blackmoon
behavioral2/memory/3468-134-0x0000000010000000-0x000000001043D000-memory.dmp | family_blackmoon
behavioral2/memory/3468-135-0x0000000010000000-0x000000001043D000-memory.dmp | family_blackmoon
behavioral2/memory/3468-136-0x0000000010000000-0x000000001043D000-memory.dmp | family_blackmoon
All four matches are against memory dumps of PID 3468 (the SysWOW64 rundll32.exe) covering 0x10000000-0x1043D000, a range consistent with the DLL mapped at the default 32-bit DLL image base. The family rule fires only on the in-memory image; the file on disk matched just the packer rule below, so a disk-only scan would have seen ASPack and nothing else.

Packed with ASPack (1 IoC)
resource | yara_rule
behavioral2/files/0x000e000000022e04-137.dat | aspack_v212_v242

Loads dropped DLL (1 IoC)
pid | Process
3468 | rundll32.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\987561.bmd | rundll32.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4228 | 3468 | WerFault.exe | 80

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4676 wrote to memory of 3468 | 4676 | rundll32.exe | 80
PID 4676 wrote to memory of 3468 | 4676 | rundll32.exe | 80
PID 4676 wrote to memory of 3468 | 4676 | rundll32.exe | 80
The writer (4676) is the parent of the target (3468) in the process tree below, so these writes are consistent with the 64-bit rundll32.exe handing a 32-bit DLL off to its SysWOW64 copy rather than with injection into an unrelated process.
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
   PID: 4676
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 4676)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
      PID: 3468
      - Loads dropped DLL
      - Drops file in System32 directory
      3. C:\Windows\SysWOW64\WerFault.exe (child of 3468)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 688
         PID: 4228
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3468 -ip 3468
   PID: 4128
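The process chain and dropped-file indicator above translate directly into hunt logic. What follows is an added example, not tria.ge code and nothing taken from the sample: Python rules run over constructed Sysmon-style events that mirror the tree (the Event class, the event IDs and field names, the rule names, the hunt() function and the benign control event with PID 5000 are all assumptions; the parent of PID 4676 is not shown on the page and is left blank).

```python
"""Hunt rules for the rundll32 chain in this report, run over constructed
Sysmon-style events (added example; not tria.ge or sample code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the report above.
SAMPLE_SHA256 = "e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6"
DROPPED_FILE = r"C:\Windows\SysWOW64\987561.bmd"
DLL_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_SHA256 + ".dll"

# rundll32 asked to call an export by ordinal ("...dll,#1") instead of by name.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)
# DLL loaded from a user-writable staging directory.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
# WerFault names the crashed process with "-p <pid>".
WERFAULT_TARGET = re.compile(r"\s-p\s+(\d+)")


@dataclass
class Event:
    """Subset of Sysmon fields (assumed layout): 1 = process create, 11 = file create."""
    event_id: int
    pid: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


def is_rundll32(path: str) -> bool:
    return path.lower().endswith("\\rundll32.exe")


def hunt(events: list[Event]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs; pid is the rundll32 process the rule concerns."""
    hits: list[tuple[str, int]] = []
    rundll32_pids: set[int] = set()
    for ev in events:
        if ev.event_id == 1 and is_rundll32(ev.image):
            rundll32_pids.add(ev.pid)
            if ORDINAL_EXPORT.search(ev.command_line) and USER_TEMP.search(ev.command_line):
                hits.append(("rundll32_ordinal_export_from_temp", ev.pid))
            # 64-bit rundll32 re-launching its SysWOW64 copy, as 4676 -> 3468 above
            if is_rundll32(ev.parent_image) and "\\syswow64\\" in ev.image.lower():
                hits.append(("rundll32_wow64_respawn", ev.pid))
        elif ev.event_id == 11 and is_rundll32(ev.image) and SYSTEM_DIR.match(ev.target_filename):
            # rundll32 writing into System32/SysWOW64, as 987561.bmd above
            hits.append(("rundll32_drops_into_system_dir", ev.pid))
        elif ev.event_id == 1 and ev.image.lower().endswith("\\werfault.exe"):
            # Only flag crashes of rundll32 processes seen earlier in the stream.
            m = WERFAULT_TARGET.search(ev.command_line)
            if m and int(m.group(1)) in rundll32_pids:
                hits.append(("rundll32_crashed", int(m.group(1))))
    return hits


# Constructed from the process tree above. The parent of 4676 is not on the
# page and is left blank; PID 5000 is a benign control that must not fire.
SAMPLE_EVENTS = [
    Event(1, 4676, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL_PATH},#1"),
    Event(1, 3468, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL_PATH},#1",
          parent_image=r"C:\Windows\system32\rundll32.exe"),
    Event(11, 3468, r"C:\Windows\SysWOW64\rundll32.exe", target_filename=DROPPED_FILE),
    Event(1, 4228, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 688",
          parent_image=r"C:\Windows\SysWOW64\rundll32.exe"),
    Event(1, 5000, r"C:\Windows\system32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid}")
```

The ordinal-plus-%TEMP% rule is the one worth tuning first: rundll32 calling `,#1` on a DLL staged under a user profile is rare in legitimate use, whereas the WOW64 re-spawn and the WerFault rule are corroborating context rather than signals on their own.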
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.9MB
MD5: aae2c15f00256d1a50cd72665e267f36
SHA1: de15c39b155a45782313d5523f93e4dcdefe59ac
SHA256: 691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f
SHA512: 9fb4751b44e279a3e73131ce5debeb1cac9805a31063cdc265c3cd945db1e7f14dc62a38595bc2311d110467fcb898023a158cf6063cde7939e1fd97ff0a8122