Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2023 11:05
Behavioral task: behavioral1
Sample: baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll
Resource: win7-20231023-en
General
Target: baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll
Size: 500KB
MD5: d39fd459b42b0807fb0388833305c00d
SHA1: 2193dc7415dcfc3ba64c7d630a3addd557db1e10
SHA256: baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909
SHA512: 80376f28e47ac4f196fd6da8f6aa0ec17e400e1e809bbc9ec0ccca0c1ba812ff40a7a05e2e59d081d472bae05c8984418b940283d6c78a41ae88a218ec072b1b
SSDEEP: 12288:ufxf2hROSRDLR5nWFpPoSNeN2XoSFv692ezH+bw:ufBoROs6bveUjv692eEw
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource: behavioral2/memory/2576-1-0x0000000010000000-0x000000001007D000-memory.dmp, yara_rule: family_blackmoon
  resource: behavioral2/memory/2576-37-0x0000000010000000-0x000000001007D000-memory.dmp, yara_rule: family_blackmoon
- Executes dropped EXE (1 IoC)
  pid: 2800, process: rundll32mgr.exe
- Drops file in System32 directory (1 IoC)
  description: File created, ioc: C:\Windows\SysWOW64\rundll32mgr.exe, process: rundll32.exe
- Program crash (1 IoC)
  pid: 3924, pid_target: 2800, process: WerFault.exe, target process: rundll32mgr.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2576, process: rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3488 wrote to memory of 2576 (process: rundll32.exe, target process: rundll32.exe)
  PID 3488 wrote to memory of 2576 (process: rundll32.exe, target process: rundll32.exe)
  PID 3488 wrote to memory of 2576 (process: rundll32.exe, target process: rundll32.exe)
  PID 2576 wrote to memory of 2800 (process: rundll32.exe, target process: rundll32mgr.exe)
  PID 2576 wrote to memory of 2800 (process: rundll32.exe, target process: rundll32mgr.exe)
  PID 2576 wrote to memory of 2800 (process: rundll32.exe, target process: rundll32mgr.exe)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  PID: 3488
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\baa6c9da5b502377205f6f9531afecba5f56e7977ea547e521aca7174d260909.dll,#1
    signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 2576
    - C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      signatures: Executes dropped EXE
      PID: 2800
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 264
        signatures: Program crash
        PID: 3924
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2800 -ip 2800
  PID: 1688
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 105KB
  MD5: dfb5daabb95dcfad1a5faf9ab1437076
  SHA1: 4a199569a9b52911bee7fb19ab80570cc5ff9ed1
  SHA256: 54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0
  SHA512: 5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8