Analysis

max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 12:19

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General

Target: d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll
Size: 15.1MB
MD5: ca455757a490342d08ddd0636282d1db
SHA1: bfc05e1baa642475b06048aeb09f4e90cd709e87
SHA256: d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3
SHA512: 954b9925669ce2fe44c65ee589a45b47588496d4a62facf583bb0a952ee9c44686f754a1df773713a12c8e7f1dcebef749b895c6cf383006518118ae57f2989f
SSDEEP: 393216:aiIPTObyuJIOmTnMTW6vBfK+DlV3y7Prqt:aLPWGOpS+X36PWt
Malware Config

Signatures

Detect Blackmoon payload (11 IoCs)
Processes:
resource                                                          | yara_rule
behavioral1/memory/2188-9-0x0000000010000000-0x00000000120DA000-memory.dmp  | family_blackmoon
behavioral1/memory/2188-7-0x0000000010000000-0x00000000120DA000-memory.dmp  | family_blackmoon
behavioral1/memory/2188-13-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-16-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-23-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-19-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-30-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-29-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-37-0x0000000003050000-0x0000000003236000-memory.dmp | family_blackmoon
behavioral1/memory/2188-41-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon
behavioral1/memory/2188-42-0x0000000010000000-0x00000000120DA000-memory.dmp | family_blackmoon

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid  | process
2188 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                    | pid  | process      | target process
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
PID 2388 wrote to memory of 2188 | 2388 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll,#1
  PID: 2388
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2fe840c45bc4f60cba85e7e1709c3e993e9faed230f88e785988aacae68c3d3.dll,#1
      PID: 2188
      - Suspicious use of SetWindowsHookEx