Analysis

max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 01:11
Behavioral task: behavioral1

Sample: 11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe
Resource: win7-20240221-en
Platform: windows7-x64
Signatures: 4
Duration: 150 seconds
General

Target: 11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe
Size: 4.5MB
MD5: 35f88b4ddcfa1ad111af4c95807a64b5
SHA1: b524a0b67990fadc2f952592d2fe969e46f4f800
SHA256: 11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988
SHA512: 57352f99225b90c0072862905fec3e239d65ca9da5ceaf99d3de33dd75cc8366cf3e7c073db4f226b5a7871ce03b8da4a86ccc0572cbd4f882e76a3213f7aed6
SSDEEP: 49152:BLLM4pYVSRTzW3x71kjLtbRz53wJWqD2NRmXNT08+C3looYM2sdIYOxrPFS:Rg4pfTzWhJglZEWNkloq91O
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  resource: behavioral2/memory/1056-0-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: family_blackmoon
  resource: behavioral2/memory/1056-2-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: family_blackmoon

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
  resource: behavioral2/memory/1056-0-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  resource: behavioral2/memory/1056-2-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

UPX dump on OEP (original entry point) (2 IoCs)
  resource: behavioral2/memory/1056-0-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: UPX
  resource: behavioral2/memory/1056-2-0x0000000000400000-0x00000000008886B6-memory.dmp  yara_rule: UPX

Program crash (1 IoCs)
  pid: 4472  pid_target: 1056  Process: WerFault.exe  procid_target: 84
Processes

C:\Users\Admin\AppData\Local\Temp\11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11fbf0e65b4a3c5970c16fe79f2e442fdb484613703c5453215e1ca835837988.exe"
  PID: 1056

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 532
    Signature: Program crash
    PID: 4472

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1056 -ip 1056
  PID: 408