Analysis
-
max time kernel
137s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2023 20:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll
Resource
win7-20230220-en
windows7-x64
3 signatures
150 seconds
General
-
Target
6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll
-
Size
1.2MB
-
MD5
03d5a0d3f0b25b77b4fc17ed52345083
-
SHA1
bb4f6515c51daed125a20ce0a6520603cd745087
-
SHA256
6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5
-
SHA512
15bf516fbb4451a6637538b8fb281c2381a720c37fa05ee9992091b98e5f4477395891d531aa1b5147080f1136528802c8c0dbfe26315f3d707a1edda8085271
-
SSDEEP
24576:sodLs/HI52UTJes5OGLEh2UwlZI1ncWB4fGHTL9EB:sodwaRF75GoI1ncJfGHTJEB
Malware Config
Signatures
-
Detect Blackmoon payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4980-133-0x0000000010000000-0x000000001013E000-memory.dmp family_blackmoon behavioral2/memory/4980-134-0x0000000010000000-0x000000001013E000-memory.dmp family_blackmoon -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4900 wrote to memory of 4980 4900 rundll32.exe rundll32.exe PID 4900 wrote to memory of 4980 4900 rundll32.exe rundll32.exe PID 4900 wrote to memory of 4980 4900 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6dcce825c476e5329299ac78c8d10e5f01a4ca034d3c1474d54f2fdf74457df5.dll,#12⤵