Analysis

max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2023 19:43

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: 0f6ebf0d283cb8d63d3dbbc8d07db38d0e6de82d595fb0981a2b3a52d5f7b212.dll
  Resource: win7-20230621-en (windows7-x64)
  5 signatures, 150 seconds
General

Target: 0f6ebf0d283cb8d63d3dbbc8d07db38d0e6de82d595fb0981a2b3a52d5f7b212.dll
Size: 1.4MB
MD5: a9d8f51f6de7545b371bb2b304d185cd
SHA1: a206494194aa0dcbb498b7622d814b9ba81a2c3c
SHA256: 0f6ebf0d283cb8d63d3dbbc8d07db38d0e6de82d595fb0981a2b3a52d5f7b212
SHA512: a9521f8ddd4285dd0829730b4237e672ea196d0a5dce6bd6e468d5eec25d1c1704dd621cbc51fe4172d521a85554399d0c144bc751242d3212fab3f2cd2f882d
SSDEEP: 24576:OyfTxWgblLOJNhZW17ehQhb5TYQopbs+SykZH8jFdOpPP15vgA168K:OW0gU7hARX5dopYJH8pdOpHT4A168K
Malware Config

Signatures

Detect Blackmoon payload (1 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1192-54-0x0000000010000000-0x00000000103C1000-memory.dmp  family_blackmoon

Blocklisted process makes network request (1 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  2     1192  rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: rundll32.exe
  pid   process
  1192  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                       pid   process       target process
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
  PID 1088 wrote to memory of 1192  1088  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (PID 1088)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f6ebf0d283cb8d63d3dbbc8d07db38d0e6de82d595fb0981a2b3a52d5f7b212.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1192, child of 1088)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f6ebf0d283cb8d63d3dbbc8d07db38d0e6de82d595fb0981a2b3a52d5f7b212.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetWindowsHookEx