Analysis

max time kernel:  150s
max time network: 143s
platform:         windows7_x64
resource:         win7-20230712-en
resource tags:    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted:        28/08/2023, 21:35
Behavioral task: behavioral1

Sample:     a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll
Resource:   win7-20230712-en
Signatures: 14
Duration:   150 seconds
General

Target: a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll
Size:   432KB
MD5:    1ec07a06295fbd106998f68f81035292
SHA1:   9344788b70d9e4be55aefcf7fc031834463582ef
SHA256: a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae
SHA512: 922bff3a99501c286450982eab6b5375c9b4833c8090f661a1bb93eaa3a6bc6ac60589a2d91bc11e1422c41ef52629502af3980cc02cd28dcaf567fe2d90024f
SSDEEP: 12288:kov9YJjrV+pJR6cuXFqaYCL9yKASIAcl3hkWWlyvQO:B+JHVyR6xXky0KASbcdh6yvQO
Malware Config

Signatures
Detect Blackmoon payload (2 IoCs)

resource | yara_rule
behavioral1/memory/2984-0-0x0000000010000000-0x0000000010089000-memory.dmp | family_blackmoon
behavioral1/memory/2984-2-0x0000000010000000-0x0000000010089000-memory.dmp | family_blackmoon
purplefox_rootkit yara rule matches (3 IoCs)

resource | yara_rule
behavioral1/memory/3004-17-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
behavioral1/memory/3004-18-0x00000000765F0000-0x0000000076700000-memory.dmp | purplefox_rootkit
behavioral1/memory/3004-19-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
Gh0st RAT payload (2 IoCs)

resource | yara_rule
behavioral1/memory/3004-17-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
behavioral1/memory/3004-19-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)

description | pid | Process | procid_target
PID 2984 created 420 | 2984 | rundll32.exe | 3
upx yara rule matches (8 IoCs)

resource | yara_rule
behavioral1/memory/2984-0-0x0000000010000000-0x0000000010089000-memory.dmp | upx
behavioral1/memory/2984-2-0x0000000010000000-0x0000000010089000-memory.dmp | upx
behavioral1/memory/3004-3-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral1/memory/3004-5-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral1/memory/3004-8-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral1/memory/3004-14-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000543000-memory.dmp | upx
behavioral1/memory/3004-16-0x0000000000400000-0x0000000000543000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 2984 set thread context of 3004 | 2984 | rundll32.exe | 29
Modifies data under HKEY_USERS (12 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)

pid | Process
2984 | rundll32.exe
3004 | svchost.exe (33 identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2984 | rundll32.exe
Token: 33 | 3004 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3004 | svchost.exe
Token: 33 | 3004 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3004 | svchost.exe
Suspicious use of WriteProcessMemory (15 IoCs)

description | pid | Process | procid_target
PID 1260 wrote to memory of 2984 | 1260 | rundll32.exe | 28 (7 identical entries)
PID 2984 wrote to memory of 3004 | 2984 | rundll32.exe | 29 (8 identical entries)
Processes

- C:\Windows\system32\winlogon.exe (PID:420)
  command line: winlogon.exe
  - C:\Windows\SysWOW64\svchost.exe (PID:3004)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
    signatures:
    - Enumerates connected drives
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\rundll32.exe (PID:1260)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll,#1
  signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID:2984)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8a2c05606db0b08fd77dfc4fb96728160cd786860deb6d31018825648e9ffae.dll,#1
    signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory